Tutek_OLD
New Member
March 12, 2021
Question

Cannot connect to AD LDAPS

  • March 12, 2021
  • 7 replies
  • 37633 views

Hi,

I would like to configure an LDAPS connection to my domain controller. I installed a certificate on AD and installed the CA certificate on the FortiGate.

From any Windows PC using ldap.exe I have a secure connection to the DC on port 636.

The domain controller name is resolved by FQDN from the FortiGate, but when I create the connection using the secure option I get the error: "Can't contact LDAP server"

 

    7 replies

    marchand
    New Member
    March 12, 2021

    To configure secure LDAP, you first need to install and configure a Certificate Authority on your Domain Controller.

    Tutek_OLD
    Author
    New Member
    March 12, 2021

    I don't need a local CA; we use a public commercial certificate.

    marchand
    New Member
    March 12, 2021

     

    OK! I'm using self-signed certificates.

    Then check whether your certificate meets the requirements:

    Setup LDAPS (LDAP over SSL)

    The certificate to be used for LDAPS must satisfy the following 3 requirements:
      • The certificate must be valid for the purpose of Server Authentication. This means that it must also contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
      • The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate.
      • The host machine account must have access to the private key.
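The first two of those requirements can be checked from any host that can reach the DC on tcp/636, without touching the FortiGate at all. The script below is an added example, not something posted in this thread and not Fortinet's or Microsoft's code; it needs only openssl 1.1.1 or newer. The host name dc01.corp.example.com and the file paths are made-up, and the demo certificate it builds at the end is a constructed self-signed one standing in for a real DC certificate. Requirement 3 (the machine account's access to the private key) lives on the DC itself and is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: check a DC certificate against the LDAPS
# requirements quoted above using nothing but openssl (1.1.1 or newer).
#   1. Extended Key Usage includes Server Authentication (1.3.6.1.5.5.7.3.1)
#   2. the first SAN DNS entry (or the Subject CN when there is no SAN) equals
#      the FQDN the FortiGate is configured to connect to
# Requirement 3 (machine account can read the private key) is local to the DC
# and cannot be tested from outside it. Host names and paths are assumptions.

# Fetch the certificate presented on tcp/636 and write it out as PEM.
# Usage: fetch_ldaps_cert dc01.corp.example.com > dc01.pem
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Returns 0 when the certificate in $1 satisfies requirements 1 and 2 for the
# FQDN in $2, 1 otherwise; prints one line per check.
check_ldaps_cert() {
    cert="$1"; fqdn="$2"; rc=0

    # Requirement 1: EKU must list TLS Web Server Authentication (serverAuth).
    if openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
            | grep -q 'TLS Web Server Authentication'; then
        echo "ok:   EKU contains Server Authentication (1.3.6.1.5.5.7.3.1)"
    else
        echo "FAIL: EKU lacks Server Authentication; the DC will not use this cert for LDAPS"
        rc=1
    fi

    # Requirement 2: first SAN DNS name, falling back to the Subject CN when
    # the certificate carries no SAN, must equal the configured server name.
    first_san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
                | grep -o 'DNS:[^,]*' | head -n 1 | cut -d: -f2)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    name="${first_san:-$cn}"
    if [ "$name" = "$fqdn" ]; then
        echo "ok:   certificate name '$name' matches configured server '$fqdn'"
    else
        echo "FAIL: certificate name '${name:-<none>}' does not match '$fqdn';"
        echo "      configure the FortiGate with this exact FQDN, not the IP"
        rc=1
    fi
    return $rc
}

# Constructed self-signed test certificate (a stand-in, not a real DC cert).
# make_sample_cert <out.pem> <cn> <san-list> <eku-list>
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

# Demo on a constructed certificate so the script runs offline.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/good.pem" dc01.corp.example.com \
    "DNS:dc01.corp.example.com,DNS:corp.example.com" serverAuth
check_ldaps_cert "$demo_dir/good.pem" dc01.corp.example.com
rm -rf "$demo_dir"
```

Against a real DC, run `fetch_ldaps_cert dc01.corp.example.com > dc01.pem` from a host with network access and then `check_ldaps_cert dc01.pem dc01.corp.example.com`, passing the exact value you typed into the FortiGate's LDAP server field. If that field holds the IP address, the name check fails, which is the same mismatch that later replies in this thread fix by switching the server field from IP to FQDN.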

     

     

    clicerioneto
    New Member
    July 13, 2021

    Hi,

     

    Via the CLI, you can try disabling the parameter "server-identity-check" in the LDAP configuration.

    orech
    New Member
    May 27, 2022

    You probably use the IP address of the LDAP server. Try using the DNS name of the LDAP server instead of the IP address. This was my case, but I didn't read carefully "name is resolved by FQDN from Fortigate".

    FG_MS
    Visitor III
    September 12, 2022

    In my case this helped. I had exactly the same problem. I changed the IP to the FQDN and it works.
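The two fixes suggested so far (disable server-identity-check, or address the DC by FQDN) are not equivalent. As an added example that no poster provided, here is the FortiOS `config user ldap` object both ways: the weak form that makes the error go away by not verifying who the FortiGate is talking to, and the corrected form that keeps the check and makes it pass. The object name, server FQDN, bind DN, CA certificate name and test account are assumptions for illustration.

```text
# Added example, not from the thread. Names are illustrative.

# Weak form: identity check disabled and the DC addressed by IP. The TLS
# session is encrypted, but the FortiGate never checks that the certificate
# belongs to the DC it dialed, so any host answering on that IP with any
# certificate the CA signed (or, with no CA configured, any certificate) will do.
config user ldap
    edit "AD-LDAPS"
        set server "192.0.2.10"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check disable
    next
end

# Corrected form: server set to the FQDN that appears in the DC certificate's
# SAN, the issuing CA (public or internal) imported on the FortiGate and
# referenced as ca-cert, and the identity check left enabled. The name now
# matches and the connection is both encrypted and authenticated.
config user ldap
    edit "AD-LDAPS"
        set server "dc01.corp.example.com"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password <bind-password>
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end

# Verify the bind from the FortiGate itself instead of only from a Windows PC:
diagnose test authserver ldap "AD-LDAPS" <ad-user> <ad-password>
```

The corrected form only works if the FortiGate can resolve dc01.corp.example.com through its configured DNS servers, which is why the earlier reply about using the DNS name instead of the IP matters: the name in the server field is what gets compared against the certificate.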

     

    warshad
    Staff
    May 29, 2022

    Hi Tutek,

     

    Please check whether you are receiving any traffic at the FortiGate interface. You can test it in a different way.

     

    Does the ping work?

    If not, run a sniffer as follows:

    diag sniffer packet any 'host <LDAP-IP>' 4 0 a

    It will show you whether there is traffic, on which interface it is leaving and what that traffic might be. ICMP should at least leave the FortiGate (and hopefully get a response as well).

    If you are sure which interface the traffic must exit:

    diag sniffer packet <interface> 4 0 a

    Then leave this running for some time. You might see ARP requests for the IP that are not getting responses.

     

     

    ahmadswa
    Explorer
    July 3, 2022

    Hi All,

     

    I am facing the same issue; has anyone figured it out?

     

     

    warshad
    Staff
    July 3, 2022

    Hi,

     

    Do you see any traffic at the FortiGate interface? Please run the sniffer as follows:

    diag sniffer packet any 'host <LDAP-IP>' 4 0 a

     

    ahmadswa
    Explorer
    July 4, 2022

    Hi warshad,

     

    Thank you for your reply. There is traffic, since I have already connected it by LDAP;

    only LDAPS is not working properly.

    I have uploaded the CA certificate of the domain controller to the firewall, although setting the Certificate option to "Empty" results in "Can't contact LDAP server".

     

    find screenshots below

     

    Thanks in advance.

    [Four screenshots were attached to this post: 2022-07-04_093748.jpg, 2022-07-04_093634.jpg, 2022-07-04_093615.jpg, 2022-07-04_094158.jpg]

    manitc
    New Member
    October 22, 2022

    In my case, the DC was behind a firewall. I had to open ports tcp/636 and 3269.