Cannot contact LDAP Remote server

Forum|Forum|7 years ago
February 1, 2019
2 replies
12815 views

We have successfully configured Fortigate to authenticate SSLVPN users with remote ldap server, using LDAPS from AzureAD.

Now we are trying to implement FortiAuthenticator as we wish to implement MFA

On the FAC, when trying to setup the ldap server, we fail to import the users.

It fails with the following message:

Query failed: ldap_simple_bind_s failed: Can't contact LDAP server error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

I cannot figure out what I need to do. Ldap on Azure requires to run on port 636.

On the FAC, I selected Secure Connection and LDAPS protocol. Somehow I obliged to select one of the built-in FAC CA certificate, which is not required on the Fortigate, and this seems to be the issue.

Has someone an idea of what needs to be done?

Has someone been able to setup a remote LDAP server on FAC using AzureAD LDAPS service?

Thanks

LDAP

Ricardo_Tomas

New Member

Not sure it will help, but in my case I had to add my LDAP CA to trusted CAs.

I’m guessing you will need to get the Azure CA certificate, add it to: Certificate Management -> certificate Authorities -> Trusted CAs.

Then Fortiauthenticator must be able to go to internet to check the certificate presented from the Azure LDAP against the CA.

v20100Author

New Member

Thanks Ricardo

I added the AzureAD certificate but it did not make a difference

At the moment, I have all outgoing traffic allowed.

For a short period, I also allowed all incoming, to make sure I was not blocking anything but that did not make a difference.

Will try to see if I can help from Fortinet Support. It is a trial version of FortiAuthenticator (we want to test 2FA on multiple Fortigate using AzureAD LDAPS), and I am not sure if Support helps in these cases

Cheers