andmag
New Member
May 11, 2017
Question

FG not trying to contact LDAP

  • May 11, 2017
  • 2 replies
  • 29274 views

Hi!

Running Fortigate 1200D cluster in Vdom mode.

I have configured an LDAP Server and there is no problem browsing the AD from the settings in the GUI, and the testing function in the GUI reports success. Logs in AD show the user logging in and doing some credential lookup. All good!

But testing with an AD user in the CLI totally fails and I see no attempts from the FG to log in to AD at all.

Telnet from the CLI on port tcp 389 is also successful. I have opened a ticket at Fortinet but it is sloooooow, probably the time difference to Sweden :)

Could we solve this before the official support? :D


-- Debug

    ## diagnose test authserver ldap ENVDC01 amagnusson XXXXXXXX
    [1938] handle_req-Rcvd auth req 1356397311 for amagnusson in ENVDC01 opt=0000001b prot=0
    [345] __compose_group_list_from_req-Group 'ENVDC01'
    [694] fnbamd_pop3_start-amagnusson
    [976] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'ENVDC01'
    [984] resolve_ldap_FQDN-Resolved address 172.16.9.50, result 172.16.9.50
    [1352] fnbamd_ldap_init-search filter is: sAMAccountName=amagnusson
    [1355] fnbamd_ldap_init-search base is: dc=envirotainer,dc=com
    [1495] fnbamd_ldap_start-Error in ldap_sasl_bind
    [441] ldap_start-Failed to start ldap request for 172.16.9.50
    [456] create_auth_session-Error starting authentication
    [1957] handle_req-Error creating session
    [180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 1356397311
    authenticate 'amagnusson' against 'ENVDC01' failed!


-- Config

    config user ldap
        edit "ENVDC01"
            set server "172.16.9.50"
            set cnid "sAMAccountName"
            set dn "dc=envirotainer,dc=com"
            set type regular
            set username "CN=SER081,OU=Service Accounts,OU=Accounts,OU=Envirotainer,DC=envirotainer,DC=com"
            set password XXXXXXXXXXXXXXXXXXXXXXXXXXX
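The debug output above, as the page rendered it, runs several fnbamd records together on one line, which makes the failing step easy to miss. The following is an added example (not part of the original post and not a Fortinet tool) that splits such output back into records and pulls out the resolved server address, the search filter and base, the first error record and the result code. It assumes only the record shape visible in the post, `[<line>] <function>-<message>`; the sample input is constructed from the post's own lines.

```python
"""Split pasted fnbamd debug output into records and locate the failing step.

Added example, not part of the forum post and not a Fortinet tool. The only
assumption about the fnbamd format is what the post shows: each record is
"[<line>] <function>-<message>", and the web page ran several records together
on one line. The sample below is constructed from the post's own output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the records from the original post, as the page rendered
# them (several records per line, the final summary without a "[line]" prefix).
SAMPLE = (
    "[1938] handle_req-Rcvd auth req 1356397311 for amagnusson in ENVDC01 opt=0000001b prot=0 "
    "[345] __compose_group_list_from_req-Group 'ENVDC01' [694] fnbamd_pop3_start-amagnusson "
    "[976] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'ENVDC01' "
    "[984] resolve_ldap_FQDN-Resolved address 172.16.9.50, result 172.16.9.50 "
    "[1352] fnbamd_ldap_init-search filter is: sAMAccountName=amagnusson\n"
    "[1355] fnbamd_ldap_init-search base is: dc=envirotainer,dc=com\n"
    "[1495] fnbamd_ldap_start-Error in ldap_sasl_bind "
    "[441] ldap_start-Failed to start ldap request for 172.16.9.50 "
    "[456] create_auth_session-Error starting authentication "
    "[1957] handle_req-Error creating session "
    "[180] fnbamd_comm_send_result-Sending result 3 (error 0) for req 1356397311 "
    "authenticate 'amagnusson' against 'ENVDC01' failed!"
)

# One record: "[<line>] <function>-<message>"; the message runs until the next
# record header or the end of the text, so run-together lines split correctly.
RECORD_RE = re.compile(r"\[(\d+)\]\s+(\w+)-(.*?)(?=\s*\[\d+\]\s+\w+-|\Z)", re.S)


@dataclass
class Record:
    line: int   # source line number fnbamd prints in brackets
    func: str   # fnbamd function that logged the record
    msg: str


def parse_fnbamd(text: str) -> List[Record]:
    """Return the records in order, one per "[line] func-" header."""
    return [Record(int(n), f, m.strip()) for n, f, m in RECORD_RE.findall(text)]


def first_error(records: List[Record]) -> Optional[Record]:
    """First record whose message opens with fnbamd's 'Error' / 'Failed' wording."""
    for r in records:
        if r.msg.lower().startswith(("error", "failed")):
            return r
    return None


def summarize(text: str) -> Dict[str, object]:
    """Pull out what a troubleshooter wants first: target, query, failing step, result."""
    records = parse_fnbamd(text)
    info: Dict[str, object] = {"server": None, "filter": None, "base": None,
                               "failed_at": None, "bind_failed": False,
                               "result_code": None}
    for r in records:
        if r.func == "resolve_ldap_FQDN":
            m = re.search(r"Resolved address ([^,\s]+)", r.msg)
            info["server"] = m.group(1) if m else None
        elif r.msg.startswith("search filter is:"):
            info["filter"] = r.msg.split(":", 1)[1].strip()
        elif r.msg.startswith("search base is:"):
            info["base"] = r.msg.split(":", 1)[1].strip()
        elif r.func == "fnbamd_comm_send_result":
            m = re.search(r"Sending result (\d+)", r.msg)
            info["result_code"] = int(m.group(1)) if m else None
    err = first_error(records)
    if err is not None:
        info["failed_at"] = f"[{err.line}] {err.func}-{err.msg}"
        # In this output the bind error precedes any search record, so the user
        # lookup never ran; everything after it is the session being torn down.
        info["bind_failed"] = "bind" in err.msg.lower()
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:12} {value}")
```

Run against the pasted output, the summary shows the address fnbamd resolved, the filter and base it intended to use, and that the first error is the bind itself, which is the step to focus on before looking at group or search settings.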


rwpatterson
New Member
May 11, 2017

The working AD credentials I have are:

    edit "LDAP-AD_DC01"
        set server "192.168.1.158"
        set cnid "samaccountname"
        set dn "dc=ad,dc=company,dc=com"
        set type regular
        set username "cn=fortigate,cn=Managed Service Accounts,dc=ad,dc=company,dc=com"
        set password ENC /////+/sJ+m1GJREBTbkguglnn+ozh8LF6PNa5UIT97GAL1f1BZOVyroT5K2toP6mdJcaBc123wZegM1pR/xW4jmfVWOIUB23KYzSOCc73zajVj/X1SWHHtQsf873GGvmiPlRjNvgCoB3BQyQw5PnRFCiqp61S/p69vxmE1weRbBCIweJpuyJH39p85FA77vRfUCqw==
    next

As you see in mine, I didn't use any Organizational Units (OUs), I only used Containers (CNs) and it works like a charm. Try swapping those out and see where you get.

andmag
New Member
May 11, 2017

Thx for the reply, but there is no problem for the FortiGate to log into AD with the credentials provided; it is successful. The problem is when SSL users try to log in or I run diagnose test in the CLI: it fails. Packet trace shows that it does not even try to contact AD :(

rwpatterson
New Member
May 11, 2017

OK. Been a while since I had to configure from scratch. You are right. In order to authenticate SSL VPN users against AD, I used an LDAP query into the AD architecture. The way Fortigate works with FSAE/FSSO Ad authentication, it needs to know the user is logged into AD with FSAE/FSSO before it will grant outbound access. It cannot do that if the user is on the dirty side of the firewall. For this SSL VPN mechanism to work, you need to do an AD query as the user tries to authenticate with the SSL VPN portal. This is the primary reason you will never see an FSAE/FSSO inquiry when an SSL VPN user attempts to authenticate.

xsilver_FTNT
Staff
May 16, 2017

Hi andmag,

If you could run the fnbamd debug with console timestamps enabled, we could check the timing.

As we do not have that info, my advice is a bit of shooting from the hip.

I would suggest increasing the timeout value in system -> global -> ldapconntimeout (ms) and retrying.

Default is 500, which might not be enough for a slow or loaded LDAP server.

Tomas

emnoc
New Member
May 16, 2017

I have seen this error before, "[441] ldap_start-Failed to start ldap request for", when you have a route missing to the target LDAP server or are binding to the wrong source interface?

Suggestions:

Can you ping the object? Can you confirm your source-ip? Can you set the source-ip?

NOTE: keep in mind the diag test command does NOT always follow the set source-ip. I hate this and wish FTNT would fix it. Maybe in v5.10.x FortiOS they will add a switch to select the source address.

I still would suggest, when running diag test authserver, having 2 ssh consoles open: in one you would run the diag sniffer packet any "port 389 or 636" while running the diag test cmd in the other.

Ken

xsilver_FTNT
Staff
May 17, 2017

I think andmag stated that the GUI test button works and LDAP browse via the built-in LDAP browser also works from the FGT. So it did not seem to me like a connectivity or port issue.

What caught my attention is: [1495] fnbamd_ldap_start-Error in ldap_sasl_bind

That's why it seemed to me like timeout issue.

More could be seen from fnbamd with timestamps (diag debug console timestamp enable).

And I also guess that LDAP (non-S!) should work smoothly.
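emnoc's source-ip question and xsilver's ldapconntimeout suggestion are both things you can read straight out of a config dump before touching the box. Here is an added example (not from the thread and not a Fortinet tool) that parses FortiOS `show full-configuration`-style text and flags an LDAP server entry without `source-ip`, a global `ldapconntimeout` at or below the 500 ms default xsilver quotes, and a bind over plain LDAP (the `secure` keyword left at its default of `disable`), which sends the service-account password in clear. The keywords `source-ip`, `ldapconntimeout`, `secure` and `port` are real FortiOS keywords; the two config snippets are constructed from the poster's entry, and the `172.16.9.1` source address in the corrected one is a hypothetical FortiGate interface address.

```python
"""Audit a FortiOS LDAP configuration dump for the settings the replies point at.

Added example, not from the thread and not a Fortinet tool. It reads the text
FortiOS prints for `show full-configuration` (config / edit / set / next / end)
and flags: an LDAP server entry with no `source-ip` (emnoc's point), a global
`ldapconntimeout` at or below the 500 ms default xsilver mentions, and a plain
LDAP bind (`secure` at its default of `disable`). The sample configs are
constructed; the source-ip in the corrected one is a hypothetical address.
"""
import shlex
from typing import Dict, List

DEFAULT_LDAPCONNTIMEOUT_MS = 500  # FortiOS default, as stated in xsilver's reply

# Constructed: the poster's entry (password redacted as in the post) plus a
# system global block with the timeout left at its default.
WEAK_CONFIG = """\
config system global
    set ldapconntimeout 500
end
config user ldap
    edit "ENVDC01"
        set server "172.16.9.50"
        set cnid "sAMAccountName"
        set dn "dc=envirotainer,dc=com"
        set type regular
        set username "CN=SER081,OU=Service Accounts,OU=Accounts,OU=Envirotainer,DC=envirotainer,DC=com"
        set password XXXXXXXXXXXXXXXXXXXXXXXXXXX
    next
end
"""

# Constructed: the same entry with all three findings addressed. 172.16.9.1 is a
# hypothetical FortiGate interface address facing the DC, not taken from the post.
FIXED_CONFIG = """\
config system global
    set ldapconntimeout 2000
end
config user ldap
    edit "ENVDC01"
        set server "172.16.9.50"
        set cnid "sAMAccountName"
        set dn "dc=envirotainer,dc=com"
        set type regular
        set username "CN=SER081,OU=Service Accounts,OU=Accounts,OU=Envirotainer,DC=envirotainer,DC=com"
        set password XXXXXXXXXXXXXXXXXXXXXXXXXXX
        set secure ldaps
        set port 636
        set source-ip 172.16.9.1
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, str]]]  # section -> entry -> key -> value


def parse_fortios(text: str) -> Config:
    """Parse config/edit/set/next/end text; sections without 'edit' use entry ''."""
    tree: Config = {}
    stack: List[List[str]] = []  # [section, current entry] for each open 'config'
    for raw in text.splitlines():
        toks = shlex.split(raw.strip())  # honours the double quotes FortiOS emits
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
            stack.append([section, ""])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tree[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1][1] = ""
        elif cmd == "end":
            stack.pop()
    return tree


def audit_ldap(cfg: Config) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks pass."""
    findings: List[str] = []
    glob = cfg.get("system global", {}).get("", {})
    # An absent keyword means the default is in effect, so treat it as 500 ms.
    timeout = int(glob.get("ldapconntimeout", DEFAULT_LDAPCONNTIMEOUT_MS))
    if timeout <= DEFAULT_LDAPCONNTIMEOUT_MS:
        findings.append(f"system global: ldapconntimeout is {timeout} ms (default or lower); "
                        "raise it before blaming the bind on a slow or loaded DC")
    for name, entry in cfg.get("user ldap", {}).items():
        if not name:
            continue
        if "source-ip" not in entry:
            findings.append(f"user ldap {name}: no source-ip, so the egress address follows "
                            "routing; pin it to the interface the DC expects")
        if entry.get("secure", "disable") == "disable":
            findings.append(f"user ldap {name}: plain LDAP on port {entry.get('port', '389')}; "
                            "the service-account bind password crosses the wire in clear")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ldap(parse_fortios(text)) or ["no findings"])
```

The parser keeps a stack of open `config` blocks so nested sections do not confuse it, and the audit treats a missing `ldapconntimeout` line as the default rather than as "not set", which is how FortiOS behaves when `show` omits default values.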