deny_all
New Member
December 28, 2017
Question

Port only for LDAP Authentication

  • December 28, 2017
  • 1 reply
  • 7983 views

I see that FortiGate requires certificates for secure LDAP. I do not want to introduce certificates on my domain. Is it possible to setup a port just for LDAP (unsecure) authentication for users logging into an SSL VPN and have a different port be for the internal network for the VPN?

    1 reply

    emnoc
    New Member
    December 28, 2017

    Not following you. Let's back up a little, since what you stated is NOT correct:

    I see that FortiGate requires certificates for secure LDAP

    Incorrect. You can configure an LDAPS server and the FortiGate can query against that LDAPS server (636), and it does NOT need a client certificate.

    So if you have an LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.

    e.g.

    config user ldap
        edit LDAP1
            set secure ldaps
            set port 636
        next
    end


    deny_all
    deny_allAuthor
    New Member
    December 28, 2017

    emnoc wrote:

    Not following you. Let's back up a little, since what you stated is NOT correct:

    I see that FortiGate requires certificates for secure LDAP

    Incorrect. You can configure an LDAPS server and the FortiGate can query against that LDAPS server (636), and it does NOT need a client certificate.

    So if you have an LDAPS server today and want to query it, just enable LDAPS in the config user ldap settings and be done with it.

    e.g.

    config user ldap
        edit LDAP1
            set secure ldaps
            set port 636
        next
    end

    All of the docs that I've read have mentioned exporting a certificate from a domain controller and importing it into the FortiGate to get LDAPS working. In the GUI, when I enable secure connection on the LDAP server setup page, leave the certificate drop-down empty, save the config and then test the connection, the test fails. Is the command line configuration that you mentioned different from what I've done?

    emnoc
    New Member
    December 28, 2017

    Again: you do NOT need to import a certificate for LDAPS.

    Log in via the CLI.

    Do a "show full user ldap", review the settings, and check that the right port is enabled. Ensure that the ldap_client (fgt) is configured correctly. Run the CLI cmd diag system sniffer any "port 636" and look for layer 4 establishments.

    Reference my JumpCloud post from a previous deployment:

    http://socpuppet.blogspot.com/2017/03/jump-cloud-ldap-with-fortigate-for-user.html
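The reply above tells the poster to run "show full user ldap" and review whether the port and secure setting line up. The following script is an added example, not code from the thread or from Fortinet: it parses a pasted "show full user ldap" dump and flags the mismatch that makes a connection test fail (port 636 with secure left at disable sends plaintext LDAP to a TLS listener), plus the case where credentials would travel in cleartext. The dump embedded below is constructed for the example, and the bind password is a placeholder; the setting names secure, port and server are the ones FortiOS uses under config user ldap.

```python
import re

# Constructed sample of "show full user ldap" output (not a real device dump).
# LDAP1 is the misconfiguration the poster most likely has: port 636 selected
# but secure still at its default of disable. LDAPS-OK is the working shape.
SAMPLE_SHOW_FULL = '''
config user ldap
    edit "LDAP1"
        set server "10.0.0.5"
        set secondary-server ''
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=local"
        set password ENC PLACEHOLDER
        set secure disable
        set port 636
    next
    edit "LDAPS-OK"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set secure ldaps
        set port 636
    next
end
'''

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
BLOCK_END_RE = re.compile(r'^\s*(next|end)\s*$')


def parse_user_ldap(text):
    """Return {server_name: {setting: value}} for every edit block in the dump."""
    servers = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        if BLOCK_END_RE.match(line):
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip().strip('"').strip("'")
            servers[current][m.group(1)] = value
    return servers


def check_ldap_server(settings):
    """Return a list of findings for one LDAP server entry (empty list = looks consistent)."""
    findings = []
    secure = settings.get('secure', 'disable')   # FortiOS default when the line is absent
    try:
        port = int(settings.get('port', '389'))
    except ValueError:
        return [f"port value {settings.get('port')!r} is not a number"]

    if secure == 'disable':
        findings.append('secure is disable: bind credentials and user passwords travel in cleartext')
    if secure == 'disable' and port == 636:
        findings.append('port 636 with secure disable: plaintext LDAP is sent to an LDAPS listener, '
                        'so the server rejects the session and the connection test fails')
    elif secure == 'ldaps' and port != 636:
        findings.append(f'secure ldaps with port {port}: LDAPS normally listens on 636')
    elif secure == 'starttls' and port == 636:
        findings.append('starttls with port 636: STARTTLS upgrades a plaintext session, '
                        'which a 636 listener does not offer')
    if not settings.get('server'):
        findings.append('no server address configured')
    return findings


def audit(text):
    """Map each configured LDAP server name to its list of findings."""
    return {name: check_ldap_server(s) for name, s in parse_user_ldap(text).items()}


if __name__ == '__main__':
    for name, findings in audit(SAMPLE_SHOW_FULL).items():
        print(f'{name}: ' + ('OK' if not findings else ''))
        for f in findings:
            print(f'  - {f}')
```

Paste the real "show full user ldap" output in place of the constructed sample; an entry that comes back clean is the shape to keep, with secure set to ldaps and port 636, and no certificate imported on the FortiGate side.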