Gunnerman
New Member
March 12, 2020
Solved

Resolving LDAPS Server Name on Fortigate

  • March 12, 2020
  • 1 reply
  • 26207 views

Hello,

We have an LDAP connection to our DC set up on our Fortigate 60E (v6.2.2 build1010). We connect to the domain controller over a S2S VPN. Insecure connections on port 389 connect just fine. However, when I attempt to turn on LDAPS and issue the command:

    diagnose test authserver ldap SDC_LDAP <username> <password>

I get:

    authenticate '<username>' against 'SDC_LDAP' failed!

I have imported a CA cert into the Fortigate that is in the trusted CA store of the DC (SDC_LDAP) as well.

After a bit of troubleshooting, I believe I cannot connect via LDAPS because the Fortigate does not resolve the FQDN of the LDAP server IP, thus causing a cert validation failure. Entering the FQDN of the DC into the server field does not work because the Fortigate does not resolve the name to an IP address (a DNS resolution failure).

Using the Ldp utility from my desktop I get a similar result: I can connect via LDAPS just fine if and only if I use the DC hostname/FQDN. (The LDAPS Cookbook guide uses an IP address just fine. I am not using AD CS; I generated the root key pair via OpenSSL on a different box, so I am kind of curious what might be different here. Adding the IP to the cert seems a little janky to me.)

How do I best go about getting the Fortigate to resolve the name? I have changed the Fortigate's network DNS to use our DNS to no avail. Any help would be appreciated.

Thanks.

Best answer by Alivo__FTNT

1 reply

Alivo__FTNT
Staff
March 13, 2020

Hello,

In the fnbamd -1 debug you probably see a line similar to this:

    failed: ssl_connect() failed: 5 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).

The issue is likely that the SubjectAltName of the certificate does not contain the IP address which you are connecting to.

That is the IP or FQDN which you would use in config user ldap > set server ....

Fix (workaround):

If you edit the LDAP server in FortiGate:

    config user ldap
        edit <your ldap>
            set server-identity-check disable
        end

The check will be disabled and LDAPS will work. Authentication will not be affected at all.

By default, in 6.2, when you select a certificate for LDAPS, the option "set server-identity-check" is enabled.

Best Regards,

Alivo

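To make the failure mode in this reply concrete, here is an added example (not code from the thread or from Fortinet) that emulates the two halves of what the FortiGate does when it validates the DC's LDAPS certificate: chain trust against the imported CA, and the server identity check that compares the configured server value against the SubjectAltName. The SAN contents, FQDNs and IP address are constructed; `fetch_san()` assumes a reachable LDAPS server and a CA file on disk.

```python
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, '*' allowed only as the
    whole leftmost label (so *.corp.example matches sdc.corp.example but
    not a.b.corp.example)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def identity_check(server, san, enabled=True):
    """Return (ok, reason). `server` is what you would put in
    'config user ldap > set server'; `san` is the certificate's
    SubjectAltName as (type, value) pairs, the form ssl.getpeercert()
    returns. enabled=False reproduces 'set server-identity-check disable':
    chain trust is still required, but no name/IP matching is done."""
    if not enabled:
        return True, "server-identity-check disabled: chain trust only"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is satisfied only by an 'IP Address' SAN entry;
        # DNS entries never match it, which is the failure in this thread.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP %s present in SAN" % server
        return False, "no 'IP Address' SAN entry for %s; connect by FQDN or reissue the cert" % server
    for kind, value in san:
        if kind == "DNS" and _dns_name_matches(value, server):
            return True, "%s matches SAN DNS:%s" % (server, value)
    return False, "no DNS SAN entry matches %s" % server


def fetch_san(host, port=636, cafile=None):
    """Chain-validate the LDAPS server against `cafile` (like the CA
    imported on the FortiGate) but skip hostname matching, then return
    its SAN so identity_check() can tell you which value would pass."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # identity handled by identity_check()
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain trust still enforced
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


# Constructed sample: the DC's certificate names only the FQDN, as in the thread.
SAMPLE_SAN = [("DNS", "sdc.corp.example"), ("DNS", "*.corp.example")]

if __name__ == "__main__":
    for target in ("192.0.2.10", "sdc.corp.example"):
        print(target, identity_check(target, SAMPLE_SAN))
    print("192.0.2.10", identity_check("192.0.2.10", SAMPLE_SAN, enabled=False))
```

Disabling the check keeps the CA trust requirement but drops the binding between the configured server and the certificate, so a certificate issued by the same CA for any other host would also be accepted; adding the IP (or a resolvable FQDN) to the SAN restores that binding.
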
Gunnerman (Author)
New Member
March 16, 2020

Hi, and thanks for the reply.

Issue is likely that the SubjectAltName of the certificate does not have IP address which you are connecting to.

It is the IP or FQDN which you would use in config user ldap > set server ....

Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the IP in the cert); however, I am having a hard time getting the Fortigate to resolve the FQDN. I have set up the Fortigate as a slave DNS server and pointed the Fortigate system DNS to itself, and pings to the FQDN from the CLI still fail.

I have enabled your workaround for now.

Thanks again.

dstainebze
New Member
January 14, 2021

Alivo, thanks for that tip, it worked well for me.

Regards,