locaol
Visitor III
November 5, 2024
Solved

Trouble with LDAP authentication

  • November 5, 2024
  • 3 replies
  • 5597 views

Hello,


I'm having trouble setting up LDAP authentication: my LDAP server seems to be well configured; Connectivity and User Credentials work from the GUI.

From console, I try:


diagnose test authserver ldap "LDAP TEST" ldapreader password
diagnose test authserver ldap "LDAP TEST" myaccount password


ldapreader is the username set for the connection to LDAP; myaccount is my username.

Each time I get: authenticate 'account' against 'LDAP TEST' failed! (account is the account I test)


I've tried many settings for the User group, adding my user (from LDAP) or adding a remote group I'm in, but it doesn't work.


Product: Fortigate v7.4.4


Best answer by ndumaj

Hello @locaol 

Starting from FGT 7.4.4, the FGT requires the Root CA (issuer) to be uploaded to the FGT; please review the following article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-STARTTLS-certificate-issuer-enforcement/ta-p/316854

Also, self-signed certificates cannot be verified by FGT.

BR

3 replies

AEK
SuperUser
November 5, 2024

Hello

Your syntax is correct.

In case the password contains special characters, can you just try putting it between quotes?

AEK
maulishshah
Staff
November 5, 2024

Hello @locaol ,


Can you please follow this article to identify the reason? 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-LDAP-troubleshooting-and-debug/ta-p/196280


Please run the following commands to identify what could be the reason for failed authentication.


FGT# diagnose debug enable
FGT# diagnose debug application fnbamd 255

Note: Then run your test


diagnose test authserver ldap "LDAP TEST" ldapreader password


Thank you. 

locaol (Author)
Visitor III
November 6, 2024

I think the trouble is with the LDAP certificate:

[1666] __verify_cb-Cert error 20, unable to get local issuer certificate. Depth 0. Subject '/CN=MYAD01.domain.dmn'
[1345] __ldap_tcps_connect-tcps_connect(192.168.1.1) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).

I'll try to correct that.

The strange thing is that when I use the GUI, it works, using STARTTLS or LDAPS.
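
As an added example (not part of the original thread and not Fortinet's code), the following shell script reproduces the OpenSSL "error 20 ... unable to get local issuer certificate" that fnbamd logged above with a lab PKI generated locally, then shows the same server certificate verifying once its issuing Root CA is supplied as the trust anchor, which is what the accepted answer asks for (uploading the Root CA to the FGT). The CA name "Lab Root CA", the temporary file names and the reuse of the host name MYAD01.domain.dmn from the debug line are assumptions; it only requires the openssl CLI.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 ("unable to get local issuer
# certificate") with a constructed lab PKI, then show the fix of trusting the
# issuing Root CA. Everything below is generated here; nothing is real.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed lab PKI (assumption: names are illustrative). The Root CA is
# private, so it is not in this host's default trust store, just as an internal
# AD CA is unknown to a FortiGate until that CA certificate is uploaded.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=MYAD01.domain.dmn" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ldap.pem" >/dev/null 2>&1

# verify_without_ca: the server cert checked against a trust store that does
# not contain its issuer. Prints openssl's diagnostics and returns non-zero;
# the message is the "Cert error 20 ... Depth 0" fnbamd reported.
verify_without_ca() {
    openssl verify "$WORK/ldap.pem" 2>&1
}

# verify_with_ca: the same cert, now with the Root CA (issuer) supplied as the
# trust anchor. Returns 0 and prints "<path>/ldap.pem: OK".
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/ldap.pem" 2>&1
}

echo "== without the Root CA in the trust store =="
verify_without_ca || echo "(openssl verify exited with status $?)"
echo "== with the Root CA trusted =="
verify_with_ca
```

Against a live directory server the chain the FortiGate sees can be pulled the same way, with `openssl s_client -connect <server>:636 -showcerts` for LDAPS or `openssl s_client -starttls ldap -connect <server>:389 -showcerts` for STARTTLS; the issuer of the last certificate in that chain is the Root CA that has to be trusted by the verifier.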

maulishshah
Staff
November 6, 2024

Hi, can you please provide the configuration of the LDAP server?


show user ldap 


salmas
Staff
November 5, 2024

Hello @locaol ,

You can try another syntax just for testing and put the password between quotes as @AEK suggested.

diagnose test authserver ldap LDAP\ TEST ldapreader "password"