markdr_FTNT
Staff
October 25, 2024

Technical Tip: mailNickName attribute prevents LDAP authentication from working

Description

This article describes an issue where using the mailNickName attribute prevents LDAP authentication from working.

Scope

FortiAuthenticator v6.5.5.
Solution

An issue may be seen whereby LDAP authentication fails when the mailNickName attribute is used to authenticate via FortiAuthenticator using LDAP.

 

In this scenario, only certain username formats will be accepted, with the 'mailNickName' Active Directory format being rejected when logging in.

 

The FortiAuthenticator RADIUS debugs (which can be viewed at: https://<FortiAuthenticator-IP-Address>/debug) will show something similar to the following:

 

===================================
WARNING: Warning: username is not a valid mailNickName as required by remote LDAP server: 'user.test'
ERROR: Unexpected empty upn_username.
update_fac_authlog:161 nas_str = FAC_GUI:2~10.1.2.3.
Updated auth log 'user.test' for attempt from FAC_GUI:2~10.1.2.3: Remote LDAP user authentication from 10.1.2.3 with no token failed: invalid user
facauth: facauth: print reply attributes of request id 2:
[facauth] = reject
} # Auth-Type FACAUTH = reject
Failed to authenticate the user
===================================
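When triaging LDAP failures, it helps to separate this specific signature (mailNickName warning, empty upn_username, then an 'invalid user' reject) from ordinary rejections such as a bad password. The following parser is an added example and not part of the original tip or of any Fortinet tool; the sample text is constructed from the debug excerpt above, and the second sample is a constructed counter-example with a different failure reason.

```python
import re

# Constructed sample: the FortiAuthenticator RADIUS debug excerpt from the tip above.
SAMPLE_DEBUG = """\
WARNING: Warning: username is not a valid mailNickName as required by remote LDAP server: 'user.test'
ERROR: Unexpected empty upn_username.
update_fac_authlog:161 nas_str = FAC_GUI:2~10.1.2.3.
Updated auth log 'user.test' for attempt from FAC_GUI:2~10.1.2.3: Remote LDAP user authentication from 10.1.2.3 with no token failed: invalid user
facauth: facauth: print reply attributes of request id 2:
[facauth] = reject
} # Auth-Type FACAUTH = reject
Failed to authenticate the user
"""

# Constructed counter-example: an ordinary rejection that does NOT carry the mailNickName signature.
SAMPLE_OTHER = """\
Updated auth log 'user.test' for attempt from FAC_GUI:3~10.1.2.3: Remote LDAP user authentication from 10.1.2.3 with no token failed: invalid password
[facauth] = reject
Failed to authenticate the user
"""

# Patterns for the individual lines of the signature; the username is captured from the warning.
MAILNICK_WARNING = re.compile(
    r"username is not a valid mailNickName as required by remote LDAP server: '(?P<user>[^']*)'"
)
EMPTY_UPN = re.compile(r"Unexpected empty upn_username")
AUTHLOG = re.compile(
    r"Updated auth log '(?P<user>[^']*)' for attempt from (?P<nas>\S+): .*? failed: (?P<reason>.+)$"
)
REJECT = re.compile(r"^\[facauth\] = reject$")


def parse_debug(text: str) -> dict:
    """Walk the debug output line by line and collect the fields relevant to this issue."""
    result = {
        "mailnickname_warning": False,  # the 'not a valid mailNickName' warning was seen
        "rejected_username": None,      # username quoted in that warning
        "empty_upn": False,             # 'Unexpected empty upn_username' was seen
        "nas": None,                    # NAS string from the auth log line
        "failure_reason": None,         # text after 'failed:' in the auth log line
        "rejected": False,              # '[facauth] = reject' was seen
    }
    for line in text.splitlines():
        line = line.strip()
        if m := MAILNICK_WARNING.search(line):
            result["mailnickname_warning"] = True
            result["rejected_username"] = m.group("user")
        elif EMPTY_UPN.search(line):
            result["empty_upn"] = True
        elif m := AUTHLOG.search(line):
            result["nas"] = m.group("nas")
            result["failure_reason"] = m.group("reason").rstrip(".")
        elif REJECT.match(line):
            result["rejected"] = True
    return result


def matches_mailnickname_bug(text: str) -> bool:
    """True only when the full signature from the tip is present: the mailNickName warning,
    the empty upn_username error, a reject, and an 'invalid user' failure reason."""
    r = parse_debug(text)
    return (
        r["mailnickname_warning"]
        and r["empty_upn"]
        and r["rejected"]
        and r["failure_reason"] == "invalid user"
    )


if __name__ == "__main__":
    for label, sample in (("bug sample", SAMPLE_DEBUG), ("other sample", SAMPLE_OTHER)):
        r = parse_debug(sample)
        print(f"{label}: match={matches_mailnickname_bug(sample)} "
              f"user={r['rejected_username']} nas={r['nas']} reason={r['failure_reason']}")
```

Paste the text captured from https://<FortiAuthenticator-IP-Address>/debug into `parse_debug`; a `True` from `matches_mailnickname_bug` means the failure lines up with this firmware issue rather than with a credential or LDAP connectivity problem, which is worth confirming before opening a support case.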


This issue has been confirmed to be a bug in the current (October 2024) firmware, v6.5.5.

 

Contact Fortinet technical support for a special release build to work around this issue, or upgrade to FortiAuthenticator v6.5.6 or later once it is released.