Description

This article describes an issue where the LDAP server connection status shows 'Can't contact LDAP server' even though 'Secure Connection' is enabled under the LDAP Server settings and the CA certificate has been imported and selected in the 'Certificate' field correctly as per these instructions.

Scope

FortiGate v6.x and v7.x.

Solution
In the packet captures, the client (FortiGate) sent 'Alert (Level: Fatal, Description: Bad Certificate)' to the server. This TLS alert is sent when the IP/FQDN configured for the LDAP server does not match the Common Name (CN) of the server certificate.

By default, the FortiGate verifies the identity of the LDAP server certificate: the certificate's Common Name (CN) field must match the IP address or FQDN configured for the LDAP server. If this check fails, the connection fails. It is necessary to make sure the Common Name (CN) resolves to the IP address of the LDAP server (configure the server by its FQDN rather than by IP when the certificate was issued to the FQDN).
As a workaround, disable 'server-identity-check' under the LDAP Server settings in the GUI or CLI:

    config user ldap
        edit "Test_LDAP"
            set server-identity-check disable    <-- Enabled by default when 'Secure Connection' is enabled.
        next
    end
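To see why the identity check fails before reaching for the workaround, it helps to run the same comparison yourself: fetch the LDAPS server certificate and check the configured IP/FQDN against the names in it. The script below is an added example, not Fortinet code; the matching logic follows the usual TLS client rules (subjectAltName entries first, Common Name as a fallback), which is a superset of the CN-only check the article describes. The host names, the IP address and the sample certificate dictionary are constructed for illustration, and `fetch_peer_cert` is only needed when you want to inspect a live server (it verifies the chain against the system trust store, or against the CA file you imported on the FortiGate).

```python
import ipaddress
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for an LDAPS
# server certificate issued to the FQDN only (hypothetical names). A FortiGate
# pointed at this server by IP address fails the identity check.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}


def _dns_match(pattern, host):
    """Compare a DNS name from the certificate with the configured host,
    case-insensitively, allowing a single leading '*.' wildcard label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def identity_check(cert, server):
    """Return (ok, reason). `server` is the IP or FQDN configured on the
    LDAP server object; `cert` is a getpeercert()-style dict."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    common_names = [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

    if ip is not None:
        # Server configured by IP: only an IP SAN (or a CN holding the literal
        # IP, for certificates without SANs) can satisfy the check.
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, "IP matches a subjectAltName IP entry"
        if not sans and server in common_names:
            return True, "IP matches the Common Name (no SAN present)"
        return False, ("server is configured by IP %s but the certificate "
                       "was issued to %s" % (server, ", ".join(common_names)))

    # Server configured by FQDN: DNS SANs take precedence, CN is a fallback.
    dns_sans = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(v, server) for v in dns_sans):
        return True, "FQDN matches a subjectAltName DNS entry"
    if not dns_sans and any(_dns_match(v, server) for v in common_names):
        return True, "FQDN matches the Common Name (no DNS SAN present)"
    return False, "neither subjectAltName nor Common Name matches %s" % server


def fetch_peer_cert(host, port=636, ca_file=None, timeout=5):
    """Open a TLS connection to an LDAPS server and return its certificate as
    a dict. Python's own hostname check is disabled so that identity_check()
    can report the mismatch instead of the connection failing opaquely; the
    certificate chain is still verified (CERT_REQUIRED)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # mismatch is reported by identity_check()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration with the constructed certificate: the same server
    # passes when configured by FQDN and fails when configured by IP.
    for configured in ("ldap.example.com", "10.0.0.5"):
        ok, reason = identity_check(SAMPLE_CERT, configured)
        print("%-18s %s: %s" % (configured, "OK" if ok else "FAIL", reason))
```

When the IP-configured case fails, the durable fix is to enter the server's FQDN in the LDAP server object (or have the certificate reissued with an IP subjectAltName) rather than disabling `server-identity-check`, which also removes the protection against a spoofed LDAP server.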
Copyright 2024 Fortinet, Inc. All Rights Reserved.