FortiGate
hbac
Staff
Article Id 251563
Description

This article describes an issue where the LDAP connection status shows 'Can't contact LDAP server' even though ‘Secure Connection’ is enabled under the LDAP Server settings and the certificate has been imported and selected correctly under the ‘Certificate’ field, as per these instructions.


Scope

FortiGate v6.x and v7.x.
Solution

In the packet captures, the client (FortiGate) sent ‘Alert (Level: Fatal, Description: Bad Certificate)’ to the server.

This alert is sent when the IP/FQDN configured for the LDAP server on the FortiGate does not match the Common Name (CN) of the certificate presented by the server.



By default, the FortiGate verifies the identity of the server certificate: the Common Name (CN) of the LDAP certificate must match the IP or FQDN configured for the LDAP server. If this check fails, the connection fails.

To keep the check enabled, make sure the LDAP server is configured with the name in the certificate's Common Name (CN) and that this name resolves to the IP address of the LDAP server.
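To see which side of the check is failing before changing anything, the identity comparison can be reproduced offline. The following is an added example, not code from this article or from FortiOS; it models the check on a constructed certificate in the dictionary shape Python's ssl.getpeercert() returns, and (going slightly beyond the article) also honours Subject Alternative Name entries and a single leading wildcard.

```python
import ipaddress

# Constructed sample: the LDAP server certificate names only its FQDN,
# which is the situation that produces 'Bad Certificate' when the
# FortiGate has the server configured by IP address.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}

def _identities(cert):
    """Collect DNS and IP identities: SAN entries first, CN only as fallback."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:  # no SAN present: fall back to the CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips

def _dns_match(pattern, host):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return pattern == host

def identity_check(cert, server):
    """True when 'server' (the IP or FQDN set under 'config user ldap')
    matches an identity carried by the certificate."""
    dns, ips = _identities(cert)
    try:
        return ipaddress.ip_address(server) in ips
    except ValueError:
        host = server.lower().rstrip(".")
        return any(_dns_match(p, host) for p in dns)

def diagnose(cert, server):
    """Summarise the outcome the way an operator would want to read it."""
    if identity_check(cert, server):
        return "OK: server identity matches the certificate"
    dns, ips = _identities(cert)
    names = dns + [str(i) for i in ips]
    return "MISMATCH: '%s' is not among the certificate identities %s" % (server, names)
```

Run diagnose(SAMPLE_CERT, "10.0.0.5") against the constructed certificate to reproduce the mismatch, and diagnose(SAMPLE_CERT, "ldap.example.com") to see the configuration that passes.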


As a workaround, disable ‘server-identity-check’ under the LDAP Server settings on the GUI or CLI:


config user ldap
    edit "Test_LDAP"
        set server-identity-check disable    <-- Enabled by default when 'Secure Connection' is enabled.
    end