Description | This article describes how to identify an LDAPS connection issue from the packet in which the server replies with its SSL certificate. |
Scope | FortiGate. |
Solution |
To perform a packet capture from the GUI:
Go to Network -> Packet Capture and create a new filter to capture the LDAPS server traffic.
Download and open the captured PCAP file with Wireshark.
Apply the display filter “tcp.port==636”.
In the capture, examine the packet in which the server replies with its Hello and certificate to identify the server certificate details, then check them against the following FortiGate configurations.
1). Determine whether the CA certificate has been imported correctly, so that FortiGate will accept LDAP server certificates signed by that CA certificate.
2). Make sure FortiGate is able to resolve the server certificate common name to the correct IP address.
# exec ping winsvr16.fortilab.local
PING winsvr16.fortilab.local (10.165.2.110): 56 data bytes
64 bytes from 10.165.2.110: icmp_seq=0 ttl=128 time=0.4 ms
3). Check and update the LDAP Server setting so that it refers to the LDAP server certificate common name.
# config user ldap
    edit "LDAPS"
        set server "winsvr16.fortilab.local"   <<<
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end
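The same certificate checks as steps 1) and 3), carried out offline with openssl, as an added example that is not part of the Fortinet article. It assumes the server certificate from the capture has been saved in PEM form and the CA imported as "CA_Cert_1" is available as PEM; the certificates it generates are constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the Fortinet article: reproduces the certificate
# checks behind steps 1) and 3) offline with openssl, against the server
# certificate saved in PEM form (for example, exported from the Certificate
# handshake message in the capture) and the CA that was imported into FortiGate
# as "CA_Cert_1". Assumes openssl 1.1.1 or later plus mktemp, sed and grep.
# Every certificate below is constructed locally for the demonstration.
SERVER_NAME="winsvr16.fortilab.local"   # the value given to "set server"
WORK=$(mktemp -d)

# Minimal config so the constructed root carries basicConstraints CA:TRUE.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

# Constructed material: the CA imported as CA_Cert_1, an unrelated CA, and a
# server certificate issued by CA_Cert_1 whose CN and SAN carry the LDAP name.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Fortilab Root CA" -keyout "$WORK/ca.key" -out "$WORK/CA_Cert_1.pem" 2>/dev/null
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/Other_CA.pem" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=$SERVER_NAME" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/CA_Cert_1.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
# Step 1): the imported CA must verify the server certificate's chain.
ca_signs_server() {              # $1 = CA PEM, $2 = server PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Subject CN of the server certificate: the name to resolve in step 2) and to
# configure with "set server" in step 3).
cert_common_name() {             # $1 = server PEM
  openssl x509 -noout -in "$1" -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
# Step 3): the configured server name must match the certificate (SAN, else CN).
name_matches_cert() {            # $1 = configured server name, $2 = server PEM
  openssl x509 -in "$2" -checkhost "$1" 2>/dev/null | grep -q 'does match'
}
ca_signs_server "$WORK/CA_Cert_1.pem" "$WORK/server.pem" && echo "CA_Cert_1 signs server.pem"
ca_signs_server "$WORK/Other_CA.pem" "$WORK/server.pem" || echo "Other_CA does not: FortiGate would reject"
echo "certificate CN: $(cert_common_name "$WORK/server.pem")"
name_matches_cert "$SERVER_NAME" "$WORK/server.pem" && echo "set server \"$SERVER_NAME\" matches"
name_matches_cert "10.165.2.110" "$WORK/server.pem" || echo "set server by IP would not match"
```

A server name configured as the IP address rather than the certificate name fails the last check, which is the mismatch step 3) is meant to catch.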
Copyright 2024 Fortinet, Inc. All Rights Reserved.