Description
This article describes how to configure LDAP over SSL with an example scenario. The LDAP traffic is secured by SSL.
Scope
FortiGate.
Solution
In this scenario, a Microsoft Windows Active Directory (AD) server is used as the Certificate Authority (CA). Certificate services have been added as a role and the CA certificate is available for export already.
Prerequisites.Before performing the steps below, install the Active Directory Certificate Services role first as the Certification Authority.
To install Active Directory Certificate Services:
- Open the Server Manager. In the Server Manager, select Manager -> Add Roles and Features in the top right corner. Select Next until the Server Roles section appears.
- Select Active Directory Certificate Services and select Add Features:
-
Select Next until the Role Services section appears. Select Certification Authority.
-
Select Next and finish the installation. After the installation has finished, select Configure Active Directory Certificate Services on the destination server.
-
A new window will pop up. Select Next and ensure Certification Authority is checked under Role Services then select Next.
-
Select Enterprise CA. If the Enterprise CA cannot be selected, ensure to be logged in as the Administrator in the AD Domain.
-
Continue to select Next until the final screen is reached. The rest of the options can be left on default. Choose to configure them differently according to the requirements.
-
After selecting Configure, the configuration should succeed as such. Select Close when it is done.
Follow the steps below to configure LDAPS.
Configure LDAPS on the Microsoft Windows Certificate Authority server:
- On the Active Directory server, open the MMC (Microsoft Management Console). Go to File and select Add/Remove Snap-in, then select Certificates and select Add:
-
Select Computer account:
-
Select Local computer and select Finish:
-
The Certificates section appears on the left-hand side. Expand the tree and go to Personal -> Certificates. Then, select the root certificate. In the intended Purpose column, it shows <All>. Go to All Tasks and select Export:
Note:
If this certificate is not imported then the error can be encountered when uploading this certificate on FortiGate about 'This certificate is not a CA certificate'.
-
When the Certificate Export Wizard appears, select Next:
-
Do not Export the Private Key:
-
Select the DER file format:
-
Specify the name of the file and select Next:
-
Complete the Certificate Export Wizard and select Finish:
A message to indicate that the wizard process was completed will appear.
Configure LDAPS on the FortiGate:
- Import the CA Certificate that was exported in the steps earlier to the FortiGate. To do this, go to System -> Certificates, select Import CA Certificate and upload the file:
-
Create a new 'LDAPS' server in the GUI and select the imported certificate:
Note:
- Before v7.4.4, if no certificate is selected, FortiGate will accept any data from the LDAPS server.
- After v7.4.4, the CA certificate is required even if not specified in the LDAPS config.
- See: Technical Tip: LDAPS connections no longer work after update to v7.4.4
- For lower versions, if a certificate is selected, FortiGate will only accept certificates signed by that CA certificate.
(Optional) Debugging processes:
Use packet capture and sniffer to verify the communication between FortiGate and the AD server. After a 3-way handshake, data transaction between the client and server will be visible:
'Hello Exchange' -> Client Hello -> Server Hello -> Server Hello Done.
The certificate sent by the LDAPS server can be seen in the packet, labeled as 'Certificate, Client Key Exchange, …'.
Unlike regular LDAP over TCP/389, it is not possible to see LDAP queries and replies. However, a non-secure LDAP can be useful for troubleshooting purposes.
diagnose sniffer packet any "host 192.168.252.133 and port 636"
interfaces=[any]
filters=[host 192.168.252.133 and port 636]
3.653907 192.168.252.187.11640 -> 192.168.252.133.636: syn 2104591803
3.655022 192.168.252.133.636 -> 192.168.252.187.11640: syn 3985690082 ack 2104591804
3.655066 192.168.252.187.11640 -> 192.168.252.133.636: ack 3985690083
3.655524 192.168.252.187.11640 -> 192.168.252.133.636: psh 2104591804 ack 3985690083
3.656473 192.168.252.133.636 -> 192.168.252.187.11640: 3985690083 ack 2104592128
interfaces=[any]
filters=[host 192.168.252.133 and port 636]
3.653907 192.168.252.187.11640 -> 192.168.252.133.636: syn 2104591803
3.655022 192.168.252.133.636 -> 192.168.252.187.11640: syn 3985690082 ack 2104591804
3.655066 192.168.252.187.11640 -> 192.168.252.133.636: ack 3985690083
3.655524 192.168.252.187.11640 -> 192.168.252.133.636: psh 2104591804 ack 3985690083
3.656473 192.168.252.133.636 -> 192.168.252.187.11640: 3985690083 ack 2104592128
Note:
From FortiOS v7.2.0 onwards, administrators can configure a FortiGate client certificate in the LDAP server configuration when the FortiGate connects to an LDAPS server that requires client certificate authentication:
config user ldap
edit <ldap_server>
set client-cert-auth {enable | disable}
set client-cert <source>
next
end
Related articles:
Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd
