slovepreet
Staff
Article Id 252955
Description

This article describes how to troubleshoot the 'Invalid LDAP server' error.

Scope

FortiGate.
Solution

Sometimes the LDAP server connects successfully and can authenticate the username.

However, when the group information is being pulled, the error 'Invalid LDAP server' appears and the page keeps loading, as shown in the picture.

[Screenshot: error.jpg.png]
  • It will give the error 'Invalid LDAP server'.
  • If a Wireshark capture is run, 'abandon request' information will appear:

[Screenshot: Picture1.png]

  • As seen in the packet capture, there is a 5-second delay between the messages. The messages are sent from the FortiGate, but there is no response.
  • As a result, when the FortiGate does not receive a response in time, it sends an AbandonRequest to stop the operation on the LDAP server, in case the server is still processing it.
  • There can be multiple reasons for this; one is latency in the customer environment, which prevents the operation from completing within the timeout.


Solution:

Ideally, this issue does not appear. The root cause is that the remote LDAP server is not responding in time, so address that with the network and server teams responsible. As a workaround, the remote authentication timeout can be increased:

config system global
    set remoteauthtimeout 300   <----- The default is 5 seconds, the same as the gap seen in the packet capture above.
end

For further LDAP troubleshooting, refer to the article below:

Troubleshooting Tip: FortiGate LDAP


  • It is also possible to try setting the bind type on the LDAP server to Regular and entering the credentials.
  • After that, check again whether the same error is still shown.
  • If it shows the same error, collect a packet capture between FortiGate's IP and the LDAP server before replicating the issue:


diagnose sniffer packet any 'host (x.x.x.x and y.y.y.y) and port 389' 6 0 l

To convert the packet capture into a Wireshark-readable format, see Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.

Once the issue is replicated, it should be possible to see the flow/communication.

The 'Invalid Server Error' may also be encountered when searching with the wrong DN (the SearchRequest field in the packet capture), as shown in the following screenshot. The DN set on the FortiGate was 'DC=T3stconsulting', but the actual DN on the server was 'dc=Testconsulting', hence the following error was observed in the packet capture.

[Screenshot: Invalid Server Error.PNG]


If the issue persists, contact Fortinet Support.


It is also possible to receive an 'Invalid LDAP server' error on FortiGate LDAP servers while performing a DN query:

[Screenshot: 10182157-3 -edit.png]


Commands to enable the fnbamd debug:


diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug application fnbamd -1


To stop this debug, type:


diagnose debug application fnbamd 0
diagnose debug disable
diagnose debug reset


The error below, if it appears in the fnbamd debug and in the LDAP packet capture, indicates a binding issue that must be fixed on the AD server. The issue can be addressed on the Microsoft side by adding a registry setting on the Windows Server.


[1186] fnbamd_ldap_parse_response-Error 1(000004DC: LdapErr: DSID-0C090BA8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839)


In another scenario, the FortiGate gives the same 'Invalid LDAP server' error, but the packet capture and the fnbamd debug show the error 'to perform this operation a successful bind must be completed on the connection'.

This error indicates a binding issue and the need to make a change on the AD server. The issue can be addressed on the Microsoft side by adding a registry setting on the Windows Server. See this document: LDAP Simple Bind failing.

[Screenshot: kb 6.3.jpg]

[Screenshot: kb 6.4.PNG]


After making sure the aforementioned steps are completed, the packet capture may still show that the bind from the FortiGate is successful but the LDAP server replies with an operationsError: 'to perform this operation, a successful bind must be completed on the connection'. This is an issue on the LDAP server side, so check for changes or updates on the LDAP server.
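As an added illustration (not from the article or from Fortinet), the following Python models the two failure signatures discussed above: a searchRequest that stays unanswered past remoteauthtimeout, which fnbamd then abandons, and the operationsError 'successful bind must be completed' line from the fnbamd debug. The packet timestamps and the 'fgt'/'ldap' source labels are constructed stand-ins for the two IP addresses in a real capture.

```python
import re
from dataclasses import dataclass

REMOTEAUTHTIMEOUT = 5.0  # FortiOS default for 'set remoteauthtimeout', in seconds

# Shape of the fnbamd line quoted in the article: LDAP result code, then the
# Active Directory diagnostic string (Windows error, DSID, comment, data).
FNBAMD_RE = re.compile(
    r"fnbamd_ldap_parse_response-Error (?P<code>\d+)\((?P<win>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>\d+)"
)

def diagnose_fnbamd(line):
    """Map one fnbamd debug line to the cause the article associates with it."""
    m = FNBAMD_RE.search(line)
    if not m:
        return None
    code, comment = int(m["code"]), m["comment"]
    # LDAP result code 1 is operationsError; with this comment AD is saying the
    # search arrived before a successful bind, so binding must be fixed on the AD side.
    if code == 1 and "successful bind must be completed" in comment:
        return "bind_required"
    return f"ldap_result_{code}"

@dataclass
class Pkt:
    t: float    # capture timestamp, seconds (constructed)
    src: str    # 'fgt' or 'ldap' (constructed labels for the two hosts)
    op: str     # LDAP protocolOp as Wireshark names it
    msgid: int  # LDAP messageID, so a reply can be matched to its request

def unanswered_searches(pkts, fgt="fgt", timeout=REMOTEAUTHTIMEOUT):
    """Timestamps of FortiGate searchRequests with no reply carrying the same
    messageID within `timeout` seconds; these are the ones fnbamd abandons."""
    pkts = sorted(pkts, key=lambda p: p.t)
    late = []
    for p in pkts:
        if p.src != fgt or p.op != "searchRequest":
            continue
        reply = next((q for q in pkts if q.src != fgt and q.msgid == p.msgid and q.t > p.t), None)
        if reply is None or reply.t - p.t > timeout:
            late.append(p.t)
    return late

# Constructed capture: bind answered promptly, first group search never answered and
# abandoned at the 5-second mark as the article describes, second search answered quickly.
CAPTURE = [
    Pkt(0.00, "fgt", "bindRequest", 1), Pkt(0.01, "ldap", "bindResponse", 1),
    Pkt(0.02, "fgt", "searchRequest", 2), Pkt(5.02, "fgt", "abandonRequest", 3),
    Pkt(5.03, "fgt", "searchRequest", 4), Pkt(5.20, "ldap", "searchResDone", 4),
]
```

Running unanswered_searches(CAPTURE) returns [0.02], the search that would show up in Wireshark followed only by an abandonRequest; raising the timeout does not help that case because no reply ever arrives.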


It is also possible to receive the 'Invalid LDAP server' error due to a typo in the distinguished name.

[Screenshot: Capture.JPG]


Ensure that the distinguished name is correctly configured.

[Screenshot: Capture1.JPG]


Once fixed, select 'Browse,' and the information should display correctly.

[Screenshot: Capture2.JPG]