FortiGate
athirat
Staff
Article Id 189403

Description

This article describes how to increase the timeout on FortiGate for LDAP queries.

Scope

FortiGate.

Solution

In some cases the LDAP server is not directly connected to FortiGate and, because of the delay along the path, the LDAP query times out.

The fnbamd debug output on FortiGate will record entries such as the following:

2020-03-17 20:27:50 [823] __ldap_timeout-
2020-03-17 20:27:50 [798] __ldap_try_next_server-LDAP 'LDAP' conn failed, svr: ldap-test
2020-03-17 20:27:50 [764] __ldap_error-
2020-03-17 20:27:50 [753] __ldap_stop-svr 'LDAP'
2020-03-17 20:27:50 [3246] fnbamd_ldap_result-Error (3) for req 608660764

Or errors like:

2024-08-26 14:38:22 [1257] __ldap_rxtx-Start ldap conn timer.
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
2024-08-26 14:38:22 [1679] __ldap_error-
2024-08-26 14:38:22 [1485] __ldap_tcps_close-closed.
2024-08-26 14:38:22 [1567] __ldap_conn_stop-Stop ldap conn timer.

In this case, two timeout values need to be taken into account:

config sys global
    set remoteauthtimeout <seconds>          <----- By default 5 seconds.
    set ldapconntimeout <milliseconds>       <----- By default 500 milliseconds.
end

Increasing these timeouts gives the LDAP server enough time to respond, so the LDAP query succeeds. Note that remoteauthtimeout is set in seconds while ldapconntimeout is set in milliseconds.
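As an added example (not Fortinet's code, and not part of this article), the following script scans fnbamd debug output like the excerpts above, reports each LDAP timeout together with the affected server, and builds the matching config block. The mapping of __ldap_conn_timeout to ldapconntimeout and __ldap_timeout to remoteauthtimeout, and the replacement values 10 s / 2000 ms, are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# fnbamd debug line layout as shown in the article: timestamp, [source line], function-message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] (?P<func>\w+)-")
# The server shows up as "svr: <name>" or "LDAP:<address>" on the timeout line or the next ones
SERVER_RE = re.compile(r"(?:svr: |LDAP:)(?P<svr>[\w.\-]+)")
# Assumed mapping (not stated in the article) from timeout function to the setting to raise
TIMEOUT_SETTINGS = {
    "__ldap_conn_timeout": "ldapconntimeout",  # connection phase, milliseconds
    "__ldap_timeout": "remoteauthtimeout",     # waiting for the reply, seconds
}

@dataclass(frozen=True)
class Finding:
    ts: str
    setting: str
    server: str

def find_ldap_timeouts(log_text: str) -> list:
    """Return one Finding per LDAP timeout event in fnbamd debug output."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m or m.group("func") not in TIMEOUT_SETTINGS:
            continue
        server = "unknown"
        for candidate in lines[i:i + 3]:  # server name may follow on the next line or two
            s = SERVER_RE.search(candidate)
            if s:
                server = s.group("svr")
                break
        findings.append(Finding(m.group("ts"), TIMEOUT_SETTINGS[m.group("func")], server))
    return findings

def remediation_cli(findings, remoteauth_s=10, ldapconn_ms=2000) -> str:
    """Build a config block that raises only the settings the log implicates (values illustrative)."""
    values = {"remoteauthtimeout": remoteauth_s, "ldapconntimeout": ldapconn_ms}
    body = "".join(f"    set {s} {values[s]}\n" for s in sorted({f.setting for f in findings}))
    return f"config system global\n{body}end\n"

# Constructed sample: the timeout lines from the article's two debug excerpts
SAMPLE_LOG = """\
2020-03-17 20:27:50 [823] __ldap_timeout-
2020-03-17 20:27:50 [798] __ldap_try_next_server-LDAP 'LDAP' conn failed, svr: ldap-test
2024-08-26 14:38:22 [594] __ldap_conn_timeout-Connction with LDAP:192.168.x.x timed out.
2024-08-26 14:38:22 [1642] __ldap_error-Ret 10, st = 3.
"""
```

Run find_ldap_timeouts(SAMPLE_LOG) to list the events, then remediation_cli(...) to print the config block to apply on the FortiGate CLI.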

Related article:

Troubleshooting Tip: SSL VPN 'permission denied' error while using DUO as Two-Factor Authentication ...