Description
This article describes what the debug log entry ‘fnbamd_ldap_parse_response-Error 34’ means and how to fix it.
When a client accesses the LDAP server via FortiGate, FortiGate captures the error messages shown below and the client cannot access the server normally.
Solution
Run the following commands from the CLI:
diagnose debug disable
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
To stop the debug, type:
diagnose debug disable
diagnose debug reset
In the fnbamd debug logs, the error message is found when trying to log on via the LDAP server.
[981] __ldap_rxtx-state 11(DN search)
[751] fnbamd_ldap_build_dn_search_req-base:'dc=test\2C dc=lab' filter:sAMAccountName=xxxx
[981] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1127] __fnbamd_ldap_read-Read 94
[1307] fnbamd_ldap_recv-Response len: 96, svr: x.x.x.x
[988] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1010] fnbamd_ldap_parse_response-Error 34(0000208F: LdapErr: DSID-0C090A90, comment: Error processing name, data 0, v4563)
[1023] fnbamd_ldap_parse_response-ret=34
The LDAP error code is a result code indicating that something went wrong.
LDAP error 34: Invalid syntax for DN
Check the DN syntax in the LDAP configuration.
Example:
config user ldap
edit "LDAP_Server"
set server "X.X.X.X"
set cnid "sAMAccountName"
set dn "dc=test, dc=lab" <----- Additional space after the comma; set dn to 'dc=test,dc=lab'.
end
Refer to RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished ... for UTF-8 String Representation of Distinguished Names.
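The DN check above, as an added example (not Fortinet code): a Python script that pairs each Error 34 in fnbamd debug output with the preceding DN search base and flags a comma separator that carries whitespace or appears escaped, as in the log on this page. The function names and the separator heuristic are assumptions made for this example; the sample input is constructed from the log lines shown above.

```python
import re

# Constructed sample: the two relevant lines from the debug output on this page.
SAMPLE = r"""[751] fnbamd_ldap_build_dn_search_req-base:'dc=test\2C dc=lab' filter:sAMAccountName=xxxx
[1010] fnbamd_ldap_parse_response-Error 34(0000208F: LdapErr: DSID-0C090A90, comment: Error processing name, data 0, v4563)
"""

BASE_RE = re.compile(r"fnbamd_ldap_build_dn_search_req-base:'([^']*)'")
ERR_RE = re.compile(r"fnbamd_ldap_parse_response-Error (\d+)")
# Heuristic (assumption): a comma, literal or shown escaped as \2C or \, in the
# log, counts as an RDN separator only when an "attr=" follows it.
SEP_RE = re.compile(r"\s*(?:\\2[Cc]|\\,|,)\s*(?=[A-Za-z][A-Za-z0-9.-]*\s*=)")


def check_dn(dn):
    """Return (needs_fix, suggested_dn) for a configured or logged DN."""
    suggested = SEP_RE.sub(",", dn)
    return suggested != dn, suggested


def triage(log_text):
    """Pair each Error 34 with the most recent search base and check that base."""
    findings, base = [], None
    for line in log_text.splitlines():
        m = BASE_RE.search(line)
        if m:
            base = m.group(1)
            continue
        m = ERR_RE.search(line)
        if m and m.group(1) == "34" and base is not None:
            bad, fixed = check_dn(base)
            findings.append({"base": base, "needs_fix": bad, "suggested": fixed})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The suggested value is what to compare against the 'set dn' line under 'config user ldap'; an escaped comma inside a value, such as 'cn=Smith\, John', is left untouched because no 'attr=' follows it.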
Copyright 2025 Fortinet, Inc. All Rights Reserved.