nprakash
Staff
Article Id 318021
Description This article describes the changes in LDAPS authentication behavior introduced in v7.4.4 and v7.4.5.
Scope FortiGate v7.4.4 and above.
Solution

After upgrading to v7.4.4 and above, attempts to authenticate using LDAPS fail. This can be confirmed by running a packet sniffer filtered on the LDAPS server's IP address and executing the debug commands below:


diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable


To start the sniffer, navigate to Network -> Diagnostics and select 'New Packet Capture'. 


LDAPS-1.png


The packet sniffer can be stopped after a failed authentication attempt and saved to the local machine. 

The debug output shows that FortiGate fails to validate the server certificate:


LDAPS-2.png
The saved sniffer file can be opened in Wireshark; the capture confirms that FortiGate (10.21.7.38) rejects the server certificate during the TLS handshake.


LDAPS-3.png


FortiOS 7.4.4 raises the security standard for LDAPS by requiring that the server certificate be trusted by FortiOS during the TLS handshake. To meet this requirement, the CA certificate that issued the LDAP server's certificate must be imported into the FortiGate.

In this example, the LDAP server's (10.21.0.100) certificate is issued by the CA 'WIN-LT4LK9KDT21-CA'. This CA certificate, 'WIN-LT4LK9KDT21-CA', must be imported into FortiGate.

LDAPS-4.png
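The trust check behind this change can be reproduced outside FortiGate. The following openssl script is an added example, not part of this article or of FortiOS; it generates a throwaway CA and server certificate (constructed test data, with the hypothetical names TEST-CA, OTHER-CA and ldap.example.test) and shows that the server certificate verifies only against the CA that issued it, which is the CA that has to be imported.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: reproduce with openssl the
# trust check FortiOS 7.4.4 now applies to the LDAPS server certificate.
# A throwaway CA and server certificate are generated locally (constructed test
# data) so the script runs offline; in a real deployment the CA file is the one
# that issued the LDAP server's certificate (e.g. 'WIN-LT4LK9KDT21-CA').
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed PKI: TEST-CA signs the server certificate, OTHER-CA is an
# unrelated CA standing in for "the wrong CA was imported into FortiGate".
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=TEST-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OTHER-CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/ldap.pem" >/dev/null 2>&1
}

# Print the issuer DN of a server certificate in RFC 2253 form; this names the
# CA certificate that must be imported under System -> Certificates.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//'
}

# Exit 0 when the server certificate chains to the CA file, non-zero otherwise:
# the same pass/fail outcome fnbamd reports during the LDAPS TLS handshake.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demonstration: the issuing CA validates the chain, an unrelated CA does not.
make_test_pki
echo "server certificate issued by: $(cert_issuer "$WORK/ldap.pem")"
if chain_ok "$WORK/ldap.pem" "$WORK/ca.pem"; then
  echo "TEST-CA imported: handshake would succeed"
fi
if ! chain_ok "$WORK/ldap.pem" "$WORK/other.pem"; then
  echo "OTHER-CA imported: certificate rejected, authentication fails"
fi
```

Against a live LDAPS server the certificate can be fetched with `openssl s_client -connect <server>:636 -showcerts`, saved to a file, and passed to cert_issuer and chain_ok in the same way.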

Import the CA certificate by following the steps outlined below:

  1. Enable the 'Certificates' option in the GUI:


LDAPS-5.png


  2. Navigate to System -> Certificates, select 'Create/Import' and select 'CA Certificate'.


LDAPS-6.png


  3. Select 'File' and upload the CA certificate:


LDAPS-7.png
To verify that LDAP authentication is working, navigate to User & Authentication -> LDAP Servers, edit the LDAPS server, and select 'Test User Credentials'. Provide the user credentials and select 'Test'.

LDAPS-8.png


LDAPS-9.png