Description
Sometimes you have to configure an LDAP object on the FortiGate and use it with the FSAE configuration. This article explains why the 'Query failed' message is received in the Web Based Manager (GUI) and how to test LDAP connectivity.
If you go to User -> Remote -> LDAP, edit the required LDAP object and click the 'query distinguished name' icon, the query fails and the following screen is displayed:
Scope
All FortiOS
Solution
This happens because the GUI query button works only when "Bind Type" is set to "Regular" and a proper User DN is configured. A correct User DN looks like:
cn=administrator,cn=users,dc=vlad-ad,dc=local
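As an added example (not from this article or from Fortinet), a small Python pre-flight check that encodes the two conditions above before you press the GUI button: the bind type must be "Regular", and the User DN must be a real distinguished name, not a plain login name (a bare account name, user@domain, or DOMAIN\user). The DN parser handles backslash-escaped commas in RDN values; function names and the sample entries are my own.

```python
import re

def parse_dn(dn: str):
    """Split a distinguished name into (attribute, value) pairs.
    Minimal RFC 4514 handling: RDNs are separated by ',', each is attr=value,
    and a backslash escapes the next character (so 'cn=Smith\\, John' is one RDN).
    Raises ValueError when the string is not of that form."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i + 1]      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not value:
            raise ValueError(f"not an RDN: {rdn!r}")
        pairs.append((attr.lower(), value))
    return pairs

def classify_bind_identity(user: str) -> str:
    """'dn' for a full DN, 'down-level' for DOMAIN\\user, 'upn' for user@domain,
    otherwise 'simple' (a bare account name)."""
    try:
        parse_dn(user)
        return "dn"
    except ValueError:
        pass
    if re.fullmatch(r"[^\\@]+\\[^\\@]+", user):
        return "down-level"
    return "upn" if "@" in user else "simple"

def check_query_dn(bind_type: str, user_dn: str):
    """Mirror the GUI rule from the article: the 'query distinguished name' button
    only works with bind type Regular and a full User DN. Returns (ok, reason)."""
    if bind_type.lower() != "regular":
        return False, f"bind type is {bind_type!r}; the GUI query needs 'Regular'"
    kind = classify_bind_identity(user_dn)
    if kind != "dn":
        return False, f"User DN {user_dn!r} is a {kind} login name, not a full DN"
    return True, f"ok: {len(parse_dn(user_dn))} RDNs"

# Constructed sample LDAP-object settings; the first uses the DN from the article.
SAMPLE_OBJECTS = [
    ("Regular", "cn=administrator,cn=users,dc=vlad-ad,dc=local"),
    ("Anonymous", "cn=administrator,cn=users,dc=vlad-ad,dc=local"),
    ("Regular", "VLAD-AD\\administrator"),
    ("Regular", "administrator@vlad-ad.local"),
]
```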
To test the LDAP object and confirm that it is working properly, use the following CLI command:
FGT# diagnose test authserver ldap <LDAP server_name> <username> <password>
Where <LDAP server_name> is the name of the LDAP object on the FortiGate (not the actual LDAP server's hostname!).
For the username and password you may use any account from the AD, but it is recommended (at least at the first stage) to test with the credentials configured in the LDAP object itself. If these credentials fail, any others will fail as well, because the FortiGate will not be able to bind to the LDAP server.
CLI Example
FGT# diagnose test authserver ldap Vlad-AD administrator 12345678
Advanced troubleshooting
To get more information about why an authentication attempt failed, run the following commands from the CLI: