FortiGate
vkulik (Staff)
Description
Sometimes you have to configure an LDAP object on the FortiGate and use it with the FSAE configuration.
This article explains why the 'Query failed' message is received in the Web Based Manager (GUI) and how to test LDAP connectivity from the CLI.

If you go to User -> Remote -> LDAP, edit the required LDAP object and click on the 'query distinguished name' icon, the query fails and the following screen is shown:

[Figure: ldap-failed.png]

Scope
All FortiOS

Solution
This happens because the GUI query button only works when "Bind Type" is set to "Regular" and a proper User DN is configured. A correct User DN looks like this:

cn=administrator,cn=users,dc=vlad-ad,dc=local

To test the LDAP object and verify that it is working properly, the following CLI command can be used:

FGT# diagnose test authserver ldap <LDAP server_name> <username> <password>

Where <LDAP server_name> is the name of the LDAP object on the FortiGate (not the actual LDAP server name!).

For the username and password you may use any account from the AD, but it is recommended (at least at the first stage) to test with the credentials configured in the LDAP object itself. If these credentials fail, any other will fail as well, because the FortiGate will not be able to bind to the LDAP server.


CLI Example

FGT# diagnose test authserver ldap Vlad-AD administrator 12345678


Advanced troubleshooting

To get more information about the reason for an authentication failure, run the following commands from the CLI:

FGT# diagnose debug enable
FGT# diagnose debug application fnbamd 255

To stop this debug later, type:

FGT# diagnose debug application fnbamd 0

With the debug enabled, run an LDAP authentication test:

FGT# diagnose test authserver ldap Vlad-AD administrator 12345678


Successful Login output example

fnbamd_fsm.c[933] handle_req-Rcvd auth req 10158080 for administrator in Vlad-AD opt=27 prot=0
fnbamd_ldap.c[383] resolve_ldap_FQDN-Resolved address 172.17.97.158, result 172.17.97.158
fnbamd_ldap.c[144] start_search_dn-base:DC=vlad-ad,Dc=local filter:cn=administrator
fnbamd_ldap.c[682] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1155] poll_auth-Continue pending for req 10158080
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=Administrator,CN=Users,DC=vlad-ad,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=Administrator,CN=Users,DC=vlad-ad,DC=local
fnbamd_ldap.c[597] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1155] poll_auth-Continue pending for req 10158080
fnbamd_ldap.c[705] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[777] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1347] fnbamd_auth_poll-Result for ldap svr 172.17.97.158 is SUCCESS
fnbamd_comm.c[104] fnbamd_comm_send_result-Sending result 0 for req 10158080
authenticate 'administrator' against 'Vlad-AD' succeeded!


Failed Login output example

fnbamd_fsm.c[933] handle_req-Rcvd auth req 10158082 for momo in Vlad-AD opt=27 prot=0
fnbamd_ldap.c[383] resolve_ldap_FQDN-Resolved address 172.17.97.158, result 172.17.97.158
fnbamd_ldap.c[144] start_search_dn-base:DC=vlad-ad,Dc=local filter:cn=momo
fnbamd_ldap.c[682] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1155] poll_auth-Continue pending for req 10158082
fnbamd_ldap.c[183] get_all_dn-Found no DN
fnbamd_ldap.c[202] start_next_dn_bind-No more DN left
fnbamd_ldap.c[592] fnbamd_ldap_get_result-No more DN
fnbamd_ldap.c[777] fnbamd_ldap_get_result-Going to DONE state res=1
fnbamd_auth.c[1341] fnbamd_auth_poll-Result for ldap svr 172.17.97.158 is denied
fnbamd_comm.c[104] fnbamd_comm_send_result-Sending result 1 for req 10158082
authenticate 'momo' against 'Vlad-AD' failed!
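To read fnbamd traces like the two above without scanning them by hand, here is an added example (not part of this article or of FortiOS) that summarises one 'diagnose test authserver ldap' run: which LDAP object and address were used, which base DN and filter the search ran with, which DNs were found, and whether the final bind succeeded. The sample traces are constructed from the article's own output, abridged to the lines the parser reads.

```python
import re

# Constructed samples: the two fnbamd traces from this article, abridged to the lines the parser reads.
SUCCESS_TRACE = """\
fnbamd_fsm.c[933] handle_req-Rcvd auth req 10158080 for administrator in Vlad-AD opt=27 prot=0
fnbamd_ldap.c[383] resolve_ldap_FQDN-Resolved address 172.17.97.158, result 172.17.97.158
fnbamd_ldap.c[144] start_search_dn-base:DC=vlad-ad,Dc=local filter:cn=administrator
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=Administrator,CN=Users,DC=vlad-ad,DC=local
fnbamd_ldap.c[705] fnbamd_ldap_get_result-Auth accepted
fnbamd_auth.c[1347] fnbamd_auth_poll-Result for ldap svr 172.17.97.158 is SUCCESS
"""
FAILED_TRACE = """\
fnbamd_fsm.c[933] handle_req-Rcvd auth req 10158082 for momo in Vlad-AD opt=27 prot=0
fnbamd_ldap.c[383] resolve_ldap_FQDN-Resolved address 172.17.97.158, result 172.17.97.158
fnbamd_ldap.c[144] start_search_dn-base:DC=vlad-ad,Dc=local filter:cn=momo
fnbamd_ldap.c[183] get_all_dn-Found no DN
fnbamd_auth.c[1341] fnbamd_auth_poll-Result for ldap svr 172.17.97.158 is denied
"""


def parse_fnbamd_trace(trace):
    """Summarise one 'diagnose test authserver ldap' run captured with fnbamd debug level 255."""
    s = {"req": None, "user": None, "server": None, "address": None,
         "base": None, "filter": None, "dns": [], "result": None, "reason": None}
    for line in trace.splitlines():
        if m := re.search(r"Rcvd auth req (\d+) for (\S+) in (\S+)", line):
            s["req"], s["user"], s["server"] = m.groups()       # request id, login, LDAP object name
        elif m := re.search(r"Resolved address (\S+),", line):
            s["address"] = m.group(1)                           # IP the FortiGate actually contacted
        elif m := re.search(r"start_search_dn-base:(\S+) filter:(\S+)", line):
            s["base"], s["filter"] = m.groups()                 # DN lookup done with the bind account
        elif m := re.search(r"get_all_dn-Found DN \d+:(.+)$", line):
            s["dns"].append(m.group(1).strip())                 # candidate DN(s) fnbamd will rebind as
        elif "get_all_dn-Found no DN" in line:
            s["reason"] = "search returned no DN: check the username and base DN"
        elif "Auth accepted" in line:
            s["reason"] = "bind with the located DN accepted"
        elif m := re.search(r"Result for ldap svr \S+ is (\S+)", line):
            s["result"] = m.group(1).upper()                    # SUCCESS or DENIED
    # Inference not shown in the article's traces: a DN was found yet the result is denied,
    # so the rebind with the user's own password must have been rejected.
    if s["result"] == "DENIED" and s["reason"] is None and s["dns"]:
        s["reason"] = "DN found but bind rejected: check the password"
    return s
```

Paste the captured debug output into a file and feed it to parse_fnbamd_trace to get the same summary for a real run.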

