hbac (Staff)
Article Id 251563
Description

This article describes an issue that occurs where the connection status shows 'Can't contact LDAP server' when ‘Secure Connection’ (LDAPS) is enabled under LDAP Server settings.

Scope

FortiGate v6.x and v7.x.

Solution

In the packet captures, the client (FortiGate) sent ‘Alert (Level: Fatal, Description: Bad Certificate)’ to the server.

This alert is sent when FortiGate fails to validate the server certificate presented by the LDAP server.


When the setting 'Server Identity Check' is enabled under the LDAP server settings, FortiGate validates the certificate sent by the LDAP server against the configured server value:

  • If the LDAP server configuration on the FortiGate uses an IP address, the Certificate must specify the matching IP address in the SAN extension.
  • If the LDAP server configuration on the FortiGate uses 'Name', the hostname must match the CN of the certificate or DNS name in the SAN extension.

Note:
When using the server name instead of an IP address, make sure the FortiGate resolves that name correctly via DNS, and configure the fully qualified domain name rather than only the host name.
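As an added illustration (not FortiGate code), the following models the two matching rules above together with the FQDN note: given the configured 'Server' value and the certificate's CN and SAN entries (all constructed sample values), it reports whether the identity check would pass and why it would not.

```python
"""Added example: models the LDAPS 'Server Identity Check' rules described above
(constructed inputs, not FortiGate code)."""
import ipaddress


def server_identity_check(server, cert_cn="", san_dns=(), san_ip=()):
    """Return (passes, reason) for the identity check applied to the LDAP server
    certificate.

    server   -- the 'Server' value configured under the LDAP server settings
    cert_cn  -- Common Name (CN) of the certificate subject
    san_dns  -- DNS entries of the Subject Alternative Name extension
    san_ip   -- IP Address entries of the Subject Alternative Name extension
    """
    # Rule 1: configured as an IP address -> only an IP SAN entry can match.
    try:
        configured_ip = ipaddress.ip_address(server)
    except ValueError:
        configured_ip = None
    if configured_ip is not None:
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == configured_ip:
                    return True, f"IP SAN entry matches {server}"
            except ValueError:
                continue  # malformed SAN entry, ignore it
        return False, (f"no IP SAN entry matches {server}; "
                       "CN and DNS SAN names are not consulted for an IP")

    # Rule 2: configured as a name -> must match the CN or a DNS SAN entry.
    host = server.lower().rstrip(".")
    candidates = {cert_cn.lower()} | {n.lower().rstrip(".") for n in san_dns}
    candidates.discard("")
    if host in candidates:
        return True, f"{server} matches the certificate CN or a DNS SAN entry"
    reason = f"{server} matches neither the CN nor any DNS SAN entry"
    if "." not in host:
        reason += "; use the fully qualified domain name, not the bare host name"
    return False, reason


if __name__ == "__main__":
    # Constructed case: a certificate issued to ldap.example.com only (no IP SAN).
    cn, dns = "ldap.example.com", ["ldap.example.com"]
    for server in ("192.0.2.10", "ldap.example.com", "ldap"):
        ok, why = server_identity_check(server, cn, dns)
        print(f"{server:18} -> {'PASS' if ok else 'FAIL'}: {why}")
```

The first case in the runner reproduces the common failure behind the 'Bad Certificate' alert: the LDAP server is configured by IP, but the certificate carries only DNS names.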

If the above checks are not satisfied, the certificate validation will fail. In cases where immediately modifying the LDAPS certificate is not possible, the setting 'server-identity-check' can be disabled as a workaround.

config user ldap
    edit "Test_LDAP"
        set server-identity-check disable    <-- enabled by default when 'Secure Connection' is enabled
    next
end

In v7.4.4 and above, there is no option to disable this check. The correct CA certificate must be imported into the FortiGate for LDAPS to work: Technical Tip: LDAPS connections no longer work af... - Fortinet Community.