FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ckumar_FTNT
Staff
Staff
Article Id 196280

Description


This article describes the LDAP's most common problems and presents troubleshooting tips.

 

Scope

 

FortiGate.

Solution


To test the LDAP object and see if it is working properly, the following CLI command can be used :

 

FGT# diagnose test authserver ldap <LDAP server_name> <username> <password>

 

Where:


 <LDAP server_name> <----- Is the name of the LDAP object on FortiGate (not the actual LDAP server name).

 

For username/password, use any from the AD. However, it is recommended (at least at the first stage) to test the credentials used in the LDAP object itself.
If these credentials will fail then any other will fail as well as the FortiGate will not be able to bind to the LDAP server.

CLI Example:

 

FGT# diagnose test authserver ldap LDAP_SERVER user1 password

 

If the LDAP configuration in FortiGate has a space in the name, such as 'LDAP SERVER', use this syntax for testing.

 

FGT# diagnose test authserver ldap "LDAP SERVER" user1 password 

 

Or:

 

FGT# diagnose test authserver ldap LDAP\ SERVER user1 password

 

Advanced troubleshooting:

To get more information regarding the reason for authentication failure, run the following commands from the CLI:

 

FGT# diagnose debug enable
FGT# diagnose debug application fnbamd 255

 

To stop this debug type:

 

FGT# diagnose debug application fnbamd 0

 

Then run an LDAP authentication test:

 

FGT# diag test authserver ldap AD_LDAP user1 password

 

Advanced troubleshooting:

 

FGT_MASTER (root) # diag test authserver ldap AD_LDAP user1 password
[2274] handle_req-Rcvd auth req 237259201 for user1 in AD_LDAP opt=0000001b prot=0   <----- fnbamd received the authentication request with a session number that can be followed. The session ends with this user authenticated or failing.
[398] __compose_group_list_from_req-Group 'AD_LDAP'
[614] fnbamd_pop3_start-user1
[1042] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'AD_LDAP'
[1662] fnbamd_ldap_init-search filter is: sAMAccountName=user1     <----- Username and base DN for LDAP search.
[1671] fnbamd_ldap_init-search base is: dc=test,dc=local
[1019] __fnbamd_ldap_dns_cb-Resolved AD_LDAP(idx 0) to 192.168.1.10
[1087] __fnbamd_ldap_dns_cb-Still connecting.
[557] create_auth_session-Total 1 server(s) to try
[969] __ldap_connect-tcps_connect(192.168.1.10) is established.
[843] __ldap_rxtx-state 3(Admin Binding)                          <----- Admin bind.
[204] __ldap_build_bind_req-Binding to 'Administrator'
[925] fnbamd_ldap_send-sending 32 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 1
[843] __ldap_rxtx-state 4(Admin Bind resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 14
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[864] fnbamd_ldap_parse_response-ret=0                             <----- Admin bind successfully.
[910] __ldap_rxtx-Change state to 'DN search'
[843] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=local' filter:sAMAccountName=user1  <----- Starting next step.
[925] fnbamd_ldap_send-sending 75 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 2
[843] __ldap_rxtx-state 12(DN search resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 52
[1148] fnbamd_ldap_recv-Response len: 54, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[1180] __fnbamd_ldap_dn_entry-Get DN 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=user1,CN=Users,DC=TEST,DC=LOCAL

[910] __ldap_rxtx-Change state to 'User Binding'
[843] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[925] fnbamd_ldap_send-sending 91 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 3
[843] __ldap_rxtx-state 6(User Bind resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 14
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'Attr query'
[843] __ldap_rxtx-state 7(Attr query)
[490] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
[502] fnbamd_ldap_build_attr_search_req-base:'CN=user1,CN=Users,DC=TEST,DC=LOCAL' filter:cn=*
[925] fnbamd_ldap_send-sending 113 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 4
[843] __ldap_rxtx-state 8(Attr query resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 290
[1148] fnbamd_ldap_recv-Response len: 292, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[553] __get_member_of_groups-Get the memberOf groups.
[519] __retrieve_group_values-Get the memberOf groups.
[530] __retrieve_group_values- attr='memberOf', found 3 values
[91] ldap_dn_list_add-added CN=GROUP1,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[0]='CN=GROUP1,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=GROUP2,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[1]='CN=GROUP2,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=GROUP3,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[2]='CN=GROUP3,CN=Users,DC=TEST,DC=LOCAL'
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1260] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
[910] __ldap_rxtx-Change state to 'Primary group query'
[843] __ldap_rxtx-state 13(Primary group query)
[526] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
...
[925] fnbamd_ldap_send-sending 121 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 5
[843] __ldap_rxtx-state 14(Primary group query resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 110
[1148] fnbamd_ldap_recv-Response len: 112, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[91] ldap_dn_list_add-added CN=Domain Users,CN=Users,DC=TEST,DC=LOCAL
[470] __get_one_group-group: CN=Domain Users,CN=Users,DC=TEST,DC=LOCAL
….

[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 6
[753] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,CN=Users,DC=TEST,DC=LOCAL
[3064] fnbamd_ldap_result-Result for ldap svr 192.168.1.10 is SUCCESS
…..

 

LDAP Common Problems:

Incorrect Admin Bind:

 

FGT_MASTER (root) # diag test authserver ldap AD_LDAP user1 password
[2274] handle_req-Rcvd auth req 237259384 for user1 in AD_LDAP opt=0000001b prot=0    <----- fnbamd received the authentication request with a session number that can be followed. The session ends with this user authenticated or failing.
[398] __compose_group_list_from_req-Group 'AD_LDAP'
[614] fnbamd_pop3_start-user1
[1042] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'AD_LDAP'
[1662] fnbamd_ldap_init-search filter is: sAMAccountName=user1
[1671] fnbamd_ldap_init-search base is: dc=test,dc=local
[1019] __fnbamd_ldap_dns_cb-Resolved AD_LDAP(idx 0) to 192.168.1.10
[1087] __fnbamd_ldap_dns_cb-Still connecting.
[557] create_auth_session-Total 1 server(s) to try
[969] __ldap_connect-tcps_connect(192.168.1.10) is established.
[843] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'Administrator'
[925] fnbamd_ldap_send-sending 27 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 1
[843] __ldap_rxtx-state 4(Admin Bind resp)
...
[1148] fnbamd_ldap_recv-Response len: 104, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)   <----- LDAP error for invalid credentials.
[864] fnbamd_ldap_parse_response-ret=49
[753] __ldap_stop-svr 'AD_LDAP'
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259384 <----- fnbamd ended the authentication with this session.
authenticate 'user1' against 'AD_LDAP' failed.

 

To check the binding name, the following Windows commands are useful:

 

dsquery user -name <admin full user name>
dsquery user -samid <admin login name>

 

Check the Admin password.

 

User Not Found:

 

… <output ommited> ...
[592] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=local' filter:sAMAccountName=user1        <----- User account.
[925] fnbamd_ldap_send-sending 73 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 2
[843] __ldap_rxtx-state 12(DN search resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 78
[1148] fnbamd_ldap_recv-Response len: 80, svr: 192.168.1.10
...
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1198] __fnbamd_ldap_dn_next-No DN is found.             <----- Unable to locate user DN.
….
[753] __ldap_stop-svr 'AD_LDAP'
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259385 <----- fnbamd ended the authentication with this session.
authenticate 'user1' against 'AD_LDAP' failed!

 

In case the where seeing this error 'No DN is found' it implies the user is not found, check the following:

  • If the common Name Identifier is 'sAMAccountName', try to use the login name.
  • If it is 'cn', try the user's full-name.
  • If 'sAMAccountName' does not yield results, try 'userPrincipalName' as an alternative attribute for the username.

  • Double-check the user's full DN by performing the following Windows command:


dsquery user -name <full-user-name>

 

Also, check the following in the LDAP configuration:

 

config user ldap

    edit <LDAP Server Name>
        set cnid "UserPrincipalName"

end

 

Note: Only 'UserPrincipalName' would work for 'username@domain.local', while sAMAccountName and cn are suitable for 'username' and 'domain\username'.

 

Incorrect User Password:

 

...<output ommited>...
[910] __ldap_rxtx-Change state to 'User Binding'
[843] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,CN=Users,DC=test,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,CN=Users,DC=test,DC=LOCAL'
[925] fnbamd_ldap_send-sending 90 bytes to 192.168.1.10
...
[1148] fnbamd_ldap_recv-Response len: 104, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)    <----- Invalid credentials.
[864] fnbamd_ldap_parse_response-ret=49
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 4
[753] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,CN=Users,DC=test,DC=LOCAL
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259387  <----- fnbamd ended the authentication with this session.
authenticate 'user1' against 'AD_LDAP' failed!

 

Groups Not Found:

The following error indicates that no user group information has been found during the LDAP response based on the configured attribute (memberOf is the default value):

 

get_member_of_groups-attr=<attribute_name> found 0 values

 

Password Expired.

 

… <output ommited> ...
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,DC=test,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,DC=test,DC=LOCAL'
[860] fnbamd_ldap_send-sending 116 bytes to 192.168.1.182
. . .
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 532, v3839) <----- Logon failure: the specified account password has expired.
[799] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'Done'
[815] __ldap_rxtx-state 21(Done)
[860] fnbamd_ldap_send-sending 7 bytes to 192.168.1.182
[872] fnbamd_ldap_send-Request is sent. ID 4
[725] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,DC=test,DC=LOCAL
[181] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 300967187  <----- fnbamd ended the authentication with this session.
authenticate 'user1' against 'AD_LDAP' failed!                                                                                     

 

From v7.6.0, LDAP config has the option to configure the 'source-ip-interface' to overcome the challenges of dynamic IP address change.

 

Refer to the below doc for more information:

Implement the interface name as the source IP address in RADIUS, LDAP, and DNS configurations

 

Related articles:
Troubleshooting Tip: FortiGate LDAP authentication errors

Troubleshooting Tip: 'No DN is Found' error during LDAP authentication failure for usernames with do...