| Description |
This article describes how to resolve an issue where LDAP authentication intermittently fails for FortiGate admin login, VPN authentication or the captive portal, and the fnbamd debug shows the error code 'ldap_error-Ret 10, st = 3'. |
| Scope | FortiGate. |
| Solution |
In some scenarios, a delay in the response from the server for a Bind Request or searchRequest may occur, as shown in the following example:
Working LDAP communication capture:
In the 33rd packet, server 10.1.1.1 took 7 seconds to process and respond to the FortiGate bindRequest sent in the 31st packet.
In newer versions of FortiOS, 'ldapconntimeout' is also applied to the LDAP/TACACS+/POP3 response. If FortiGate does not receive the server's response within the ldapconntimeout period (500 milliseconds by default), it sends a TCP FIN to the server and closes the connection.
In the above capture, FortiGate sends a TCP packet with the FIN flag set (11th packet) 500 milliseconds after the bindRequest.
In the fnbamd debug, the following messages are seen as well.
2024-08-20 17:25:13 [984] __ldap_next_state-State: DN Search -> User Binding
The solution is to increase the 'ldapconntimeout' value under global settings according to the delay in the server's response. In the above example, around 7 seconds of delay are seen in the response, so the value can be increased to around 10000 milliseconds to avoid user authentication failures caused by the ldapconntimeout timer. It may be set up to 300,000 milliseconds.
config system global
    set ldapconntimeout 10000
end
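As an added example (not part of the Fortinet article), the following Python script shows how to confirm from a capture that slow server responses, rather than a server error, are what the timer is cutting off, and how to derive a timeout value from the measured delay. It reads a constructed tshark-style packet summary (packet number, relative time in seconds, endpoints, LDAP operation with its message ID), pairs each bindRequest/searchRequest with its response by message ID, computes the per-request latency in milliseconds, flags exchanges slower than the configured ldapconntimeout, and recommends a value with headroom that is capped at the 300,000 ms maximum stated above. The summary format, the addresses and the 1.5x headroom factor are assumptions for the example.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet summary in a tshark-like one-line-per-packet format:
# "<pkt_no> <time_s> <src> -> <dst> <ldap_op>(<message_id>)"
# Addresses and timings are made up to mirror the article's scenario
# (bindResponse arriving about 7 seconds after the bindRequest).
CAPTURE = """\
31 0.000 10.1.1.10 -> 10.1.1.1 bindRequest(1)
32 0.001 10.1.1.1 -> 10.1.1.10 [ACK]
33 7.012 10.1.1.1 -> 10.1.1.10 bindResponse(1)
34 7.013 10.1.1.10 -> 10.1.1.1 searchRequest(2)
35 7.020 10.1.1.1 -> 10.1.1.10 searchResEntry(2)
36 7.021 10.1.1.1 -> 10.1.1.10 searchResDone(2)
"""

# Request operation -> the operation that completes it.
REQUEST_OPS = {"bindRequest": "bindResponse", "searchRequest": "searchResDone"}
DEFAULT_LDAPCONNTIMEOUT_MS = 500       # FortiOS default per the article
MAX_LDAPCONNTIMEOUT_MS = 300_000       # upper bound per the article

OP_RE = re.compile(r"(\w+)\((\d+)\)")


@dataclass
class Exchange:
    op: str
    msg_id: int
    req_pkt: int
    resp_pkt: Optional[int]      # None if no matching response was seen
    latency_ms: Optional[float]  # None if no matching response was seen


def parse_exchanges(capture: str) -> List[Exchange]:
    """Pair LDAP requests with their responses by message ID and time them."""
    pending: Dict[int, Tuple[str, int, float]] = {}
    done: List[Exchange] = []
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        pkt, t_s, op = int(parts[0]), float(parts[1]), parts[5]
        m = OP_RE.fullmatch(op)
        if not m:            # pure TCP packets such as [ACK] carry no LDAP op
            continue
        name, msg_id = m.group(1), int(m.group(2))
        if name in REQUEST_OPS:
            pending[msg_id] = (name, pkt, t_s)
        elif msg_id in pending and REQUEST_OPS[pending[msg_id][0]] == name:
            req_name, req_pkt, req_t = pending.pop(msg_id)
            done.append(Exchange(req_name, msg_id, req_pkt, pkt,
                                 round((t_s - req_t) * 1000.0, 1)))
    # Requests that never got their completing response stay unmatched.
    for msg_id, (name, pkt, _t) in pending.items():
        done.append(Exchange(name, msg_id, pkt, None, None))
    return done


def exceeds_timeout(exchanges: List[Exchange],
                    timeout_ms: int = DEFAULT_LDAPCONNTIMEOUT_MS) -> List[Exchange]:
    """Exchanges FortiGate would have abandoned (FIN) with the given timeout."""
    return [e for e in exchanges
            if e.latency_ms is None or e.latency_ms > timeout_ms]


def recommend_timeout_ms(exchanges: List[Exchange], headroom: float = 1.5) -> int:
    """Slowest observed latency times a headroom factor, rounded up to a whole
    second and capped at the maximum FortiOS accepts."""
    measured = [e.latency_ms for e in exchanges if e.latency_ms is not None]
    if not measured:
        return DEFAULT_LDAPCONNTIMEOUT_MS
    wanted = math.ceil(max(measured) * headroom / 1000.0) * 1000
    return min(wanted, MAX_LDAPCONNTIMEOUT_MS)


if __name__ == "__main__":
    ex = parse_exchanges(CAPTURE)
    for e in ex:
        print(f"{e.op}({e.msg_id}) pkt {e.req_pkt}->{e.resp_pkt}: {e.latency_ms} ms")
    slow = exceeds_timeout(ex)
    print(f"{len(slow)} exchange(s) slower than {DEFAULT_LDAPCONNTIMEOUT_MS} ms")
    print(f"suggested: config system global / set ldapconntimeout "
          f"{recommend_timeout_ms(ex)} / end")
```

With the constructed capture the bind takes about 7012 ms and the search about 8 ms, so only the bind exceeds the 500 ms default and the recommendation comes out at 11000 ms. A real summary can be produced with tshark's default one-line output filtered on the LDAP port; the regex and field positions would need adjusting to its exact column layout.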
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.