Description
This article describes how to troubleshoot and verify LDAP users and groups using the 'diagnose test authserver' commands.
Scope
FortiGate.
Solution
To verify that LDAP user authentication succeeds and fetches the correct user group membership, run the following command:
diagnose test authserver ldap <ldap_server_name> <username> <password>
Example:
LDAP server is configured on the FortiGate as follows:
config user ldap
    edit "WINSERVER-AD"
        set server "10.0.0.1"
        set cnid "sAMAccountName"
        set dn "ou=FortiGate,dc=winserver,dc=lab"
        set type regular
        set username "WINSERVER\\fgt.svc"
        set password ENC [masked]
    next
end
Run the following command to verify that LDAP user authentication succeeds and returns the correct group membership:
diagnose test authserver ldap WINSERVER-AD fgt.svc Passw0rd!
To search for LDAP object(s), such as the list of users in a group given an LDAP filter, use the following command:
diagnose test authserver ldap-search <server ip> <port> <dn> <cn> <user> <password> <secure: 0,1,2> <filter> <flag: 1,2> <page_no>
Example:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=FTC Users,ou=FortiGate,dc=winserver,dc=lab))
Run the below command to list the result of the given LDAP filter:
diagnose test authserver ldap-search 10.0.0.1 389 "ou=FortiGate,dc=winserver,dc=lab" cn fgt.svc@winserver.lab Passw0rd! 0 '(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=FortiGate Group,ou=FortiGate,dc=winserver,dc=lab))' 2
(&(sAMAccountName=*)(mail=*fortinet*))
Run the below command to list the result of the given LDAP filter:
diagnose test authserver ldap-search 10.0.0.1 389 "ou=FortiGate,dc=winserver,dc=lab" cn fgt.svc@winserver.lab Passw0rd! 0 '(&(sAMAccountName=*)(mail=*fortinet*))' 2
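Added example (not part of the original Fortinet article): a Python helper that builds the memberOf filter shown above with RFC 4515 escaping, so a group name containing parentheses, asterisks or backslashes does not break the filter, and checks parenthesis balance before producing the ldap-search command line. The function names are hypothetical, the group "VPN Users (EU)" is constructed, and how the FortiOS CLI treats backslashes inside single quotes is an assumption to verify on the device.

```python
"""Added example: build ldap-search filters with RFC 4515 escaping."""

# RFC 4515: these characters must appear as \XX (hex) inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a literal (group DN, name) for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn):
    """Same shape as the page's first filter: persons who are members of group_dn."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)"
            "(memberOf=" + escape_filter_value(group_dn) + "))")


def is_balanced(ldap_filter):
    """True if the filter is one parenthesised expression with correct nesting."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
                return False
        elif depth == 0:
            return False  # text outside the outermost parentheses
    return depth == 0 and bool(ldap_filter)


def ldap_search_command(server, port, base_dn, bind_user, ldap_filter,
                        secure=0, flag=2):
    """Return the diagnose command line, with <password> left as a placeholder."""
    if not is_balanced(ldap_filter):
        raise ValueError("unbalanced LDAP filter: " + ldap_filter)
    if "'" in ldap_filter:
        raise ValueError("filter contains a single quote; it would end the quoting")
    return ('diagnose test authserver ldap-search %s %s "%s" cn %s <password> %s \'%s\' %s'
            % (server, port, base_dn, bind_user, secure, ldap_filter, flag))


if __name__ == "__main__":
    # Constructed sample: a group whose name contains parentheses.
    dn = "cn=VPN Users (EU),ou=FortiGate,dc=winserver,dc=lab"
    print(ldap_search_command("10.0.0.1", 389, "ou=FortiGate,dc=winserver,dc=lab",
                              "fgt.svc@winserver.lab", member_of_filter(dn)))
```

The password is deliberately left as the <password> placeholder so the generated line can be stored or shared without a credential in it.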
Related article: Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd
Copyright 2024 Fortinet, Inc. All Rights Reserved.