FortiGate
wmichael
Staff
Article Id 336026
Description This article describes troubleshooting steps to determine if the LDAPS server is sending an expired certificate when an LDAPS user logs in.
Scope FortiGate.
Solution

When troubleshooting LDAPS authentication failures, use the fnbamd debug to collect information about the interaction between the FortiGate and the LDAPS server. fnbamd is the FortiGate authentication daemon that performs the TLS handshake and the LDAP bind on the firewall's behalf, so any certificate verification problem is reported in its output.

FGT-A# diagnose debug console timestamp enable

FGT-A# diagnose debug app fnbamd -1

FGT-A# diagnose debug enable

FGT-A# diagnose test authserver ldap AD_LDAP user1 password

Here AD_LDAP is the name of the LDAP server object (config user ldap), and user1 and password are the credentials of a test account. The test command makes fnbamd perform a real LDAPS bind immediately, so the TLS handshake with the server is exercised without waiting for a user to log in.

To disable the debugging commands above, run the following command (diagnose debug reset additionally clears the fnbamd debug level set earlier):

FGT-A# diagnose debug disable

 

If the following lines appear in the fnbamd debug, the LDAPS server presented an expired certificate and the TLS handshake was aborted before any LDAP bind took place. Cert error 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED, and Depth 0 means the expired certificate is the server's own (leaf) certificate rather than an issuing CA in the chain. Before renewing the server certificate, confirm that the FortiGate's own clock is correct (execute date and execute time): a wrong system time produces the same error, or Cert error 9 (certificate is not yet valid), for a certificate that is still valid.

2024-07-24 10:45:00 [1666] __verify_cb-Cert error 10, certificate has expired. Depth 0. Subject ''

2024-07-24 10:45:00 [1345] __ldap_tcps_connect-tcps_connect(172.16.37.10) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed).
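As an added worked example (not part of the Fortinet article, and not FortiOS code), the following bash script does the two things a practitioner usually wants at this point: it parses fnbamd debug output for __verify_cb lines and translates the OpenSSL verify code into its X509_V_ERR_* meaning, and it independently retrieves the LDAPS server's certificate with openssl s_client from any host that can reach the server, so the notAfter date can be checked without reading a packet capture. The fnbamd excerpt embedded in the script is constructed from the lines quoted above; the function and variable names are the example's own, and the live check assumes openssl is installed and that the LDAPS server (172.16.37.10:636 in the debug) is reachable.

```shell
#!/usr/bin/env bash
# Added example, not from the Fortinet article or FortiOS itself.
# 1) classify_fnbamd_debug: read fnbamd debug output and explain each
#    "__verify_cb-Cert error N" line (N is an OpenSSL X509_V_ERR_* code).
# 2) check_ldaps_cert: fetch the LDAPS server certificate with openssl
#    s_client and report its validity window and whether it has expired.

# Constructed fnbamd excerpt, modelled on the lines quoted in the article.
SAMPLE_FNBAMD_DEBUG="2024-07-24 10:45:00 [1666] __verify_cb-Cert error 10, certificate has expired. Depth 0. Subject ''
2024-07-24 10:45:00 [1345] __ldap_tcps_connect-tcps_connect(172.16.37.10) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed)."

# Map an OpenSSL X509_V_ERR_* code to a short diagnosis. Codes 9 and 10 are
# time-related, so the FortiGate's own clock must be checked first.
x509_verify_error_name() {
  case "$1" in
    2)  echo "unable to get issuer certificate (server sent an incomplete chain)" ;;
    9)  echo "certificate is not yet valid (check the FortiGate clock)" ;;
    10) echo "certificate has expired (check the FortiGate clock, then renew the server certificate)" ;;
    18) echo "self-signed leaf certificate is not trusted" ;;
    19) echo "self-signed root in chain is not in the FortiGate CA store" ;;
    20) echo "issuing CA is not in the FortiGate CA store" ;;
    21) echo "unable to verify the first certificate" ;;
    62) echo "hostname mismatch" ;;
    *)  echo "unrecognised verify error $1" ;;
  esac
}

# Read fnbamd debug text on stdin. For every __verify_cb line print
# "depth=<d> code=<n> <diagnosis>"; depth 0 is the server's own certificate,
# higher depths are CAs in the chain. Prints "no-cert-verify-error" if none.
classify_fnbamd_debug() {
  local line code depth seen=0
  while IFS= read -r line; do
    case "$line" in
      *"__verify_cb-Cert error "*)
        code=${line#*Cert error }; code=${code%%,*}
        depth=${line#*Depth };     depth=${depth%%.*}
        printf 'depth=%s code=%s %s\n' "$depth" "$code" "$(x509_verify_error_name "$code")"
        seen=1 ;;
    esac
  done
  [ "$seen" -eq 1 ] || echo "no-cert-verify-error"
  return 0
}

# Live check (needs network reachability to the LDAPS server and openssl).
# Usage: check_ldaps_cert <host> [port]   -> exit 0 valid, 1 expired, 2 no cert
check_ldaps_cert() {
  local host=$1 port=${2:-636} pem
  pem=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null) \
    || { echo "no certificate retrieved from $host:$port"; return 2; }
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates
  # -checkend 0 succeeds only if the certificate is not already expired.
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "status: not expired"
  else
    echo "status: EXPIRED"
    return 1
  fi
}

# Offline demonstration on the constructed excerpt.
printf '%s\n' "$SAMPLE_FNBAMD_DEBUG" | classify_fnbamd_debug
# Live check against the server named in the debug (run when it is reachable):
# check_ldaps_cert 172.16.37.10 636
```

Running the script as-is prints the diagnosis for the constructed excerpt; uncomment the last line on a host that can reach the LDAPS server to see the real certificate's notBefore/notAfter, which is the same information the packet capture described below exposes, but independent of the TLS version negotiated.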

It is also possible to take a packet capture on the FortiGate and read the validity period of the LDAP server's certificate directly. This only works when the LDAPS session negotiates TLS 1.2 or lower: in TLS 1.3 the Certificate message is encrypted, so Wireshark cannot show it without the session keys.

This can be seen when expanding the packet in Wireshark; compare notAfter with the FortiGate's current date and time:

Server Hello or Certificate Packet -> Transport Layer Security -> Certificate -> Validity -> notAfter:


(Screenshot: packet capture showing the certificate's Validity / notAfter field in Wireshark)
