FortiGate
nithincs
Staff & Editor
Article Id 339648
Description This article describes how to troubleshoot when the Server Connection status shows Invalid credentials.
Scope FortiGate.
Solution

When configuring an LDAP server in FortiGate with the Bind Type set to Regular, provide the LDAP server admin credentials so that FortiGate can authenticate to the LDAP server and perform the user search. Consider the following points regarding the Username configured in FortiGate.

 

  1. If the Common Name Identifier is set to 'cn', use the user name (display name) from the LDAP server. If the Common Name Identifier is set to sAMAccountName, use the logon name.
  2. Use the following syntax for the username. If the Common Name Identifier is set to 'cn', enter the user's Distinguished Name (DN).

 

The command dsquery user -name "<full_user_name>" can be used to find the complete DN of the user.

 

Example:

 

C:\Users\Administrator>dsquery user -name "ldap test"
"CN=ldap test,CN=Users,DC=t3sophialab,DC=net"

 

In FortiGate, the Username will then be CN=ldap test,CN=Users,DC=t3sophialab,DC=net

 

If the Common Name Identifier is set to sAMAccountName, enter domain\logon name (do not include domain extensions such as .net, .com, or .local).

 

Example:

 

t3sophialab\logon name

 

  3. An LDAP admin username with an incomplete or incorrectly set Distinguished Name or domain name will also result in Invalid credentials.

 


 

  4. The user account might be blocked on the AD server, which can also cause the 'Invalid credentials' error. Unlocking the user account on the AD server should resolve the issue.
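
The username rules above can be checked before the value is entered in FortiGate. The following Python sketch is an added example, not Fortinet code; the function name check_bind_username and the logon name ldaptest are assumptions made for illustration.

```python
import re

# Split a DN on commas that are not backslash-escaped (simplified RFC 4514 handling).
_COMMA = re.compile(r"(?<!\\),")
# One DN component: attribute type, '=', non-empty value.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$")


def check_bind_username(username, cnid):
    """Return a list of problems with a FortiGate LDAP bind Username.

    Hypothetical helper that encodes this article's rules; an empty list
    means the value is well formed, not that the bind will succeed.
    """
    problems = []
    if cnid.lower() == "cn":
        types = []
        for part in _COMMA.split(username):
            m = _RDN.match(part)
            if m is None:
                problems.append(f"not an attribute=value component: {part!r}")
            else:
                types.append(m.group(1).upper())
        if not problems:
            if types[0] != "CN":
                problems.append("DN does not start with the user's CN= component")
            if "DC" not in types:
                problems.append("incomplete DN: no DC= components")
    elif cnid.lower() == "samaccountname":
        domain, sep, logon = username.partition("\\")
        if not sep or not domain.strip() or not logon.strip():
            problems.append("expected domain\\logon name")
        elif "." in domain:
            problems.append("domain has an extension; use the short domain name")
    else:
        problems.append(f"Common Name Identifier {cnid!r} is not covered by the article")
    return problems


if __name__ == "__main__":
    # Constructed sample values; only the DN and domain come from the article.
    samples = [
        ("cn", "CN=ldap test,CN=Users,DC=t3sophialab,DC=net"),
        ("cn", "ldap test"),
        ("cn", "CN=ldap test,CN=Users"),
        ("sAMAccountName", "t3sophialab\\ldaptest"),
        ("sAMAccountName", "t3sophialab.net\\ldaptest"),
    ]
    for cnid, name in samples:
        print(f"{cnid:15} {name!r:50} -> {check_bind_username(name, cnid) or 'OK'}")
```

A value that passes this check can still be rejected with Invalid credentials if the password is wrong or the account is locked on the AD server.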