tnesh
Staff & Editor
Article Id 252591
Description

This article describes how to configure LDAP over a secure connection (LDAPS) on FortiManager/FortiAnalyzer.
Scope

FortiManager/FortiAnalyzer. Windows Active Directory (AD) is used as both the LDAP server and the Certificate Authority (CA).

Solution

Note:

The 'Server Name/IP' attribute in the LDAP settings must match the LDAP server certificate's CN field or one of its Subject Alternative Names.

Allow the required port (389 for LDAP, 636 for LDAPS) for communication between FortiManager/FortiAnalyzer and the AD server.
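The name-matching rule the note refers to, as an added example that is not part of the article and not Fortinet code: a small Python check modelled on the RFC 6125 / RFC 2818 host-name rules (exact dNSName match, wildcard only as the whole left-most label, an iPAddress entry for IP literals, and the subject CN consulted only when the certificate has no SAN at all). The certificate descriptions and the 192.0.2.10 address are constructed; only labtest.fortilab.com comes from the article's debug output. FortiManager's own validator is not documented on this page, so this shows the standard client behaviour the note is warning about, and in particular why an IP address in Server Name/IP fails against a certificate that only carries a DNS name.

```python
"""Host-name vs certificate matching for an LDAPS server (added example).

A TLS client accepts the server certificate only if the name it connected
to matches the certificate: a dNSName or iPAddress SAN entry, or, when the
certificate carries no subjectAltName at all, the subject CN.  The check
below follows the RFC 6125 / RFC 2818 rules; the certificate metadata is
constructed, not parsed from a real certificate.
"""
import ipaddress


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName (or CN) pattern against a host name.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is accepted only as the whole left-most label and only when at least
    two labels follow it, so '*.fortilab.com' matches 'ldap.fortilab.com'
    but neither 'a.b.fortilab.com' nor 'fortilab.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_server_name(cert: dict, server_name: str) -> bool:
    """Return True if server_name is acceptable for the described certificate.

    cert = {"cn": <subject CN or None>,
            "san": [("DNS", name) | ("IP", address), ...]}
    """
    san = cert.get("san") or []
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal in Server Name/IP matches only an iPAddress SAN
        # entry; a dNSName entry never matches an IP, and neither does the CN.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip
                   for kind, val in san)

    if san:
        # With a SAN extension present the CN is not consulted.
        return any(kind == "DNS" and _dns_name_match(val, server_name)
                   for kind, val in san)

    # Legacy certificate without SAN: fall back to the subject CN.
    cn = cert.get("cn")
    return bool(cn) and _dns_name_match(cn, server_name)


# Constructed certificate descriptions (labtest.fortilab.com is the FQDN
# from the article's debug output; 192.0.2.10 is a documentation address).
CERT_DNS_SAN = {"cn": "labtest.fortilab.com",
                "san": [("DNS", "labtest.fortilab.com"), ("DNS", "*.fortilab.com")]}
CERT_IP_SAN = {"cn": "labtest", "san": [("IP", "192.0.2.10")]}
CERT_CN_ONLY = {"cn": "labtest.fortilab.com", "san": []}


def explain(cert: dict, server_name: str) -> str:
    """One-line verdict, usable as a pre-flight check before saving the LDAP settings."""
    ok = cert_matches_server_name(cert, server_name)
    return f"{server_name!r}: {'matches' if ok else 'does NOT match'} certificate"


if __name__ == "__main__":
    print(explain(CERT_DNS_SAN, "labtest.fortilab.com"))   # matches
    print(explain(CERT_DNS_SAN, "192.0.2.10"))             # does NOT match: use the FQDN
    print(explain(CERT_IP_SAN, "192.0.2.10"))              # matches via iPAddress SAN
    print(explain(CERT_CN_ONLY, "labtest.fortilab.com"))   # matches via CN fallback
```

The second call is the case the article's step 3 under "Configuring LDAPS" avoids by requiring an FQDN in Server Name/IP: an AD CA-issued server certificate normally carries the host's DNS name, not its IP, so connecting by address cannot pass validation even when the CA certificate is imported correctly.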

 

Configuring Windows AD:

  1. Open Server Manager -> Manage -> Add Roles and Features.
  2. In the Add Roles and Features Wizard, select Next on Before You Begin, then keep the default values on Installation Type and Server Selection.
  3. In Server Roles, select Active Directory Certificate Services and select Add Features.
  4. Select Next on the remaining pages without changing any other settings.
  5. In AD CS -> Role Services, select Certification Authority and select Next.

 

role-services.png

 

  6. At the Confirmation page, verify the roles and services that will be installed, then select Install.

  7. Once installation is complete, select Configure Active Directory Certificate Services on the destination server.

    adcs-destination.png

  8. In the AD CS Configuration wizard, read and verify the credentials and select Next.

    credential.png

  9. In Role Services, select Certification Authority and select Next.

    role-services2.png

  10. On the Setup Type page, select Enterprise CA and select Next.

    enterprise-ca.png

  11. On the CA Type page, select Root CA and select Next.

    root-ca.png

  12. On the Private Key page, select Create a new private key and select Next.

    new-pri-key.png

  13. On the Cryptography page, keep the default values and select Next.

  14. On the CA Name page, change the common name (CN) to be the same as the computer name/hostname.

    ca-name.png

  15. Select Next on the Validity Period and Certificate Database pages.

  16. On the Confirmation page, verify the details and select Configure. Once done, close the wizard.

    confirmation2.png

     

Export CA Certificate:

  1. Press Windows+R to open Run, type certlm.msc, and select OK.

 

run-certlm.png

 

  2. This launches the Local Computer certificates console. The root certificate generated earlier appears under Personal -> Certificates.

    certlm.msc.png

  3. Right-click the root certificate -> All Tasks -> Export.

    export.png

  4. On the Certificate Export Wizard, select Next.

  5. Select No, do not export the private key, and select Next.

    export-cert2.png

  6. Select the DER format and select Next.

    der-format.png

  7. Browse to the export location, enter a filename, and select Next.

    export-location.png

  8. Once done, select Finish to close the wizard.

     

Configuring LDAPS in FortiManager/FortiAnalyzer:

  1. Navigate to System Settings -> Certificates -> CA Certificates -> Import.

 

ldaps-settings.png

 

  2. Import the CA certificate that was exported earlier and select OK.

    tnesh_8-1681694369987.png

  3. Navigate to System Settings -> Admin -> Remote Authentication Server -> Create New -> LDAP Server.

  4. Enter the details of the LDAP server:

    Enter the FQDN of the server in the Server Name/IP field.

    Make sure the FortiManager/FortiAnalyzer DNS settings can resolve the FQDN.

    Select Secure Connection, set Protocol to LDAPS, and choose the CA certificate imported above.

    ldaps-settings-details.png

  5. Once done, select Query and verify that the LDAP directory can be queried correctly.

    ldap-query.png

  6. Close the LDAP Browser and select OK to save the LDAP settings.

     

Test Scenario:

Go to FortiManager/FortiAnalyzer GUI and log in with an LDAP user.

 

Troubleshooting guide:

  1. LDAP login failures generally come from one of three areas:
  • LDAP server configuration.
  • FortiManager/FortiAnalyzer LDAP settings.
  • Network connectivity.

 

To narrow this down, enable the authentication debug on FortiManager/FortiAnalyzer and look for error messages in the output:

 

diagnose debug application auth 8

diagnose debug timestamp enable

diagnose debug enable

 

Once the above debug starts running, log in with the LDAP user and verify the debug output log.

Sample output:

 

Wira-kvm13 # diagnose debug application auth 8

Wira-kvm13 # diagnose debug timestamp enable

Wira-kvm13 # diagnose debug enable

Wira-kvm13 # 2023-04-16 22:23:10

2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)

2023-04-16 22:23:10 s2802: wildcard admin: ldap-user

2023-04-16 22:23:10 s2802:   start ldap: ldap-server

2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636

2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin

2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1

2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:10 s2802:ldap-server:   dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com

2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com

2023-04-16 22:23:11 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:11 s2802:ldap-server: success

2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user

2023-04-16 22:23:11 s2802: auth result: success
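A parser for the debug output above, as an added example that is not part of the article and not Fortinet code. One LDAP login goes through three server round-trips that each report a 'got result: <text>(<code>)' line (admin bind, user search, user bind); the parser records each result, names the first one that did not return code 0, and maps it onto the three problem areas in the troubleshooting list. SAMPLE_OK is the article's own output; the failed-bind and no-answer samples are constructed, so the exact wording FortiManager prints in those cases is an assumption (LDAP result code 49, invalidCredentials, is the standard value).

```python
"""Parser for the 'diagnose debug application auth 8' output (added example).

One LDAP login on FortiManager/FortiAnalyzer goes through three server
round-trips that each report 'got result: <text>(<code>)': the admin bind,
the user search and the user bind.  The parser records the result of each,
names the first one that did not return code 0 and maps it onto the three
problem areas from the troubleshooting list.  SAMPLE_OK is the article's
own output; SAMPLE_BAD_BIND and SAMPLE_NO_ANSWER are constructed.
"""
import re

RESULT_RE = re.compile(r"got result:\s*(?P<text>[^(]+)\((?P<code>\d+)\)")
PHASE_RE = re.compile(r"(?P<phase>binding admin|searching users|binding user):")
USER_RE = re.compile(r"auth request:\s*user=(?P<user>\S+)")
URL_RE = re.compile(r"\burl:\s*(?P<url>\S+)")
FINAL_RE = re.compile(r"auth result:\s*(?P<result>\w+)")

PHASE_ORDER = ["binding admin", "searching users", "binding user"]


def parse_auth_debug(output: str) -> dict:
    """Summarise one authentication attempt from the debug output."""
    summary = {"user": None, "url": None, "phases": [],
               "first_failure": None, "result": None}
    pending = None  # phase whose 'got result' line has not arrived yet
    for line in output.splitlines():
        if m := USER_RE.search(line):
            summary["user"] = m.group("user")
        elif m := URL_RE.search(line):
            summary["url"] = m.group("url")
        elif m := PHASE_RE.search(line):
            pending = m.group("phase")
        elif (m := RESULT_RE.search(line)) and pending:
            code = int(m.group("code"))
            summary["phases"].append((pending, m.group("text").strip(), code))
            if code != 0 and summary["first_failure"] is None:
                summary["first_failure"] = pending
            pending = None
        elif m := FINAL_RE.search(line):
            summary["result"] = m.group("result")
    return summary


def suggest_area(summary: dict) -> str:
    """Heuristic mapping of the failure point onto the article's three problem areas."""
    if summary["url"] and not summary["phases"]:
        return "network connectivity (or TLS handshake): no LDAP result was received"
    failed = summary["first_failure"]
    if failed is None:
        if summary["result"] == "success":
            return "no LDAP phase failed"
        return "no LDAP phase failed; check the admin user / wildcard mapping on FortiManager"
    if failed == "binding admin":
        return "FortiManager/FortiAnalyzer LDAP settings: bind DN/password, CA certificate or server name"
    if failed == "searching users":
        return "FortiManager/FortiAnalyzer LDAP settings: Distinguished Name or user filter"
    return "LDAP server side: user credentials or account state"


# The article's successful exchange, verbatim.
SAMPLE_OK = """\
2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:23:10 s2802: wildcard admin: ldap-user
2023-04-16 22:23:10 s2802:   start ldap: ldap-server
2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server:   dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:11 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:11 s2802:ldap-server: success
2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user
2023-04-16 22:23:11 s2802: auth result: success
"""
_OK_LINES = SAMPLE_OK.splitlines()

# Constructed: same exchange, but the user bind is rejected (LDAP result code 49).
SAMPLE_BAD_BIND = "\n".join(_OK_LINES[:10] + [
    "2023-04-16 22:23:11 s2802:ldap-server:   got result: Invalid credentials(49)",
    "2023-04-16 22:23:11 s2802: auth result: failure",
])
# Constructed: the admin bind is sent but the server never answers.
SAMPLE_NO_ANSWER = "\n".join(_OK_LINES[:5])


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad bind", SAMPLE_BAD_BIND),
                         ("no answer", SAMPLE_NO_ANSWER)):
        s = parse_auth_debug(sample)
        print(f"{name}: user={s['user']} first_failure={s['first_failure']} -> {suggest_area(s)}")
```

The useful signal is the position of the first non-zero result: a failure at the admin bind points at what was typed into the LDAP Server form (bind DN, password, CA certificate or a Server Name/IP that does not match the certificate), a failure at the search points at the base DN or filter, and a failure at the user bind leaves the FortiManager side intact and points at the account itself. An exchange that prints the url line and then no result at all is the connectivity case the packet capture in the next step is meant for.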

 

To disable debug output:

 

diagnose debug disable
diagnose debug reset

 

  2. To check for a network connectivity issue, run a packet capture from the GUI or CLI. From the GUI, go to System Settings -> Network -> Packet Capture. From the CLI, run the following sniffer command:

 

diagnose sniffer packet any "host <server_ip> and port <ldap_port>" 4 0 l

 
