FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
tnesh
Staff
Staff
Article Id 252591
Description This article describes how to configure LDAP over a secure connection on FortiManager/FortiAnalyzer.
Scope

- FortiManager/FortiAnalyzer.

- Windows Active Directory (AD) will be used as the LDAP server and Certificate Authority (CA).
Solution

Note.

- 'Server Name/IP' attribute in LDAP settings must match the LDAP Server Certificate CN field.

 

Configuring Windows AD:

1) Open Server Manager -> Manage -> Add Roles and Features.

2) In the Add Roles and Features Wizard, select 'Next' on 'Before You Begin', Installation Type Server Selection to choose the default value.

3) In Server Roles, select Active Directory Certificate Services and select Add Features.

4) Proceed to select Next as not making any changes on other settings.

5) In AD CS -> Role Services, select Certification Authority and select Next.

 

role-services.png

 

6) At the Confirmation page, verify the roles and services that will be installed. Once done verify, select Install.

7) Once installation is complete, select Configure Active Directory Certificate Services on the destination server.

 

adcs-destination.png

 

8) In the AD CS Configuration wizard, read and verify the credential and select Next.

 

credential.png

 

9) In Role Services, select Certification Authority and select Next.

 

role-services2.png

 

10) On the Setup Type page, select Enterprise CA and select Next:

 

enterprise-ca.png

 

11) On the CA Type page, select Root CA and select Next.

 

root-ca.png

 

12) On the Private Key page, select Create a new private key and select Next.

 

new-pri-key.png

 

13) On the Cryptography page, select the default value and select Next.

14) On the CA Name page, change the common name (CN) to be same as the Computer name/Hostname.

 

ca-name.png

 

15) Select Next on Validity Period and Certificate Database page.

16) On the Confirmation page, verify the details and select Configure. Once done, Close the wizard

 

confirmation2.png

 

Export CA Certificate:

1) Press Windows+R to open Run, type certlm.msc, and select OK.

 

run-certlm.png

 

2) This will launch the Local Computer certificates page.

The Root Certificate generated earlier will appear under Personal -> Certificates.

 

certlm.msc.png

 

3) 'Right Click' on the root cert -> All Tasks -> Export.

 

export.png

 

4) On Certificate Export Wizard, select Next.

5) Select No, do not export the private key, and select Next.

 

export-cert2.png

 

6) Select DER format and select Next.

 

der-format.png

7) Browse the location to export followed by the filename and select Next.

 

export-location.png

 

8) Once done, select Finish to close the wizard.

 

Configuring LDAPS in FortiManager/FortiAnalyzer:

1) Navigate to System Settings -> Certificates -> CA Certificates -> Import.

 

ldaps-settings.png

 

2) Import the CA Cert that was exported earlier and select OK.

 

tnesh_8-1681694369987.png

 

3) Navigate to System Settings -> Admin -> Remote Authentication Server -> Create New -> LDAP Server.

4) Enter the details of the LDAP server:

- Enter the FQDN of the server name in Server Name/IP field. 

Make sure FortiManager/FortiAnalyzer DNS is able to resolve the FQDN.

- Select Secure Connection, Protocol: LDAPS, and choose the correct CA Cert.

 

ldaps-settings-details.png

5) Once done, select Query and verify if able to query the LDAP correctly.

 

ldap-query.png

6) Close the LDAP Browser and select OK to save the LDAP settings

 

Test Scenario:

1) Go to FortiManager/FortiAnalyzer GUI and log in with LDAP user.

 

Troubleshooting guide:

Generally, there will be three problems that might cause LDAP issues:

- LDAP server configuration.

- FortiManager/FortiAnalyzer LDAP settings.

- Network connectivity issue.

 

1) To check on LDAP debug, look for any error message from the debug output:

Enable debugging from FortiManager/FortiAnalyzer:

 

# diagnose debug application auth 8

# diagnose debug timestamp enable

# diagnose debug enable

 

Once enable debug log is, login with the LDAP user and verify the debug output log.

 

Sample output:

 

Wira-kvm13 # diag debug application auth 8

Wira-kvm13 # di de timestamp en

Wira-kvm13 # di de en

Wira-kvm13 # 2023-04-16 22:23:10

2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)

2023-04-16 22:23:10 s2802: wildcard admin: ldap-user

2023-04-16 22:23:10 s2802:   start ldap: ldap-server

2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636

2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin

2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1

2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:10 s2802:ldap-server:   dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com

2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com

2023-04-16 22:23:11 s2802:ldap-server:   got result: Success(0)

2023-04-16 22:23:11 s2802:ldap-server: success

2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user

2023-04-16 22:23:11 s2802: auth result: success

 

To disable debug output:

 

# diag debug disable

 

2) To check the network connectivity issue, run packet capture from GUI or CLI to verify the connection.

From GUI, go to System Settings -> Network -> Packet Capture.

From CLI, run the below sniffer packet command:

# diagnose sniffer packet any “host <server_ip> and port <ldap_port>” 4 0 l