FortiManager
tnesh
Staff
Article Id 252591
Description

This article describes how to configure LDAP over a secure connection (LDAPS) on FortiManager/FortiAnalyzer.
Scope

FortiManager/FortiAnalyzer. Windows Active Directory (AD) is used as the LDAP server and as the Certificate Authority (CA).

Solution

Note:

The 'Server Name/IP' attribute in the LDAP settings must match the CN field or a Subject Alternative Name of the LDAP server certificate.

Allow the required port (389 for LDAP, 636 for LDAPS) for the communication between FortiManager and the AD server.
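The note above amounts to three checks that must pass before the LDAPS profile will work: the name entered as Server Name/IP resolves in DNS, TCP port 636 is reachable, and the certificate the AD server presents chains to the exported CA and carries that name in its CN or Subject Alternative Name. The script below is an added example (not part of this article and not a Fortinet tool) that runs those checks from any host with Python 3.8+, the same way the LDAPS client would, and maps a failure onto the area to look at. The host name labtest.fortilab.com is taken from the debug sample later in the article; the CA file path, port default and function names are assumptions.

```python
"""Pre-flight check for the LDAPS prerequisites: DNS resolution, port
reachability and certificate CN/SAN match against the imported CA.
Added example, not Fortinet code; host name, CA path and port are assumptions."""
import socket
import ssl
import sys


def san_dns_names(peer_cert: dict) -> list:
    """DNS names from the subjectAltName of a cert dict as returned by getpeercert()."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def classify_failure(exc: BaseException) -> str:
    """Map a probe exception onto the area to check: certificate, TLS, DNS or network."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL reports a CN/SAN problem as "Hostname mismatch" / "IP address mismatch"
        msg = (getattr(exc, "verify_message", None) or str(exc)).lower()
        if "mismatch" in msg:
            return "certificate: Server Name/IP does not match the certificate CN/SAN"
        return "certificate: server certificate does not chain to the imported CA"
    if isinstance(exc, ssl.SSLError):
        return "tls: handshake failed; check that the port is the LDAPS port (636), not plain LDAP (389)"
    if isinstance(exc, socket.gaierror):  # must come before the generic OSError branch
        return "dns: the FQDN does not resolve"
    if isinstance(exc, OSError):  # ConnectionRefusedError, TimeoutError, host unreachable, ...
        return "network: TCP port is not reachable"
    return "unknown: " + repr(exc)


def probe_ldaps(host: str, ca_der: bytes, port: int = 636, timeout: float = 5.0) -> str:
    """Open a TLS session the way the LDAPS client would and report the outcome.

    ca_der is the DER file exported from certlm.msc; ssl accepts DER bytes
    directly in cadata, so no PEM conversion is needed."""
    ctx = ssl.create_default_context(cadata=ca_der)
    ctx.check_hostname = True            # enforce CN/SAN match against `host`
    ctx.verify_mode = ssl.CERT_REQUIRED  # refuse anything not signed by the exported CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                names = san_dns_names(tls.getpeercert())
                return "ok: %s:%d presented a trusted certificate valid for %s" % (
                    host, port, ", ".join(names) or host)
    except Exception as exc:  # report the failure class instead of a traceback
        return classify_failure(exc)


if __name__ == "__main__":
    # Usage (assumed file names): python ldaps_check.py labtest.fortilab.com ca.cer
    target, ca_path = sys.argv[1], sys.argv[2]
    with open(ca_path, "rb") as fh:
        print(probe_ldaps(target, fh.read()))
```

Run it from a host that shares the FortiManager/FortiAnalyzer DNS settings, since a name that resolves on an admin workstation but not on the appliance still fails at the "dns" step on the appliance.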

 

Configuring Windows AD:

  1. Open Server Manager -> Manage -> Add Roles and Features.
  2. In the Add Roles and Features Wizard, select Next on Before You Begin, and keep the default values on Installation Type and Server Selection.
  3. In Server Roles, select Active Directory Certificate Services and select Add Features.
  4. Select Next on the remaining pages without changing any other settings.
  5. In AD CS -> Role Services, select Certification Authority and select Next.

 

[Screenshot: role-services.png]

  6. On the Confirmation page, verify the roles and services that will be installed. Once verified, select Install.

  7. Once installation is complete, select Configure Active Directory Certificate Services on the destination server.

    [Screenshot: adcs-destination.png]

  8. In the AD CS Configuration wizard, read and verify the credentials and select Next.

    [Screenshot: credential.png]

  9. In Role Services, select Certification Authority and select Next.

    [Screenshot: role-services2.png]

  10. On the Setup Type page, select Enterprise CA and select Next.

    [Screenshot: enterprise-ca.png]

  11. On the CA Type page, select Root CA and select Next.

    [Screenshot: root-ca.png]

  12. On the Private Key page, select Create a new private key and select Next.

    [Screenshot: new-pri-key.png]

  13. On the Cryptography page, keep the default values and select Next.

  14. On the CA Name page, change the common name (CN) to be the same as the computer name/hostname.

    [Screenshot: ca-name.png]

  15. Select Next on the Validity Period and Certificate Database pages.

  16. On the Confirmation page, verify the details and select Configure. Once done, close the wizard.

    [Screenshot: confirmation2.png]

     

Export CA Certificate:

  1. Press Windows+R to open Run, type certlm.msc, and select OK.

    [Screenshot: run-certlm.png]

  2. This launches the Local Computer certificates console. The root certificate generated earlier appears under Personal -> Certificates.

    [Screenshot: certlm.msc.png]

  3. Right-click the root certificate -> All Tasks -> Export.

    [Screenshot: export.png]

  4. In the Certificate Export Wizard, select Next.

  5. Select No, do not export the private key, and select Next.

    [Screenshot: export-cert2.png]

  6. Select DER format and select Next.

    [Screenshot: der-format.png]

  7. Browse to the export location, enter a filename, and select Next.

    [Screenshot: export-location.png]

  8. Once done, select Finish to close the wizard.

     

Configuring LDAPS in FortiManager/FortiAnalyzer:

  1. Navigate to System Settings -> Certificates -> CA Certificates -> Import.

    [Screenshot: ldaps-settings.png]

  2. Import the CA certificate that was exported earlier and select OK.

    [Screenshot: tnesh_8-1681694369987.png]

  3. Navigate to System Settings -> Admin -> Remote Authentication Server -> Create New -> LDAP Server.

  4. Enter the details of the LDAP server:
     Enter the FQDN of the server in the Server Name/IP field.
     Make sure the FortiManager/FortiAnalyzer DNS settings can resolve the FQDN.
     Select Secure Connection, Protocol: LDAPS, and choose the correct CA certificate.

    [Screenshot: ldaps-settings-details.png]

  5. Once done, select Query and verify that the LDAP directory can be queried correctly.

    [Screenshot: ldap-query.png]

  6. Close the LDAP Browser and select OK to save the LDAP settings.

     

Test Scenario:

Go to the FortiManager/FortiAnalyzer GUI and log in with an LDAP user.

 

Troubleshooting guide:

  1. LDAP issues generally fall into one of three areas:
  • LDAP server configuration.
  • FortiManager/FortiAnalyzer LDAP settings.
  • Network connectivity.

 

To check the LDAP debug, look for error messages in the debug output.

Enable debugging on FortiManager/FortiAnalyzer:

diagnose debug application auth 8
diagnose debug timestamp enable
diagnose debug enable

Once debugging is enabled, log in with the LDAP user and review the debug output.

 

Sample output:

Wira-kvm13 # diag debug application auth 8
Wira-kvm13 # di de timestamp en
Wira-kvm13 # di de en
Wira-kvm13 # 2023-04-16 22:23:10
2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:23:10 s2802: wildcard admin: ldap-user
2023-04-16 22:23:10 s2802:   start ldap: ldap-server
2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server:   dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:11 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:11 s2802:ldap-server: success
2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user
2023-04-16 22:23:11 s2802: auth result: success
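The sample above shows the order in which a successful login walks through the LDAP exchange: admin bind, user search, the matched dn, user bind, then the auth result. When a login fails, the useful question is which of those stages returned something other than Success(0). The following script is an added example (not part of this article and not a Fortinet tool) that reads captured 'diagnose debug application auth 8' output, extracts those stages and names the first one that failed, mapping it to the configuration area to check. The line patterns are taken from the sample output above; SAMPLE_FAIL is constructed, and its result text 'Invalid credentials(49)' (LDAP result code 49) and the 'auth result: failed' line are assumed shapes, since only Success(0) appears on this page.

```python
"""Summarise FortiManager/FortiAnalyzer 'diagnose debug application auth 8'
output and name the first LDAP stage that failed.
Added example, not Fortinet code; SAMPLE_FAIL and its failure strings are constructed."""
import re
import sys

AUTH_REQ_RE = re.compile(r"auth request: user=(?P<user>\S+) from=(?P<src>\S+)")
URL_RE = re.compile(r":\s*url:\s*(?P<url>\S+)")
STAGE_RE = re.compile(r":\s*(?P<stage>binding admin|searching users|binding user):")
RESULT_RE = re.compile(r"got result:\s*(?P<name>[^(]+)\((?P<code>\d+)\)")
DN_RE = re.compile(r":\s*dn:\s*(?P<dn>.+)$")
AUTH_RES_RE = re.compile(r"auth result:\s*(?P<res>\S+)")


def parse_auth_debug(text):
    """Return user, source, url, dn, stages [(stage, result name, code)] and auth_result."""
    summary = {"user": None, "source": None, "url": None, "dn": None,
               "stages": [], "auth_result": None}
    pending = None  # stage whose 'got result' line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if (m := AUTH_REQ_RE.search(line)):
            summary["user"], summary["source"] = m["user"], m["src"]
        elif (m := URL_RE.search(line)):
            summary["url"] = m["url"]
        elif (m := STAGE_RE.search(line)):
            pending = m["stage"]
        elif (m := RESULT_RE.search(line)):
            summary["stages"].append((pending or "unknown", m["name"].strip(), int(m["code"])))
            pending = None
        elif (m := DN_RE.search(line)):
            summary["dn"] = m["dn"].strip()
        elif (m := AUTH_RES_RE.search(line)):
            summary["auth_result"] = m["res"]
    return summary


def first_failure(summary):
    """The first stage whose result code is not 0, or None if every stage succeeded."""
    for stage, _name, code in summary["stages"]:
        if code != 0:
            return stage
    return None


def diagnose(summary):
    """Point at the area to check, based on where the exchange stopped."""
    if summary["url"] is None or not summary["stages"]:
        return ("no LDAP exchange reached the server: check DNS resolution, reachability "
                "of port 636 and the CA certificate (run a packet capture)")
    failed = first_failure(summary)
    if failed == "binding admin":
        return "admin bind failed: check the bind DN and password in the LDAP server settings"
    if failed == "searching users":
        return "user search failed: check the distinguished name (base DN) in the LDAP server settings"
    if failed == "binding user":
        return "user bind failed: the LDAP server rejected the user's password"
    if summary["dn"] is None:
        return "user not found: no entry matched under the configured base DN"
    if summary["auth_result"] == "success":
        return "authentication succeeded"
    return "LDAP succeeded but login was refused: check the wildcard admin / admin profile mapping"


# Lines copied from the successful sample output on this page.
SAMPLE_OK = """
2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:23:10 s2802: wildcard admin: ldap-user
2023-04-16 22:23:10 s2802:   start ldap: ldap-server
2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-16 22:23:10 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server:   dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:11 s2802:ldap-server:   got result: Success(0)
2023-04-16 22:23:11 s2802:ldap-server: success
2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user
2023-04-16 22:23:11 s2802: auth result: success
"""

# Constructed failure: the admin bind is rejected, so the search never happens.
# The 'Invalid credentials(49)' and 'auth result: failed' strings are assumed shapes.
SAMPLE_FAIL = """
2023-04-16 22:30:00 s2803: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:30:00 s2803: wildcard admin: ldap-user
2023-04-16 22:30:00 s2803:   start ldap: ldap-server
2023-04-16 22:30:00 s2803:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:30:00 s2803:ldap-server: binding admin: tadmin
2023-04-16 22:30:00 s2803:ldap-server:   got result: Invalid credentials(49)
2023-04-16 22:30:00 s2803: auth result: failed
"""

if __name__ == "__main__":
    # Usage: paste the debug output into a file and run  python auth_debug.py debug.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAIL
    print(diagnose(parse_auth_debug(text)))
```

Because the admin bind happens before the user search, a wrong bind DN or password in the FortiManager/FortiAnalyzer LDAP settings fails every login, regardless of the user; the script reports that as the first failing stage so it is not mistaken for a user password problem.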

 

To disable debug output:

 

diag debug disable

 

  2. To check for a network connectivity issue, run a packet capture from the GUI or CLI to verify the connection. From the GUI, go to System Settings -> Network -> Packet Capture. From the CLI, run the sniffer command below:

diagnose sniffer packet any "host <server_ip> and port <ldap_port>" 4 0 l