Created on 04-16-2023 11:08 PM Edited on 04-17-2023 01:48 AM By Jean-Philippe_P
Description
This article describes how to configure LDAP over a secure connection (LDAPS) on FortiManager/FortiAnalyzer.

Scope
- FortiManager/FortiAnalyzer.
- Windows Active Directory (AD) is used as the LDAP server and Certificate Authority (CA).

Solution
Note: the 'Server Name/IP' attribute in the LDAP settings must match the CN field of the LDAP server certificate.
Configuring Windows AD:
1) Open Server Manager -> Manage -> Add Roles and Features.
2) In the Add Roles and Features Wizard, select 'Next' on the 'Before You Begin', Installation Type and Server Selection pages to accept the default values.
3) In Server Roles, select Active Directory Certificate Services and select Add Features.
4) Select Next through the remaining pages without changing any other settings.
5) In AD CS -> Role Services, select Certification Authority and select Next.
6) On the Confirmation page, verify the roles and services that will be installed. Once verified, select Install.
7) Once the installation is complete, select Configure Active Directory Certificate Services on the destination server.
8) In the AD CS Configuration wizard, verify the credentials and select Next.
9) In Role Services, select Certification Authority and select Next.
10) On the Setup Type page, select Enterprise CA and select Next.
11) On the CA Type page, select Root CA and select Next.
12) On the Private Key page, select Create a new private key and select Next.
13) On the Cryptography page, keep the default values and select Next.
14) On the CA Name page, set the common name (CN) to the same value as the computer name/hostname.
15) Select Next on the Validity Period and Certificate Database pages.
16) On the Confirmation page, verify the details and select Configure. Once done, close the wizard.
Export CA Certificate:
1) Press Windows+R to open Run, type certlm.msc, and select OK.
2) This launches the Local Computer certificates console. The root certificate generated earlier appears under Personal -> Certificates.
3) Right-click the root certificate -> All Tasks -> Export.
4) In the Certificate Export Wizard, select Next.
5) Select 'No, do not export the private key' and select Next.
6) Select the DER format and select Next.
7) Browse to the export location, enter the filename, and select Next.
8) Once done, select Finish to close the wizard.
Configuring LDAPS in FortiManager/FortiAnalyzer:
1) Navigate to System Settings -> Certificates -> CA Certificates -> Import.
2) Import the CA certificate that was exported earlier and select OK.
3) Navigate to System Settings -> Admin -> Remote Authentication Server -> Create New -> LDAP Server.
4) Enter the details of the LDAP server:
- Enter the FQDN of the server in the Server Name/IP field. Make sure FortiManager/FortiAnalyzer DNS is able to resolve the FQDN.
- Select Secure Connection, Protocol: LDAPS, and choose the correct CA certificate.
5) Once done, select Query and verify that the LDAP directory can be queried correctly.
6) Close the LDAP Browser and select OK to save the LDAP settings.
Test Scenario:
1) Go to the FortiManager/FortiAnalyzer GUI and log in with an LDAP user.

Troubleshooting guide:
Generally, three areas can cause LDAP issues:
- LDAP server configuration.
- FortiManager/FortiAnalyzer LDAP settings.
- Network connectivity.
1) Check the LDAP debug output for any error message. Enable debugging on FortiManager/FortiAnalyzer:
# diagnose debug application auth 8
# diagnose debug timestamp enable
# diagnose debug enable
Once debugging is enabled, log in with the LDAP user and review the debug output.
Sample output:
Wira-kvm13 # diag debug application auth 8
Wira-kvm13 # di de timestamp en
Wira-kvm13 # di de en
Wira-kvm13 #
2023-04-16 22:23:10
2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:23:10 s2802: wildcard admin: ldap-user
2023-04-16 22:23:10 s2802: start ldap: ldap-server
2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin
2023-04-16 22:23:10 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-16 22:23:10 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:11 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:11 s2802:ldap-server: success
2023-04-16 22:23:11 s2802: wildcard admin matched: ldap-user
2023-04-16 22:23:11 s2802: auth result: success
To disable debug output:
# diag debug disable
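As an added example (not part of the original article), the following Python script parses 'diagnose debug application auth 8' output of the shape shown above, pairs each LDAP step (admin bind, user search, user bind) with its 'got result' line, and points to which of the three trouble areas to check first; the failing session s2803 and its error wording are constructed for illustration.

```python
import re
# Constructed sample: s2802 excerpted from this article's debug output, plus a failing
# s2803 constructed here (failure text assumed to follow the same 'message(code)' pattern).
SAMPLE_LOG = """\
2023-04-16 22:23:10 s2802: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-16 22:23:10 s2802:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:23:10 s2802:ldap-server: binding admin: tadmin
2023-04-16 22:23:10 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-16 22:23:10 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:10 s2802:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-16 22:23:11 s2802:ldap-server: got result: Success(0)
2023-04-16 22:23:11 s2802: auth result: success
2023-04-16 22:30:02 s2803: auth request: user=bob from=GUI(10.x.x.x)
2023-04-16 22:30:02 s2803:ldap-server: url: ldaps://labtest.fortilab.com:636
2023-04-16 22:30:02 s2803:ldap-server: binding admin: tadmin
2023-04-16 22:30:02 s2803:ldap-server: got result: Can't contact LDAP server(-1)
2023-04-16 22:30:02 s2803: auth result: failed
"""
LINE_RE = re.compile(r"^\S+ \S+ (?P<sess>s\d+):(?:[\w-]+:)? ?(?P<msg>.*)$")  # <date> <time> <sess>:[<src>:] <msg>

def summarize(log):
    """Group debug lines by auth session and pair each LDAP step with its 'got result'."""
    sessions, pending = {}, {}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        sess, msg = m["sess"], m["msg"]
        s = sessions.setdefault(sess, {"user": None, "url": None, "ldap": [], "result": "incomplete"})
        if msg.startswith("auth request:"):
            s["user"] = re.search(r"user=(\S+)", msg).group(1)
        elif msg.startswith("url:"):
            s["url"] = msg.split(None, 1)[1]
        elif msg.startswith(("binding ", "searching ")):
            pending[sess] = msg.split(":", 1)[0]          # step awaiting its result line
        elif msg.startswith("got result:"):
            s["ldap"].append((pending.get(sess), msg.split(":", 1)[1].strip()))
        elif msg.startswith("auth result:"):
            s["result"] = msg.split(":", 1)[1].strip()
    return sessions
HINTS = {  # first failing step -> which of the article's three trouble areas to check
    "binding admin": "connectivity/TLS (CA cert, Server Name matching the cert CN) or bind DN/password",
    "searching users": "Distinguished Name and filter in the LDAP server settings",
    "binding user": "the user's AD account or password",
}
def diagnose(s):
    if s["url"] and not s["url"].startswith("ldaps://"):
        return "plain LDAP in use: enable Secure Connection with Protocol LDAPS"
    for step, result in s["ldap"]:
        if result != "Success(0)":
            return "%s failed (%s): check %s" % (step, result, HINTS.get(step, "server logs"))
    return "LDAP flow OK, auth result: %s" % s["result"]
```

Feed it the captured debug output and it reports, per session, the first LDAP step that did not return Success(0).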
2) To check for network connectivity issues, run a packet capture from the GUI or CLI to verify the connection. From the GUI, go to System Settings -> Network -> Packet Capture. From the CLI, run the sniffer command below:
# diagnose sniffer packet any "host <server_ip> and port <ldap_port>" 4 0 l