FortiManager
Saif_Momin
Staff
Article Id 287232
Description: This article lists common failure scenarios for LDAP authentication of FortiManager/FortiAnalyzer administrators and shows how to recognize each one in the authentication debug output.
Scope: FortiManager/FortiAnalyzer v6.x and v7.x.
Solution

Debug Commands for LDAP Authentication:

diagnose debug application authentication 255    <----- Or 8 for a less verbose trace; 255 enables all authentication debug messages.
diagnose debug console timestamp enable
diagnose debug enable

Run the commands, reproduce the failing login, and read the trace. Stop the debug with 'diagnose debug disable' once the output has been captured; the trace records the admin name and source IP of every attempt, so do not leave it running longer than needed.

Scenario 1: Invalid Password.

[Screenshot: Scenario1.png, authentication debug output]

  • The debug output shows an authentication request with username 'ldapuser1' from the GUI at '172.31.200.1'.
  • The LDAP server rejects the bind with 'Invalid credentials (49)'. 49 is the LDAP result code invalidCredentials: the user entry was found, but the password presented for it was not accepted.

Solution:

  • Confirm the password used for authentication.
  • Reset the password for the user on the LDAP server if required.
  • Note that Active Directory returns result 49 for a locked-out, disabled or expired account as well as for a wrong password, so check the account state on the domain controller before concluding that the password is the problem.

Scenario 2: User does not exist in FortiManager/FortiAnalyzer.

[Screenshot: Scenario2.png, authentication debug output]

  • The debug shows an authentication request with username 'ldapuser10' from the GUI at '172.31.200.1'.
  • FortiManager/FortiAnalyzer answers 'unknown admin: ldapuser10': no administrator with that name exists locally, so the request is denied before the LDAP server is contacted at all.

Solution:

Create an administrator on FortiManager/FortiAnalyzer under System Settings -> Admin -> Administrators, with the same user name as on the LDAP server and the Admin Type set to LDAP against the configured LDAP server. An LDAP user is only accepted as an administrator if a matching local admin object (or a wildcard admin for that LDAP server) exists.

Scenario 3: The user does not exist on the LDAP Server.

[Screenshot: Scenario3.png, authentication debug output]

  • The debug shows that admin user 'ldapuser2' was found on FortiManager/FortiAnalyzer.
  • The LDAP search that follows returns 'no user matched'.
  • This means that no entry whose Common Name Identifier attribute equals 'ldapuser2' was found under the configured Distinguished Name on the LDAP server.

Solution: Verify that the user exists on the LDAP server under the configured Distinguished Name, and that its login name is stored in the attribute configured as the Common Name Identifier.

Scenario 4: Distinguished Name for LDAP Server is incorrectly configured on FortiManager/FortiAnalyzer.

[Screenshot: Scenario4.png, authentication debug output]

The debug shows that the search for the user under the configured Distinguished Name (the search base) with the configured Common Name Identifier fails. The same symptom appears when the Common Name Identifier is the wrong attribute for the directory, for example 'cn' configured while Active Directory users log in with 'sAMAccountName'.

Solution:

  • Verify that the Distinguished Name and Common Name Identifier configured for the LDAP Server on FortiManager/FortiAnalyzer are correct.
  • Use the 'Query' button next to the Distinguished Name field to verify that the LDAP Browser shows user details for the LDAP Server; an empty browser means the Distinguished Name or the bind account is wrong.

Scenario 5: Invalid Credentials for LDAP Binding Admin.

[Screenshot: Scenario5.png, authentication debug output]

The debug shows that the LDAP bind is refused because the User DN and/or Password configured for the LDAP Server (the account FortiManager/FortiAnalyzer itself uses to search the directory) is wrong. This failure occurs before the user is searched, which distinguishes it from Scenario 1, where the user's own password is rejected.

Solutions:

  • Verify the User DN and Password configured under the LDAP Server on FortiManager/FortiAnalyzer. Use a dedicated account with read-only directory access for this purpose, since its credentials are stored on the appliance.
  • Until the bind credentials are fixed, the admin can still log in with the fallback password that was configured when the admin was created, as in any other case where the LDAP Server cannot be used.

Scenario 6: FortiManager/FortiAnalyzer cannot contact the LDAP Server.

[Screenshot: Scenario6.png, authentication debug output]

  • The debug shows 'bind failed: Can't contact LDAP Server'. FortiManager/FortiAnalyzer could not open a connection to the LDAP server at all, which can be caused by an incorrect Server Name/IP or Port, a server name that does not resolve, or a firewall or route in between. A port that does not match the connection type (389 for plain LDAP, 636 for LDAPS) produces the same error.
  • If the LDAP Server cannot be contacted, it is still possible to use the fallback password for the admin, which was initially configured during the admin creation process.

Solution:

  • Verify the configured Server Name/IP and Port.
  • Use the 'Query' button next to the Distinguished Name field to verify that the LDAP Browser shows user details for the LDAP Server.
  • It is possible that the Server Name and Port are correctly configured and the LDAP connection still fails. In this case, run a packet capture on the FortiManager/FortiAnalyzer (or on the LDAP server) to see whether the TCP connection is attempted, refused or left unanswered, and fix the path between the two.
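The debug phrases quoted in Scenarios 1, 2, 3, 5 and 6 are enough to sort a trace mechanically. The following Python helper is an added example and is not Fortinet code: it matches only the phrases this article quotes, returns the scenario number and the matching remediation, and, when the 49 result carries an Active Directory 'data <hex>' diagnostic, decodes that subcode so a locked or expired account is not mistaken for a wrong password. The prefixes and layout of the sample excerpts, and the assumption that the AD diagnostic text is echoed on the same debug line, are constructed and not the real output format; Scenarios 4 and 7 are not keyed because the article does not quote their debug text.

```python
"""Triage helper for FortiManager/FortiAnalyzer LDAP admin-login debug output.

Added example, not Fortinet code. It keys only on the phrases this article
quotes from 'diagnose debug application authentication' output; everything
else in the sample excerpts below (prefixes, field layout, the Active
Directory diagnostic text appended to the 49 result) is constructed and is
an assumption about the real format.
"""
import re
from typing import Dict, List, Optional

# Active Directory answers every failed simple bind with LDAP result 49
# (invalidCredentials) and puts the real cause in the diagnostic message as
# "... AcceptSecurityContext error, data <hex>, ...". These are the documented
# Windows logon status values that appear in that field.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "wrong password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}
_AD_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")

# (scenario number in this article, phrase the article quotes, what to do).
# A login walks local admin lookup -> connect -> bind DN bind -> user search
# -> user bind, and the first failure in the trace is the one to fix.
RULES = [
    (2, "unknown admin:",
     "no admin of that name on FortiManager/FortiAnalyzer: create it under "
     "System Settings -> Admin -> Administrators"),
    (6, "Can't contact LDAP Server",
     "connection failed: check Server Name/IP and port, then packet-capture; "
     "the admin's fallback password still works meanwhile"),
    (3, "no user matched",
     "search under the configured Distinguished Name found nothing: check the "
     "user exists and that DN and Common Name Identifier are right"),
    (1, "Invalid credentials (49)",
     "a bind was rejected: the user's password (Scenario 1), or the bind "
     "User DN/Password if it happens before the user search (Scenario 5)"),
]


def decode_ad_subcode(diagnostic_message: str) -> Optional[str]:
    """Map the 'data <hex>' field of an AD bind failure to its meaning."""
    m = _AD_DATA_RE.search(diagnostic_message)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, "unrecognised AD subcode " + code)


def triage(debug_lines: List[str]) -> Dict[str, object]:
    """Return the first recognised failure as {'scenario', 'line', 'action'};
    scenario 0 means none of the quoted phrases occurs in the trace."""
    for line in debug_lines:
        for scenario, phrase, action in RULES:
            if phrase in line:
                if scenario == 1:
                    # AD refines result 49: 52e on the user bind is a plain
                    # wrong password, 775/533 mean a reset will not help.
                    reason = decode_ad_subcode(line)
                    if reason:
                        action = "result 49 from Active Directory: " + reason
                return {"scenario": scenario, "line": line.strip(), "action": action}
    return {"scenario": 0, "line": "", "action": "no quoted failure phrase found; read the full trace"}


# Constructed excerpts: only the quoted phrases are from the article.
SAMPLE_INVALID_PASSWORD = [
    "auth: login request user=ldapuser1 from GUI 172.31.200.1",
    "auth: user bind result: Invalid credentials (49) "
    "[AcceptSecurityContext error, data 52e]",
]
SAMPLE_UNKNOWN_ADMIN = [
    "auth: login request user=ldapuser10 from GUI 172.31.200.1",
    "auth: unknown admin: ldapuser10",
]
SAMPLE_NO_CONNECT = [
    "auth: login request user=ldapuser2 from GUI 172.31.200.1",
    "auth: bind failed: Can't contact LDAP Server",
]
SAMPLE_NO_USER = [
    "auth: admin ldapuser2 found, searching LDAP",
    "auth: no user matched",
]

if __name__ == "__main__":
    for name, excerpt in (("wrong password", SAMPLE_INVALID_PASSWORD),
                          ("unknown admin", SAMPLE_UNKNOWN_ADMIN),
                          ("no connect", SAMPLE_NO_CONNECT),
                          ("no user", SAMPLE_NO_USER)):
        r = triage(excerpt)
        print(f"{name:15s} -> Scenario {r['scenario']}: {r['action']}")
```

Paste the captured trace into a list of lines and call triage() on it; because the rules fire on the first matching line, an 'unknown admin' or 'Can't contact LDAP Server' result is reported before any later noise, which is the order in which the fixes should be applied.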

 

Scenario 7: No CA certificate found on FortiAnalyzer (LDAPS).

[Screenshot: Screenshot 2025-08-03 094303.png, authentication debug output]

The debug output shows LDAP over port 636 (LDAPS): the server is reached and the user is found, but the CA field in the trace is empty, so FortiAnalyzer has no CA certificate with which to validate the LDAP server's certificate and the login fails.

Solutions:

  • Verify that the CA certificate that issued the LDAP server's certificate (and any intermediate CA in its chain) has been uploaded to FortiAnalyzer under System Settings -> Certificates -> CA Certificates.
  • If the CA has been uploaded, select the correct certificate in the LDAP server configuration under the remote authentication section.

[Screenshot: Screenshot 2025-08-03 095807.png]

 

Related articles:

Technical Tip: Configuring LDAPS on FortiManager and FortiAnalyzer

Technical Tip: Configuring LDAP system administrators in FortiManager for FortiGate