Saif_Momin
Staff
Article Id 287232
Description
This article provides some common troubleshooting scenarios for LDAP authentication on FortiManager/FortiAnalyzer.

Scope
FortiManager/FortiAnalyzer 6.X and 7.X.

Solution

Debug commands for LDAP authentication:

diagnose debug application auth 255
diagnose debug timestamp enable
diagnose debug enable

Scenario 1: Invalid Password.

[Screenshot: Scenario1.png, debug output]

  • The above debug shows an authentication request was sent with username 'ldapuser1' from GUI '172.31.200.1'.
  • The result returned by the LDAP server states 'Invalid credentials (49)'.

Solution:

  • Confirm the password used for authentication.
  • Reset the password for the user on the LDAP server if required.


Scenario 2: User does not exist in FortiManager/FortiAnalyzer.

[Screenshot: Scenario2.png, debug output]

  • The above debug shows an authentication request was sent with username 'ldapuser10' from GUI '172.31.200.1'.
  • FortiManager/FortiAnalyzer responds with 'unknown admin: ldapuser10', which means it could not find an administrator named 'ldapuser10'; for this reason the authentication was denied.

Solution:

  • Create an Administrator on FortiManager/FortiAnalyzer under System Settings -> Admin -> Administrators.


Scenario 3: User does not exist on the LDAP Server.

[Screenshot: Scenario3.png, debug output]

  • The above debug shows the admin user 'ldapuser2' was found on FortiManager/FortiAnalyzer.
  • Later the debug shows 'no user matched' on LDAP.
  • This means the user was not found on the LDAP server.

Solution:

  • Verify the LDAP user is created on the LDAP server.


Scenario 4: Distinguished Name for LDAP Server incorrectly configured on FortiManager/FortiAnalyzer.

[Screenshot: Scenario4.png, debug output]

  • The above debug shows that searching for users with the configured Distinguished Name or Common Name Identifier fails.

Solution:

  • Verify the Distinguished Name and Common Name Identifier configured for the LDAP Server on FortiManager/FortiAnalyzer are correct.
  • Use the 'Query' button next to the Distinguished Name field to verify the LDAP Browser shows User Details for the LDAP Server.

Scenario 5: Invalid Credentials for LDAP Binding Admin.

[Screenshot: Scenario5.png, debug output]

  • The above debug shows that the LDAP connection is denied due to incorrect credentials configured for the User DN and/or Password of the LDAP Server.

Solution:

  • Verify the User DN and Password configured under LDAP Server on FortiManager/FortiAnalyzer.
  • If the LDAP Server cannot be contacted, it is also possible to use the fallback password for the admin, which was initially configured during the admin creation process.

Scenario 6: FortiManager/FortiAnalyzer cannot contact the LDAP Server.

[Screenshot: Scenario6.png, debug output]

  • The debug shows 'bind failed: Can't contact LDAP Server'. This means FortiManager/FortiAnalyzer cannot connect to the LDAP server, which could be due to an incorrect Server Name/IP or Port.
  • If the LDAP Server cannot be contacted, it is also possible to use the fallback password for the admin, which was initially configured during the admin creation process.

Solution:

  • Verify the configured Server Name/IP and Port.
  • Use the 'Query' button next to the Distinguished Name field to verify the LDAP Browser shows User Details for the LDAP Server.
  • It is possible that the Server Name and Port are correctly configured and the LDAP connection still fails. In this case, run a packet capture to troubleshoot the connectivity between FortiManager/FortiAnalyzer and the LDAP Server.
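As an added example (not from the article or from Fortinet), the following Python helper maps the message fragments quoted in the six scenarios above to the matching remediation, so a captured 'diagnose debug application auth 255' session can be triaged quickly. The sample debug lines are constructed, the 'user matched' marker is a placeholder for whatever the real debug prints when the LDAP search finds the user, and the rule separating Scenario 1 from Scenario 5 (a result 49 before any user search = binding admin, after the user was matched = user password) is an assumption about the login flow, not documented output.

```python
import re

# Remediation per article scenario (Scenario 4 has no quoted message, so it is the fallback).
ADVICE = {
    1: "Confirm the user's password; reset it on the LDAP server if required.",
    2: "Create the administrator under System Settings -> Admin -> Administrators.",
    3: "Verify the user exists on the LDAP server.",
    4: "Verify the Distinguished Name and Common Name Identifier; use the Query button.",
    5: "Verify the User DN and Password configured for the LDAP server.",
    6: "Verify Server Name/IP and Port; run a packet capture if they look correct.",
}
CODE_RE = re.compile(r"\((\d+)\)")  # LDAP result code as printed, e.g. 'Invalid credentials (49)'


def triage(lines):
    """Return (scenario, advice) for one login attempt's debug lines; scenario is None if unclassified."""
    user_matched = False
    for line in lines:
        if "unknown admin:" in line:  # Scenario 2: no such local administrator
            return 2, ADVICE[2]
        if "Can't contact LDAP Server" in line:  # Scenario 6: connectivity
            return 6, ADVICE[6]
        if "no user matched" in line:  # Scenario 3: user missing on the LDAP server
            return 3, ADVICE[3]
        if "user matched" in line:  # constructed marker: search found the user (assumption)
            user_matched = True
        m = CODE_RE.search(line)
        if m and m.group(1) == "49":  # invalidCredentials: whose credentials depends on the stage
            return (1, ADVICE[1]) if user_matched else (5, ADVICE[5])
    return None, "No quoted signature matched; if the search step fails, see Scenario 4: " + ADVICE[4]


# Constructed sample sessions, one per failure mode; not real appliance output.
SAMPLES = {
    "bad_password": ["auth request user=ldapuser1 src=172.31.200.1",
                     "ldap: user matched",
                     "ldap: bind result Invalid credentials (49)"],
    "bad_bind_admin": ["auth request user=ldapuser1 src=172.31.200.1",
                       "ldap: bind result Invalid credentials (49)"],
    "no_local_admin": ["unknown admin: ldapuser10"],
    "unreachable": ["ldap: bind failed: Can't contact LDAP Server"],
    "no_ldap_user": ["auth request user=ldapuser2 src=172.31.200.1", "ldap: no user matched"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        scenario, advice = triage(lines)
        print(f"{name}: Scenario {scenario} -> {advice}")
```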