Observations:
- When attempting login from the FortiSwitch GUI or CLI (SSH), no debug output is seen in fnbamd, and the FortiSwitch does not initiate any packets. However, the login failures are recorded in the FortiSwitch event log (execute log display).
Example log entry:
log_id=0202022001 tz=-0800 type=event subtype=system pri=alert vd=root sn=0 user="TEST-USER" ui=https(12.12.0.50) method=https srcip=12.12.0.50 dstip=10.10.10.1 action=login status=failed reason=name_invalid msg="Administrator TEST-USER login failed from https(12.12.0.50) because of invalid user name"
- Testing LDAP credentials using the following command shows successful results:
diagnose test authserver ldap <server_name> <user_name> <password>
Debug output confirms authentication success:
FortiSwitch # diagnose debug application fnbamd -1
FortiSwitch # diagnose debug en
fnbamd_ldap.c[1808] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[1922] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[3308] fnbamd_auth_poll_ldap-Result for ldap svr 100.100.100.15 is SUCCESS
fnbamd_auth.c[3332] fnbamd_auth_poll_ldap-Skipping group matching
fnbamd_comm.c[211] fnbamd_comm_send_result-Sending result FNBAM_SUCCESS for req 133005617 fifo_name /dev/fnbamd_fifo_1531_1 len 402 class 0:0 filter 0:0
Example for FortiSwitch LDAP server configuration:
config user ldap
    edit "SERVER1"
        set server "100.100.100.15"
        set cnid "SAMAccountName"
        set dn "cn=users,dc=ot,dc=captive,dc=ce"
        set type regular
        set username "ot\\TEST-USER"
        set password ENC
    next
end
config user group
    edit "TEST-USERSERV-Read&Write"
        set member "SERVER1"
        config match
            edit 1
                set server-name "SERVER1"
                set group-name "Engineer"
            next
        end
    next
    edit "TEST-USERSERV-ReadOnly"
        set member "SERVER1"
        config match
            edit 1
                set server-name "SERVER1"
                set group-name "Operator"
            next
        end
    next
    edit "radius-admin"
        set member "RADIUS"
    next
    edit "TEST-USERSERV-Administrator"
        set member "SERVER1"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2
    next
    edit "TEST-LDAP-Engineer"
        set remote-auth enable
        set accprofile "Read&Write"
        set remote-group "TEST-USERSERV-Read&Write"
        set password ENC SH2
    next
    edit "TEST-LDAP-Operator"
        set remote-auth enable
        set accprofile "ReadOnly"
        set remote-group "TEST-USERSERV-ReadOnly"
        set password ENC SH2/
    next
    edit "TEST-LDAP-Admin"
        set remote-auth enable
        set accprofile "super_admin"
        set remote-group "TEST-USERSERV-Administrator"
        set password ENC SH2
    next
end
Resolution:
Enable the wildcard option under system admin for LDAP-based administrator entries:
config system admin
    edit "TEST-LDAP-Engineer"
        set wildcard enable
    next
    edit "TEST-LDAP-Operator"
        set wildcard enable
    next
    edit "TEST-LDAP-Admin"
        set wildcard enable
    next
end
Explanation:
- Without the wildcard setting, FortiSwitch treats entries such as TEST-LDAP-Engineer as specific administrator accounts: only a login using that exact name is forwarded to the LDAP server for password verification.
- If a user attempts login as TEST-USER, FortiSwitch finds no matching non-wildcard account (admin, TEST-LDAP-Engineer, TEST-LDAP-Operator, or TEST-LDAP-Admin), so no authentication is performed and the login is rejected with reason=name_invalid.
- Enabling the wildcard option allows any LDAP user whose group membership matches the configured remote group to authenticate successfully.
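To find this condition across a batch of exported FortiSwitch event logs, the following added Python example (not part of the article) parses key=value event lines like the one in the Observations and separates logins rejected with reason=name_invalid, which point at a missing wildcard entry or remote group, from other failed logins. The sample lines other than the article's own entry are constructed, and their field values (pri, msg) are invented for illustration.

```python
import re
from collections import Counter

# Tokeniser for the FortiSwitch key=value event format: a value is either
# double-quoted (may contain spaces) or a bare run of non-blank characters,
# e.g. ui=https(12.12.0.50) or tz=-0800.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of one FortiSwitch event log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def failed_logins(lines):
    """Yield (user, srcip, reason) for each administrator login that failed."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "login" and ev.get("status") == "failed":
            yield ev.get("user", "?"), ev.get("srcip", "?"), ev.get("reason", "?")


def summarize(lines):
    """Count failures per (user, srcip, reason) so a burst of name_invalid from
    one operator is distinguishable from other failure reasons."""
    return Counter(failed_logins(lines))


def users_rejected_as_unknown(lines):
    """Users rejected with reason=name_invalid: FortiSwitch found no admin entry
    (wildcard or exact) to match them against, as described in the Explanation."""
    return sorted({u for u, _, r in failed_logins(lines) if r == "name_invalid"})


# Constructed sample: the article's entry, then two invented lines for contrast.
SAMPLE_LOG = [
    'log_id=0202022001 tz=-0800 type=event subtype=system pri=alert vd=root sn=0 '
    'user="TEST-USER" ui=https(12.12.0.50) method=https srcip=12.12.0.50 '
    'dstip=10.10.10.1 action=login status=failed reason=name_invalid '
    'msg="Administrator TEST-USER login failed from https(12.12.0.50) because of invalid user name"',
    # constructed: the same user retrying over SSH (hypothetical values)
    'tz=-0800 type=event subtype=system pri=alert vd=root sn=0 user="TEST-USER" '
    'ui=ssh(12.12.0.50) method=ssh srcip=12.12.0.50 dstip=10.10.10.1 '
    'action=login status=failed reason=name_invalid msg="constructed sample"',
    # constructed: the local admin logging in normally (hypothetical values)
    'tz=-0800 type=event subtype=system pri=notice vd=root sn=0 user="admin" '
    'ui=https(12.12.0.50) method=https srcip=12.12.0.50 dstip=10.10.10.1 '
    'action=login status=success msg="constructed sample"',
]

if __name__ == "__main__":
    for (user, srcip, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n} failed login(s) for {user} from {srcip}: {reason}")
    print("no matching admin entry:", users_rejected_as_unknown(SAMPLE_LOG))
```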