Fortinet Forum
jfgagnon
New Contributor II

LDAP Lab - Error ldap_-5

Hi!

 

I'm working on a lab with a Windows 2012R2 and a Fortigate VM64-KVM (trial version) running version 6 (tried 5.6 as well).

When adding the LDAP server to the Fortigate, I always get error LDAP_-5 in red. And I can't get to query against it.

 

When I debug, I can authenticate against it:

FortiGate-VM64-KVM # diagnose test authserver ldap "LDAP DC-01" user1 testpassword
authenticate 'user1' against 'LDAP DC-01' succeeded!
Group membership(s) - CN=Domain Admins,CN=Users,DC=fgtad,DC=local
                      CN=Domain Users,CN=Users,DC=fgtad,DC=local

 

Config:

 

config user ldap
    edit "LDAP DC-01"
        set server "10.10.10.11"
        set cnid "cn"
        set dn "dc=fgtad,dc=local"
        set type regular
        set username "LDAPconnect"
        set password ENC ceUtrzALEk7sWZhJjrw1JElXiACZiRxwHScw9Spf2i2Fmr/FGSis8dpC0JyAuuAya/kZ91ECVenukLlLy8xfFyfJZ6hGqheLG5PCIhjVF8aLQxaeWlb8XnPJvR/ZBSIArzHDq+bD34X9fuUO0oraXOJbhOZfshPzCpZzvgJT04fVKhvWtZ3A56yCmgS2VjSVmMh45g==
    next
end

 

Any ideas?

 

Thanks!

 

1 Solution
emnoc
Esteemed Contributor III

A Linux or Windows host :)

 

e.g.

 

curl.exe  -k -v -u  "kfelix@example.com"  "ldaps://1.1.1.1:636/DC=example,DC=com?cn,objectClass?sub?"

 

Place your credentials and make sure it passes; make sure a list of DNs is given.

PCNSE 

NSE 

StrongSwan  


13 REPLIES
Alivo__FTNT

Hello,

It should be fixed in release 6.0.5.

 

livo

Harmonikas

Hi,

 

Thanks for the update, but that only fixed the LDAP(S) issue, not the basic LDAP configuration issue from the GUI that we all mentioned before. This is annoying.

Aron1

6.2.1 on a 60E. New location for a client. Having above issue.

 

diag test authserver ldap ****** username password works on the CLI.

 

Test Credentials gets the ldap_-5

Ignotum per ignotius...

randomcatperson

HOW TO FIX:

This looks to be a bug that hits various versions of FortiOS at various times. We found that it was only hitting FortiGates that had reasonably high latency between the FortiGate & the LDAP Server. The fix for us was to change the 'remoteauthtimeout' value under 'config system global'. The default is 5 seconds. We changed ours to 30. After that, the process of checking status & 'test user credentials' takes a LONG time in the GUI, but works & we get green ticks all the way now.

As a side note, this seems to only impact the GUI. If you run a test from the CLI, it works almost instantly. Before resolving the issue in the GUI with the timeout change, we configured the LDAP server, user group, etc. via the CLI. LDAP authentication worked without issue. We used it for VPN & Administrator authentication successfully - all prior to making the change to remoteauthtimeout. The remoteauthtimeout change resolved the GUI issue only.

config system global
    set remoteauthtimeout 30
end

 

EDIT:

Forgot to mention the devices in question were running 6.2.4 at the time.

Also forgot to mention that changing the password & re-configuring the LDAP Server in the FortiGate made no difference. It was only the timeout value change that fixed the GUI problem for us.

 

HTH
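Two things come up in this thread: emnoc's advice to test the bind from an ordinary Linux or Windows host before blaming the FortiGate, and randomcatperson's finding that the GUI's ldap_-5 is really the remoteauthtimeout (default 5 s) expiring on a slow link. The Python probe below is an added example, not Fortinet code and not code from any poster here. It performs the same LDAPv3 simple bind the FortiGate does, with an explicit socket timeout standing in for remoteauthtimeout, so the verdict separates a slow server ("timeout") from a rejected bind ("bind-failed: invalidCredentials"). The BER encoding is hand-rolled for a simple bind only (no SASL, no StartTLS, no referrals); the server-side builder exists so the parser can be exercised offline. The host, port and bind DN in the usage block are taken from the original post and the password is a placeholder; build_bind_response and probe_bind are names chosen for this example.

```python
import socket
from typing import Tuple

# Added example for this thread (not Fortinet code, not any poster's code).
# Performs an LDAPv3 simple bind, the operation behind "diagnose test authserver
# ldap" and the GUI "Test User Credentials", with a socket timeout that stands in
# for the FortiGate's remoteauthtimeout (default 5 s). Simple bind only: no
# SASL, no StartTLS, no referrals.

LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject",
                     49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    if start + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[start:start + length], start + length


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("message_id must fit in one byte for this minimal encoder")
    bind_request = (
        _tlv(0x02, bytes([3]))            # version INTEGER 3
        + _tlv(0x04, bind_dn.encode())    # name: LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())   # authentication: simple [0] IMPLICIT
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind_request))


def build_bind_response(message_id: int, result_code: int, diag: str = "") -> bytes:
    """Server side of the exchange: BindResponse [APPLICATION 1] carrying an LDAPResult."""
    ldap_result = (
        _tlv(0x0A, bytes([result_code]))  # resultCode ENUMERATED
        + _tlv(0x04, b"")                 # matchedDN (empty)
        + _tlv(0x04, diag.encode())       # diagnosticMessage
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, ldap_result))


def parse_bind_result(buf: bytes) -> Tuple[int, str]:
    """Pull (resultCode, diagnosticMessage) out of a BindResponse."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, result, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(result, 0)        # resultCode
    _, _matched, pos = _read_tlv(result, pos)  # matchedDN
    _, diag, _ = _read_tlv(result, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", errors="replace")


def probe_bind(host: str, port: int, bind_dn: str, password: str,
               timeout_s: float = 5.0) -> str:
    """One simple bind; returns 'success', 'bind-failed: <name>', 'timeout' or 'unreachable'.
    'timeout' at the FortiGate's remoteauthtimeout value is the symptom in this thread;
    'bind-failed' means the server answered and the DN/password is the problem instead.
    Plain LDAP carries the password in clear, so point this at a lab host or use LDAPS (636)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s) as sock:
            sock.settimeout(timeout_s)
            sock.sendall(build_simple_bind(1, bind_dn, password))
            data = sock.recv(4096)  # a BindResponse is small; one read suffices
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    if not data:
        return "unreachable"
    code, _diag = parse_bind_result(data)
    if code == 0:
        return "success"
    return "bind-failed: " + LDAP_RESULT_NAMES.get(code, f"resultCode {code}")


if __name__ == "__main__":
    # Server, bind account and base DN from the original post; password is a placeholder.
    print(probe_bind("10.10.10.11", 389,
                     "cn=LDAPconnect,cn=Users,dc=fgtad,dc=local",
                     "<bind-password>", timeout_s=5.0))
```

Run it twice with timeout_s=5.0 and timeout_s=30.0 from a host on the same segment as the FortiGate: if the 5 s run reports "timeout" and the 30 s run reports "success", the round trip to the directory server exceeds the default remoteauthtimeout and raising it (or fixing the latency) is the right lever; if both report "bind-failed: invalidCredentials", the problem is the bind DN or password, not the timeout.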