Support Forum
Gunnerman
New Contributor

Resolving LDAPS Server Name on Fortigate

Hello,

 

We have an LDAP connection to our DC set up on our Fortigate 60E (v6.2.2 build1010). We connect to the domain controller over a S2S VPN. Insecure connections on port 389 connect just fine. However, when I attempt to turn on LDAPS and issue the command:

diagnose test authserver ldap SDC_LDAP <username> <password>
I get
authenticate '<username>' against 'SDC_LDAP' failed!

I have imported a CA cert into the Fortigate that is in the trusted CA store of the DC (SDC_LDAP) as well.

 

After a bit of troubleshooting, I believe I cannot connect via LDAPS because the Fortigate does not resolve the FQDN of the LDAP server IP, thus causing a cert validation failure. Entering the FQDN of the DC into the server field does not work because the Fortigate does not resolve the name to an IP address (a DNS resolution failure).

 

Using the Ldp utility from my desktop I get a similar result: I can connect via LDAPS just fine if and only if I use the DC hostname/FQDN. (The LDAPS Cookbook guide uses an IP address just fine. I am not using AD CS; I generated the root key pair via OpenSSL on a different box, so I am kind of curious what might be different here. Adding the IP to the cert seems a little janky to me.)

 

How do I best go about getting the Fortigate to resolve the name? I have changed the Fortigate's network DNS to use our DNS to no avail. Any help would be appreciated. 

 

Thanks.

1 Solution
Alivo__FTNT
Staff
Staff

Hello,

In the fnbamd -1 debug you probably see a line similar to this:

 

failed: ssl_connect() failed: 5 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).

 

The issue is likely that the SubjectAltName of the certificate does not contain the IP address you are connecting to.

That is the IP or FQDN which you use in config user ldap > set server ....

 

Fix (workaround):

If you edit ldap in FortiGate:

 

config user ldap
    edit <your ldap>
        set server-identity-check disable
    end

 

The check will be disabled and LDAPS will work. Authentication will not be affected at all.

By default in 6.2, when you select a certificate for LDAPS, the option "set server-identity-check" is enabled.

Best Regards,

Alivo

5 REPLIES 5

Gunnerman

Hi, and thanks for the reply.

The issue is likely that the SubjectAltName of the certificate does not contain the IP address you are connecting to.

That is the IP or FQDN which you use in config user ldap > set server ....

Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the IP in the cert); however, I am having a hard time getting the Fortigate to resolve the FQDN. I have set up the Fortigate as a slave DNS server and pointed the Fortigate system DNS to itself, and pings to the FQDN still fail from the CLI.

 

I have enabled your workaround for now.

 

Thanks again.

dstainebze

Alivo, thanks for that tip; it worked well for me.

 

Regards,

 

 

Huey
New Contributor III

Gunnerman wrote:

Hi, and thanks for the reply.

The issue is likely that the SubjectAltName of the certificate does not contain the IP address you are connecting to.

That is the IP or FQDN which you use in config user ldap > set server ....

Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the IP in the cert); however, I am having a hard time getting the Fortigate to resolve the FQDN. I have set up the Fortigate as a slave DNS server and pointed the Fortigate system DNS to itself, and pings to the FQDN still fail from the CLI.

 

I have enabled your workaround for now.

 

Thanks again.

Are you still having this issue? I have the same issue but resolved the ping by setting the source address of the ping to the internal interface IP address (exec ping-options source x.x.x.x). However, the authentication still fails, even with server-identity-check disabled.

Layer8 Consulting

http://www.L8C.com
TecnetRuss

Under Network / DNS you need to have your FortiGate pointing at your internal DNS IP (e.g. DC's IP) and have your internal DNS suffix entered there too for internal name resolution to work, assuming that you're using an internal CA-generated certificate for LDAPS.  Your Fortigate then should be able to ping your internal DC or LDAPS server by the same internal FQDN as that name on the LDAPS certificate issued by the internal CA.  If the ping works, configure the LDAP server with the same internal FQDN (e.g. DC1.yourdomain.local or DC1.corp.yourdomain.com) and everything should work with server-identity-check enabled.

 

Russ

NSE7
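The accepted answer explains why the FortiGate rejects the LDAPS certificate when `set server` holds an IP that the SubjectAltName does not carry, and the last reply recommends keeping server-identity-check enabled by pointing `set server` at the FQDN instead. The script below is an added example, not from the thread and not Fortinet code: it uses OpenSSL (the tool the original poster generated the CA with) to build a throwaway internal CA and two server certificates for a DC, one CN-only and one whose SubjectAltName carries both the DC's FQDN and its IP, then runs the two checks a TLS client such as fnbamd performs against each value `set server` could hold: chain verification against the trusted CA, and server identity matching. The DC name dc1.corp.example.com and address 10.0.0.5 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway internal CA and two LDAPS
# server certificates for a DC, then applies the two checks an LDAPS client makes:
# (1) does the chain verify against the trusted CA, and (2) does the certificate's
# identity match what "set server" holds (FQDN or IP)? The DC name and address
# below are assumptions for illustration only.
set -eu

DC_FQDN="dc1.corp.example.com"   # assumed DC hostname
DC_IP="10.0.0.5"                 # assumed DC address, as reached over the S2S VPN

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root, standing in for the OpenSSL-generated CA the poster imported.
# Built via CSR + x509 -req so the CA extensions do not depend on the local openssl.cnf.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# make_server_cert NAME SAN  -- SAN is an OpenSSL subjectAltName list, or "" for a
# CN-only certificate (the shape that fails when the FortiGate connects by IP).
make_server_cert() {
  name="$1"; san="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$DC_FQDN" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  {
    echo "basicConstraints=CA:FALSE"
    echo "extendedKeyUsage=serverAuth"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Check 1: chain of trust against the imported CA. Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: server identity, the part server-identity-check toggles. A dotted quad is
# matched against iPAddress SAN entries only; anything else is matched as a DNS name
# (dNSName SAN entries, with CN fallback only when the cert has no dNSName at all).
# IPv4 literals only; an IPv6 literal would also need the -checkip path.
# Prints "match" or "mismatch".
check_identity() {
  cert="$1"; server="$2"
  case "$server" in
    *[!0-9.]*) flag="-checkhost" ;;
    *)         flag="-checkip"   ;;
  esac
  if openssl x509 -in "$cert" -noout "$flag" "$server" | grep -q "does match"; then
    echo match
  else
    echo mismatch
  fi
}

make_ca
make_server_cert legacy ""                            # CN only, no SAN
make_server_cert good "DNS:$DC_FQDN,IP:$DC_IP"        # what the DC should present

for c in legacy good; do
  printf '%-7s chain=%s  server=%-22s identity=%s  server=%-10s identity=%s\n' \
    "$c" "$(verify_chain "$WORK/$c.crt")" \
    "$DC_FQDN" "$(check_identity "$WORK/$c.crt" "$DC_FQDN")" \
    "$DC_IP"   "$(check_identity "$WORK/$c.crt" "$DC_IP")"
done
```

Run it with openssl in PATH. The CN-only certificate passes the chain check but fails the identity check when addressed by IP, which is the `certificate verify failed` case in the fnbamd debug, while the certificate carrying both SAN entries passes whether `set server` holds the FQDN or the IP. Listing the IP in the SAN is the standard way to make a certificate valid for a client that connects by address, so it is a legitimate fix when the FortiGate cannot resolve the name; either way, the value in `set server` should match a SAN entry so that `server-identity-check` can stay at its enabled default. Disabling it means the FortiGate will accept any certificate the trusted CA has issued, whichever host presents it.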
