Created on 09-24-2008 11:28 AM
Created on 06-23-2010 06:20 AM
ORIGINAL (Gopinath): Hi, I tried with `diagnose test authserver ldap 19.168.1.50 user password` and I am getting "192.168.1.50 is not a valid ldap server name".

Indeed, you need to give the diagnose command the object name of your LDAP server, not its IP address. Run the CLI command `show user ldap` to get the LDAP server's name, then test your connection with `diag test authserver ldap "ldapservername" user passwd`.

regards
/ Abel
```
Company_Fortigate_~ (LDAPSERVER) # show
config user ldap
    edit "LDAPSERVER"
        set server "LDAPSERVER.DOMAIN.local"
        set cnid "sAMAccountName"
        set dn "OU=Company,DC=DOMAIN,DC=local"
        set type regular
        set username "ldapforti"
        set password ENC xXNEEZwa7UWa9j0EW8KnPplqfJ7blLDuj5y8xFFZOMSl8ZXEKaW1TzXVBeElUwpEV088Kc0Nhv3432430hLAEIs3Sn23v3PPPsG2LuG+XpE7td5ZqS87fL
        set group "CN=VPN-Company-Konsulent,OU=Company,DC=DOMAIN,DC=local"
        set filter "(&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local)(member=*))"
    next
end
```

And I've triple-checked the username, OU name and everything else. I've made a Wireshark dump of the traffic between the firewall and the LDAP server, and three things are puzzling me:

1. The name of the group, VPN-Company-Konsulent, is nowhere to be found.
2. All LDAP binds are listed as "simple" as opposed to "regular".
3. Initially I had made an error in the filter domain name, and all authentication worked just fine (too well: everyone was allowed access).

Please advise - this is driving me nuts!

Sincerely
Mikkel Andreasen
```
config user ldap
    edit "DC01-RDP Users"
        set server "192.168.xxx.xxx"
        set cnid "samaccountname"
        set dn "dc=ad,dc=domain,dc=tld"
        set type regular
        set username "cn=fortigate,cn=users,dc=ad,dc=domain,dc=tld"
        set password ENC /////+ <blah-blah-blah>
        set group "cn=RDP Users,cn=users,dc=ad,dc=domain,dc=tld"
    next
end
```

I left the filter at the default. Works like a charm. FGT vers. 4.0.4. Your mileage may vary.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Allowed user (i.e. member of the group):

```
COMPANY_Fortigate_~ # diagnose debug enable
COMPANY_Fortigate_~ #
fnbamd_fsm.c[846] handle_req-Rcvd auth req 49938439 for USERNAME in LDAPSERVER opt=27 prot=0
fnbamd_ldap.c[375] resolve_ldap_FQDN-Resolved address LDAPSERVER.DOMAIN.local, result 172.16.1.21
fnbamd_ldap.c[144] start_search_dn-base:DC=DOMAIN,dc=local filter:sAMAccountName=USERNAME
fnbamd_ldap.c[674] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1040] poll_auth-Continue pending for req 49938439
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=FULL NAME,OU=OUNAME,OU=COMPANY,DC=DOMAIN,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=FULL NAME,OU=OUNAME,OU=COMPANY,DC=DOMAIN,DC=local
fnbamd_ldap.c[589] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1040] poll_auth-Continue pending for req 49938439
fnbamd_ldap.c[697] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[769] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1356] fnbamd_auth_poll-Result for ldap svr LDAPSERVER.DOMAIN.local is SUCCESS
fnbamd_comm.c[129] fnbamd_comm_send_result-Sending result 0 for req 49938439
```

Disallowed user (i.e. not in any groups):

```
COMPANY_Fortigate_~ #
fnbamd_fsm.c[846] handle_req-Rcvd auth req 49938441 for vpn in LDAPSERVER opt=27 prot=0
fnbamd_ldap.c[375] resolve_ldap_FQDN-Resolved address LDAPSERVER.DOMAIN.local, result 172.16.1.21
fnbamd_ldap.c[144] start_search_dn-base:DC=DOMAIN,dc=local filter:sAMAccountName=vpn
fnbamd_ldap.c[674] fnbamd_ldap_get_result-Going to SEARCH state
fnbamd_fsm.c[1040] poll_auth-Continue pending for req 49938441
fnbamd_ldap.c[172] get_all_dn-Found DN 1:CN=vpn,OU=COMPANY,DC=DOMAIN,DC=local
fnbamd_ldap.c[188] get_all_dn-Found 1 DN's
fnbamd_ldap.c[214] start_next_dn_bind-Trying DN 1:CN=vpn,OU=COMPANY,DC=DOMAIN,DC=local
fnbamd_ldap.c[589] fnbamd_ldap_get_result-Going to REBIND state
fnbamd_fsm.c[1040] poll_auth-Continue pending for req 49938441
fnbamd_ldap.c[697] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[769] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[1356] fnbamd_auth_poll-Result for ldap svr LDAPSERVER.DOMAIN.local is SUCCESS
fnbamd_comm.c[129] fnbamd_comm_send_result-Sending result 0 for req 49938441
```

According to http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13141&sliceId=1&d... I should be seeing references to both the group name and member state... Bloody odd!

Sincerely
Mikkel
```
config user ldap
    edit "LDAP-COMPANY-Konsulent"
        set server "IP.ADDRESS.OF.DC"
        set cnid "sAMAccountName"
        set dn "DC=DOMAIN,dc=local"
        set type regular
        set username "CN=Ldapforti,OU=COMPANY,DC=DOMAIN,DC=local"
        set password ENCODEDPASSWORD
        set group "CN=VPNGROUP,OU=COMPANY,DC=DOMAIN,DC=local"
    next
end
```

Which I thought I had attempted several times, but apparently it took a while to finally nail down... live and learn. Actually very simple, but I was focusing on the "set filter" part when in reality I should have left it at default.

/mikkel
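The fnbamd debug output above shows the sequence the FortiGate runs for a `type regular` LDAP server: bind with the service account, search the base DN for `sAMAccountName=<user>`, rebind as the DN it found, then decide group membership. The model below replays that sequence against a small constructed directory so the two threads of this discussion can be seen side by side: the working configuration with the default group check, and the earlier `set filter` mistake under which "everyone was allowed access". This is an added example written for this page, not FortiGate's or fnbamd's code; the directory, passwords and DNs are constructed, and the way the group check is modelled (a search under the group DN whose filter names the user's DN, so that a user-independent filter such as `(member=*)` matches for anyone) is an assumption, not a statement of how fnbamd is implemented. The RFC 4515 escaping of values placed into the search filter is included because any code that builds filters from user-supplied names needs it.

```python
"""Offline model of the LDAP search -> rebind -> group-check sequence shown in the
fnbamd debug output.  Added example: the directory is constructed, not a real domain,
and the group-check semantics are an assumption, not fnbamd's implementation."""
import re

# --- constructed directory: DN -> {lowercase attribute: [values]} ---
BASE_DN = "DC=DOMAIN,DC=local"
GROUP_DN = "CN=VPNGROUP,OU=COMPANY,DC=DOMAIN,DC=local"
SERVICE_DN = "CN=Ldapforti,OU=COMPANY,DC=DOMAIN,DC=local"
SERVICE_PW = "service-secret"  # constructed; the real one is the ENC blob in the config
DIRECTORY = {
    SERVICE_DN: {"samaccountname": ["ldapforti"], "userpassword": [SERVICE_PW],
                 "objectcategory": ["person"]},
    "CN=vpn,OU=COMPANY,DC=DOMAIN,DC=local": {
        "samaccountname": ["vpn"], "userpassword": ["vpn-pass"],
        "objectcategory": ["person"]},
    "CN=FULL NAME,OU=OUNAME,OU=COMPANY,DC=DOMAIN,DC=local": {
        "samaccountname": ["USERNAME"], "userpassword": ["user-pass"],
        "objectcategory": ["person"]},
    GROUP_DN: {"objectcategory": ["group"],
               "member": ["CN=vpn,OU=COMPANY,DC=DOMAIN,DC=local"]},
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: (attr=value), (attr=*) and (&(...)(...))."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):  # escaped parens are hex, so depth counting is safe
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(body[start:i + 1])
        return ("&", [parse_filter(p) for p in parts])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % text)
    return ("=", attr.lower(), value)


def _matches(node, attrs) -> bool:
    if node[0] == "&":
        return all(_matches(n, attrs) for n in node[1])
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    if value == "*":
        return bool(values)  # presence test: true for any entry that has the attribute
    return _unescape(value).lower() in values


def search(base_dn: str, filter_text: str) -> list:
    """Return the DNs under base_dn whose attributes match the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(node, attrs)]


def bind(dn: str, password: str) -> bool:
    """Simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userpassword", [])


def authenticate(username: str, password: str, group_dn: str, group_filter=None):
    """Replay the fnbamd sequence and return (accepted, reason)."""
    if not bind(SERVICE_DN, SERVICE_PW):
        return False, "service bind failed"
    # start_search_dn: base = BASE_DN, filter = sAMAccountName=<user> (cnid)
    dns = search(BASE_DN, "(sAMAccountName=%s)" % ldap_escape(username))
    if len(dns) != 1:
        return False, "found %d DN(s)" % len(dns)
    user_dn = dns[0]
    # start_next_dn_bind / REBIND: the user's own password proves identity
    if not bind(user_dn, password):
        return False, "rebind as %s rejected" % user_dn
    # Group check (assumed semantics): the group object must list this user's DN.
    # A filter that never mentions the user, e.g. "(member=*)", passes for everyone.
    if group_filter is None:
        group_filter = "(&(objectCategory=group)(member=%s))" % ldap_escape(user_dn)
    if not search(group_dn, group_filter):
        return False, "%s is not a member of %s" % (user_dn, group_dn)
    return True, "accepted"


if __name__ == "__main__":
    for args in [("vpn", "vpn-pass", GROUP_DN),
                 ("USERNAME", "user-pass", GROUP_DN),
                 ("USERNAME", "user-pass", GROUP_DN, "(&(objectCategory=group)(member=*))")]:
        print(args[0], "->", authenticate(*args))
```

Run as a script it prints the three cases: the group member is accepted, the non-member is rejected by the default check, and the same non-member is accepted once the group filter stops naming the user. The escaping matters for the first search as well: a username containing `*` or `)` is looked up literally instead of being interpreted as part of the filter, which is why `ldap_escape` is applied before interpolation.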
Copyright 2024 Fortinet, Inc. All Rights Reserved.