Not applicable

Cannot authenticate with LDAP

I've read the doc about the config of VPN-SSL... I want to use the LDAP server to do the user auth. Since I'm not familiar with LDAP, let's say I have an out-of-the-box DC config.. that means no special software or config, just a typical setup... I already have a Sharp mega printer that uses LDAP; here is my config for the LDAP section of my printer (sorry, it's in French, but mostly the field names are the same).. this LDAP config asks me for a password.. with the FortiGate, what should I do? Here is the config I've done. If I click on the query button, I get a failed msg.. any advice? Let's say my domain name on win2k3r2 is test.com and all my users are in Users.
Not applicable

You've got the "failed message" because you've been entering the "Distinguished Name". Try this command on your Win2k3 server:

    C:\>dsquery user
    "CN=Administrator,CN=Users,DC=ctisvr123,DC=com"
    "CN=Guest,CN=Users,DC=ctisvr123,DC=com"
    "CN=IWAM_CTI-DC,CN=Users,DC=ctisvr123,DC=com"
    "CN=IUSR_CTI-DC,CN=Users,DC=ctisvr123,DC=com"
    "CN=krbtgt,CN=Users,DC=ctisvr123,DC=com"
    "CN=ata,CN=Users,DC=ctisvr123,DC=com"
    "CN=development,CN=Users,DC=ctisvr123,DC=com"
    "CN=top,CN=Users,DC=ctisvr123,DC=com"
    "CN=atatop,OU=Engineer,DC=ctisvr123,DC=com"

Then you can select the appropriate "Distinguished Name", for example I use "CN=Users,DC=ctisvr123,DC=com". Then apply this user group on your top firewall policy.
Not applicable

I don't really understand the purpose of the "Distinguished Name" considering it's already at "CN=Users,DC=ctisvr123,DC=com".... What can be the problem then? To test this I click the query button and I get a query failed every time.
Not applicable

LDAP uses the distinguished name in order to identify a "user", so if you fill in "Distinguished Name", you always get query failed because you have filled it in; if you leave it blank then you can click the "query button" and it will pop up with the queries.
Not applicable

Thanks.. Now I understand.. the query is working.. however, I'm still unable to log onto the VPN-SSL. I get an "Error: Unknown user" once I try to log on. What I have done: configuring LDAP, testing, query runs great... creating a user, setting this user to authenticate with my LDAP server. For the user group section I see my user twice, is it normal? I've taken both the same user name, one in local, one in LDAP, and I let them switch to the member group. Still doesn't work. Any idea? Thanks
Not applicable

Have you put your SSL VPN policy on top of the other policies, for example: WAN > Internal?
Not applicable

Yes... anyway, if I use a local user, with a forced password, it works.. so it's not a VPN-SSL config... it's an LDAP or user auth problem...
Not applicable

Which one do you want to use, authentication with LDAP or local? If you want to use LDAP, you must create a new group on User Group and select "Type" >> SSL VPN. And on User > LDAP, you must use the appropriate "Distinguished Name", don't leave it blank. I think you must test your LDAP authentication first in order to see whether this works or not. And after that you can add it on your SSL VPN user group.
Not applicable

In order to link the FortiGate to the LDAP server please configure the following. Log in to the FG unit using SSH:

    config user ldap
        edit "ldap-server"                                            (Name of the LDAP profile)
            set server "192.168.1.100"                                (IP of your LDAP server)
            set cnid "sAMAccountName"                                 (Copy as is)
            set dn "CN=Users,DC=ctisvr123,DC=com"                     (Where to search users)
            set type regular                                          (To enable user/pass mode)
            set username "CN=Administrator,CN=Users,DC=ctisvr123,DC=com"   (Your Administrator account)
            set password 12345678                                     (Your Administrator's password)
        next
    end

Then create a new SSL-VPN group and add the ldap-server to the allowed users. Create a new firewall policy:

    From:   ANY
    To:     Your_Internal_Network_IP_Range
    Time:   always
    Action: SSL-VPN

If you are using MR5 and above you have to enable NAT also. Very strange, but it works only with NAT enabled.