Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

Cannot connect to AD LDAPS

Hi,

I would to configure LDAPS connection to my domain controller, installed cert on AD, installed CA cert on Fortigate,

from any windows PC using ldap.exe I have secure connection to DC on port 636.

Domain controller name is resolved by FQDN from Fortigate, but when I create connection using secure option I get error : " Can't contact LDAP server" 

 

26 REPLIES 26
marchand
New Contributor III

To configure the secure LDAP, you first need to install and configure Certificate Authority on our Domain Controller.

Tutek_OLD

I don't need local CA, we use public commercial certificate.

marchand
New Contributor III

 

Ok ! I'm using self signed certificates .

 

Then check if your certificat meets the requirements

 

Setup LDAPS (LDAP over SSL)

The Certificate to be used for LDAPS must satisfy the following 3 requirements: • Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1 • The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate . • The host machine account must have access to the private key

 

 

Tutek_OLD

I have generated public certificate with CN=FQDN of domain server, there is also key extension in certificate with: server auth (OID: 1.3.6.1.5.5.7.3.1), certificate CSR was done on domain controller then imported newly issued certificate into computer account certificates.

Then I have imported also CA_root certificate to Fortigate.

As I told from my pc when use application like lpdadmin I can connect to FQDN of my domain controller on port 636, I then confirm this on domain controller by command netstat -an | find ":636" that connection is established. If I choose IP address on lpadmin instead of FQDN domain controller, then I cannot connect on 636 port, so I think this provide that LDAPS is working correctly.

But on Fortigate side, when connecting using secure connection with 636 port, I cannot connect.

 
marchand
New Contributor III

Tutek_OLD

yes I followed exactly this microsoft guide 

Magion

Have you tried to connect to ldap instead of ldaps, to validate connection and basic settings?

Tutek_OLD

yes, connection on 389 port is working 

maybe there are any debug commands that I could use to check if there is any problem with ssl connection?

Magion

The screenshot is from my FGT. The certificate is imported as a remote CA certificate (not sure if this is important).

Did you enable access to port 636 for your Fortigate?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors