Tutek_OLD
New Contributor

Cannot connect to AD LDAPS

Hi,

I would like to configure an LDAPS connection to my domain controller. I installed a cert on AD and installed the CA cert on the FortiGate.

From any Windows PC using ldap.exe I have a secure connection to the DC on port 636.

The domain controller name is resolved by FQDN from the FortiGate, but when I create the connection using the secure option I get the error: "Can't contact LDAP server".

26 Replies
orech
New Contributor

You probably use the IP address of the LDAP server. Try to use the DNS name of the LDAP server instead of the IP address. This was my case, but I didn't read carefully: "name is resolved by FQDN from Fortigate".

FG_MS
New Contributor

In my case this helped. I had exactly the same problem. I changed the IP to the FQDN and it works.


warshad
Staff

Hi Tutek,

Please make sure whether you are receiving any traffic at the FortiGate interface. You can test it in a different way.


Does the ping work?

If not, run a sniffer as follows:

diag sniffer packet any 'host <LDAP-IP>' 4 0 a

It will show you if there is traffic, on which interface it is leaving, and what traffic this might be. ICMP should at least leave the FortiGate (and hopefully get a response as well).

If you are sure which interface the traffic must exit:

diag sniffer packet <interface> 4 0 a

Then leave this running for some time. You might see ARP requests for the IP that are not getting responses.


Waqas Arshad
Fortinet
ahmadswa
New Contributor II

Hi All,

I am facing the same issue. Has anyone figured it out?


warshad
Staff
Staff

Hi,

Do you see any traffic at the FortiGate interface? Please run the sniffer as follows:

diag sniffer packet any 'host <LDAP-IP>' 4 0 a


Waqas Arshad
Fortinet
ahmadswa
New Contributor II

Hi Warshad,

Thank you for your reply. There is traffic, since I have already connected it by LDAP;

only LDAPS is not working properly.

I have uploaded the CA certificate of the domain controller to the firewall, although setting the Certificate option to "Empty" results in "Can't contact LDAP server".

Find screenshots below.

Thanks in advance.

[screenshots attached: 2022-07-04_093748.jpg, 2022-07-04_093634.jpg, 2022-07-04_093615.jpg, 2022-07-04_094158.jpg]

manitc
New Contributor

In my case, the DC was behind a firewall. I had to open ports tcp/636 and 3269. 
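The replies above point at three separate causes for "Can't contact LDAP server" on the secure option: the server entry holding an IP address where the DC certificate only names the FQDN, the issuing CA not being trusted on the client side, and tcp/636 being filtered between the FortiGate and the DC. The script below is an added example (not from this thread, not Fortinet code) that separates those cases from an admin workstation with Python's standard `ssl` module: `check_ldaps()` opens a TLS session to the DC with hostname verification on, `cert_names()` lists the names the server certificate is actually valid for, and `classify_failure()` maps the error onto the likely cause. The hostname `dc1.example.local`, the port 636 and the `cafile` argument are assumptions; point them at your own DC and the PEM of the CA you imported on the FortiGate.

```python
import socket
import ssl
import sys
from typing import List, Optional

LDAPS_PORT = 636  # assumed default; the DC may also serve GC-over-TLS on 3269


def cert_names(cert: dict) -> List[str]:
    """Return every DNS/IP name a server certificate is valid for.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    A client that connects by IP address is only satisfied by an IP SAN,
    which is why a cert issued for the DC's FQDN fails verification when
    the LDAP server entry holds an IP instead of the DNS name.
    """
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.append(value)
    return sorted(set(names))


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised while connecting onto the causes seen in the thread."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = str(exc).lower()
        if "mismatch" in msg:
            return "hostname-mismatch"      # connected by IP, cert names the FQDN
        if "issuer" in msg or "self signed" in msg or "self-signed" in msg:
            return "unknown-ca"             # issuing CA not trusted by the client
        return "cert-verify-failed"
    if isinstance(exc, socket.gaierror):
        return "dns-resolution-failed"      # FQDN not resolvable from this host
    if isinstance(exc, (ConnectionRefusedError, TimeoutError, OSError)):
        return "no-tcp-connectivity"        # tcp/636 filtered or nothing listening
    return "other"


def check_ldaps(host: str, port: int = LDAPS_PORT, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and verify chain and hostname.

    `host` is the value you would put in the server entry (FQDN or IP);
    `cafile` is a PEM file holding the issuing CA, the same CA imported on
    the FortiGate. Returns a dict describing success or the classified failure.
    """
    # create_default_context() sets CERT_REQUIRED and check_hostname=True,
    # the same verification a FortiGate performs when a CA cert is selected.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "reason": "verified",
                        "names": cert_names(cert), "tls": tls.version()}
    except Exception as exc:  # every failure is classified, not re-raised
        return {"ok": False, "reason": classify_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    # usage: python check_ldaps.py dc1.example.local /path/to/ca.pem
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.local"  # placeholder
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldaps(target, cafile=ca))
```

Run it once with the FQDN and once with the IP: a `hostname-mismatch` on the IP run but `verified` on the FQDN run reproduces orech's and FG_MS's fix exactly, `unknown-ca` means the CA file (or the CA on the FortiGate) is not the one that issued the DC certificate, and `no-tcp-connectivity` is the case manitc describes, to be confirmed with warshad's sniffer on the FortiGate itself.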
