Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TobiasHan
New Contributor

Connect FortiGate over VPN with LDAP-Server

Hello,

 

I want to connect a FortiGate 101E in the "Branch Office" over a VPN tunnel with an LDAP server in the "Main Office".

 

Over the CLI I get a ping to the LDAP server, but over "User & Device" -> "LDAP-Servers" -> Edit LDAP Server -> and then "Browse" or "Test Connectivity" I only get "invalid credentials" or "invalid ldap server". But the credentials are OK. And also the LDAP server.

Does anyone have an idea why I can't get a connection to the LDAP server?

 

If you need more information, please ask.

 

Kind regards

Tobias

1 Solution
Carl_Wallmark
Valued Contributor

Hi Tobias,

 

Yes, I think I know the problem.

You need to add "set source-ip x.x.x.x" inside the LDAP object (this must be done in the CLI):

 

config user ldap
    edit <name of ldap>
        set source-ip 10.1.2.3    <- for example
    next
end

 

By default the ldap connection will use the Interface IP when it leaves the firewall, and that should be the public ip, and that will not route through the tunnel. So set the IP of your internal interface in the ldap object instead.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
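Added example (not from this thread or from Fortinet): a small Python check that applies Carl's reasoning to a FortiOS config export. It parses the IPsec phase2 selectors and each "config user ldap" entry and reports whether the object's source-ip and server addresses fall inside a selector, so the bind traffic would enter the tunnel; the config text, object names, subnets and the 192.168.10.1 / 10.0.0.5 addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the two relevant FortiOS sections (not a real device export).
SAMPLE_CONFIG = """config vpn ipsec phase2-interface
    edit "to-main"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
config user ldap
    edit "main-ad"
        set server "10.0.0.5"
        set dn "dc=example,dc=local"
        set username "cn=svc-fgt,cn=Users,dc=example,dc=local"
        set source-ip 192.168.10.1
    next
end
"""

def parse_blocks(text, section):
    """Return {entry name: {setting: value}} for each 'edit' entry of one config section."""
    m = re.search(rf"config {re.escape(section)}\n(.*?)\nend", text, re.S)
    entries = {}
    for edit in re.finditer(r'edit "?([^"\n]+)"?\n(.*?)\n\s*next', m.group(1) if m else "", re.S):
        name, body = edit.group(1), edit.group(2)
        entries[name] = {k: v.strip('"') for k, v in re.findall(r"set (\S+) (.+)", body)}
    return entries

def to_network(setting):
    """FortiOS 'address netmask' pair -> ip_network."""
    ip, mask = setting.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_ldap_sources(text):
    """Per LDAP object: does its source-ip -> server pair match a phase2 selector?
    Without source-ip the FortiGate uses the egress interface address (Carl's failure case)."""
    selectors = [(to_network(p["src-subnet"]), to_network(p["dst-subnet"]))
                 for p in parse_blocks(text, "vpn ipsec phase2-interface").values()]
    results = {}
    for name, ldap in parse_blocks(text, "user ldap").items():
        server = ipaddress.ip_address(ldap["server"])
        if "source-ip" not in ldap:
            results[name] = "no source-ip set: egress interface IP is used, which matches no selector"
            continue
        src = ipaddress.ip_address(ldap["source-ip"])
        ok = any(src in s and server in d for s, d in selectors)
        results[name] = "ok" if ok else f"source-ip {src} -> {server} matches no phase2 selector"
    return results
```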

5 Replies
TobiasHan

Hi Selective,

 

I have configured the "set source-ip" in the LDAP object, but it doesn't work.

 

I can't reach the LDAP server over the web GUI.

When I run "diag test authserver ldap ldap-object username password" I get "authenticate username against ldap object failed!".

 

Is there a possibility to test the connection over the CLI?

 

Regards

Carl_Wallmark

Hmm, and the IP you set is the internal IP of the firewall, and is that IP routable in the tunnel?

Markus

Hi Tobias, I also ran into an issue this year, but with RADIUS. I can ping the host, but verification fails. Enabling NAT on the policy does the trick for me. Best,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

nayarit

This worked, thank you Carl_Wallmark.
