Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JuddTracy
New Contributor

Created on ‎04-09-2019 11:42 AM

Issue with SSL-VPN + Certificate + LDAP

I have a LDAP connection setup with a Domain Controller on the network and have setup a LDAP User that when added to the VPN Users (local firewall) group  can authenticate with the SSL-VPN.  I have also created a PKI User, with their subject and CA Cert specified and added to the VPN Users (local firewall) group that can authenticate with the SSL-VPN.

 

When I change the PKI user to specify the ldap-server and ldap-mode it will ask for the certificate, prompt for username and password but fail to authenticate with the server.

 

Debugging the authentication I can see on the fortigate that it tries to verify the account but does not fill in the samaccountname

[584] fnbamd_ldap_build_dn_search_req-base:'dc=<correct>,dc=<correct>,dc=<correct>' filter:samaccountname=

I also ran a packet capture of the ldap between the firewall and the AD server and it shows the same issue about the filter having a NULL value for samaccountname.

 

I am trying to figure out what I haven't configured correctly, any help would be appreciated.

 

config user ldap
    edit "Domain Controller"
        set server "<DC IP>"
        set secondary-server ''
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "userPrincipalName"
        set dn "dc=<correct>,dc=<correct>,dc=<correct>"
        set type regular
        set username "CN=Fortigate Service Account,CN=Managed Service Accounts,DC=<correct>,DC=<correct>,DC=<correct>"
        set password <password>
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure disable
        set port 389
        set password-expiry-warning disable
        set password-renewal disable
        set member-attr "memberOf"
        set account-key-processing same
        set account-key-name "userPrincipalName"
    next
end

 

config user peer
    edit "testuser"
        set mandatory-ca-verify enable
        set ca "CA_Cert_2"
        set subject "testuser"
        set cn ''
        set cn-type string
        set ldap-server "Domain Controller"
        set ldap-username ''
        set ldap-password <password, did not explicitly set one>
        set ldap-mode password
        set ocsp-override-server ''
        set two-factor disable
    next
end

 

 

Hardware: FortiWifi 90D

Firmware: v5.6.7 build1653 (GA)

Labels:
3915
0 Kudos
1 REPLY 1
dan5481
New Contributor

Created on ‎09-30-2019 12:08 PM

Hi Judd,

 

I use this style of configuration and have the below line in the ldap configuration:

 

        set cnid "sAMAccountName"

 

Under the user group the pki user and ldap are both referenced and this works as expected.

 

Dan

1557
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.