I’ve been working on integrating LDAP with FortiClient EMS server v7.4.0 build1793 running on Ubuntu 22.04 but am getting "Auth Method Not Supported" when trying to add an LDAP authentication server.
In the EMS web console, when I go to Administration > Authentication Servers, I select "ADDS" from the dropdown, enter localhost and the admin creds, but when I hit "Test", I get an "Auth Method Not Supported" error.
slapd is running and listening:
# netstat -aptn |grep LIST |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 326786/slapd
tcp6 0 0 :::389 :::* LISTEN 326786/slapd
And doing a tcpdump, I can see the traffic (although not the username and passwd being passed):
17:30:52.956097 lo In IP (tos 0x0, ttl 64, id 42008, offset 0, flags [DF], proto TCP (6), length 115)
127.0.0.1.41008 > 127.0.0.1.389: Flags [P.], cksum 0xfe67 (incorrect -> 0x25f2), seq 1:64, ack 1, win 512, options [nop,nop,TS val 3342323866 ecr 3342323866], length 63
E..s..@.@..j.........0.......d[......g.....
.7...7..0=...`8......1NTLMSSP......... . .(.......1...........127.0.0.1
In /var/log/forticlientems/adconnector_2024-08-09.log, I see the same:
2024-08-09T17:30:52.956Z ERROR connector/auth_hdlr.go:81 Failed to auth user admin for domain 127.0.0.1: LDAP Result Code 7 "Auth Method Not Supported": unknown authentication method
I also tried using 389-ds as the LDAP server but got the same result.
According to the documentation, there should be an option to add a host by IP but I don't see where that's possible.
https://docs.fortinet.com/document/forticlient/7.4.0/ems-administration-guide/417920/configuring-use...
To add the LDAP server to EMS:
1. Go to Administration > Authentication Servers.
2. Click Add.
3. In the IP address/Hostname field, enter the server IP address.
4. In the Username and Password fields, provide the credentials required to access the LDAP server.
5. Enable LDAPS connection and upload a certificate authority certificate or server certificate file in PEM or DER format.
6. If needed, configure other fields.
7. Click Test.
8. After the test succeeds, click Save. After a few minutes, EMS imports devices from the LDAP server.
The "NTLMSSP" in the pcap also tells me that it's trying an Active Directory authentication method (which makes sense since it's ADDS), but I don't see where you can add an LDAP server by IP.
Does anyone have any suggestions?
Thanks!
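The "NTLMSSP" string sitting inside the LDAP bind request, together with a server answer of resultCode 7 and the diagnostic text "unknown authentication method", is what you see when a client uses a bind authentication choice the server does not implement. The decoder below is an added example for this thread, not Fortinet or OpenLDAP code: it parses the BER of an LDAPMessage carrying a BindRequest (RFC 4511) and reports which authentication choice was used (simple, SASL with its mechanism name, or one of the Microsoft "Sicily" NTLM tags 9-11 from MS-ADTS), and a small helper returns the resultCode 7 answer slapd gives for choices outside simple/SASL. The function names (classify_bind, expected_slapd_result, bind_request) and the three sample packets are constructed here; they are not the bytes from the capture above, although the sicily sample has the same shape (empty name, a [10] authentication choice whose value begins with "NTLMSSP\0").

```python
"""
Added example: decode an LDAP BindRequest and name its authentication choice.
Not Fortinet EMS or OpenLDAP code; the packets at the bottom are constructed.
"""
from typing import Optional, Tuple

# BindRequest authentication choice tags (context-specific), RFC 4511 s4.2
# plus the Microsoft "Sicily" NTLM extension (MS-ADTS 5.1.1.1.3).
AUTH_CHOICES = {
    0x80: "simple",                  # [0] OCTET STRING password
    0xA3: "sasl",                    # [3] SaslCredentials { mechanism, credentials }
    0x89: "sicilyPackageDiscovery",  # [9]
    0x8A: "sicilyNegotiate",         # [10] NTLMSSP NEGOTIATE token
    0x8B: "sicilyResponse",          # [11] NTLMSSP AUTHENTICATE token
}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one BER TLV with a definite length. Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(msg: bytes) -> dict:
    """Return message id, protocol version, bind name and the authentication
    choice of an LDAPMessage that carries a BindRequest."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _tlv(body, 0)             # messageID INTEGER
    tag, bind, _ = _tlv(body, pos)
    if tag != 0x60:                         # APPLICATION 0 = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _tlv(bind, 0)             # version INTEGER
    _, name, pos = _tlv(bind, pos)          # name LDAPDN
    atag, auth, _ = _tlv(bind, pos)         # authentication CHOICE
    info = {
        "message_id": int.from_bytes(mid, "big"),
        "version": ver[0],
        "name": name.decode(errors="replace"),
        "method": AUTH_CHOICES.get(atag, f"unknown(0x{atag:02x})"),
    }
    token = auth
    if atag == 0xA3:                        # SaslCredentials: mechanism, then optional credentials
        _, mech, p = _tlv(auth, 0)
        info["mechanism"] = mech.decode()
        token = _tlv(auth, p)[1] if p < len(auth) else b""
    if token.startswith(b"NTLMSSP\x00"):    # NTLM token signature
        info["token"] = "NTLMSSP"
    return info


def expected_slapd_result(info: dict) -> Optional[Tuple[int, str]]:
    """OpenLDAP slapd only implements the simple and SASL choices; any other
    tag is answered with resultCode 7 (authMethodNotSupported) and the
    diagnostic text seen in the EMS log. For simple/SASL the outcome depends
    on the credentials, so None is returned."""
    if info["method"] in ("simple", "sasl"):
        return None
    return (7, "unknown authentication method")


# ---- constructed sample packets (hypothetical, not the thread's capture) ----
def _ber(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length only for these samples"
    return bytes([tag, len(value)]) + value


def bind_request(msg_id: int, name: bytes, auth_tag: int, auth_value: bytes) -> bytes:
    bind = _ber(0x02, b"\x03") + _ber(0x04, name) + _ber(auth_tag, auth_value)
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, bind))


NTLM_NEGOTIATE = (b"NTLMSSP\x00"                          # signature
                  + (1).to_bytes(4, "little")             # MessageType 1 = NEGOTIATE
                  + (0xE2088297).to_bytes(4, "little")    # typical NegotiateFlags
                  + b"\x00" * 16                          # empty Domain/Workstation fields
                  + b"\x0a\x00\x61\x4a\x00\x00\x00\x0f")  # Version field

SAMPLE_SIMPLE = bind_request(1, b"cn=admin,dc=example,dc=com", 0x80, b"secret")
SAMPLE_SICILY = bind_request(2, b"", 0x8A, NTLM_NEGOTIATE)
SAMPLE_SASL = bind_request(3, b"", 0xA3,
                           _ber(0x04, b"GSS-SPNEGO") + _ber(0x04, NTLM_NEGOTIATE))

if __name__ == "__main__":
    for pkt in (SAMPLE_SIMPLE, SAMPLE_SICILY, SAMPLE_SASL):
        info = classify_bind(pkt)
        print(info, "->", expected_slapd_result(info))
```

Run it against a real capture by feeding classify_bind the TCP payload of the client's first LDAP message (for instance from a pcap opened with scapy or tshark); a "sicily*" method or an NTLMSSP token with no SASL mechanism means the client is speaking Active Directory's NTLM bind, which a stock OpenLDAP or 389-ds server will refuse regardless of how the credentials are configured.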
You add either the IP address or the hostname of the LDAP server in the "IP address/Hostname" field. But it has to be Windows AD, not another LDAP server such as an OpenLDAP-based one or other.
I don't find anywhere that FCT EMS supports integration with LDAP other than Windows AD.
Thanks for your reply!
I was reading the following document which is titled "Configuring user verification with an LDAP server for authentication"
But it says to add it by IP and I just see ADDS and Azure as the only two options available.
Thanks again!
Ah! Gotcha. Well, that's very unfortunate but thank you so much for the clarification. It would be nice if the documentation was more precise and referred to it as Active Directory rather than LDAP but thank you again. I really appreciate your help!