nopethanks
New Contributor II

Issues adding an LDAP server with FortiClient EMS v7.4.0 build1793

I’ve been working on integrating LDAP with FortiClient EMS server v7.4.0 build1793 running on Ubuntu 22.04 but am getting "Auth Method Not Supported" when trying to add an LDAP authentication server.

In the EMS web console, when I go to Administration > Authentication Servers, I select "ADDS" from the dropdown, enter localhost and the admin creds, but when I hit "Test", I get an "Auth Method Not Supported" error.

slapd is running and listening:

# netstat -aptn |grep LIST |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 326786/slapd
tcp6 0 0 :::389 :::* LISTEN 326786/slapd

And doing a tcpdump, I can see the traffic (although not the username and passwd being passed):

17:30:52.956097 lo In IP (tos 0x0, ttl 64, id 42008, offset 0, flags [DF], proto TCP (6), length 115)
127.0.0.1.41008 > 127.0.0.1.389: Flags [P.], cksum 0xfe67 (incorrect -> 0x25f2), seq 1:64, ack 1, win 512, options [nop,nop,TS val 3342323866 ecr 3342323866], length 63
E..s..@.@..j.........0.......d[......g.....
.7...7..0=...`8......1NTLMSSP......... . .(.......1...........127.0.0.1

In /var/log/forticlientems/adconnector_2024-08-09.log, I see the same:

2024-08-09T17:30:52.956Z ERROR connector/auth_hdlr.go:81 Failed to auth user admin for domain 127.0.0.1: LDAP Result Code 7 "Auth Method Not Supported": unknown authentication method

I also tried using 386-ds as the LDAP server but got the same result.

According to the documentation, there should be an option to add a host by IP but I don't see where that's possible.

https://docs.fortinet.com/document/forticlient/7.4.0/ems-administration-guide/417920/configuring-use...

To add the LDAP server to EMS:
1. Go to Administration > Authentication Servers.
2. Click Add.
3. In the IP address/Hostname field, enter the server IP address.
4. In the Username and Password fields, provide the credentials required to access the LDAP server.
5. Enable LDAPS connection and upload a certificate authority certificate or server certificate file in PEM or DER format.
6. If needed, configure other fields.
7. Click Test.
8. After the test succeeds, click Save. After a few minutes, EMS imports devices from the LDAP server.

The "NTLMSSP" in the pcap also tells me that it's trying an Active Directory authentication method (which makes sense since it's ADDS), but I don't see where you can add an LDAP server by IP.


Does anyone have any suggestions?

 

Thanks!
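Added example, not part of the original post or of FortiClient EMS: a minimal BER walk that reports which authentication choice an LDAP BindRequest carries, which is what decides whether a server answers with result code 7. RFC 4511 defines only simple [0] and SASL [3]; the Sicily tags [9] to [11] are Microsoft's Active Directory extension, and both sample packets are constructed (the first is shaped like the 63-byte capture above, with the tag byte 0x8A assumed because tcpdump printed it as ".").

```python
AUTH_CHOICES = {
    0x80: "simple",                    # RFC 4511 [0]
    0xA3: "SASL",                      # RFC 4511 [3]
    0x89: "Sicily package discovery",  # Microsoft extension [9]
    0x8A: "Sicily negotiate",          # Microsoft extension [10]
    0x8B: "Sicily response",           # Microsoft extension [11]
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(packet):
    """Return (auth choice name, True if the credentials carry an NTLMSSP blob)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)       # messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)      # version
    _, _, pos = read_tlv(bind, pos)    # name (bind DN)
    tag, cred, _ = read_tlv(bind, pos)
    return AUTH_CHOICES.get(tag, f"unknown tag 0x{tag:02x}"), b"NTLMSSP\x00" in cred

def tlv(tag, value):                   # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed NTLM negotiate message (49 bytes, flags and version zeroed).
NTLM = (b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(12)
        + b"\x09\x00\x09\x00\x28\x00\x00\x00" + bytes(8) + b"127.0.0.1")
# Constructed binds. Assumption: tag 0x8A in the first (not visible in the capture).
SAMPLE_NTLM = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x8A, NTLM)))
SAMPLE_SIMPLE = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"secret")))
for name, pkt in (("NTLM", SAMPLE_NTLM), ("simple", SAMPLE_SIMPLE)):
    print(name, len(pkt), classify_bind(pkt))
```

A bind whose choice is neither simple nor SASL is outside RFC 4511, so a directory that implements only the standard has no handler for it.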

AEK
SuperUser

I don't find anywhere that FCT EMS supports integration with LDAP other than Windows AD.

AEK
AEK
nopethanks
New Contributor II

Thanks for your reply!

 

I was reading the following document which is titled "Configuring user verification with an LDAP server for authentication"

 

https://docs.fortinet.com/document/forticlient/7.4.0/ems-administration-guide/417920/configuring-use...

 

But it says to add it by IP and I just see ADDS and Azure as the only two options available.

 

Thanks again!

AEK

You add either the IP address or hostname of the LDAP server in the "IP address/Hostname" field. But it has to be Windows AD, not another LDAP server such as an OpenLDAP-based one.

AEK
AEK
nopethanks
New Contributor II

Ah! Gotcha. Well, that's very unfortunate but thank you so much for the clarification. It would be nice if the documentation was more precise and referred to it as Active Directory rather than LDAP but thank you again. I really appreciate your help!
