Issues adding an LDAP server with FortiClient EMS v7.4.0 build1793

nopethanks · ‎08-13-2024

I’ve been working on integrating LDAP with FortiClient EMS server v7.4.0 build1793 running on Ubuntu 22.04 but am getting "Auth Method Not Supported" when trying to add LDAP authentication server.

In the EMS web console, when I go to Administration > Authentication Servers, I select "ADDS" from the dropdown, enter localhost and the admin creds, but when I hit "Test", I get an "Auth Method Not Supported" error.

slapd is running and listening:

# netstat -aptn |grep LIST |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 326786/slapd
tcp6 0 0 :::389 :::* LISTEN 326786/slapd

And doing a tcpdump, I can see the traffic (although not the username and passwd being passed):

17:30:52.956097 lo In IP (tos 0x0, ttl 64, id 42008, offset 0, flags [DF], proto TCP (6), length 115)
127.0.0.1.41008 > 127.0.0.1.389: Flags [P.], cksum 0xfe67 (incorrect -> 0x25f2), seq 1:64, ack 1, win 512, options [nop,nop,TS val 3342323866 ecr 3342323866], length 63
E..s..@.@..j.........0.......d[......g.....
.7...7..0=...`8......1NTLMSSP......... . .(.......1...........127.0.0.1

In /var/log/forticlientems/adconnector_2024-08-09.log, I see the same:

2024-08-09T17:30:52.956Z ERROR connector/auth_hdlr.go:81 Failed to auth user admin for domain 127.0.0.1: LDAP Result Code 7 "Auth Method Not Supported": unknown authentication method

I also tried using 386-ds as the LDAP server but got the same result.

According to the documentation, there should be an option to add a host by IP but I don't see where that's possible.

https://docs.fortinet.com/document/forticlient/7.4.0/ems-administration-guide/417920/configuring-use...

To add the LDAP server to EMS:
1. Go to Administration > Authentication Servers.
2. Click Add.
3. In the IP address/Hostname field, enter the server IP address.
4. In the Username and Password fields, provide the credentials required to access the LDAP server.
5. Enable LDAPS connection and upload a certificate authority certificate or server certificate file in PEM or DER format.
6. If needed, configure other fields.
7. Click Test.
8. After the test succeeds, click Save. After a few minutes, EMS imports devices from the LDAP server.

The "NTLMSSP" in the pcap also tells me that it's trying an Active Directory authentication method (which makes sense since it's ADDS), but I don't see where you can add an LDAP server by IP.

Does anyone have any suggestions?

Thanks!

Sx11 · ‎08-14-2024

Hello @nopethanks

checking https://www.ietf.org/rfc/rfc4511.txt for LDAP we have the following in the Bind Request section:

Fields of the BindRequest are:
.
.
.

- authentication: Information used in authentication.  This type is
     extensible as defined in Section 3.7 of [RFC4520].  Servers that do
     not support a choice supplied by a client return a BindResponse
     with the resultCode set to authMethodNotSupported.

Then:

If the client sends a BindRequest with the sasl mechanism field as an
   empty string, the server MUST return a BindResponse with the
   resultCode set to authMethodNotSupported.  This will allow the client
   to abort a negotiation if it wishes to try again with the same SASL
   mechanism.

In this case can you check what is EMS sending as parameter in the sasl mechanism?

It looks like whatever that value is, it is not supported in your Server.

Regards

sx11

nopethanks · ‎08-14-2024

Thank you so much for your response!

Here's the full tcpdump of EMS communicating with the LDAP server. It looks like i's not getting the point where it's passing creds -- it's hitting OpenLDAP and failing with "unknown authentication method":

# tcpdump -i any -nnvvA port 389
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

14:54:09.111499 lo In IP (tos 0x0, ttl 64, id 44792, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.30226 > 127.0.0.1.389: Flags [S], cksum 0xfe30 (incorrect -> 0x132d), seq 3950828162, win 65495, options [mss 65495,sackOK,TS val 3764920021 ecr 0,nop,wscale 7], length 0
E..<..@.@...........v....|...........0.........
.h..........
14:54:09.111507 lo In IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.389 > 127.0.0.1.30226: Flags [S.], cksum 0xfe30 (incorrect -> 0x337e), seq 728085766, ack 3950828163, win 65483, options [mss 65495,sackOK,TS val 3764920021 ecr 3764920021,nop,wscale 7], length 0
E..<..@.@.<...........v.+e...|.......0.........
.h...h......
14:54:09.111513 lo In IP (tos 0x0, ttl 64, id 44793, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30226 > 127.0.0.1.389: Flags [.], cksum 0xfe28 (incorrect -> 0x5a3a), seq 1, ack 1, win 512, options [nop,nop,TS val 3764920021 ecr 3764920021], length 0
E..4..@.@...........v....|..+e.......(.....
.h...h..
14:54:09.111608 lo In IP (tos 0x0, ttl 64, id 44794, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30226 > 127.0.0.1.389: Flags [F.], cksum 0xfe28 (incorrect -> 0x5a38), seq 1, ack 1, win 512, options [nop,nop,TS val 3764920022 ecr 3764920021], length 0
E..4..@.@...........v....|..+e.......(.....
.h...h..
14:54:09.111645 lo In IP (tos 0x0, ttl 64, id 64108, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.30238 > 127.0.0.1.389: Flags [S], cksum 0xfe30 (incorrect -> 0x1f77), seq 41334578, win 65495, options [mss 65495,sackOK,TS val 3764920022 ecr 0,nop,wscale 7], length 0
E..<.l@.@.BM........v....v.2.........0.........
.h..........
14:54:09.111651 lo In IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.389 > 127.0.0.1.30238: Flags [S.], cksum 0xfe30 (incorrect -> 0x387b), seq 895005279, ack 41334579, win 65483, options [mss 65495,sackOK,TS val 3764920022 ecr 3764920022,nop,wscale 7], length 0
E..<..@.@.<...........v.5X._.v.3.....0.........
.h...h......
14:54:09.111656 lo In IP (tos 0x0, ttl 64, id 64109, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30238 > 127.0.0.1.389: Flags [.], cksum 0xfe28 (incorrect -> 0x5f37), seq 1, ack 1, win 512, options [nop,nop,TS val 3764920022 ecr 3764920022], length 0
E..4.m@.@.BT........v....v.35X.`.....(.....
.h...h..
14:54:09.111905 lo In IP (tos 0x0, ttl 64, id 2456, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.389 > 127.0.0.1.30226: Flags [F.], cksum 0xfe28 (incorrect -> 0x5a36), seq 1, ack 2, win 512, options [nop,nop,TS val 3764920022 ecr 3764920022], length 0
E..4 .@.@.3*..........v.+e...|.......(.....
.h...h..
14:54:09.111918 lo In IP (tos 0x0, ttl 64, id 44795, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30226 > 127.0.0.1.389: Flags [.], cksum 0xfe28 (incorrect -> 0x5a36), seq 2, ack 2, win 512, options [nop,nop,TS val 3764920022 ecr 3764920022], length 0
E..4..@.@...........v....|..+e.......(.....
.h...h..
14:54:09.115005 lo In IP (tos 0x0, ttl 64, id 64110, offset 0, flags [DF], proto TCP (6), length 115)
127.0.0.1.30238 > 127.0.0.1.389: Flags [P.], cksum 0xfe67 (incorrect -> 0xfa17), seq 1:64, ack 1, win 512, options [nop,nop,TS val 3764920025 ecr 3764920022], length 63
E..s.n@.@.B.........v....v.35X.`.....g.....
.h...h..0=...`8......1NTLMSSP......... . .(.......1...........LOCALHOST
14:54:09.115017 lo In IP (tos 0x0, ttl 64, id 8479, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.389 > 127.0.0.1.30238: Flags [.], cksum 0xfe28 (incorrect -> 0x5ef2), seq 1, ack 64, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 0
E..4!.@.@.............v.5X.`.v.r.....(.....
.h...h..
14:54:09.115158 lo In IP (tos 0x0, ttl 64, id 8480, offset 0, flags [DF], proto TCP (6), length 95)
127.0.0.1.389 > 127.0.0.1.30238: Flags [P.], cksum 0xfe53 (incorrect -> 0xf650), seq 1:44, ack 64, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 43
E.._! @.@..w..........v.5X.`.v.r.....S.....
.h...h..0)...a$
......unknown authentication method
14:54:09.115168 lo In IP (tos 0x0, ttl 64, id 64111, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30238 > 127.0.0.1.389: Flags [.], cksum 0xfe28 (incorrect -> 0x5ec7), seq 64, ack 44, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 0
E..4.o@.@.BR........v....v.r5X.......(.....
.h...h..
14:54:09.115250 lo In IP (tos 0x0, ttl 64, id 64112, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30238 > 127.0.0.1.389: Flags [F.], cksum 0xfe28 (incorrect -> 0x5ec6), seq 64, ack 44, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 0
E..4.p@.@.BQ........v....v.r5X.......(.....
.h...h..
14:54:09.115339 lo In IP (tos 0x0, ttl 64, id 8481, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.389 > 127.0.0.1.30238: Flags [F.], cksum 0xfe28 (incorrect -> 0x5ec5), seq 44, ack 65, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 0
E..4!!@.@.............v.5X...v.s.....(.....
.h...h..
14:54:09.115352 lo In IP (tos 0x0, ttl 64, id 64113, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.30238 > 127.0.0.1.389: Flags [.], cksum 0xfe28 (incorrect -> 0x5ec5), seq 65, ack 45, win 512, options [nop,nop,TS val 3764920025 ecr 3764920025], length 0
E..4.q@.@.BP........v....v.s5X.......(.....
.h...h..

Corresponding log in /var/log/forticlientems/adconnector-*.log:

2024-08-14T14:54:09.115Z ERROR connector/auth_hdlr.go:81 Failed to auth user admin for domain localhost: LDAP Result Code 7 "Auth Method Not Supported": unknown authentication method

Which might make sense if it is trying to use an AD connector to auth against OpenLDAP.

The documentation seems to indicate there's support for native LDAP but I'm not seeing it in the UI at least. Does anyone know if there's something I'm missing with my EMS implementation or is the documentation incorrect?

Thanks again!

siwetbak · ‎08-14-2024

Because I like to keep a wall between AD and other things, when doing this without a FortiAuth I setup NPS on the ADCs and did my auth via RADIUS instead of LDAP. That lets you run the EMS instance standalone or on domain, your pref for management https://speedtest.vet/ .

Issues adding an LDAP server with FortiClient EMS v7.4.0 build1793

Nominate a Forum Post for Knowledge Article Creation