Is it possible to test an LDAP login on a Fortigate and have it report back the user's associated group memberships?
The web based option only reports if the credentials are correct or incorrect.
Hey SMC-IT,
yes, you can test via CLI:
(#config vdom
#edit <vdom>)
#dia test authserver ldap <LDAP server name> <username> <password>
Hope that helps!
I get an authentication failed using that command even though using the GUI it succeeds.
There are a few known issues with the GUI credential test, depending on firmware version; it can sometimes report an authentication as successful even if it fails.
The CLI command is generally more reliable.
I would suggest some debug:
#dia de reset
#dia de app fnbamd -1
#dia de en
-> then do the 'dia test authserver' command again
-> the debug should dump some output regarding FortiGate contacting the LDAP server, binding to it, checking the user credentials via user bind, then performing a memberOf lookup, including the reply from LDAP.
-> It should give you an idea at what stage the authentication fails (contacting LDAP, user bind, DN search, memberOf query...)
To end the output:
#dia de dis
#dia de reset
If you want, you can share some of the fnbamd debug here for me to look over; if you would prefer some more detailed troubleshooting as to why the authentication is failing when testing via CLI, I would suggest a ticket with Technical Support.
Hi Debbie
Are you able to explain what each of the commands does? I am just hesitant to run commands on a live unit when I am unsure what they do.
Thanks so much for your help so far!
I know you resolved the issue, but an explanation of the commands anyway :)
-> none of the commands I provided should impact the FortiGate's operations in any way; all they do is turn on and off some specific debug
1. 'dia de reset'
-> resets any previous debug commands to ensure there is no additional debug output beyond what we want to see
2. 'dia de app fnbamd -1'
-> enables debugging of the 'fnbamd' daemon and sets debug level to -1 (all); this one handles user authentication against local, LDAP, RADIUS, TACACS+ for non-proxy authentication (VPN, IPv4 policy, etc)
3. 'dia de en'
-> enable debug; debug will be printed in CLI after this command if the daemon(s) we set a debug level for see any activity
4. 'dia de dis'
-> disable debug; no further debug will be printed in CLI
5. 'dia de reset'
-> reset debug settings again, meaning removing debug levels from daemons (this undoes the 'dia de app fnbamd -1', which 'dia de dis' does NOT undo)
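A small triage helper for the fnbamd debug output Debbie describes above (an added example, not FortiGate code or anything posted in this thread): it works out the furthest stage reached (contact server, bind, DN search, memberOf lookup), records the first error line, and collects the memberOf values so you can see the group memberships the question asked about. The sample debug lines and the stage/error keyword patterns are constructed assumptions; real fnbamd wording differs across firmware versions, so adjust the patterns to what your unit prints.

```python
import re

# Stages in the order the thread describes fnbamd's flow; the patterns are
# assumptions, adjust them to the wording your firmware version prints.
STAGES = [
    ("contact-server", re.compile(r"connect|init", re.I)),
    ("bind",           re.compile(r"\bbind", re.I)),
    ("dn-search",      re.compile(r"search", re.I)),
    ("memberof-query", re.compile(r"memberof|group", re.I)),
]
ERROR = re.compile(r"error|fail|invalid|refused|timeout", re.I)
ACCEPT = re.compile(r"auth accepted", re.I)
MEMBEROF = re.compile(r"memberOf\s*:?\s*(CN=[^\r\n]+)", re.I)

def triage(debug_lines):
    """Furthest stage reached, first error, memberOf groups and a verdict."""
    reached, first_error, groups, accepted = -1, None, [], False
    for line in debug_lines:
        for idx, (_, pattern) in enumerate(STAGES):
            if pattern.search(line):
                reached = max(reached, idx)   # keep the furthest stage seen
        m = MEMBEROF.search(line)
        if m:
            groups.append(m.group(1).strip())
        accepted = accepted or bool(ACCEPT.search(line))
        if first_error is None and ERROR.search(line):
            first_error = line.strip()
    stage = STAGES[reached][0] if reached >= 0 else "none"
    verdict = ("accepted" if accepted else
               "failed at " + stage if first_error else "incomplete")
    return {"stage": stage, "first_error": first_error,
            "groups": groups, "verdict": verdict}

# Constructed sample (not real fnbamd output): wrong bind password.
FAILED_BIND = """\
fnbamd_ldap_init-Connecting to LDAP server 192.0.2.10:636
fnbamd_ldap_bind-Binding as CN=ldapsvc,OU=Service,DC=example,DC=com
fnbamd_ldap_get_result-Error in LDAP result: 49 (Invalid credentials)
fnbamd_auth_handle_ldap_result-Auth failed
""".splitlines()

# Constructed sample: user bind succeeds and memberOf is returned.
ACCEPTED = """\
fnbamd_ldap_init-Connecting to LDAP server 192.0.2.10:636
fnbamd_ldap_search-Search filter (sAMAccountName=jdoe) base DC=example,DC=com
fnbamd_ldap_bind-User bind CN=John Doe,OU=Staff,DC=example,DC=com
fnbamd_ldap_parse-Attribute memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com
fnbamd_ldap_parse-Attribute memberOf: CN=Staff,OU=Groups,DC=example,DC=com
fnbamd_auth_handle_ldap_result-Auth accepted
""".splitlines()
```

Paste the lines captured between 'dia de en' and 'dia de dis' into a list and call triage() on it; the "stage" and "first_error" fields point at where the flow stopped, as described in the thread.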
I resolved my issue thanks, it turns out my provider was having an issue with secure LDAP.