LDAP Auth User Group
Is it possible to test an LDAP login on a FortiGate and have it report back the user's associated group memberships?
The web-based option only reports whether the credentials are correct or incorrect.
Labels: FortiGate
Hey SMC-IT,
yes, you can test via CLI:
(#config vdom
#edit <vdom>)
#dia test authserver ldap <LDAP server name> <username> <password>
Hope that helps!
I get an "authentication failed" using that command, even though using the GUI it succeeds.
There are a few known issues with the GUI credential test, depending on firmware version; it can sometimes report an authentication as successful even if it fails.
The CLI command is generally more reliable.
I would suggest some debug:
#dia de reset
#dia de app fnbamd -1
#dia de en
-> then do the 'dia test authserver' command again
-> the debug should dump some output regarding FortiGate contacting the LDAP server, binding to it, checking the user credentials via user bind, then performing a memberOf lookup, including the reply from LDAP.
-> It should give you an idea at what stage the authentication fails (contacting LDAP, user bind, DN search, memberOf query...)
To end the output:
#dia de dis
#dia de reset
If you want, you can share some of the fnbamd debug here for me to look over; if you would prefer some more detailed troubleshooting as to why the authentication is failing when testing via CLI, I would suggest a ticket with Technical Support.
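The stage-by-stage sequence described above (contact the server, bind, search for the user's DN, user bind, memberOf lookup), as an added example that is not from this thread or from FortiGate: a Python function that walks the same stages and reports which one failed, returning the group list on success. The Directory class is a constructed in-memory stand-in for the LDAP server so the script runs offline, and the bind DN, base DN, cnid attribute and sample entries are assumed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed in-memory stand-in for the LDAP server (not a real client)."""
    reachable: bool = True
    passwords: dict = field(default_factory=dict)  # DN -> password
    entries: dict = field(default_factory=dict)    # DN -> attribute dict

    def bind(self, dn, password):
        # Simple bind: succeeds only if the DN exists with that password.
        if not self.reachable:
            raise ConnectionError("LDAP server unreachable")
        return dn in self.passwords and self.passwords[dn] == password

    def search(self, base_dn, attr, value):
        # Subtree search under base_dn for entries whose attr equals value.
        if not self.reachable:
            raise ConnectionError("LDAP server unreachable")
        return [dn for dn, a in self.entries.items()
                if dn.endswith(base_dn) and a.get(attr) == value]


def ldap_auth(d, bind_dn, bind_pw, base_dn, cnid, username, password):
    """Walk the stages in order. Returns (stage, detail): stage is 'ok' or the
    name of the step that failed; detail is the memberOf list on success."""
    try:
        if not d.bind(bind_dn, bind_pw):
            return "bind", "server rejected the bind DN / password"
        hits = d.search(base_dn, cnid, username)
        if len(hits) != 1:
            return "dn search", f"{len(hits)} entries match {cnid}={username}"
        user_dn = hits[0]
        if not d.bind(user_dn, password):
            return "user bind", f"wrong password for {user_dn}"
        groups = d.entries[user_dn].get("memberOf", [])
        if not groups:
            return "memberOf", f"{user_dn} has no memberOf values"
        return "ok", groups
    except ConnectionError as exc:
        return "connect", str(exc)


# Constructed sample directory with placeholder DNs (not taken from the thread).
BASE = "dc=example,dc=com"
SAMPLE = Directory(
    passwords={f"cn=svc-fgt,{BASE}": "svc-pw", f"cn=jdoe,ou=users,{BASE}": "user-pw"},
    entries={f"cn=jdoe,ou=users,{BASE}": {"sAMAccountName": "jdoe",
             "memberOf": [f"cn=vpn-users,ou=groups,{BASE}"]}},
)
```

Calling `ldap_auth(SAMPLE, f"cn=svc-fgt,{BASE}", "svc-pw", BASE, "sAMAccountName", "jdoe", "user-pw")` returns the stage and the groups, which is the kind of result the GUI test does not show.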
Hi Debbie,
Are you able to explain what each of the commands does? I am just hesitant to run commands on a live unit when I am unsure what they do.
Thanks so much for your help so far!
I know you resolved the issue, but an explanation of the commands anyway :)
-> none of the commands I provided should impact the FortiGate's operations in any way; all they do is turn on and off some specific debug
1. 'dia de reset'
-> resets any previous debug commands to ensure there is no additional debug output beyond what we want to see
2. 'dia de app fnbamd -1'
-> enables debugging of the 'fnbamd' daemon and sets the debug level to -1 (all); this daemon handles user authentication against local, LDAP, RADIUS and TACACS+ for non-proxy authentication (VPN, IPv4 policy, etc.)
3. 'dia de en'
-> enable debug; debug will be printed in CLI after this command if the daemon(s) we set a debug level for see any activity
4. 'dia de dis'
-> disable debug; no further debug will be printed in CLI
5. 'dia de reset'
-> reset debug settings again, meaning removing debug levels from daemons (this undoes the 'dia de app fnbamd -1', which 'dia de dis' does NOT undo)
I resolved my issue, thanks; it turns out my provider was having an issue with secure LDAP.
