Support Forum
SMC-IT
New Contributor

LDAP Auth User Group

Is it possible to test an LDAP login on a FortiGate and have it report back the user's associated group memberships?

The web-based option only reports whether the credentials are correct or incorrect.

Debbie_FTNT
Staff

Hey SMC-IT,

yes, you can test via CLI:

(#config vdom
#edit <vdom>)
#dia test authserver ldap <LDAP server name> <username> <password>


Hope that helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
SMC-IT

I get an authentication failed using that command even though using the GUI it succeeds. 

Debbie_FTNT

There are a few known issues with the GUI credential test, depending on firmware version; it can sometimes report an authentication as successful even if it fails.

The CLI command is generally more reliable.

I would suggest some debug:

#dia de reset

#dia de app fnbamd -1

#dia de en

-> then do the 'dia test authserver' command again

-> the debug should dump some output regarding FortiGate contacting the LDAP server, binding to it, checking the user credentials via user bind, then performing a memberOf lookup, including the reply from LDAP.

-> It should give you an idea at what stage the authentication fails (contacting LDAP, user bind, DN search, memberOf query...)

To end the output:
#dia de dis

#dia de reset

 

If you want, you can share some of the fnbamd debug here for me to look over; if you would prefer some more detailed troubleshooting as to why the authentication is failing when testing via CLI, I would suggest a ticket with Technical Support.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
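An added example (not from this thread or from Fortinet) that replays the same stages the fnbamd debug walks through, but from a workstation: LDAPS connect and regular bind, DN search, user bind, then the memberOf lookup. Comparing where this stops with where the FortiGate debug stops helps tell a FortiGate-side problem from an LDAP-side one (as in the secure LDAP outage this thread ended with). It assumes the third-party ldap3 package is installed and uses sAMAccountName as the CN identifier; the filter escaping and group-CN parsing are plain Python and run without a server.

```python
import re
import ssl


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so an unusual
    username cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(username: str, cnid: str = "sAMAccountName") -> str:
    """Filter matching the FortiGate's Common Name Identifier (cnid) lookup."""
    return "(%s=%s)" % (cnid, escape_filter_value(username))


def group_cns(member_of):
    """Reduce each group DN in memberOf to its CN, the value a FortiGate
    user group is matched against."""
    cns = []
    for dn in member_of:
        m = re.match(r"\s*cn=((?:\\,|[^,])+)", dn, re.IGNORECASE)
        if m:
            cns.append(m.group(1).replace("\\,", ","))
    return cns


def check_user(host, bind_dn, bind_pw, base_dn, username, password,
               cnid="sAMAccountName", port=636, ca_file=None):
    """Replay the stages of 'dia test authserver ldap' from a workstation.
    Returns (last_stage_completed, group_cns). Assumes the third-party
    ldap3 package is installed; TLS certificate validation stays on."""
    from ldap3 import Server, Connection, Tls          # assumption: ldap3 present
    from ldap3.core.exceptions import LDAPException
    done = "none"
    try:
        tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
        server = Server(host, port=port, use_ssl=True, tls=tls)
        admin = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
        done = "admin_bind"                             # LDAPS connect + regular bind
        if not admin.search(base_dn, user_filter(username, cnid), attributes=["memberOf"]) \
                or not admin.entries:
            return done, []                             # no user DN found under base_dn
        entry = admin.entries[0]
        done = "dn_search"
        Connection(server, user=entry.entry_dn, password=password, auto_bind=True).unbind()
        done = "user_bind"                              # the user's own credentials work
        groups = group_cns(entry.entry_attributes_as_dict.get("memberOf", []))
        done = "memberof"
        return done, groups
    except LDAPException as exc:
        print("failed in the stage after %r: %s" % (done, exc))  # same failure point fnbamd shows
        return done, []
```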
SMC-IT

Hi Debbie

 

Are you able to explain what each of the commands does? I am just hesitant to run commands on a live unit when I am unsure what they do.

 

Thanks so much for your help so far!

Debbie_FTNT

I know you resolved the issue, but an explanation of the commands anyway :)

-> none of the commands I provided should impact the FortiGate's operations in any way; all they do is turn on and off some specific debug

1. 'dia de reset'
-> resets any previous debug commands to ensure there is no additional debug output beyond what we want to see

2. 'dia de app fnbamd -1'
-> enables debugging of the 'fnbamd' daemon and sets debug level to -1 (all); this one handles user authentication against local, LDAP, RADIUS, TACACS+ for non-proxy authentication (VPN, IPv4 policy, etc)

3. 'dia de en'
-> enable debug; debug will be printed in CLI after this command if the daemon(s) we set a debug level for see any activity

4. 'dia de dis'
-> disable debug; no further debug will be printed in CLI

5. 'dia de reset'
-> reset debug settings again, meaning removing debug levels from daemons (this undoes the 'dia de app fnbamd -1', which 'dia de dis' does NOT undo)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
SMC-IT
New Contributor

I resolved my issue thanks, it turns out my provider was having an issue with secure LDAP. 
