- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Credentials fail to some users.
I have a fortigate 100E. I recently replaced an Domain Controller (it crashed) that the fortigate was connected to through LDAP. I have updated the LDAP settings to the new Domain Controller. It passes the "test connectivity" test.
However going to "Users and Authenication"->"Ldap Servers"-> select LDAP server-> click "Test Users Credentials"; the some users cannot get the credentials validated. it is weird, I can't figure out why some people (like myself) can get "User Credentials Successful" and some users get "User Credentials Invalid Credentials"
The Common Name Identifier is SAMAccountName
Any thoughts how to correct this?
- Labels:
-
FortiGate
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello 6sITdept,
As I understand, your LDAP connection status shows Successful. However, unable to validate the user credentials even if it is right. Error > User credentials Invalid credentials.
Next Action Plan to identify the issue:
Follow the below link on how to collect logs using putty.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-log-file-of-a-session-usin...
Putty 1 :
diagnose debug app fnbamd -1
diagnose debug enable
Follow the same steps to reproduce the issue: Go to >>Users and Authentication"->"Ldap Servers"-> select LDAP server-> click "Test Users Credentials
Use the below command to disable debug:
di de di
Simultaneously on Putty 2 :
diagnose sniffer packet any "host x.x.x.x" 6 0 l
Here x.x.x.x is the ldap server IP.
Use ctrl+C keys to stop the sniffer
Regards,
Shilpa C.P
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Shilpa. I have done this. is there something that I am looking for?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello 6sITdept,
fnbamd is the authentication daemon that will show any LDAP and RADIUS authentication that FortiGate creates and the results of it. Failed authentications will show there.
You might only want to add a timestamp to the log:
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable
How they exactly looks like depend on the setup. There will be a binding with the bindDN you are using and another bind with the user you try to authenticate. After that you typically should see a memberof query. That again depends on the setup.
Best regards,
Markus
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I may have solved the problem but want your opinion. on our Active Directory, we set the "Log on To" which restricts which computers the user can log on to. when I removed it (ie no restriction). the user was able to connect the LDAP. and then VPN started working again. Anyone have an opinion on this? would this be the issue? is there a work around so I can restrict computers?