LDAP Weirdness Since Upgrading to 4.3.10

TopJimmy · ‎09-20-2012

We upgraded our main firewall cluster of 620b' s from 4.2.12 to 4.3.10 yesterday. The only thing that is giving us issues is one of our user authentication processes isn' t working. We' ve got 3 of them and the other 2 work just fine. All 3 of them are using LDAP. 2 are using secure connections to AD to look and the 3rd is not secure. All 3 are different AD domains. Domain1: working. unsecure. Domain2: working. Secure. Cert from CA imported and everything is working normally like it was in 4.2.12 Domain3: not working. Secure. Cert from CA imported. This LDAP query worked when the firewall was at 4.2.12 After doing a debug fnbamd -1 I get these: Domain1 (working unsecure) ------------------------------------ 2012-09-20 10:38:13 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619271 for UserX in Group1-AD opt=256 prot=9 2012-09-20 10:38:13 fnbamd_auth.c[228] radius_start-Didn' t find radius servers (0) 2012-09-20 10:38:13 fnbamd_auth.c[582] auth_tac_plus_start-Didn' t find tac_plus servers (0) 2012-09-20 10:38:13 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host1.domain.com, result xxx.xxx.xxx.xxx 2012-09-20 10:38:13 fnbamd_ldap.c[232] start_search_dn-base:' DC=domain1,DC=name' filter:sAMAccountName=UserX ------------------------------------ Domain2 (working, secure) ------------------------------------ 2012-09-20 10:42:00 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619272 for UserY in Group2-AD opt=256 prot=9 2012-09-20 10:42:00 fnbamd_auth.c[228] radius_start-Didn' t find radius servers (0) 2012-09-20 10:42:00 fnbamd_auth.c[582] auth_tac_plus_start-Didn' t find tac_plus servers (0) 2012-09-20 10:42:00 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host2.domain.com, result xxx.xxx.xxx.xxx 2012-09-20 10:42:00 fnbamd_ldap.c[218] set_cacert_file-CA file: ' /etc/cert/ca/CA_Cert_4.cer' 2012-09-20 10:42:00 fnbamd_ldap.c[232] start_search_dn-base:' DC=domain2,DC=name' filter:sAMAccountName=UserY ------------------------------------ Domain 3 (not working, secure) ------------------------------------ 2012-09-20 10:36:59 fnbamd_fsm.c[1274] handle_req-Rcvd auth req 6619270 for UserZ in Group3-AD opt=256 prot=9 2012-09-20 10:36:59 fnbamd_auth.c[228] radius_start-Didn' t find radius servers (0) 2012-09-20 10:36:59 fnbamd_auth.c[582] auth_tac_plus_start-Didn' t find tac_plus servers (0) 2012-09-20 10:36:59 fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address host3.domain.com, result xxx.xxx.xxx.xxx 2012-09-20 10:36:59 fnbamd_ldap.c[218] set_cacert_file-CA file: ' /etc/cert/ca/CA_Cert_5.cer' 2012-09-20 10:36:59 fnbamd_ldap.c[1117] fnbamd_ldap_start-Error in ldap_sasl_bind 2012-09-20 10:36:59 fnbamd_auth.c[356] ldap_start-Failed to start ldap request for host3.domain.com 2012-09-20 10:36:59 fnbamd_fsm.c[176] create_auth_session-Error starting authentication 2012-09-20 10:36:59 fnbamd_fsm.c[1287] handle_req-Error creating session 2012-09-20 10:36:59 fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 3 for req 6619270 ------------------------------------ Domain2 had it' s CA export a cert which was imported into the firewall and associated with LDAP server (/etc/cert/ca/CA_Cert_4.cer). Domain3 doesn' t have a CA (Windows Admins won' t tell me why so I have no idea) so the linux admin issued a cert on behalf of Domain3. This is where I think the process is broken at although I' m stumped as to why it' s not working now but had been working through all 12 versions of FortiOS in the 4.2 family. I opened a ticket with Fortinet but I thought I' d post this here to see if anybody else had an issue like this when they upgraded from 4.2 to 4.3. I' ll probably get a faster response here than with Support.

-TJ

ede_pfau · ‎09-21-2012

Simple bind or Regular bind? Could you try both?

Ede

"Kernel panic: Aiee, killing interrupt handler!"

TopJimmy · ‎09-21-2012

regular bind. The AD server requires authentication for LDAP lookups so I don' t think a simple bind wouldn' t work.

-TJ