Magnitude_8
New Contributor III

LDAP authentication for admins not working after FortiOS 7.4.4 update

After updating some firewalls to FortiOS 7.4.4 I am no longer able to log onto them using LDAP authentication. Local accounts are not affected.


I have tested my credentials on the LDAP server screen and confirmed that I can authenticate, so this looks like a bug in 7.4.4.


Anyone else experiencing this issue?

Crimedefender
New Contributor

100% correct. I tested it without Secure Connection and it's working. I opened a ticket with FortiGate support; the answer was "go back to 7.2.8", great. "Feature" means to me that new features can be buggy, but the basics should work. FortiGate should maybe use words like "Beta" or "Experimental" instead.

DoubleP
New Contributor

I am having the same issue after upgrading to 7.4.4

freddiedavis
New Contributor II

Same issue here using Google LDAPS - has anyone had any luck getting it to work on 7.4.4 with Google? Turning off secure connection didn't solve it. Thanks

Debbie_FTNT

Hey freddiedavis,

If you have the issue even after disabling secure connection, that sounds like something else might be going on.

I would suggest that you do the following in FortiGate CLI:

1. Enable this debug:
#dia de reset
#dia de app fnbamd -1
#dia de en
2. In a separate CLI connection, run this command:
#dia test authserver ldap <LDAP server name> <user> <password>
It should look something like this ("win-server" is what the LDAP-server is called in my FortiGate config):

3. In the first SSH session, you should get some output about FortiGate trying to connect to the LDAP. This might give you some error messages (like SSL connect failed, or admin bind failed, or user bind failed, or similar).

-> I would suggest sharing the output here for us to look over, or opening a support case to have a FortiGate support engineer look the debug over and provide details on whatever error your FortiGate encounters.


4. To end the debug output:
#dia de disable
#dia de reset

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Magnitude_8
New Contributor III

None of the suggestions provided so far have worked for me, which included installing a CA cert and disabling security. I feel like this is a bug introduced in 7.4.4.


At the very least, I would expect that any issues with LDAP auth would be identified when running a test in the web GUI.

pminarik

I'd normally ask for a pcap + full fnbamd debug, but since those will most likely contain sensitive information, you'd be better off opening a support ticket to get things sorted out.

[ corrections always welcome ]
freddiedavis
New Contributor II

Thanks @Debbie_FTNT, I did manage to fix this in the end. Not sure if it will work for you @Magni_IT, but it might be worth a try. My issue was related to the LDAP timeout; increasing the timeout by running the below fixed it for me:

config sys global
set remoteauthtimeout 10
set ldapconntimeout 999
end

more details here - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Increase-the-LDAP-query-timeout/ta-p/18940...
