Magnitude_8
New Contributor III

LDAP authentication for admins not working after FortiOS 7.4.4 update

After updating some firewalls to FortiOS 7.4.4 I am no longer able to log onto them using LDAP authentication. Local accounts are not affected.

I have tested my credentials on the LDAP server screen and confirmed that I can authenticate, so this looks like a bug in 7.4.4.

Anyone else experiencing this issue?

navellano
Staff

Hi Magnitude_8,

Good day!
Could you try running the debug commands below when you encounter the issue:

# diag debug reset
# diag debug console timestamp enable
# diag debug application fnbamd -1
# diag debug enable

Regards,

AEK
SuperUser

Can you try recreating one of the affected admins on the FG and trying again?

AEK
HrM
New Contributor II

I had the same issue: I could not log in to the FG using an LDAP account, and my SSL VPN also stopped working for the same reason, since LDAP accounts are used there...

I also tried testing my credentials on the LDAP server screen, which was a success. I then tried disabling the option "Secure Connection" (I was using LDAPS), and after I disabled "Secure Connection" it started working again.
I am now again able to log in to the FG and my SSL VPN is working.

But I still want to use LDAPS; currently only plain LDAP is working for me on 7.4.4.

pminarik

My educated guess would be that maybe the CLI-only option "set server-identity-check" was reset to "enable" state, and that triggered failures due to the LDAP server's certificate either being outdated (SHA1, expired, etc.), or not matching the configured address (The LDAP server address configured on the FGT, be it IP or FQDN, must be included in the SAN field of the certificate to be considered a valid match).

Review of the fnbamd outputs (as noted in an earlier comment) + cross-checking against the "config user ldap" settings should help.

[ corrections always welcome ]
HrM
New Contributor II

Good guess and good idea. I went in there to check this, but it's still set to "disable", as it was before the upgrade to 7.4.4.

PS.

Also, if I remember correctly, in the past when the issue was "server-identity-check", then even the LDAP tests that I was doing on the LDAP server screen were failing. In this case they were all successful.

Debbie_FTNT

Hey HrM,

FortiOS 7.4.4 enforces the LDAPS server certificate check more stringently than before: https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-certificate-issuer-enforcement/ta-p/...

Could you be running afoul of that? Double-check that the CA certificate which issued the LDAP server's certificate is trusted on the FortiGate.

Cheers,

Deborah

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
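The two things the thread has now narrowed the failure down to are (1) whether the LDAPS server's certificate chains to a CA the FortiGate trusts, the check 7.4.4 tightened, and (2) whether the address configured on the FortiGate appears in the certificate's SAN, the check server-identity-check controls. The script below is an added example written for this thread, not code from Fortinet or from any poster; it reproduces both checks with plain openssl on a workstation so you can tell which one the firewall is tripping over before touching its config. It builds a throwaway lab PKI so it runs offline: the names "Lab Root CA", "Some Other CA", "ldap.lab.example" and the addresses 10.0.0.5/10.0.0.6 are made up for the example, and fetch_leaf_cert is included only to show how to point the same checks at a real server.

```shell
#!/bin/sh
# Added example (not from the thread or from Fortinet): reproduce the two checks
# an LDAPS client applies to the server certificate, chain of trust and name
# match, so the failure can be classified before changing the FortiGate config.
# All names and addresses below are constructed lab values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Lab PKI: one CA, a server cert it issued with SAN = FQDN + IP, and an
# unrelated CA that plays the role of "issuer missing from the trust store".
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.lab.example" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:ldap.lab.example,IP:10.0.0.5\n' >"$WORK/san.ext"
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/srv.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Some Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Check 1 (the one 7.4.4 now enforces): does the server cert chain to a CA in
# the trust store?  $1 = server cert, $2 = CA bundle the client trusts.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2 (what server-identity-check covers): is the address configured on the
# client present in the SAN?  $1 = server cert, $2 = configured FQDN or IP.
# openssl prints "... does match certificate" or "... does NOT match ..."
verify_identity() {
  case "$2" in
    *[!0-9.]*) openssl x509 -in "$1" -noout -checkhost "$2" ;;
    *)         openssl x509 -in "$1" -noout -checkip   "$2" ;;
  esac | grep -q ' does match '
}

# One verdict string for triage:
#   UNTRUSTED-CA  -> import the issuing CA into the FortiGate certificate store
#   NAME-MISMATCH -> fix the SAN or the server address configured on the FortiGate
#   OK            -> both checks pass; look elsewhere (fnbamd debug)
ldaps_cert_status() {  # $1 = server cert, $2 = trusted CA bundle, $3 = configured address
  if ! verify_chain "$1" "$2"; then echo UNTRUSTED-CA; return 0; fi
  if ! verify_identity "$1" "$3"; then echo NAME-MISMATCH; return 0; fi
  echo OK
}

# Against a live server (not run in this example): grab the leaf certificate the
# FortiGate would be presented with, then pass the path to ldaps_cert_status.
fetch_leaf_cert() {  # $1 = host, $2 = port (636 for LDAPS)
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$WORK/live.crt"
  echo "$WORK/live.crt"
}

make_lab_pki
echo "trusted CA, FQDN configured:  $(ldaps_cert_status "$WORK/srv.crt" "$WORK/ca.crt" ldap.lab.example)"
echo "trusted CA, IP configured:    $(ldaps_cert_status "$WORK/srv.crt" "$WORK/ca.crt" 10.0.0.5)"
echo "issuer not in trust store:    $(ldaps_cert_status "$WORK/srv.crt" "$WORK/other.crt" ldap.lab.example)"
echo "address missing from SAN:     $(ldaps_cert_status "$WORK/srv.crt" "$WORK/ca.crt" 10.0.0.6)"
```

The useful property is that the two failure modes are distinguishable: the first two lines print OK, the third UNTRUSTED-CA, the fourth NAME-MISMATCH. For a real server, run it with the same CA bundle you have in the FortiGate store and the exact address (IP or FQDN) you entered under config user ldap, since that is the string the SAN is matched against. On the FortiGate side the corresponding settings live under config user ldap (set secure ldaps, set port 636, set ca-cert with the name of the imported CA, set server-identity-check), and the CA itself is imported as a CA certificate under System > Certificates, which is the fix HrM applied below.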
HrM
New Contributor II

That did it :)

This was my issue. Up until now there was no need to add our local CA certificate to the FG certificate store; LDAPS worked regardless.

I added our local CA to the FG certificate store, as in the example you linked, and now LDAPS is working again.

Thanks for the tip :)

Debbie_FTNT

Great that it works now, and I'm happy I was able to help.

All the best!

Debbie

Techie10

Thanks, I had a similar issue.
