After updating some firewalls to FortiOS 7.4.4 I am no longer able to log onto them using LDAP authentication. Local accounts are not affected.
I have tested my credentials on the LDAP server screen and confirmed that I can authenticate, so this looks like a bug in 7.4.4.
Anyone else experiencing this issue?
Hi Magnitude_8,
Good day!
Could you try to run the below debug commands when you encounter the issue:
# diag debug reset
# diag debug console timestamp enable
# diag debug application fnbamd -1
# diag de enable
Regards,
Can you try recreating one of the affected admins on the FG and try again?
I had the same issue, could not log in to the FG using an LDAP account, but my SSL VPN also stopped working for the same reason, since LDAP accounts are used...
I also tried testing my credentials on the LDAP server screen, which was a success. I then tried disabling the option "Secure Connection" (I was using LDAPS), and after I disabled "Secure Connection" it started working again.
I am now again able to log in to the FG and my SSL VPN is working.
But I still want to use LDAPS, currently only plain LDAP is working for me on 7.4.4.
My educated guess would be that maybe the CLI-only option "set server-identity-check" was reset to the "enable" state, and that triggered failures due to the LDAP server's certificate either being outdated (SHA1, expired, etc.) or not matching the configured address (the LDAP server address configured on the FGT, be it IP or FQDN, must be included in the SAN field of the certificate to be considered a valid match).
Review of the fnbamd outputs (as noted in an earlier comment) + cross-checking against the "config user ldap" settings should help.
Created on 05-22-2024 06:57 AM Edited on 05-22-2024 09:54 AM
Good guess and good idea. I went in there to check this, but it's still set to "disable" as it was before the upgrade to 7.4.4.
PS.
Also, if I remember correctly, in the past when the issue was "server-identity-check" then even the LDAP tests that I was doing on the LDAP server screen were failing. In this case they were all successful.
Hey HrM,
FortiOS 7.4.4 enforces the LDAPS server certificate check more stringently (it wasn't before): https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-certificate-issuer-enforcement/ta-p/...
You could be running afoul of that? Double-check that the CA certificate which issued the LDAP server's certificate is trusted on FortiGate.
Cheers,
Deborah
That did it :)
This was my issue. Up until now there was no need to add our local CA certificate into FG certificate store, LDAPS worked regardless.
I added our local CA into the FG certificate store as in the example you linked and now LDAPS is working again.
Thanks for the tip :)
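For readers hitting the same symptom, here is an added example (not from any post above, and not Fortinet's documentation) of what the resolved configuration looks like on the FortiGate CLI. It covers both points raised in the thread: the server-identity-check setting discussed earlier, and the CA trust that turned out to be the fix. The object names "Local-CA" and "LDAP-Server", the hostname ldap.example.com, the bind DN and the test user are placeholders; the certificate body is elided and must be replaced with your own CA's PEM.

```fortios
# 1. Import the CA that issued the LDAP server's certificate into the
#    FortiGate certificate store (the step that fixed the thread's issue).
#    Without this, 7.4.4 rejects the LDAPS handshake even though the
#    "Test connectivity" button on the LDAP server page may still pass.
config vpn certificate ca
    edit "Local-CA"
        set ca "-----BEGIN CERTIFICATE-----
<your CA certificate in PEM form, placeholder>
-----END CERTIFICATE-----"
    next
end

# 2. Reference that CA from the LDAP server object and keep the
#    connection on LDAPS. server-identity-check is the CLI-only option
#    mentioned above: with it enabled, the hostname or IP in "set server"
#    must appear in the server certificate's SAN, so prefer the FQDN here.
config user ldap
    edit "LDAP-Server"
        set server "ldap.example.com"
        set secure ldaps
        set port 636
        set ca-cert "Local-CA"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt,ou=service,dc=example,dc=com"
        set password <bind-password, placeholder>
    next
end

# 3. Verify from the CLI rather than the GUI: this exercises the same
#    fnbamd path an admin login or SSL VPN user would take.
diagnose test authserver ldap "LDAP-Server" testuser <user-password, placeholder>

# 4. If the test fails, collect the fnbamd debug output suggested earlier
#    in the thread; a certificate-chain or hostname error will show up
#    there rather than in the GUI test result.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable
```

Two design notes: the CA import is the change that matters in 7.4.4, because the firewall now has to build a trusted chain to the LDAPS server rather than accepting any certificate; and enabling server-identity-check on top of that is a separate, stricter choice that additionally ties the certificate to the configured server name, which is why the thread's poster could have it disabled and still be affected by the CA check.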
Great that it works now, and I'm happy I was able to help.
All the best!
Debbie
Thanks, I had a similar issue