aw-sysadmin
New Contributor II

LDAPS issue, 'Can't contact LDAP server'

I am trying to enable LDAPS on our Fortigate 60F. We currently have LDAP to a DC working, but when I enable LDAPS over port 636 and click 'Test Connectivity' I get the error message 'Can't contact LDAP server'. This is before selecting a certificate.

I have imported a certificate from the Microsoft Intermediate CA in our domain, tried binding that to the setting but get the same error. I ran a packet sniffer to confirm the Fortigate is sending and receiving traffic to the DC over port 636.

I also ran ldp.exe to the DC over port 636 and the connection was successful.


What else could cause the error message? Any advice would be helpful as I am new to Fortigate administration, thank you.

funkylicious
SuperUser

I think that you need the server certificate of the AD server, exported and imported on the FGT and that should be selected as cert to secure the connection to the AD over 636.

As per https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997... :

Configure LDAPS on the Microsoft Windows Certificate Authority server:

aw-sysadmin

From another forum post, I read that enabling LDAPS without defining a cert will still work, and that an error at that stage indicates a problem connecting to the LDAPS server over port 636, before indicating it's a problem with the certificate. However, I tried selecting the cert (exported from the Intermediate CA) to secure the connection as well, and got the same error.

dbu

Yes, it is correct that LDAPS can work without defining a certificate.
Can you share the output of this command:

config user ldap
    edit "LDAP"
        show

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
aw-sysadmin
New Contributor II

Here is the output:


config user ldap
edit "LDAP"
set cnid "cn"
next
end

dbu

edit "LDAP" is the name of my LDAP server.
Replace the name with the one of your LDAP server, or do:

config user ldap
    show

Regards!
aw-sysadmin
New Contributor II

That makes more sense, here is the output for the LDAP server, sanitized:


config user ldap
    edit "LDAPSERVER"
        set server "LDAPSERVERFQDN"
        set server-identity-check disable
        set cnid "sAMAccountName"
        set dn "dc=DOMAINNAME,dc=com"
        set type regular
        set username "LDAPSERVICEACCOUNTNAME"
        set password ENC PASSWORD
        set secure ldaps
        set ca-cert "CA_Cert_3"
        set port 636
    next
end
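As an added example (not code from this thread or from Fortinet), here is a small Python script that parses `config user ldap` output in the shape posted above and flags the settings that matter once `secure ldaps` is enabled: `server-identity-check disable` (the server certificate's name is no longer matched against the configured `server`), a missing `ca-cert` (no trust anchor to validate the chain), a port that does not match the chosen mode, and entries still on plaintext `secure disable`. The sample config, the second `LEGACY` entry and the assumed FortiOS defaults in `DEFAULTS` are constructed for the example; confirm the defaults against your firmware's CLI reference before relying on them.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the sanitized output in the thread; not a real config.
SAMPLE_CONFIG = """\
config user ldap
    edit "LDAPSERVER"
        set server "LDAPSERVERFQDN"
        set server-identity-check disable
        set cnid "sAMAccountName"
        set dn "dc=DOMAINNAME,dc=com"
        set type regular
        set username "LDAPSERVICEACCOUNTNAME"
        set password ENC PASSWORD
        set secure ldaps
        set ca-cert "CA_Cert_3"
        set port 636
    next
    edit "LEGACY"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=DOMAINNAME,dc=com"
        set type regular
        set username "svc"
        set password ENC PASSWORD
    next
end
"""

# Assumed FortiOS defaults for keys that do not appear when left unset (check your CLI reference).
DEFAULTS = {"secure": "disable", "server-identity-check": "enable", "port": "389"}

EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_user_ldap(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a `config user ldap` block into {server_name: {key: value}}.

    Only explicitly `set` keys are recorded; values lose their surrounding quotes.
    """
    servers: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            servers[current][key] = value
    return servers


def audit(servers: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return a list of findings per LDAP server entry (empty list means nothing flagged)."""
    findings: Dict[str, List[str]] = {}
    for name, cfg in servers.items():
        eff = {**DEFAULTS, **cfg}  # apply assumed defaults for unset keys
        issues: List[str] = []
        if eff["secure"] == "disable":
            issues.append("plaintext LDAP: bind credentials cross the network unencrypted")
        else:
            if eff["server-identity-check"] == "disable":
                issues.append("server-identity-check disabled: certificate name is not matched "
                              "against the configured server, so TLS does not prove peer identity")
            if "ca-cert" not in cfg:
                issues.append("no ca-cert configured: server certificate chain cannot be validated")
            if eff["secure"] == "ldaps" and eff["port"] != "636":
                issues.append(f"secure ldaps but port {eff['port']}: LDAPS normally uses 636")
            if eff["secure"] == "starttls" and eff["port"] != "389":
                issues.append(f"secure starttls but port {eff['port']}: STARTTLS normally uses 389")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for server, issues in audit(parse_user_ldap(SAMPLE_CONFIG)).items():
        print(server, "->", issues or ["ok"])
```

Run it against `show` output copied from your own FortiGate (replace `SAMPLE_CONFIG`); a clean LDAPS entry is one where the script reports nothing, which in the thread's config means re-enabling `server-identity-check` once the certificate's CN or SAN actually matches the FQDN set in `server`.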

dbu

Can you set the username in a different format, for example:

set username "CN=LDAPSERVICEACCOUNTNAME,CN=Users,DC=yourdomain,DC=com"

Specify the whole path as above.

Or try something like:

domain\LDAPSERVICEACCOUNTNAME

Regards!
aw-sysadmin
New Contributor II

Update on this, when setting the LDAPS setting before in the GUI, I had never clicked the 'OK' button to save the configuration, because I didn't want to break the current LDAP configuration during business hours. When I set the LDAPS setting (no certificate selected), and clicked 'Test Connectivity', I got the error message.

However, after saving the configuration anyways after business hours and leaving the 'Edit LDAP server' page, and going back to it, the connection status says 'Successful'.

So it appears that the 'Test Connectivity' safeguard that is put in place to prevent saving a non-working configuration is bugged. It would have worked if I had ignored the 'Can't contact LDAP server' and saved the configuration anyway. This should be submitted as an issue to be fixed; I am on the current firmware 7.0.15.

dbu

Thank you for your update. It would be nice to document this through a ticket if you have active support, so it can be fixed.

Regards!