Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aw-sysadmin
New Contributor II

LDAPS issue, 'Can't contact LDAP server'

I am trying to enable LDAPS on our Fortigate 60F. We currently have LDAP to a DC working, but when I enable LDAPS over port 636 and click 'Test Connectivity' I get the error message 'Can't contact LDAP server'. This is before selecting a certificate.

I have imported a certificate from the Microsoft Intermediate CA in our domain, tried binding that to the setting but get the same error. I ran a packet sniffer to confirm the Fortigate is sending and receiving traffic to the DC over port 636.

I also ran ldp.exe to the DC over port 636 and the connection was successful.

 

What else could cause the error message? Any advice would be helpful as I am new to Fortigate administration, thank you.

16 REPLIES 16
funkylicious
SuperUser
SuperUser

I think that you need the server certificate of the AD server, exported and imported on the FGT and that should be selected as cert to secure the connection to the AD over 636.

As per, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997... , 

Configure LDAPS on the Microsoft Windows Certificate Authority server:

---------------------------
geek
---------------------------
---------------------------geek---------------------------
aw-sysadmin

From another forum post, I read that enabling LDAPS without defining a cert will still work, and that an error at that stage indicates a problem connecting to the LDAPS server over port 636, before indicating it's a problem with the certificate. However, I tried selecting the cert (exported from Intermediate CA) to secure the connection as well, and got the same error

dbu

Yes it is correct that LDAPS can work without defining a certificate.
Can you share output of command :

config user ldap

 edit "LDAP" 

  show

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
aw-sysadmin
New Contributor II

Here is the output:

 

config user ldap
edit "LDAP"
set cnid "cn"
next
end

dbu

edit "LDAP" is the name of my LDAP server .
Replace the name with the one of your LDAP server or do:

config user ldap

show

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
aw-sysadmin
New Contributor II

That makes more sense, here is the output for the LDAP server, sanitized:

 

config user ldap

    edit "LDAPSERVER"

        set server "LDAPSERVERFQDN"

        set server-identity-check disable

        set cnid "sAMAccountName"

        set dn "dc=DOMAINNAME,dc=com"

        set type regular

        set username "LDAPSERVICEACCOUNTNAME"

        set password ENC PASSWORD

        set secure ldaps

        set ca-cert "CA_Cert_3"

        set port 636

    next

end

dbu

Can you set the username in different format for example : 

set username "CN=LDAPSERVICEACCOUNTNAME,CN=Users,DC=yourdomain,DC=com"
Specify the hole path as above. 

 

Or try like :

domain\LDAPSERVICEACCOUNTNAME

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
aw-sysadmin
New Contributor II

Update on this, when setting the LDAPS setting before in the GUI, I had never clicked the 'OK' button to save the configuration, because I didn't want to break the current LDAP configuration during business hours. When I set the LDAPS setting (no certificate selected), and clicked 'Test Connectivity', I got the error message.

However, after saving the configuration anyways after business hours and leaving the 'Edit LDAP server' page, and going back to it, the connection status says 'Successful'.

So it appears that the 'Test Connectivity' safeguard that is put in place to prevent saving a non-working configuration, is bugged. It would have worked if I ignored the 'Can't contact LDAP server' and saved the configuration anyways.  This should be submitted as an issue to be fixed, I am on the current firmware 7.0.15.

dbu

Thank you for your update. It would be nice to document this through a ticket if you have active support, so it can be fixed .

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors