I am trying to enable LDAPS on our Fortigate 60F. We currently have LDAP to a DC working, but when I enable LDAPS over port 636 and click 'Test Connectivity' I get the error message 'Can't contact LDAP server'. This is before selecting a certificate.
I have imported a certificate from the Microsoft Intermediate CA in our domain, tried binding that to the setting but get the same error. I ran a packet sniffer to confirm the Fortigate is sending and receiving traffic to the DC over port 636.
I also ran ldp.exe to the DC over port 636 and the connection was successful.
What else could cause the error message? Any advice would be helpful as I am new to Fortigate administration, thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I think that you need the server certificate of the AD server, exported and imported on the FGT and that should be selected as cert to secure the connection to the AD over 636.
Configure LDAPS on the Microsoft Windows Certificate Authority server:
From another forum post, I read that enabling LDAPS without defining a cert will still work, and that an error at that stage indicates a problem connecting to the LDAPS server over port 636, before indicating it's a problem with the certificate. However, I tried selecting the cert (exported from Intermediate CA) to secure the connection as well, and got the same error
Yes it is correct that LDAPS can work without defining a certificate.
Can you share output of command :
config user ldap
edit "LDAP"
show
Here is the output:
config user ldap
edit "LDAP"
set cnid "cn"
next
end
edit "LDAP" is the name of my LDAP server .
Replace the name with the one of your LDAP server or do:
config user ldap
show
That makes more sense, here is the output for the LDAP server, sanitized:
config user ldap
edit "LDAPSERVER"
set server "LDAPSERVERFQDN"
set server-identity-check disable
set cnid "sAMAccountName"
set dn "dc=DOMAINNAME,dc=com"
set type regular
set username "LDAPSERVICEACCOUNTNAME"
set password ENC PASSWORD
set secure ldaps
set ca-cert "CA_Cert_3"
set port 636
next
end
Can you set the username in different format for example :
set username "CN=LDAPSERVICEACCOUNTNAME,CN=Users,DC=yourdomain,DC=com"
Specify the hole path as above.
Or try like :
domain\LDAPSERVICEACCOUNTNAME
Update on this, when setting the LDAPS setting before in the GUI, I had never clicked the 'OK' button to save the configuration, because I didn't want to break the current LDAP configuration during business hours. When I set the LDAPS setting (no certificate selected), and clicked 'Test Connectivity', I got the error message.
However, after saving the configuration anyways after business hours and leaving the 'Edit LDAP server' page, and going back to it, the connection status says 'Successful'.
So it appears that the 'Test Connectivity' safeguard that is put in place to prevent saving a non-working configuration, is bugged. It would have worked if I ignored the 'Can't contact LDAP server' and saved the configuration anyways. This should be submitted as an issue to be fixed, I am on the current firmware 7.0.15.
Thank you for your update. It would be nice to document this through a ticket if you have active support, so it can be fixed .
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.