We have an LDAP connection to our DC setup on our Fortigate 60E (v6.2.2 build1010). We connect to the domain controller over a S2S VPN. Insecure connections on port 389 connect just fine. However, when I attempt to turn on LDAPS, and issue command:
diagnose test authserver ldap SDC_LDAP <username> <password>
authenticate '<username>' against 'SDC_LDAP' failed!
I have imported a CA cert into the Fortigate that is in the trusted CA store of the DC (SDC_LDAP) as well.
After a bit of troubleshooting, I believe I cannot connect via LDAPS because the Fortigate does not resolve the fqdn of the LDAP server IP, thus causing a cert validation failure. Entering in the fqdn of the DC into the server field does not work because the Fortigate does not resolve the name to an IP address (a DNS resolution failure).
Using the Ldp utility from my desktop I get a similar result, I can connect via LDAPS just fine if and only if I use the DC hostname/fqdn. (The LDAPS Cookbook guide uses an IP address just fine. I am not using AD CS, I generated the root key pair via OpenSSL on a different box so I am kind of curious what might be different here. Adding the IP to the cert seems a little janky to me)
How do I best go about getting the Fortigate to resolve the name? I have changed the Fortigate's network DNS to use our DNS to no avail. Any help would be appreciated.