Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Created on ‎08-12-2019 12:52 AM Edited on ‎09-30-2024 12:39 AM By Community Manager

Article Id 197729

Technical Tip: FortiGate LDAP configuration - Network connectivity options

Description


This article provides a detailed look into the LDAP configuration options in FortiOS, focusing on network connectivity, and gives some examples for their usage.
The article focuses on the options as they are presented in the CLI.

 

Scope

 

FortiGate.

Solution


All of the options discussed below are accessible in

 

config user ldap
    edit “<my-ldap-server>”
        set server <IP | FQDN>
        set secondary-server <IP | FQDN>
        set tertiary-tertiary server <IP | FQDN>

 

The secondary- and tertiary- addresses can be added as backup servers. The servers are always contacted in this exact order: server, secondary-server, tertiary-server. The backups are only considered if the previous one is not responding.


Note:

This is the preferred way to set up redundancy for LDAP authentication. Multiple separate LDAP objects for the same domain should not be configured.

 

set port <389>

 

The standard ports are TCP/389 for LDAP and TCP/636 for LDAPS. This option is automatically changed when changing the secure option (explained further down).

 

set source-ip <IP>

 

This specifies which IP has to be used as the source of the packet when FortiGate contacts the LDAP server. As with other source-ip options in FortiOS configuration, this must be an IP of one of the FortiGate’s interfaces, arbitrary IPs are not allowed. Egress interface for the packets is decided based on the routing table.
This is typically configured when the LDAP server is reachable over an IPsec tunnel. By default, newly created IPsec tunnel interfaces do not have an IP address set. This can create an ambiguous situation (egress interface does not have an IP → unclear which source IP to use). Setting a source-IP in the LDAP server configuration is one way to resolve this ambiguity.

Exception: When HA is configured and ha-direct option is enabled (config system ha → set ha-direct enable), each cluster unit will use its individual management interface for its LDAP traffic. This overrides the source-ip option!

 

set secure disable | starttls | ldaps

 

This option controls encryption of the LDAP traffic.

disable – uses plaintext, unencrypted LDAP. Useful for initial testing and troubleshooting
starttls – uses startTLS to establishing an SSL/TLS session (LDAP extended request for LDAP_START_TLS_OID is sent, followed by SSL/TLS handshake)
ldaps – uses LDAPS (LDAP over a standard SSL/TLS connection)

Note:

Switching from disable to ldaps automatically changes the port to 636, and vice versa. This point is important if non-standard ports are used, as the port number may need to be set again.

The below two options become available when secure is set to either starttls or ldaps.

 

set ssl-min-proto-version default | SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2

 

This option controls the minimum acceptable version of the SSL/TLS protocol. If the LDAP server offers a weaker version than what is configured here, FortiGate will abort the connection.
The default option defers the decision to the global SSL/TLS setting, configurable in config system global → set ssl-min-proto-version (as of FortiOS 6.0.6/6.2.1, the globally pre-set minimum is TLS version 1.2).
Under normal conditions this option should be left unchanged. The accepted SSL/TLS version should only be lowered as a workaround when the LDAP server does not support TLS version 1.2 and connectivity needs to be allowed.

 

set ca-cert <certificate>

 

This option sets which CA certificate is acceptable for the SSL/TLS connection. If the LDAP server presents itself with a certificate signed by a different CA, FortiGate will abort the connection.
This CA certificate should be imported beforehand into the 'External CA certificates' list in System → Certificates. (CLI: config vpn certificate ca)

Global configurations affecting LDAP connectivity

 

config system global → set remoteauthtimeout <1~300; default 5; in seconds>

 

This option controls the maximum time allowed for processing a single authentication attempt against a remote authentication server (LDAP, RADIUS, TACACS+).
This may need to be increased when the connection to the LDAP server, or the LDAP server itself, is slow.

 

config system global → set ldapconntimeout <1~300000; default 500; in milliseconds>

 

This options controls how long the FortiGate is willing to wait for the session to the LDAP server to be established. In case of plain LDAP or startTLS, the limit applies to the establishment of the TCP session; for LDAP this includes the SSL/TLS handshake as well.
As with the previous option, this value may need to be increased when the network connection or the LDAP server is slow.

The CLI command to verify the LDAP connection:


diagnose test authserver ldap <server_name> <username> <password>

29778
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.