LDAP Lab - Error ldap_-5

Author
jfgagnon@synovatec.com
New Member
2018/06/29 06:43:07 (permalink)
0

LDAP Lab - Error ldap_-5

Hi!
 
I'm working on a lab with a Windows 2012 R2 server and a FortiGate VM64-KVM (trial version) running version 6 (tried 5.6 as well).
When adding the LDAP server to the FortiGate, I always get error ldap_-5 in red, and I can't query against it.
 
When I debug, I can authenticate against it:

FortiGate-VM64-KVM # diagnose test authserver ldap "LDAP DC-01" user1 testpassword
authenticate 'user1' against 'LDAP DC-01' succeeded!
Group membership(s) - CN=Domain Admins,CN=Users,DC=fgtad,DC=local
CN=Domain Users,CN=Users,DC=fgtad,DC=local
 
Config:
 

config user ldap
edit "LDAP DC-01"
set server "10.10.10.11"
set cnid "cn"
set dn "dc=fgtad,dc=local"
set type regular
set username "LDAPconnect"
set password ENC ceUtrzALEk7sWZhJjrw1JElXiACZiRxwHScw9Spf2i2Fmr/FGSis8dpC0JyAuuAya/kZ91ECVenukLlLy8xfFyfJZ6hGqheLG5PCIhjVF8aLQxaeWlb8XnPJvR/ZBSIArzHDq+bD34X9fuUO0oraXOJbhOZfshPzCpZzvgJT04fVKhvWtZ3A56yCmgS2VjSVmMh45g==
next
end
 
Any ideas?
 
Thanks!
 
#1
emnoc
Expert Member
Re: LDAP Lab - Error ldap_-5 2018/06/29 09:06:11 (permalink)
0
Can you run an ldapsearch from the LDAP server (ldp.exe or LDAP Explorer, or via the ldapsearch tool)?
 
Since you  can authenticate that means the bind and baseDN are correct. 
 
Also, did you run the diagnose commands on the FGT?
 
  diagnose debug application fnbamd 255
  diagnose debug enable
  diagnose test authserver ldap-direct
  diagnose debug disable
  curl -k --tlsv1.2 --verbose -u "mydomain\kfelix" ldaps://10.1.1.2/DC=example,DC=com
 

PCNSE 
NSE 
StrongSwan  
#2
jfgagnon@synovatec.com
New Member
Re: LDAP Lab - Error ldap_-5 2018/06/29 10:09:41 (permalink)
0

FortiGate-VM64-KVM # diagnose test authserver ldap-direct 10.10.10.11
LDAP server '10.10.10.11' status is OK
 
Where do you run curl from?
#3
emnoc
Expert Member
Re: LDAP Lab - Error ldap_-5 2018/06/29 11:27:21 (permalink) ☄ Helpfulby neonbit 2018/06/30 02:08:33
0
A Linux or Windows host :)
 
e.g.
 
curl.exe -k -v -u "kfelix@example.com" "ldaps://1.1.1.1:636/DC=example,DC=com?cn,objectClass?sub?"
 
Put in your credentials and make sure it passes, and make sure a list of DNs is returned.

PCNSE 
NSE 
StrongSwan  
#4
Adam789
New Member
Re: LDAP Lab - Error ldap_-5 2018/07/22 11:26:00 (permalink)
0
If your Windows server is running in a VM with its network adapter bridged to a physical adapter (getting an IP address from your router's DHCP pool), and your FGT-VM is also getting an IP from the same DHCP pool, then I think the problem is that some ports are blocked by your router and you cannot contact your LDAP server.
 
If you want to practice with it, try using a GNS3 VM, installing Windows 2012 or 2016 and the FGT KVM, and using a LAN interface between Windows and the FGT.
 
You can also try using "username@domain.adds" in the user ID field.
 
 
 
#5
Fullmoon
Platinum Member
Re: LDAP Lab - Error ldap_-5 2018/07/22 22:12:37 (permalink)
0
Kindly try the following changes.
 
jfgagnon@synovatec.com
 
config user ldap
edit "LDAP DC-01"
set server "10.10.10.11"
set cnid "sAMAccountName"
set dn "dc=fgtad,dc=local"
set type regular
set username "LDAPconnect@fgtad.local"   ----- is LDAPconnect a username with admin rights?
set password ENC ceUtrzALEk7sWZhJjrw1JElXiACZiRxwHScw9Spf2i2Fmr/FGSis8dpC0JyAuuAya/kZ91ECVenukLlLy8xfFyfJZ6hGqheLG5PCIhjVF8aLQxaeWlb8XnPJvR/ZBSIArzHDq+bD34X9fuUO0oraXOJbhOZfshPzCpZzvgJT04fVKhvWtZ3A56yCmgS2VjSVmMh45g==
next
end
 





Fortigate Newbie
#6
Pham Phu Cuong
Bronze Member
Re: LDAP Lab - Error ldap_-5 2018/08/20 17:27:33 (permalink)
0
I'm having the same problem with ldap_-5, and it happens after an upgrade of a 90D from 5.2.x to 5.6.4.
First the existing LDAP server gave "Invalid credentials"; then, after I added a new LDAP server, ldap_-5 showed up.
 
Does anyone else experience this? Is this a bug in 5.6.4 (FGT-90D)?
 
Thanks!
#7
Jeff_FTNT
Gold Member
Re: LDAP Lab - Error ldap_-5 2018/08/21 11:17:13 (permalink)
0
Try re-setting the LDAP password. FOS 5.2 and FOS 5.6 use different encryption to save config files.
#8
mseyda
New Member
Re: LDAP Lab - Error ldap_-5 2019/04/10 07:50:01 (permalink)
0
We are experiencing the same issue. We upgraded from 5.6 to 6.0 and are now receiving the ldap_-5 error. Did anyone resolve this issue?
#9
Harmonikas
New Member
Re: LDAP Lab - Error ldap_-5 2019/05/14 08:23:00 (permalink)
0
Hi
 
I have a FortiGate 90D with the latest OS version, 6.0.4, installed. After the update from 6.0.3 my "sync" LDAP server is not working from the GUI. What is even stranger, everything works fine from the CLI.
 
This is the list of tests I ran from the CLI:
 
1. execute ping ldap.server ..... OK
2. execute telnet ldap.server 389 ..... OK
3. diagnose test authserver ldap ..... OK
4. Set the connection timeout to 5000 (default 500) ..... Done
5. diag sniffer packet any "port 636 or 389" ..... OK
 
Config example:
 
Name: sync
Server IP: x.x.x.x
Server port: 389
Common Name Identifier: sAMAccountName
Distinguished Name: DC=yo,DC=local
Bind Type: Regular
Username: yoyoyo
Password: yoyoyo
Secure Connection: no
Connection Status: ldap_-5
 
But when I run the connection test from the GUI, I get the same error that other users have reported in more than one topic on this forum. Are you going to fix this issue, and when?
 
Thanks
 
#10
Alivo_ FTNT
Silver Member
Re: LDAP Lab - Error ldap_-5 2019/05/15 00:46:57 (permalink)
0
Hello,
It should be fixed in release 6.0.5.
 
#11
Harmonikas
New Member
Re: LDAP Lab - Error ldap_-5 2019/05/15 15:17:08 (permalink)
0
Hi,
 
Thanks for the update, but that only fixes the LDAP(S) issue, not the basic LDAP configuration issue from the GUI that we all mentioned before. This is annoying.
#12
Aron1
New Member
Re: LDAP Lab - Error ldap_-5 2019/09/27 12:43:05 (permalink)
0
6.2.1 on a 60E at a new location for a client. Having the above issue.
 
diag test authserver ldap ****** username password works on the CLI.
 
"Test Credentials" in the GUI gets the ldap_-5.

Ignotum per ignotius...
#13