Issue with SSL-VPN + Certificate + LDAP
I have a LDAP connection setup with a Domain Controller on the network and have setup a LDAP User that when added to the VPN Users (local firewall) group can authenticate with the SSL-VPN. I have also created a PKI User, with their subject and CA Cert specified and added to the VPN Users (local firewall) group that can authenticate with the SSL-VPN.
When I change the PKI user to specify the ldap-server and ldap-mode it will ask for the certificate, prompt for username and password but fail to authenticate with the server.
Debugging the authentication I can see on the fortigate that it tries to verify the account but does not fill in the samaccountname
 fnbamd_ldap_build_dn_search_req-base:'dc=<correct>,dc=<correct>,dc=<correct>' filter:samaccountname=
I also ran a packet capture of the ldap between the firewall and the AD server and it shows the same issue about the filter having a NULL value for samaccountname.
I am trying to figure out what I haven't configured correctly, any help would be appreciated.
config user ldap
edit "Domain Controller"
set server "<DC IP>"
set secondary-server ''
set tertiary-server ''
set source-ip 0.0.0.0
set cnid "userPrincipalName"
set dn "dc=<correct>,dc=<correct>,dc=<correct>"
set type regular
set username "CN=Fortigate Service Account,CN=Managed Service Accounts,DC=<correct>,DC=<correct>,DC=<correct>"
set password <password>
set group-member-check user-attr
set group-search-base ''
set group-filter ''
set secure disable
set port 389
set password-expiry-warning disable
set password-renewal disable
set member-attr "memberOf"
set account-key-processing same
set account-key-name "userPrincipalName"
config user peer
set mandatory-ca-verify enable
set ca "CA_Cert_2"
set subject "testuser"
set cn ''
set cn-type string
set ldap-server "Domain Controller"
set ldap-username ''
set ldap-password <password, did not explicitly set one>
set ldap-mode password
set ocsp-override-server ''
set two-factor disable
Hardware: FortiWifi 90D
Firmware: v5.6.7 build1653 (GA)