JuddTracy
New Contributor

Issue with SSL-VPN + Certificate + LDAP

I have an LDAP connection set up with a Domain Controller on the network and have set up an LDAP user that, when added to the VPN Users (local firewall) group, can authenticate with the SSL-VPN. I have also created a PKI user, with their subject and CA cert specified, and added it to the VPN Users (local firewall) group; it can authenticate with the SSL-VPN.

When I change the PKI user to specify the ldap-server and ldap-mode, it asks for the certificate and prompts for username and password, but fails to authenticate with the server.

Debugging the authentication, I can see on the FortiGate that it tries to verify the account but does not fill in the samaccountname:

[584] fnbamd_ldap_build_dn_search_req-base:'dc=<correct>,dc=<correct>,dc=<correct>' filter:samaccountname=

I also ran a packet capture of the LDAP traffic between the firewall and the AD server, and it shows the same issue: the filter has a NULL value for samaccountname.

I am trying to figure out what I haven't configured correctly; any help would be appreciated.

config user ldap
edit "Domain Controller"
set server "<DC IP>"
set secondary-server ''
set tertiary-server ''
set source-ip 0.0.0.0
set cnid "userPrincipalName"
set dn "dc=<correct>,dc=<correct>,dc=<correct>"
set type regular
set username "CN=Fortigate Service Account,CN=Managed Service Accounts,DC=<correct>,DC=<correct>,DC=<correct>"
set password <password>
set group-member-check user-attr
set group-search-base ''
set group-filter ''
set secure disable
set port 389
set password-expiry-warning disable
set password-renewal disable
set member-attr "memberOf"
set account-key-processing same
set account-key-name "userPrincipalName"
next
end

config user peer
edit "testuser"
set mandatory-ca-verify enable
set ca "CA_Cert_2"
set subject "testuser"
set cn ''
set cn-type string
set ldap-server "Domain Controller"
set ldap-username ''
set ldap-password <password, did not explicitly set one>
set ldap-mode password
set ocsp-override-server ''
set two-factor disable
next
end

Hardware: FortiWifi 90D

Firmware: v5.6.7 build1653 (GA)

1 REPLY
dan5481
New Contributor

Hi Judd,

I use this style of configuration and have the following line in the LDAP configuration:

        set cnid "sAMAccountName"

Under the user group, the PKI user and LDAP are both referenced, and this works as expected.

Dan
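As an added illustration of the symptom in the original post and of the filter shape Dan's `cnid` setting is meant to produce, the following Python script (not Fortinet code, and not a description of how FortiOS builds its filters internally) parses the `fnbamd_ldap_build_dn_search_req` debug line quoted above, flags any attribute whose assertion value is empty (the `filter:samaccountname=` seen in the post), and shows how a client-side filter builder should refuse an empty account name and escape the value per RFC 4515. The regular expressions, the sample debug line and the helper names are assumptions made for this example; the DN components are the post's own placeholders.

```python
import re

# Constructed sample of the fnbamd debug line from the post; the DN components are
# placeholders, as in the original, not real domain names.
SAMPLE_DEBUG = (
    "[584] fnbamd_ldap_build_dn_search_req-base:"
    "'dc=<correct>,dc=<correct>,dc=<correct>' filter:samaccountname="
)

# Matches the base DN and the filter text in the fnbamd search-request debug line
# (format assumed from the single line quoted in the post).
DEBUG_RE = re.compile(
    r"fnbamd_ldap_build_dn_search_req-base:'(?P<base>[^']*)'\s+filter:(?P<filter>.*)$"
)

# attribute=value pairs inside a (possibly nested) LDAP filter; the value may be
# empty, which is exactly the defect visible in the post.
ASSERTION_RE = re.compile(r"([A-Za-z][\w.\-]*)=([^()&|!]*)")

# RFC 4515 escaping for assertion values; the backslash must be handled first.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]


def parse_search_request(line):
    """Return {'base': ..., 'filter': ...} from an fnbamd debug line, or None."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    return {"base": m.group("base"), "filter": m.group("filter").strip()}


def empty_filter_attributes(filter_text):
    """Names of attributes whose assertion value is empty, e.g. 'samaccountname='."""
    return [attr for attr, value in ASSERTION_RE.findall(filter_text) if value.strip() == ""]


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_filter(cnid, account_name):
    """Build '(cnid=value)' the way a client should; refuse an empty value up front."""
    if not account_name or not account_name.strip():
        raise ValueError("account name is empty; the search would never match")
    return "(%s=%s)" % (cnid, escape_filter_value(account_name))


def check_debug_line(line):
    """Return human-readable findings for one debug line (empty list if none)."""
    req = parse_search_request(line)
    if req is None:
        return []
    return [
        "empty value for attribute %r in filter %r (base %r)" % (attr, req["filter"], req["base"])
        for attr in empty_filter_attributes(req["filter"])
    ]


if __name__ == "__main__":
    for finding in check_debug_line(SAMPLE_DEBUG):
        print(finding)
    # What a well-formed lookup with cnid "sAMAccountName" looks like on the wire.
    print(build_filter("sAMAccountName", "jdoe"))
```

Running the script against the quoted debug line reports the empty `samaccountname` value; feeding it a `diag debug application fnbamd` capture line by line is a quick way to confirm whether the username is reaching the LDAP search at all before looking at group membership or bind credentials.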
