Resolving LDAPS Server Name on Fortigate

Gunnerman (New Member)
2020/03/12 10:10:28, tagged 6.2

Hello,
 
We have an LDAP connection to our DC set up on our Fortigate 60E (v6.2.2 build1010). We connect to the domain controller over a S2S VPN. Insecure connections on port 389 connect just fine. However, when I attempt to turn on LDAPS and issue the command:
diagnose test authserver ldap SDC_LDAP <username> <password>
I get
authenticate '<username>' against 'SDC_LDAP' failed!

I have imported a CA cert into the Fortigate that is in the trusted CA store of the DC (SDC_LDAP) as well.
 
After a bit of troubleshooting, I believe I cannot connect via LDAPS because the Fortigate does not resolve the FQDN of the LDAP server IP, thus causing a cert validation failure. Entering the FQDN of the DC into the server field does not work because the Fortigate does not resolve the name to an IP address (a DNS resolution failure). 
 
Using the Ldp utility from my desktop I get a similar result; I can connect via LDAPS just fine if and only if I use the DC hostname/FQDN. (The LDAPS Cookbook guide uses an IP address just fine. I am not using AD CS; I generated the root key pair via OpenSSL on a different box, so I am kind of curious what might be different here. Adding the IP to the cert seems a little janky to me.)
 
How do I best go about getting the Fortigate to resolve the name? I have changed the Fortigate's network DNS to use our DNS to no avail. Any help would be appreciated. 
 
Thanks.
#1
Alivo_ FTNT (Expert Member, Fortinet TAC Prague)
Re: Resolving LDAPS Server Name on Fortigate 2020/03/13 01:34:26
Hello,
in the fnbamd -1 debug you probably see a line similar to this:
 
failed: ssl_connect() failed: 5 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).
 
The issue is likely that the SubjectAltName of the certificate does not contain the IP address which you are connecting to.
That is the IP or FQDN which you would use in config user ldap > set server ....
 
Fix (workaround):
If you edit ldap in FortiGate:
 
config user ldap
edit <your ldap>
set server-identity-check disable
end
 
The check will be disabled and LDAPS will work. Authentication will not be affected at all.
By default, in 6.2, when you select certificate for LDAPS, the option "set server-identity-check" is enabled.

Best Regards,
Alivo
 
 
#2
Gunnerman (New Member)
Re: Resolving LDAPS Server Name on Fortigate 2020/03/16 13:44:55
Hi, and thanks for the reply.
Alivo wrote:
The issue is likely that the SubjectAltName of the certificate does not contain the IP address which you are connecting to.
That is the IP or FQDN which you would use in config user ldap > set server ....
Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the IP in the cert); however, I am having a hard time getting the Fortigate to resolve the FQDN. I have set up the Fortigate as a slave DNS server and pointed the Fortigate system DNS to itself, and pings to the FQDN still fail from the CLI. 
 
I have enabled your workaround for now.
 
Thanks again.
#3
dstainebze (New Member)
Re: Resolving LDAPS Server Name on Fortigate 2021/01/14 10:21:36
Alivo,

Thanks for that tip, it worked well for me. 
 
Regards,
 
 
#4
Huey (Bronze Member)
Re: Resolving LDAPS Server Name on Fortigate 2021/05/14 08:34:23
Gunnerman wrote:
Hi, and thanks for the reply.
Alivo wrote:
The issue is likely that the SubjectAltName of the certificate does not contain the IP address which you are connecting to.
That is the IP or FQDN which you would use in config user ldap > set server ....
Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the IP in the cert); however, I am having a hard time getting the Fortigate to resolve the FQDN. I have set up the Fortigate as a slave DNS server and pointed the Fortigate system DNS to itself, and pings to the FQDN still fail from the CLI. 
 
I have enabled your workaround for now.
 
Thanks again.


Are you still having this issue? I have the same issue but resolved the ping by setting the source address of the ping to the internal interface IP address (exec ping-options source x.x.x.x). However, the authentication still fails, even with the server-identity-check disabled.
#5
TecnetRuss (Silver Member)
Re: Resolving LDAPS Server Name on Fortigate 2021/05/14 13:39:53
Under Network / DNS you need to have your FortiGate pointing at your internal DNS IP (e.g. DC's IP) and have your internal DNS suffix entered there too for internal name resolution to work, assuming that you're using an internal CA-generated certificate for LDAPS.  Your Fortigate then should be able to ping your internal DC or LDAPS server by the same internal FQDN as that name on the LDAPS certificate issued by the internal CA.  If the ping works, configure the LDAP server with the same internal FQDN (e.g. DC1.yourdomain.local or DC1.corp.yourdomain.com) and everything should work with server-identity-check enabled.
 
Russ
NSE7
#6
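Editor's note: the following FortiOS CLI walk-through puts Alivo's diagnosis (fnbamd -1 trace, SubjectAltName mismatch, server-identity-check) and Russ's fix (internal DNS plus FQDN in set server) together in one place. It is an added example, not configuration posted by either of them, and all values are placeholders: FortiOS 6.2 syntax as on the OP's 60E, an internal resolver at 10.10.0.10 reachable over the S2S VPN, a DC whose LDAPS certificate carries DNS:dc1.corp.local in its SubjectAltName, a CA certificate already imported under the name "CA_Cert_1", a bind account "svc_fgt", and 192.168.1.1 as the FortiGate's inside interface address. Lines starting with # are commentary for the reader, not commands to paste.

```fortios
# 1. DNS: point the FortiGate at the internal resolver and give it the
#    search suffix, so both "dc1" and "dc1.corp.local" resolve (assumed values).
config system dns
    set primary 10.10.0.10
    set domain "corp.local"
end

# 2. Prove name resolution and the path over the VPN before touching LDAP.
#    Sourcing the ping from the inside interface avoids the symptom Huey hit,
#    where the FortiGate picks a source address the VPN selectors do not cover.
execute ping-options source 192.168.1.1
execute ping dc1.corp.local

# 3. LDAPS by hostname, so "set server" matches the certificate's SAN and the
#    identity check can stay enabled. "set secure ldaps" must come before
#    "set ca-cert" and "set server-identity-check" (they only appear once a
#    secure mode is selected); "set type regular" before the bind credentials.
#    source-ip keeps the LDAP traffic inside the VPN selectors as well.
config user ldap
    edit "SDC_LDAP"
        set server "dc1.corp.local"
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=local"
        set type regular
        set username "CN=svc_fgt,OU=Service Accounts,DC=corp,DC=local"
        set password <bind-password>
        set source-ip 192.168.1.1
    next
end

# 4. Test with fnbamd tracing on, so a certificate problem shows up as the
#    ssl_connect() / "certificate verify failed" line instead of a bare
#    "authenticate ... failed!".
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap SDC_LDAP <username> <password>
diagnose debug disable
```

Two practical notes. First, check what the DC actually presents before deciding between FQDN and IP: from any workstation with OpenSSL 1.1.1 or newer, openssl s_client -connect dc1.corp.local:636 -showcerts </dev/null | openssl x509 -noout -ext subjectAltName prints the SAN list; whatever you put in set server must appear there as a DNS or IP entry, and the OP's OpenSSL-generated certificate evidently has only the DNS name, which is why Ldp and the FortiGate both succeed by name and fail by address. Second, treat set server-identity-check disable as the temporary workaround Alivo labels it: with it off, the FortiGate still requires a chain to the configured CA, but it will accept a certificate issued by that CA for any host, so anyone holding any certificate from the same CA on a box that can answer on the VPN path could stand in for the DC and receive the bind password. If authentication still fails with the check disabled, as in Huey's case, the fnbamd trace in step 4 is the place to look, since the failure is then not the certificate identity.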