How to Fix LDAPS connections no longer work after update to v7.4.4

This article describes the changes in LDAPS authentication behavior introduced in v7.4.4.

Scope

FortiGate v7.4.4.

Solution

After upgrading to v7.4.4, attempts to authenticate using LDAPS are unsuccessful. This issue can be confirmed by running a packet sniffer for the LDAPS server’s IP address and executing the debug commands mentioned below:

di de application fnbamd -1
di de console time enable
di de en

To start the sniffer, navigate to Network > Diagnostics and select ‘New Packet Capture‘.

The packet sniffer can be stopped after a failed authentication attempt and saved to the local machine.

From the debug command logs, FortiGate fails to validate the server certificate:

The saved sniffer file can be opened in Wireshark; it shows the FortiGate (10.21.7.38) failing to validate the server certificate during the TLS handshake.

FortiOS 7.4.4 enhances the security standards for LDAPS by requiring that the server certificate be trusted by FortiOS during the TLS handshake. To comply with this requirement, the CA certificate that issued the LDAP server’s certificate must be imported into the FortiGate.

In this example, the LDAP server’s (10.21.0.100) certificate is issued by the CA ‘WIN-LT4LK9KDT21-CA’. This CA certificate ‘WIN-LT4LK9KDT21-CA’ must be imported into FortiGate.
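Before importing anything, it helps to confirm which CA actually issued the LDAP server’s certificate and to reproduce the trust check that FortiOS now performs. The script below is an added example, not part of this article or of FortiOS: it builds a throw-away CA named after the article’s ‘WIN-LT4LK9KDT21-CA’ plus an unrelated CA with openssl, issues a server certificate for the LDAP server (10.21.0.100 as in the article, hostname ldap.example.test is made up), prints the issuer that must be imported, and shows that the certificate verifies only against its issuing CA. The working directory and all certificate material are constructed locally; the `show_live_chain` helper is the equivalent command for a real server and is not run here.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): reproduce the LDAPS server
# certificate trust check introduced in FortiOS 7.4.4 with plain openssl.
# All certificates are generated locally so the demo runs offline.

WORK="${TMPDIR:-/tmp}/ldaps-trust-demo.$$"   # constructed scratch directory

# Build a demo issuing CA, an unrelated CA, and a server certificate issued
# by the first CA. The CA name and IP come from the article; the hostname
# ldap.example.test is a placeholder.
make_demo_pki() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=WIN-LT4LK9KDT21-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Some-Other-CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Put the LDAP server's IP in the SAN, as a real AD CS certificate would.
  printf 'subjectAltName=IP:10.21.0.100\n' > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Print the issuer of the server certificate: this is the CA whose
# certificate has to be imported under System > Certificates.
server_issuer() {
  openssl x509 -in "$WORK/server.pem" -noout -issuer
}

# Emulate the FortiOS 7.4.4 check: does the server certificate chain to the
# CA bundle the firewall trusts? Prints "trusted" or "untrusted".
trust_status() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# For a real server: fetch the chain over LDAPS (TCP 636) and show who
# issued the leaf. Needs network access, so it is not called in this demo.
show_live_chain() {
  openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

cleanup() { rm -rf "$WORK"; }

make_demo_pki
echo "Server certificate issuer: $(server_issuer)"
echo "Against issuing CA  : $(trust_status "$WORK/ca.pem")"
echo "Against unrelated CA: $(trust_status "$WORK/other-ca.pem")"
echo "Demo files are in $WORK (remove with: rm -rf $WORK)"
```

The "untrusted" result for the unrelated CA is the condition the fnbamd debug output reports after the upgrade: it is not enough for some CA to be present on the FortiGate, the imported certificate must be the one that issued the LDAP server’s certificate (or a root above it in the same chain). In the FortiOS CLI the same LDAP server object is `config user ldap`, where `set ca-cert <name>` binds the imported CA to that server.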

Import the CA certificate by following the steps outlined below:

Step 1: Enable the ‘Certificates’ option in the GUI (System > Feature Visibility):

Step 2: Navigate to System > Certificates, select ‘Create/Import‘ and select ‘CA Certificate‘.

Step 3: Select ‘File‘ and upload the CA Certificate:

It is possible to verify if the LDAP authentication is working by following these steps:
Navigate to User & Authentication > LDAP Servers, edit the LDAPS server, and select ‘Test User Credentials‘. Provide the User credentials and select ‘Test‘.