
Solved: How do I fix LDAP error message ‘fnbamd_ldap_parse_response-Error 10’?

This article describes how to resolve LDAP Error Code 10 – ‘fnbamd_ldap_parse_response-Error 10’

Solution

The LDAP server object is configured on the FortiGate as shown in the original article's screenshot (not reproduced here): the object is named 'Test-LDAP' and points at the domain controller 192.168.1.20, as the debug output below confirms.

When the credentials are tested with fnbamd debugging enabled, as shown below, LDAP error code 10 appears in the debug output:

# diagnose debug enable
# diagnose debug application fnbamd 255
# diagnose test authserver ldap Test-LDAP AD.local\asmith Password1

[1906] handle_req-Rcvd auth req 2072354468 for AD.local\asmith in Test-LDAP opt=0000001b prot=0
[466] __compose_group_list_from_req-Group 'Test-LDAP ', type 1
[616] fnbamd_pop3_start-johndoe
[989] __fnbamd_cfg_get_ldap_list_by_server-
[995] __fnbamd_cfg_get_ldap_list_by_server-Loaded LDAP server 'Test-LDAP '
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
[1717] fnbamd_ldap_init-search filter is: SAMAccountName=AD.local\asmith
[1727] fnbamd_ldap_init-search base is: DC=AD,DC=local\3B <----- Username and base DN for LDAP search
[1149] __fnbamd_ldap_dns_cb-Resolved Test-LDAP:192.168.1.20 to 192.168.1.20, cur stack size:1
[924] __fnbamd_ldap_get_next_addr-
[1154] __fnbamd_ldap_dns_cb-Connection starts Test-LDAP :192.168.1.20, addr 192.168.1.20
[879] __fnbamd_ldap_start_conn-Still connecting 192.168.1.20.
[633] create_auth_session-Total 1 server(s) to try
[1107] __ldap_connect-tcps_connect(192.168.0.72) is established.
[985] __ldap_rxtx-state 3(Admin Binding)
[363] __ldap_build_bind_req-Binding to 'AD.local\johndoe' <------- Admin bind
[1083] fnbamd_ldap_send-sending 37 bytes to 192.168.1.20
[1096] fnbamd_ldap_send-Request is sent. ID 1
[985] __ldap_rxtx-state 4(Admin Bind resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 14
[1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.20
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type: bind
[1023] fnbamd_ldap_parse_response-ret=0 <-------- Admin bind successful
[1052] __ldap_rxtx-Change state to 'DN search'
[985] __ldap_rxtx-state 11(DN search)
[750] fnbamd_ldap_build_dn_search_req-base:'DC=AD,DC=local\3B' filter:SAMAccountName=AD.local\asmith <--------Next step
[1083] fnbamd_ldap_send-sending 79 bytes to 192.168.1.20
[1096] fnbamd_ldap_send-Request is sent. ID 2
[985] __ldap_rxtx-state 12(DN search resp)
[1127] __fnbamd_ldap_read-Read 8
[1233] fnbamd_ldap_recv-Leftover 2
[1127] __fnbamd_ldap_read-Read 136
[1306] fnbamd_ldap_recv-Response len: 138, svr: 192.168.1.20
[987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1009] fnbamd_ldap_parse_response-Error 10(0000202B: RefErr: DSID-03100808, data 0, 1 access points ref 1: 'AD.local;'

The symptoms after configuring the LDAP server are that 'Test Connectivity' succeeds (the admin bind works, which is the 'ret=0' line after the bind response above), but 'Test User Credentials' fails, and attempts to browse or pull users from the LDAP directory also fail.

The cause is an invalid base DN in the FortiGate's LDAP server configuration, for example a typo or a DN that does not exist on the server. LDAP result code 10 is 'referral': when a search's base DN does not fall under any naming context the domain controller hosts, the controller does not report a bad DN but refers the client elsewhere, which Active Directory surfaces as 0000202B (ERROR_DS_REFERRAL). The referral target in the log above, 'AD.local;', is built from the mistyped DN and still contains the stray character. Therefore, make sure the base DN in the LDAP configuration is correct.

In the example above, a stray semicolon (;) was typed after 'dc=local' when the base DN was entered. This is visible in the fnbamd debug output: the FortiGate prints the DN in RFC 4514 escaped form, in which a semicolon inside a DN value must be written as its hexadecimal code, and '3B' in hexadecimal is a semicolon:

fnbamd_ldap_init-search base is: DC=AD,DC=local\3B

Removing the semicolon from the base DN clears the error: the test user authenticates successfully and user data can be pulled from the LDAP server. Confirm the fix by re-running the same 'diagnose test authserver ldap' command and checking that the 'DN search resp' state no longer ends in 'Error 10'.
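As an added example (this is not FortiGate code and not part of the original article), the following Python script performs the same triage offline: it pulls the base DN and the LDAP result code out of fnbamd debug lines, undoes the RFC 4514 escaping so that '\3B' is seen as ';', flags characters that should never appear unescaped in a base DN, and checks whether the base DN sits under any naming context the domain controller hosts, which is exactly the condition that makes AD answer with a referral (code 10). The three SAMPLE_DEBUG lines are copied from the debug output above; SAMPLE_NAMING_CONTEXTS is a constructed stand-in for the namingContexts attribute of the DC's RootDSE.

```python
"""Added example (not FortiGate code): triage an fnbamd 'Error 10' by
checking the configured base DN offline.
- SAMPLE_DEBUG copies three lines from the debug output in the article.
- SAMPLE_NAMING_CONTEXTS is a constructed stand-in for the namingContexts
  attribute a domain controller's RootDSE would return for AD.local.
"""
import re

SAMPLE_DEBUG = """\
[1717] fnbamd_ldap_init-search filter is: SAMAccountName=AD.local\\asmith
[1727] fnbamd_ldap_init-search base is: DC=AD,DC=local\\3B
[1009] fnbamd_ldap_parse_response-Error 10(0000202B: RefErr: DSID-03100808, data 0, 1 access points ref 1: 'AD.local;'
"""

SAMPLE_NAMING_CONTEXTS = [  # constructed; read the real list from RootDSE
    "DC=AD,DC=local",
    "CN=Configuration,DC=AD,DC=local",
    "CN=Schema,CN=Configuration,DC=AD,DC=local",
    "DC=DomainDnsZones,DC=AD,DC=local",
    "DC=ForestDnsZones,DC=AD,DC=local",
]

LDAP_REFERRAL = 10                  # LDAP resultCode 'referral' (RFC 4511)
RFC4514_SPECIALS = set(',+"\\<>;')  # must be escaped inside a DN value


def unescape_dn(dn):
    """Undo RFC 4514 escaping: '\\3B' -> ';', '\\,' -> ','."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)', repl, dn)


def split_rdns(dn):
    """Split a DN string on unescaped commas, keeping escapes intact."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # escaped char: copy both
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def normalize_dn(dn):
    """[(attr, value), ...] lower-cased and unescaped, for comparison."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition('=')
        out.append((attr.strip().lower(), unescape_dn(value).strip().lower()))
    return out


def suspicious_chars(dn):
    """(attr, char) pairs for characters RFC 4514 forces into escaped form.
    In a base DN such as DC=AD,DC=local they are almost always a typo."""
    hits = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition('=')
        hits.extend((attr.strip(), ch) for ch in unescape_dn(value)
                    if ch in RFC4514_SPECIALS)
    return hits


def base_dn_is_served(base_dn, naming_contexts):
    """True if base_dn equals or sits under a naming context the DC hosts.
    If it does not, AD answers the search with a referral (code 10)."""
    b = normalize_dn(base_dn)
    for nc in naming_contexts:
        n = normalize_dn(nc)
        if len(b) >= len(n) and b[-len(n):] == n:
            return True
    return False


BASE_RE = re.compile(r'search base is: (.*)$')
ERR_RE = re.compile(r'parse_response-Error (\d+)\((.*)$')


def triage(debug_text, naming_contexts):
    """Extract base DN and result code from fnbamd output and explain them."""
    base_dn = code = detail = None
    for line in debug_text.splitlines():
        m = BASE_RE.search(line)
        if m:
            base_dn = m.group(1).strip()
        m = ERR_RE.search(line)
        if m:
            code, detail = int(m.group(1)), m.group(2)
    rep = {'base_dn': base_dn, 'ldap_code': code, 'detail': detail,
           'served': None, 'typos': []}
    if base_dn is not None:
        rep['served'] = base_dn_is_served(base_dn, naming_contexts)
        rep['typos'] = suspicious_chars(base_dn)
    if code is None:
        rep['verdict'] = 'no parse_response error in this output'
    elif code == LDAP_REFERRAL and rep['served'] is False:
        rep['verdict'] = ('referral: base DN is under no naming context on '
                          'this DC; fix the DN (check for stray characters)')
    elif code == LDAP_REFERRAL:
        rep['verdict'] = 'referral for a served base DN: check target and filter'
    else:
        rep['verdict'] = f'LDAP result code {code}: {detail}'
    return rep


if __name__ == '__main__':
    for k, v in triage(SAMPLE_DEBUG, SAMPLE_NAMING_CONTEXTS).items():
        print(f'{k}: {v}')
```

To use this against a real controller, replace SAMPLE_NAMING_CONTEXTS with the values returned by an anonymous RootDSE query such as `ldapsearch -x -H ldap://192.168.1.20 -s base -b "" namingContexts`, and paste the fnbamd output from the 'diagnose test authserver ldap' run into the debug text. For the article's DN the script reports code 10, 'served: False' and a single flagged character (';' in a DC value); with the corrected base DN 'DC=AD,DC=local' the same checks return True and no findings.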
