2.0.2

Troubleshooting the LDAP configuration

This section covers basic and advanced troubleshooting.

Basic troubleshooting

To test the LDAP object and see if it is working properly, use the following CLI command:

FPX# diagnose test authserver ldap <LDAP server_name> <user name> <password>

Where:

<LDAP server_name> is the name of the LDAP object configured on the FortiProxy unit (not the host name of the actual LDAP server).

For the user name and password, any account from the AD can be used. However, Fortinet recommends (at least as a first step) testing with the credentials configured in the LDAP object itself. If those credentials fail, every other account will fail as well, because the FortiProxy unit cannot bind to the LDAP server at all.

CLI example:

FPX# diagnose test authserver ldap LDAP_SERVER user1 password

Advanced troubleshooting

To get more information about the reason for an authentication failure, run the following commands from the CLI:

FPX# diagnose debug enable
FPX# diagnose debug application fnbamd 255

To stop the debugging output:

FPX# diagnose debug application fnbamd 0

Then run an LDAP authentication test:

FPX# diagnose test authserver ldap <LDAP server_name> <user name> <password>

Check the lines marked with <----- in the following output (they are the ones shown in boldface in the original):

FPX_MASTER (root) # diagnose test authserver ldap AD_LDAP user1 password
[2274] handle_req-Rcvd auth req 237259201 for user1 in AD_LDAP opt=0000001b prot=0
[398] __compose_group_list_from_req-Group 'AD_LDAP'
[614] fnbamd_pop3_start-user1
[1042] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'AD_LDAP'
[1662] fnbamd_ldap_init-search filter is: sAMAccountName=user1                                   <----- User name and base DN for LDAP search
[1671] fnbamd_ldap_init-search base is: dc=test,dc=local
[1019] __fnbamd_ldap_dns_cb-Resolved AD_LDAP(idx 0) to 192.168.1.10
[1087] __fnbamd_ldap_dns_cb-Still connecting.
[557] create_auth_session-Total 1 server(s) to try
[969] __ldap_connect-tcps_connect(192.168.1.10) is established.
[843] __ldap_rxtx-state 3(Admin Binding)                                                         <----- Admin bind
[204] __ldap_build_bind_req-Binding to 'Administrator'
[925] fnbamd_ldap_send-sending 32 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 1
[843] __ldap_rxtx-state 4(Admin Bind resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 14
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[864] fnbamd_ldap_parse_response-ret=0                                                           <----- Admin bind successful
[910] __ldap_rxtx-Change state to 'DN search'
[843] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=local' filter:sAMAccountName=user1        <----- Starting next step
[925] fnbamd_ldap_send-sending 75 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 2
[843] __ldap_rxtx-state 12(DN search resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 52
[1148] fnbamd_ldap_recv-Response len: 54, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[1180] __fnbamd_ldap_dn_entry-Get DN 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=user1,CN=Users,DC=TEST,DC=LOCAL
[910] __ldap_rxtx-Change state to 'User Binding'
[843] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,CN=Users,DC=TEST,DC=LOCAL'
[925] fnbamd_ldap_send-sending 91 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 3
[843] __ldap_rxtx-state 6(User Bind resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 14
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[864] fnbamd_ldap_parse_response-ret=0
[910] __ldap_rxtx-Change state to 'Attr query'
[843] __ldap_rxtx-state 7(Attr query)
[490] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'
[502] fnbamd_ldap_build_attr_search_req-base:'CN=user1,CN=Users,DC=TEST,DC=LOCAL' filter:cn=*
[925] fnbamd_ldap_send-sending 113 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 4
[843] __ldap_rxtx-state 8(Attr query resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 290
[1148] fnbamd_ldap_recv-Response len: 292, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[553] __get_member_of_groups-Get the memberOf groups.
[519] __retrieve_group_values-Get the memberOf groups.
[530] __retrieve_group_values- attr='memberOf', found 3 values
[91] ldap_dn_list_add-added CN=GROUP1,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[0]='CN=GROUP1,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=GROUP2,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[1]='CN=GROUP2,CN=Users,DC=TEST,DC=LOCAL'
[91] ldap_dn_list_add-added CN=GROUP3,CN=Users,DC=TEST,DC=LOCAL
[539] __retrieve_group_values-val[2]='CN=GROUP3,CN=Users,DC=TEST,DC=LOCAL'
[1148] fnbamd_ldap_recv-Response len: 16, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1260] __fnbamd_ldap_attr_next-Entering CHKPRIMARYGRP state
[910] __ldap_rxtx-Change state to 'Primary group query'
[843] __ldap_rxtx-state 13(Primary group query)
[526] fnbamd_ldap_build_primary_grp_search_req-starting primary group check...
...
[925] fnbamd_ldap_send-sending 121 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 5
[843] __ldap_rxtx-state 14(Primary group query resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 110
[1148] fnbamd_ldap_recv-Response len: 112, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:search-entry
[864] fnbamd_ldap_parse_response-ret=0
[91] ldap_dn_list_add-added CN=Domain Users,CN=Users,DC=TEST,DC=LOCAL
[470] __get_one_group-group: CN=Domain Users,CN=Users,DC=TEST,DC=LOCAL
...
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 6
[753] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,CN=Users,DC=TEST,DC=LOCAL
[3064] fnbamd_ldap_result-Result for ldap svr 192.168.1.10 is SUCCESS

LDAP common problems

Incorrect admin bind

FPX_MASTER (root) # diagnose test authserver ldap AD_LDAP user1 password
[2274] handle_req-Rcvd auth req 237259384 for user1 in AD_LDAP opt=0000001b prot=0
[398] __compose_group_list_from_req-Group 'AD_LDAP'
[614] fnbamd_pop3_start-user1
[1042] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'AD_LDAP'
[1662] fnbamd_ldap_init-search filter is: sAMAccountName=user1
[1671] fnbamd_ldap_init-search base is: dc=test,dc=local
[1019] __fnbamd_ldap_dns_cb-Resolved AD_LDAP(idx 0) to 192.168.1.10
[1087] __fnbamd_ldap_dns_cb-Still connecting.
[557] create_auth_session-Total 1 server(s) to try
[969] __ldap_connect-tcps_connect(192.168.1.10) is established.
[843] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'Administrator'
[925] fnbamd_ldap_send-sending 27 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 1
[843] __ldap_rxtx-state 4(Admin Bind resp)
...
[1148] fnbamd_ldap_recv-Response len: 104, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)  <-- LDAP error for invalid credentials
[864] fnbamd_ldap_parse_response-ret=49
[753] __ldap_stop-svr 'AD_LDAP'
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259384
authenticate 'user1' against 'AD_LDAP' failed!

To check the bind name, use the following Windows commands:

dsquery user -name <admin full user name>
dsquery user -samid <admin login name>

Also check that the admin password configured in the LDAP object is correct.

User not found

... <output omitted> ...
[592] fnbamd_ldap_build_dn_search_req-base:'dc=test,dc=local' filter:sAMAccountName=user1        <----- User account
[925] fnbamd_ldap_send-sending 73 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 2
[843] __ldap_rxtx-state 12(DN search resp)
[968] __fnbamd_ldap_read-Read 8
[1074] fnbamd_ldap_recv-Leftover 2
[968] __fnbamd_ldap_read-Read 78
[1148] fnbamd_ldap_recv-Response len: 80, svr: 192.168.1.10
...
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1198] __fnbamd_ldap_dn_next-No DN is found.                                                     <----- Unable to locate user DN
...
[753] __ldap_stop-svr 'AD_LDAP'
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259385
authenticate 'user1' against 'AD_LDAP' failed!

If a user is not found, check the following:

  • If the common name identifier is "sAMAccountName", try using the login name.
  • If the common name identifier is "cn", try the user's full name.
  • Double-check the user's full DN by entering the following Windows command:

    dsquery user -name <full-user-name>

Incorrect user password

...<output omitted>...
[910] __ldap_rxtx-Change state to 'User Binding'
[843] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,CN=Users,DC=test,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,CN=Users,DC=test,DC=LOCAL'
[925] fnbamd_ldap_send-sending 90 bytes to 192.168.1.10
...
[1148] fnbamd_ldap_recv-Response len: 104, svr: 192.168.1.10
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)    <----- Invalid credentials
[864] fnbamd_ldap_parse_response-ret=49
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 192.168.1.10
[937] fnbamd_ldap_send-Request is sent. ID 4
[753] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,CN=Users,DC=test,DC=LOCAL
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 237259387
authenticate 'user1' against 'AD_LDAP' failed!

Groups not found

The following line indicates that no user group information was found in the LDAP response for the configured group attribute (memberOf is the default value):

get_member_of_groups-attr=<attribute_name> found 0 values

Password expired

... <output omitted> ...
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=user1,DC=test,DC=LOCAL'
[204] __ldap_build_bind_req-Binding to 'CN=user1,DC=test,DC=LOCAL'
[860] fnbamd_ldap_send-sending 116 bytes to 192.168.1.182
...
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 532, v3839) <----- Logon failure: the specified account password has expired.
[799] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'Done'
[815] __ldap_rxtx-state 21(Done)
[860] fnbamd_ldap_send-sending 7 bytes to 192.168.1.182
[872] fnbamd_ldap_send-Request is sent. ID 4
[725] __ldap_stop-svr 'AD_LDAP'
[53] ldap_dn_list_del_all-Del CN=user1,DC=test,DC=LOCAL
[181] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 300967187
authenticate 'user1' against 'AD_LDAP' failed!
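As an added example (not Fortinet's code and not part of the FortiProxy CLI), the following Python script reads a captured fnbamd debug output like the ones in this section and sorts it into the failure categories above. It uses the last __ldap_rxtx state seen before the error line to tell an admin bind failure from a user bind failure, and the AD "data" sub-code inside the error 49 comment to tell a wrong password (52e) from an expired one (532). The sample captures are constructed from the lines shown on this page, not taken from a live unit, and the sub-codes other than 52e and 532 are the other standard AD values for the same error, which goes beyond what this page shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# AD sub-codes carried in the "data NNN" field of the AcceptSecurityContext
# comment that accompanies LDAP error 49. 52e and 532 are the two shown on
# this page; the rest are the other well-known AD values for the same error
# and are included here as a generalisation.
AD_SUBCODES = {
    "52e": "incorrect user password",
    "532": "password expired",
    "525": "user not found",
    "530": "logon not permitted at this time",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

STATE_RE = re.compile(r"__ldap_rxtx-state \d+\((?P<state>[^)]+)\)")
ERROR_RE = re.compile(r"fnbamd_ldap_parse_response-Error (?P<code>\d+)\(")
DATA_RE = re.compile(r"\bdata (?P<sub>[0-9a-f]{3})\b")
GROUPS_RE = re.compile(r"attr='?(?P<attr>[^',\s]+)'?,? found (?P<n>\d+) values")
SUCCESS_RE = re.compile(r"fnbamd_ldap_result-Result for ldap svr \S+ is SUCCESS")


@dataclass
class Diagnosis:
    problem: str = "unknown"           # one of the page's headings, or "success"
    stage: Optional[str] = None        # last __ldap_rxtx state seen
    ldap_error: Optional[int] = None   # LDAP result code from the Error line
    ad_subcode: Optional[str] = None   # AD "data" sub-code (52e, 532, ...)
    group_count: Optional[int] = None  # values found for the group attribute
    auth_result: Optional[str] = None  # "SUCCESS" or "failed"
    hint: str = ""


def diagnose(log: str) -> Diagnosis:
    """Classify one fnbamd debug capture of 'diagnose test authserver ldap'."""
    d = Diagnosis()
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            d.stage = m.group("state")
        elif "__fnbamd_ldap_dn_next-No DN is found" in line:
            d.problem = "user not found"
            d.hint = "check the CN identifier (sAMAccountName vs cn) and the base DN"
        elif m := ERROR_RE.search(line):
            d.ldap_error = int(m.group("code"))
            sub = DATA_RE.search(line)
            d.ad_subcode = sub.group("sub") if sub else None
            if d.ldap_error == 49 and (d.stage or "").startswith("Admin Bind"):
                d.problem = "incorrect admin bind"
                d.hint = "verify the bind DN and password configured in the LDAP object"
            elif d.ldap_error == 49:
                d.problem = AD_SUBCODES.get(d.ad_subcode or "", "incorrect user password")
                d.hint = "AD rejected the user bind; the data sub-code says why"
            else:
                d.problem = f"LDAP error {d.ldap_error}"
        elif m := GROUPS_RE.search(line):
            d.group_count = int(m.group("n"))
            if d.group_count == 0 and d.problem == "unknown":
                d.problem = "groups not found"
                d.hint = f"no values for attribute {m.group('attr')}; check the group attribute"
        elif SUCCESS_RE.search(line):
            d.auth_result = "SUCCESS"
            if d.problem == "unknown":
                d.problem = "success"
        elif line.startswith("authenticate ") and line.endswith("failed!"):
            d.auth_result = "failed"
    return d


# Constructed captures modelled on the fnbamd lines shown on this page; lines
# that the classifier does not need are left out.
SAMPLE_OK = """[843] __ldap_rxtx-state 4(Admin Bind resp)
[864] fnbamd_ldap_parse_response-ret=0
[843] __ldap_rxtx-state 6(User Bind resp)
[530] __retrieve_group_values- attr='memberOf', found 3 values
[3064] fnbamd_ldap_result-Result for ldap svr 192.168.1.10 is SUCCESS"""
SAMPLE_ADMIN_BIND = """[843] __ldap_rxtx-state 4(Admin Bind resp)
[851] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)
authenticate 'user1' against 'AD_LDAP' failed!"""
SAMPLE_NO_USER = """[843] __ldap_rxtx-state 12(DN search resp)
[1198] __fnbamd_ldap_dn_next-No DN is found.
authenticate 'user1' against 'AD_LDAP' failed!"""
SAMPLE_EXPIRED = """[815] __ldap_rxtx-state 5(User Binding)
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 532, v3839)
authenticate 'user1' against 'AD_LDAP' failed!"""
SAMPLE_NO_GROUPS = """[843] __ldap_rxtx-state 8(Attr query resp)
[530] __retrieve_group_values- attr='memberOf', found 0 values
[3064] fnbamd_ldap_result-Result for ldap svr 192.168.1.10 is SUCCESS"""

if __name__ == "__main__":
    for name, cap in [("ok", SAMPLE_OK), ("admin bind", SAMPLE_ADMIN_BIND),
                      ("no user", SAMPLE_NO_USER), ("expired", SAMPLE_EXPIRED),
                      ("no groups", SAMPLE_NO_GROUPS)]:
        r = diagnose(cap)
        print(f"{name:10s} -> {r.problem}; stage={r.stage} error={r.ldap_error} data={r.ad_subcode}")
```

Paste the whole capture (including the elided "..." lines) into diagnose(); the classifier only keys on the state, error, group-count and result lines, so the reads and byte counts in between do not matter. Note that the "password expired" capture on this page never shows a "User Bind resp" state because those lines were omitted, which is why the check is on the "Admin Bind" prefix rather than on an exact user-bind state.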
