FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pareenat
Staff
Article Id 195532
Description
This article describes how to configure Simple Bind authentication against Windows Active Directory and how to troubleshoot it.

LDAP supports three types of authentication (binding): anonymous, simple, and SASL.

Scope

All FortiOS


Solution

Settings on FortiGate:

1. Go to User > Remote > LDAP and select Create New.

2. Fill in Name and Server Name/IP, set Bind Type to Regular, and fill in User DN and Password. Keep the other settings at their defaults.

Note: the User DN must be a member of Domain Admins.


3. Click "Query Distinguished Name". The LDAP directory should be listed.

If the message "Query failed" appears, or only a single DN line with 0 entries is shown, continue with "Verify settings on Windows Server" below.
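To tell a FortiGate-side problem from a domain-controller-side one, it helps to perform the same LDAP simple bind from a Windows host with the User DN and password entered on the FortiGate. The following is an added example, not code from the Fortinet article; it uses the .NET System.DirectoryServices.Protocols classes, and the server name, User DN and password are placeholders you replace with your own values.

```powershell
# Added example, not from the Fortinet article: perform the same LDAP simple bind
# the FortiGate does, from a Windows host, so a failing "Query Distinguished Name"
# can be narrowed to the DC side or the FortiGate side. Server, User DN and the
# password are placeholders you replace with the values configured on the FortiGate.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Server,    # DC host name or IP, e.g. dc01.example.local
        [Parameter(Mandatory)] [string] $UserDn,    # the same User DN entered on the FortiGate
        [Parameter(Mandatory)] [string] $Password,
        [switch] $Ldaps                              # TLS on 636 instead of cleartext on 389
    )
    $port = if ($Ldaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # Basic = LDAP simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Ldaps
    # With a DC certificate the client does not trust, the LDAPS attempt fails with
    # "server unavailable" (code 81) before any bind is sent; fix the trust chain
    # rather than disabling certificate verification.
    try {
        $conn.Bind()
        $result = 'bind OK'
    } catch {
        $code = if ($_.Exception.PSObject.Properties['ErrorCode']) { $_.Exception.ErrorCode } else { 'n/a' }
        # Result code 8 (strongerAuthRequired) on port 389 means the DC has
        # "Domain controller: LDAP server signing requirements" set to Require signing
        # (ldapserverintegrity = 2) and accepts a simple bind only over TLS/SSL.
        $result = "bind failed, code $code : $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{ Server = $Server; Port = $port; AuthType = 'simple'; Result = $result }
}

# Usage (placeholder values): the two calls show whether the DC accepts a
# simple bind in the clear, over LDAPS, or both.
$dn = 'CN=fgt-ldap-bind,OU=Service Accounts,DC=example,DC=local'
$pw = Read-Host -Prompt 'Bind password'
Test-SimpleBind -Server 'dc01.example.local' -UserDn $dn -Password $pw
Test-SimpleBind -Server 'dc01.example.local' -UserDn $dn -Password $pw -Ldaps
```

If the plain-port call fails with result code 8 while the LDAPS call succeeds, the domain controller is enforcing LDAP signing and the FortiGate problem is the unencrypted Regular bind, not the User DN or password. The same check can be run from the FortiGate CLI with `diagnose test authserver ldap <server-name> <username> <password>`. A Regular bind on port 389 sends the bind password in cleartext, so enabling Secure Connection (LDAPS) on the FortiGate LDAP server is the preferable fix where the DC requires signing.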


Verify settings on Windows Server

1. Verify that the User DN is a member of Domain Admins.


2. Verify ldapserverintegrity.

·         Click the Start button and select Run...

·         In the Run dialog's text box, type regedt32 and click OK to open the Registry Editor (Regedt32.exe).

·         Open HKLM\System\CurrentControlSet\Services\NTDS and verify that ldapserverintegrity has the value 1.

Note:

This value determines how the LDAP server handles LDAP bind requests:

·         1 (default) or not defined: the AD LDAP agent always supports a client's request for LDAP traffic signing when handling an LDAP bind request that specifies a SASL authentication mechanism.

·         2: the AD LDAP agent accepts only SASL in an LDAP bind request unless the incoming request is already protected with TLS/SSL. It rejects the bind request if other authentication types are used. If the bind request does not arrive over TLS/SSL, it requires the LDAP traffic signing option in the client security context.

3. Verify LDAP server signing requirements.

·         Click Start, click Run, type mmc.exe, and then click OK.

·         On the File menu, click Add/Remove Snap-in.

·         In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.

·         In the Select Group Policy Object dialog box, click Browse.

·         In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.

·         Click Finish.

·         Click OK.

·         Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

·         In the Domain controller: LDAP server signing requirements Properties dialog box, your server may already have the "Require Signing" option enabled:


·         Right-click Domain controller: LDAP server signing requirements, and then click Properties. Select "None" in the Define this policy setting drop-down list, and then click OK.


·         Click Yes in the Confirm Setting Change dialog box.

·         Click "Query Distinguished Name" on the FortiGate again. The LDAP directory should now be listed.
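The policy edited above is applied to the domain controller as the same ldapserverintegrity registry value checked in step 2, so the quickest way to confirm what is actually in effect after a group policy refresh is to read that value on the DC. The following is an added example, not code from the Fortinet article; it assumes the value lives in the Parameters subkey beneath the NTDS service key, which is where the policy writes it, and it only reads the registry.

```powershell
# Added example, not from the Fortinet article: report the LDAP signing requirement
# in effect on this domain controller. The policy "Domain controller: LDAP server
# signing requirements" is applied as the LDAPServerIntegrity value in the
# Parameters subkey under the NTDS service key: 1 or not defined = None,
# 2 = Require signing. Run it on the DC after a gpupdate.
function Get-LdapSigningRequirement {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $path -Name LDAPServerIntegrity -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $raw     = 'not defined'
        $current = 1                       # absent value behaves like 1 (None)
    } else {
        $raw     = [int]$item.LDAPServerIntegrity
        $current = $raw
    }

    if ($current -eq 2) {
        $policy     = 'Require signing'
        $simpleBind = 'accepted only when the connection is already protected by TLS/SSL (LDAPS on 636 or StartTLS)'
        $fortigate  = 'enable Secure Connection (LDAPS) on the FortiGate LDAP server, or set the policy to None as in the steps above'
    } else {
        $policy     = 'None'
        $simpleBind = 'accepted on 389 (cleartext) and on 636'
        $fortigate  = 'Regular bind works as configured; LDAPS is still preferable so the bind password is not sent in the clear'
    }

    [pscustomobject]@{
        DomainController    = $env:COMPUTERNAME
        LDAPServerIntegrity = $raw
        PolicySetting       = $policy
        SimpleBind          = $simpleBind
        FortiGateAction     = $fortigate
    }
}

Get-LdapSigningRequirement | Format-List
```

Run it as an administrator on the domain controller. A PolicySetting of "Require signing" while the FortiGate is configured for a Regular bind on port 389 reproduces the "Query failed" symptom described above; switching the FortiGate to LDAPS satisfies the TLS/SSL condition in the note for value 2 without lowering the domain controller's signing requirement.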

