Description
Unable to validate credentials for a directory under System > Settings > Authentication > LDAP using valid LDAP account credentials. The following message is displayed:
"Connection: Failed to connect to directory"
Scope
Version: 8.x
Solution
If "Connect by name" is enabled, check the following:
- The appliance is able to resolve the hostname of the LDAP server listed in the LDAP configuration. One way to verify this is by pinging the name populated in the Name field. In the Control Server CLI, type:
ping <hostname>
Example:
> ping WIN-QSH73DPRRK6.SupportLAB.fortinac.com
PING WIN-QSH73DPRRK6.SupportLAB.fortinac.com (10.12.240.10) 56(84) bytes of data.
64 bytes from 10.12.240.10 (10.12.240.10): icmp_seq=1 ttl=128 time=0.067 ms
If the name does not resolve to an IP address, add the hostname of the LDAP server to the production DNS server.
- If Security Protocol = None, deselect Connect by name. The IP address will then be used to connect to the LDAP server instead of the name.
If Security Protocol = SSL or STARTTLS, check the following:
- LDAP server has a valid SSL certificate installed. The certificate will not be trusted by the appliance if expired or otherwise invalid.
- Connect by name is selected in the LDAP Server configuration under System > Settings > Authentication > LDAP.
- Hostname of the LDAP server listed is resolvable and matches the name on the certificate.
- If required by the LDAP server, a client certificate has been imported to the keystore under /bsc/campusMgr/ of the appliance.
Note: The requirement for the client certificate is dependent upon the directory configuration. Refer to the applicable vendor documentation.
If a client certificate is required, create a keystore and import the certificate into it. For instructions, see section Create a keystore for SSL or TLS of the Administration Guide in the Fortinet Document Library.
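The SSL/STARTTLS checklist above (name resolves, certificate is within its validity period, configured hostname is on the certificate) can be checked from an administrator workstation before touching the appliance. The following is an added example, not code from the Fortinet article or from FortiNAC: evaluate() applies the checklist to constructed certificate data, and probe_ldaps() performs a live handshake to port 636 using the local machine's trust store (not the appliance keystore, so a client certificate requirement on the directory side is not exercised). The hostname and IP are taken from the article's ping example; the certificate contents, dates and function names are assumptions made for the example.

```python
# Added example (not from the Fortinet article): pre-flight checks that mirror the
# article's "Connect by name" checklist for LDAP over SSL/STARTTLS.
import datetime as dt
import socket
import ssl
from dataclasses import dataclass


@dataclass
class CertInfo:
    """The parts of a server certificate that decide whether 'Connect by name' can succeed."""
    subject_cn: str
    san_dns: list            # dNSName entries from subjectAltName
    not_before: dt.datetime
    not_after: dt.datetime


def hostname_matches(hostname: str, cert: CertInfo) -> bool:
    """RFC 6125-style name check: SAN dNSName entries win; the CN is only a
    fallback when the certificate carries no SAN. One wildcard in the
    left-most label is accepted (*.example.com matches ldap.example.com,
    not a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    candidates = [n.lower() for n in cert.san_dns] or [cert.subject_cn.lower()]
    for pattern in candidates:
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # ".example.com"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def evaluate(hostname: str, resolved_ip, cert: CertInfo, now: dt.datetime) -> list:
    """Return the checklist items that fail, worded as the fix the article gives."""
    findings = []
    if resolved_ip is None:
        findings.append("hostname does not resolve: add it to the production DNS server")
    if now > cert.not_after:
        findings.append("certificate expired on %s: renew it on the LDAP server" % cert.not_after.date())
    elif now < cert.not_before:
        findings.append("certificate not yet valid (starts %s): check the server clock" % cert.not_before.date())
    if not hostname_matches(hostname, cert):
        findings.append("configured hostname is not on the certificate: use the name the certificate was issued for")
    return findings


def probe_ldaps(hostname: str, port: int = 636, timeout: float = 5.0):
    """Live check from the workstation this runs on (uses this machine's
    trust store, not the appliance keystore): returns (ok, detail)."""
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror as exc:
        return False, "DNS failure: %s" % exc
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, "TLS verification failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "connection error: %s" % exc


# Constructed sample data (not real certificates); hostname/IP from the article's ping example.
SAMPLE_HOST = "WIN-QSH73DPRRK6.SupportLAB.fortinac.com"
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
GOOD_CERT = CertInfo(SAMPLE_HOST, [SAMPLE_HOST, "*.SupportLAB.fortinac.com"],
                     dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc),
                     dt.datetime(2026, 1, 1, tzinfo=dt.timezone.utc))
# Expired, and issued only to a short name, so it cannot be trusted for the FQDN.
BAD_CERT = CertInfo("WIN-QSH73DPRRK6", [],
                    dt.datetime(2021, 1, 1, tzinfo=dt.timezone.utc),
                    dt.datetime(2022, 1, 1, tzinfo=dt.timezone.utc))


def run_demo() -> dict:
    """Evaluate the constructed scenarios; keyed by scenario name."""
    return {
        "good": evaluate(SAMPLE_HOST, "10.12.240.10", GOOD_CERT, SAMPLE_NOW),
        "unresolved": evaluate(SAMPLE_HOST, None, GOOD_CERT, SAMPLE_NOW),
        "expired_mismatch": evaluate(SAMPLE_HOST, "10.12.240.10", BAD_CERT, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or ["ok"])
    # Against a real directory: ok, detail = probe_ldaps("ldap.example.invalid")
```

When probe_ldaps() reports a hostname mismatch or an expired certificate, the appliance will reject the same certificate once Connect by name is enabled, so the fix belongs on the directory server or in the Name field, not in the appliance keystore.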
For additional LDAP configuration information, see section Configuration of the Administration Guide in the Fortinet Document Library.
Related Articles
Technical Note: LDAP server SSL and TLS connections require trusted name