FortiGate
mturic
Article Id 192699
Description
Setting up two individual LDAP entries that point to the same domain with identical settings, in an attempt to achieve redundancy, can cause authentication issues.

This article describes how the FortiGate needs to be set up for redundant LDAP access.

Solution
When two identical LDAP entries are configured for redundancy, various authentication issues can occur, especially in more complex environments, because both LDAP servers are placed in the same user group with the same group filter.

For example, with the following setup:
# config user ldap
    edit "dc01"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=mt-test,dc=local"
        set type regular
        set username "mt-test\\ldapadmin"
        set password <password>
    next
    edit "dc02"
        set server "10.0.0.11"
        set cnid "sAMAccountName"
        set dn "dc=mt-test,dc=local"
        set type regular
        set username "mt-test\\ldapadmin"
        set password <password>
    next
end
# config user group
    edit "maximal"
        set member "dc01" "dc02"
        config match
            edit 1
                set server-name "dc01"
                set group-name "CN=maximal,CN=Users,DC=mt-test,DC=local"
            next
            edit 2
                set server-name "dc02"
                set group-name "CN=maximal,CN=Users,DC=mt-test,DC=local"
            next
        end
    next
end
When a user authenticates, this causes the FortiGate to check the same credentials on both domain controllers at the same time.
In most cases, when the credentials are entered correctly, this works and the user is authenticated successfully.


However, if the credentials are entered incorrectly, the FortiGate sends the same incorrect credentials to every LDAP entry in the group (twice here, or more depending on the number of LDAP entries added to the group), so a single logon attempt via the FortiGate can lock the user's AD account:
[2245] handle_req-Rcvd auth req 976192257 for testuser in maximal opt=00000500 prot=10
[397] __compose_group_list_from_req-Group 'maximal'
[614] fnbamd_pop3_start-testuser
[341] radius_start-Didn't find radius servers (0)
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1109] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'dc01' for usergroup 'maximal' (3)
[1109] __fnbamd_cfg_get_ldap_list_by_group-Loading LDAP server 'dc02' for usergroup 'maximal' (3)
[1607] fnbamd_ldap_init-search filter is: sAMAccountName=testuser
[1616] fnbamd_ldap_init-search base is: dc=mt-test,dc=local
[991] __fnbamd_ldap_dns_cb-Resolved dc01(idx 0) to 10.0.0.10
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[1607] fnbamd_ldap_init-search filter is: sAMAccountName=testuser
[1616] fnbamd_ldap_init-search base is: dc=mt-test,dc=local
[991] __fnbamd_ldap_dns_cb-Resolved dc02(idx 0) to 10.0.0.11
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[556] create_auth_session-Total 2 server(s) to try
[941] __ldap_connect-tcps_connect(10.0.0.10) is established.
[815] __ldap_rxtx-state 1(StartTLS)
[860] fnbamd_ldap_send-sending 31 bytes to 10.0.0.10
[872] fnbamd_ldap_send-Request is sent. ID 1
[941] __ldap_connect-tcps_connect(10.0.0.11) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'mt-test\ldapadmin'
[860] fnbamd_ldap_send-sending 38 bytes to 10.0.0.11
[872] fnbamd_ldap_send-Request is sent. ID 1
[815] __ldap_rxtx-state 2(StartTLS resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 38
[1083] fnbamd_ldap_recv-Response len: 40, svr: 10.0.0.10
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:extended-result
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'Connecting'
[941] __ldap_connect-tcps_connect(10.0.0.10) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'mt-test\ldapadmin'
[860] fnbamd_ldap_send-sending 38 bytes to 10.0.0.10
[872] fnbamd_ldap_send-Request is sent. ID 2
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 10.0.0.11
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0

[1083] fnbamd_ldap_recv-Response len: 104, svr: 10.0.0.10
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)
[799] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'Done'
[815] __ldap_rxtx-state 21(Done)
[860] fnbamd_ldap_send-sending 7 bytes to 10.0.0.10
[872] fnbamd_ldap_send-Request is sent. ID 5
[725] __ldap_stop-svr 'dc01'
[53] ldap_dn_list_del_all-Del CN=Test User,OU=Users,DC=mt-test,DC=local
[3012] fnbamd_ldap_result-Continue pending for req 976192257
[815] __ldap_rxtx-state 6(User Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 102
[1083] fnbamd_ldap_recv-Response len: 104, svr: 10.0.0.11
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839)
[799] fnbamd_ldap_parse_response-ret=49
[882] __ldap_rxtx-Change state to 'Done'
[815] __ldap_rxtx-state 21(Done)
[860] fnbamd_ldap_send-sending 7 bytes to 10.0.0.11
[872] fnbamd_ldap_send-Request is sent. ID 4
[725] __ldap_stop-svr 'dc02'
[53] ldap_dn_list_del_all-Del CN=Test User,OU=Users,DC=mt-test,DC=local
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 976192257
[710] destroy_auth_session-delete session 976192257
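The debug output above shows one auth request producing a failed user bind (LDAP result 49, AD data 52e) on each domain controller. The following added example, not part of the article or of FortiOS, parses fnbamd output in that format to count failed binds per auth request and to estimate how many wrong-password attempts via the FortiGate reach a given AD lockout threshold (the threshold of 5 used in the usage block is an assumption, and the embedded log excerpt is constructed from the article's sample).

```python
import math
import re

# Constructed excerpt in the format of the fnbamd debug output quoted above;
# request id, servers and error strings follow the article's sample.
SAMPLE_LOG = """\
[2245] handle_req-Rcvd auth req 976192257 for testuser in maximal opt=00000500 prot=10
[1083] fnbamd_ldap_recv-Response len: 104, svr: 10.0.0.10
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839)
[1083] fnbamd_ldap_recv-Response len: 104, svr: 10.0.0.11
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[786] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52e, v3839)
[182] fnbamd_comm_send_result-Sending result 1 (error 0, nid 0) for req 976192257
"""

REQ_RE = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
SVR_RE = re.compile(r"fnbamd_ldap_recv-Response len: \d+, svr: (\S+)")
BIND_RE = re.compile(r"Got one MESSAGE\. ID:\d+, type:bind")
ERR49_RE = re.compile(r"parse_response-Error 49\(.*?data (\w+)")


def failed_binds_per_request(log_text):
    """Map req id -> user, group and the (server, AD data code) of each bind that
    returned LDAP result 49; data 52e is a wrong password and counts toward lockout."""
    results, current, last_svr, in_bind = {}, None, None, False
    for line in log_text.splitlines():
        if m := REQ_RE.search(line):
            current = m.group(1)
            results[current] = {"user": m.group(2), "group": m.group(3), "failed": []}
        elif m := SVR_RE.search(line):
            last_svr, in_bind = m.group(1), False   # response belongs to this server
        elif BIND_RE.search(line):
            in_bind = True                          # next error line is a bind result
        elif (m := ERR49_RE.search(line)) and current and in_bind:
            results[current]["failed"].append((last_svr, m.group(1)))
    return results


def attempts_until_lockout(failed_binds, lockout_threshold):
    """Wrong-password logon attempts via the FortiGate that reach the AD threshold."""
    return math.ceil(lockout_threshold / failed_binds) if failed_binds else None


if __name__ == "__main__":
    for req, info in failed_binds_per_request(SAMPLE_LOG).items():
        n = len(info["failed"])
        print(f"req {req} ({info['user']} in {info['group']}): {n} failed bind(s) on "
              f"{[s for s, _ in info['failed']]}; lockout after "
              f"{attempts_until_lockout(n, 5)} attempt(s) at an assumed AD threshold of 5")
```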
Solution.

To avoid such scenarios, implement the redundant LDAP setup properly, within a single LDAP entry. Two additional LDAP servers can be specified, a secondary and a tertiary one:
secondary-server    <----- Secondary LDAP server CN domain name or IP.
tertiary-server     <----- Tertiary LDAP server CN domain name or IP.

With this setup the secondary LDAP server is only contacted if the primary is not reachable.
This can, however, prolong the time needed for authentication, as the first LDAP server needs to time out before the second one is contacted.


# config user ldap
    edit "dc01"
        set server "10.0.0.10"
        set secondary-server "10.0.0.11"
        set cnid "sAMAccountName"
        set dn "dc=mt-test,dc=local"
        set type regular
        set username "mt-test\\ldapadmin"
        set password <password>
    next
end

