1. Use openssl s_client to dump keying material while connecting to the target site, like ldap://
2. Start the sniffer.
3. Make the next attempt to use LDAPS, for example to load a user.
4. Make the next openssl s_client connection to the site and reuse the keying data from the 1st session.
5. Use openssl and reuse the session ID and session keying material, hoping you hit an abbreviated handshake; this session is to check whether you have the correct pair of session ID and keys for the session captured in the sniffer in step 2.
Alt.: set an environment variable, something like "export SSLKEYLOGFILE=<path-to-file>".
Then start the sniffer and browser and access LDAPS. Keying material will be dumped to the file set in the variable.
HOWEVER .. what is it good for?
If you do have problems with LDAP(S) on FortiOS, then the better way IMHO is to use the CLI ...
diag debug reset
diag debug application fnbamd 7
diag debug enable
... to start debug level 7 for the daemon responsible for outer authentication connections on FortiOS.
Then access LDAP(S) simply from the FortiOS GUI, or use the Test button inside the LDAP(S) server configuration in the FortiOS GUI.
Alternatively, run "diag test auth ldap <serverName> <userName> <userPassword>" to trigger an authentication test right from the CLI.
This way you will get intel on why FortiOS has any issue with the configured LDAP(S) and what might be wrong, without the hassle of Wireshark, keying material, session sniffs, etc.
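The SSLKEYLOGFILE approach above writes secrets in the NSS Key Log Format that Wireshark consumes. As an added example (not code from the original post or from Fortinet), the following Python script parses such a file, rejects malformed lines instead of silently ignoring them, and checks whether the client random of a captured ClientHello has a matching entry, which is the "do we have the right pair of session and keys" check the steps above try to do by hand with a second openssl session. The key log lines, secrets and the ClientHello bytes are constructed for illustration; the cipher suite value is only a placeholder.

```python
"""Parse an SSLKEYLOGFILE (NSS Key Log Format, the file Wireshark reads) and
check whether a captured TLS ClientHello has a matching entry in it.

Added example: not code from the original post. The key log lines and the
ClientHello bytes are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every key log entry has the shape: <LABEL> <client_random hex> <secret hex>
# CLIENT_RANDOM (TLS 1.2 and earlier) carries the 48-byte master secret; the
# TLS 1.3 labels carry per-direction traffic secrets whose length follows the
# negotiated cipher suite's hash.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class KeyLog:
    sessions: Dict[bytes, Dict[str, bytes]] = field(default_factory=dict)  # client_random -> {label: secret}
    rejected: List[str] = field(default_factory=list)  # malformed lines, with the reason


def parse_keylog(text: str) -> KeyLog:
    """Parse key log text; bad lines are recorded in `rejected` rather than raising."""
    log = KeyLog()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted by the format
        parts = line.split()
        if len(parts) != 3:
            log.rejected.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, rand_hex, secret_hex = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            log.rejected.append(f"line {lineno}: unknown label {label}")
            continue
        if not (HEX_RE.match(rand_hex) and HEX_RE.match(secret_hex)) or len(secret_hex) % 2:
            log.rejected.append(f"line {lineno}: fields are not valid hex")
            continue
        if len(rand_hex) != 64:
            log.rejected.append(f"line {lineno}: client_random must be 32 bytes")
            continue
        secret = bytes.fromhex(secret_hex)
        if label == TLS12_LABEL and len(secret) != 48:
            log.rejected.append(f"line {lineno}: master secret must be 48 bytes")
            continue
        log.sessions.setdefault(bytes.fromhex(rand_hex), {})[label] = secret
    return log


def client_random_from_record(record: bytes) -> Optional[bytes]:
    """Extract the 32-byte client random from a TLS record carrying a ClientHello.
    Layout: record header (5) + handshake header (4) + legacy_version (2) + random (32)."""
    if len(record) < 43:
        return None
    if record[0] != 0x16 or record[5] != 0x01:  # must be a Handshake record holding a ClientHello
        return None
    return record[11:43]


def secrets_for_capture(record: bytes, log: KeyLog) -> Optional[Dict[str, bytes]]:
    """Return the key log entries for the session this ClientHello started.
    None means the capture and the key log file do not belong to the same session,
    so the capture cannot be decrypted with this file."""
    rand = client_random_from_record(record)
    return None if rand is None else log.sessions.get(rand)


def build_client_hello(random32: bytes) -> bytes:
    """Construct a minimal ClientHello record, standing in for one taken from a capture."""
    body = b"\x03\x03" + random32 + b"\x00"   # legacy_version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                # one cipher suite (placeholder value)
    body += b"\x01\x00"                        # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample data (not real secrets).
RAND_A = bytes(range(1, 33))
RAND_B = bytes([0xAA]) * 32
MASTER_A = bytes([0x11]) * 48
HS_B = bytes([0x22]) * 32
APP_B = bytes([0x33]) * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by openssl",
    f"CLIENT_RANDOM {RAND_A.hex()} {MASTER_A.hex()}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {HS_B.hex()}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {APP_B.hex()}",
    "CLIENT_RANDOM deadbeef 00",              # malformed: client_random too short
    f"MY_LABEL {RAND_A.hex()} {HS_B.hex()}",  # malformed: label not in the format
])

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(log.sessions)} sessions, {len(log.rejected)} rejected lines: {log.rejected}")
    print("match for RAND_A:", secrets_for_capture(build_client_hello(RAND_A), log) is not None)
    print("match for unknown random:", secrets_for_capture(build_client_hello(bytes(32)), log) is not None)
```

Run it against a real key log by replacing SAMPLE_KEYLOG with the file contents and the constructed ClientHello with the first handshake record of the LDAPS capture; a None result tells you the key file was written by a different session than the one you captured, which is the usual reason Wireshark still shows ciphertext.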