stylus asked

What are the recommended settings for configuring LDAPS?

Tags: FortiOS, LDAP

1 Answer

Tomcat Silver answered

1. Use openssl s_client to dump keying material while connecting to the target site, like ldap://
2. Start a sniffer.
3. Make the next attempt to use LDAPS, for example to load a user.
4. Make the next openssl s_client connection to the site and reuse the keying data from the 1st session.
5. Use openssl and reuse the session ID and session keying material, hoping you hit an abbreviated handshake; this session is to check whether you have the correct pair of session ID and keys for the session captured in the sniffer in step 2.

Alternatively, set an environment variable, something like "export SSLKEYLOGFILE=<path-to-file>".
Then start the sniffer and browser and access LDAPS. Keying material will be dumped to the file set in the variable.

HOWEVER ... what is it good for?
If you have problems with LDAP(S) on FortiOS, then the better way IMHO is to use the CLI ...

diag debug reset
diag debug application fnbamd 7
diag debug enable

... to start debug level 7 for the daemon responsible for outer authentication connections on FortiOS.
Then access LDAP(S) simply from the FortiOS GUI, or use the Test button inside the LDAP(S) server configuration in the FortiOS GUI.
Alternatively, run "diag test auth ldap <serverName> <userName> <userPassword>" to trigger an authentication test right from the CLI.

This way you will get intel on why FortiOS has any issue with the configured LDAP(S) and what might be wrong, without the hassle of Wireshark, keying material, sessions, sniffs etc.

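An added example, not code from the post above or from Fortinet, that addresses the question itself (which client-side TLS settings an LDAPS connection should insist on) and ties in the key-log trick the answer mentions. It builds a hardened TLS client context (certificate chain verification, hostname check, TLS 1.2 minimum) next to the lax "just make it connect" variant, can write an NSS-format key log for Wireshark the same way SSLKEYLOGFILE does, and probes an LDAPS port to report negotiated version, cipher and certificate details. The host name, CA file path and key-log path are assumptions for illustration; the probe needs network access, the context checks do not.

```python
"""LDAPS client TLS settings: hardened vs lax, plus an optional key log.

Added example, not part of the original FortiAnswers post. The host and
file paths below are placeholders (assumptions), not real endpoints.
"""
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636  # standard LDAP-over-TLS port


def build_ldaps_context(ca_file: Optional[str] = None,
                        keylog_path: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the settings you actually want for LDAPS.

    - verify the server's chain against a trusted CA (ca_file or system store)
    - require the certificate's CN/SAN to match the server name you dial
    - refuse TLS 1.0/1.1
    keylog_path, if given, dumps session secrets in NSS key-log format, the
    same data the SSLKEYLOGFILE variable produces, so Wireshark can decrypt
    the capture (only ever do this in a lab, the file holds live secrets).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if keylog_path:
        ctx.keylog_filename = keylog_path
    return ctx


def build_lax_context() -> ssl.SSLContext:
    """The 'it connects, ship it' variant: no chain or hostname validation.

    Shown only for contrast: a man-in-the-middle can terminate this session
    and read every bind password that crosses it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces all three recommended settings."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def probe_ldaps(host: str, port: int = LDAPS_PORT,
                ctx: Optional[ssl.SSLContext] = None,
                timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and report what was negotiated.

    With the hardened context this raises ssl.SSLCertVerificationError on a
    bad chain or a CN/SAN mismatch, which is exactly the failure an LDAPS
    client (FortiOS included) hits when the server certificate is wrong.
    """
    ctx = ctx or build_ldaps_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0] if tls.cipher() else None,
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),
                "not_after": cert.get("notAfter"),
                "san": cert.get("subjectAltName", ()),
            }


if __name__ == "__main__":
    # Placeholder values (assumptions); point them at your own DC / CA.
    HOST = "ldap.example.internal"
    CA_FILE = "/path/to/internal-ca.pem"
    KEYLOG = "/tmp/ldaps-keylog.txt"  # feed to Wireshark: TLS > (Pre)-Master-Secret log
    try:
        info = probe_ldaps(HOST, ctx=build_ldaps_context(CA_FILE, KEYLOG))
        for key, value in info.items():
            print(f"{key}: {value}")
    except ssl.SSLCertVerificationError as exc:
        print(f"certificate check failed, fix the server cert or CA: {exc}")
    except OSError as exc:
        print(f"could not reach {HOST}:{LDAPS_PORT}: {exc}")
```

If the probe succeeds with build_ldaps_context but the appliance still fails, the problem is on the appliance side (wrong CA installed, server name that does not match the certificate, or a TLS version it will not offer), which is where the fnbamd debug output from the answer above tells you what it did not like.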
