LDAP authentication debugging

Chapter 3 Authentication for FortiOS 5.0 : Authentication servers : LDAP servers : Troubleshooting LDAP : LDAP authentication debugging

For a more in-depth test, you can use a diag debug command. The sample output from a shows more information about the authentication process that may prove useful if there are any problems.

Ensure the “Allow Dial-in” attribute is still set to “TRUE” and run the following CLI command. fnbamd is the Fortinet non-blocking authentication daemon.

FGT# diag debug enable

FGT# diag debug reset

FGT# diag debug application fnbamd –1

FGT# diag debug enable

The output will look similar to:

get_member_of_groups-Get the memberOf groups.

get_member_of_groups- attr='msNPAllowDialin', found 1 values

get_member_of_groups-val[0]='TRUE'

fnbamd_ldap_get_result-Auth accepted

fnbamd_ldap_get_result-Going to DONE state res=0

fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS

fnbamd_auth_poll_ldap-Passed group matching

If the “Allow Dial-in” attribute is not set but it is expected, the last line of the above output will instead be:

fnbamd_auth_poll_ldap-Failed group matching