LDAP lookup fails to match computer
There can be many ways for LDAP lookup to fail. Following are some scenarios:
- LDAP looks up the wrong attribute: By default, LDAP queries using the filter
(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
. This looks up the UPN attribute of the computers within the LDAP directory.However, the matching may need to occur on a different attribute, such as the name of the computer. Therefore, ensure the filter is defined correctly to look for the proper attribute, and that the attribute on the computer on Active Directory is defined properly.
-
The subject alternate name (SAN) field and the value of the attribute of the computer do not match completely. See as follows:
[448] __cert_ldap_query-UPN = 'WIN10-01.fortiad.info'
[1718] fnbamd_ldap_init-search filter is: (&(name=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
In this example, the FortiGate retrieves the certificate DNS name, which is WIN10-01.fortiad.info. However, the computer name attribute of the computer is WIN10-01. So, this mismatch results in the computer not being matched during LDAP lookup.
Resolving the issue may require a new certificate. You can also configure a different filter on the FortiGate’s
user.ldap.account-key-filter
setting to look up a different attribute.