FortiOS 7.4 silently breaks LDAPS against self-signed CAs

Setting ca-cert now auto-enables server-identity-check. Two-line fix; thirty-minute root cause.

Posted 2026-05-18 · FortiOS 7.4 / LDAPS / identity hardening

The symptom

You move a working FortiGate LDAPS configuration from 7.2 to 7.4 (or freshly stage a new one), and LDAP-backed authentication starts failing silently: diagnose test authserver ldap reports success against your DCs from the CLI, but real logins via SSL VPN, SSO, or admin login fail without a useful log line.

The cause

On 7.4, setting set ca-cert <name> on an LDAP server now automatically enables server-identity-check. If your AD environment uses self-signed CAs (very common in OT), the CA signature verifies, but once the strict identity check kicks in the name in the DC certificate also has to match the LDAP server's server value. It doesn't, and the bind fails.

On 7.2 you could set the CA without identity-check coming along for the ride. On 7.4 they are coupled by default. This is documented, but only in the release notes -- not in the LDAPS configuration guide most people read.

The fix

Explicitly disable the identity check in the same edit block:

config user ldap
    edit "AD-LDAPS"
        set server "192.168.236.3"
        set secure ldaps
        set ca-cert "LDAP_CA"
        set server-identity-check disable
    next
end

The right fix (eventually)

Move off self-signed -- either by issuing DC certificates from an internal CA whose subject matches the LDAP server value, or by load-balancing LDAPS through a FortiGate VIP with a matching cert. Then leave server-identity-check enabled.
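To see why the identity check trips over the configuration above, here is an added Python example (not code from this post or from Fortinet) that models a standard TLS server-name check: it takes the value from set server and the names in a DC certificate and reports whether the check would pass. The certificate names (dc01.corp.example), the CertNames type and the matching rules (RFC 6125 / RFC 2818 style: an IP in set server needs an iPAddress SAN, a hostname is matched against dNSName SANs, and the subject CN only counts when there are no SANs) are assumptions of the example; FortiGate's exact implementation is not described on this page.

```python
# Added example (not from the post or from Fortinet): predicts whether a TLS
# server-identity check would pass for the value in "set server" against the
# names in a DC certificate. It models RFC 6125 / RFC 2818 hostname rules; the
# exact FortiGate implementation is an assumption.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields of an X.509 certificate (constructed inline, no parsing)."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; only a single leftmost '*' label is honoured."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        label, rest = host.split(".", 1)
        return label != "" and rest == pattern[2:]
    return False


def identity_check(server_value: str, cert: CertNames):
    """Return (passes, reason) for a 'set server' value and a certificate's names."""
    try:
        wanted_ip = ipaddress.ip_address(server_value)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP in 'set server' is only satisfied by an iPAddress SAN; CN is ignored.
        for san in cert.ip_sans:
            if ipaddress.ip_address(san) == wanted_ip:
                return True, f"IP SAN {san} matches"
        return False, "server is an IP address but the certificate has no matching IP SAN"

    # A hostname is checked against dNSName SANs; the subject CN is consulted
    # only when the certificate carries no DNS SANs at all.
    if cert.dns_sans:
        for san in cert.dns_sans:
            if dns_name_matches(san, server_value):
                return True, f"DNS SAN {san} matches"
        return False, "no DNS SAN matches (CN is ignored once SANs are present)"
    if dns_name_matches(cert.subject_cn, server_value):
        return True, "subject CN matches (certificate has no SANs)"
    return False, "neither SAN nor CN matches"


# Constructed DC certificate names: a typical AD domain controller certificate
# issued to its FQDN, with no IP SAN (hostname and domain are assumptions).
DC_CERT = CertNames(
    subject_cn="dc01.corp.example",
    dns_sans=["dc01.corp.example", "corp.example"],
)


def report(server_value: str, cert: CertNames = DC_CERT) -> str:
    """One-line PASS/FAIL verdict for a given 'set server' value."""
    ok, why = identity_check(server_value, cert)
    return f"server={server_value!r}: {'PASS' if ok else 'FAIL'} ({why})"


if __name__ == "__main__":
    # The post's config uses an IP address, so the check fails even though the
    # chain validates; pointing 'set server' at the DC's FQDN makes it pass.
    for value in ("192.168.236.3", "dc01.corp.example", "DC01.CORP.EXAMPLE.", "ldap.corp.example"):
        print(report(value))
```

Run as-is and the IP from the config above fails while the DC's FQDN passes, which is the whole bug in one line. It also makes clear what the workaround gives up: with server-identity-check disabled, any certificate that chains to LDAP_CA is accepted for that server entry regardless of the name in it, so the exception is worth tracking until the DC certificates, or the server value, are brought into line.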
