I have a MWG performing Kerberos for authentication and LDAPS for group membership information. I followed the steps to set up LDAPS to pull group information, but still cannot establish the connection with the LDAPS server.
When running a tcpdump on the MWG I receive "Unknown CA" errors from the MWG. Is there somewhere I am missing a certificate on the device or within the configuration? Should all certificates in the chain be placed in the LDAPS configuration?
The certs must be base64 PEM encoded. The section in the Kerberos guide:
You also need to make sure that the name you specify for the LDAPS server matches that which is on the certificate.
So if you put an IP, you'll probably need to change it. I would also advise making sure everything works with LDAP first, then change to LDAPS to make sure it is truly an LDAPS issue.
Was running into a similar problem with getting LDAP/S to work. I was able to resolve the issue by dropping the certificate(s) directly into the /etc/ssl/certs directory on the Web Gateway.
I did an openssl -showcerts connection from the web gateway to my LDAP server and copy and pasted the certificates from the response into .pem files into that directory. After that, LDAP/S worked perfectly.
Don't forget to set the permissions on the new pem files.
Hope that helps,
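As an added example (not code from the thread, from McAfee, or from the Web Gateway itself), the following POSIX shell script does the job the reply above describes by hand: it splits an `openssl s_client -showcerts` transcript into one PEM file per certificate, checks that the leaf certificate chains to the CA, and checks whether the name you would enter as the LDAPS server (a DNS name or an IP) actually matches the certificate, which is the point made earlier in the thread. It assumes `openssl` is on PATH. So that it runs offline, the chain is a constructed one (a throwaway CA and a server certificate for the made-up host `ldap.example.internal`) and the transcript is a constructed stand-in for real `s_client` output; `10.0.0.5` is likewise a made-up address. Against a real directory server you would capture the transcript with `openssl s_client -connect <host>:636 -showcerts </dev/null` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from McAfee. Splits an
# "openssl s_client -showcerts" transcript into one PEM file per certificate,
# checks that the leaf verifies against the CA, and checks that the name you
# would type into the LDAPS configuration matches the certificate.
# Assumes: openssl on PATH. ldap.example.internal and 10.0.0.5 are made up.
set -eu

# Write cert-1.pem, cert-2.pem, ... (leaf first, as s_client prints them)
# into $2 from the transcript file $1; print the number of certs found.
split_chain() {
    transcript="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$transcript"
}

# Print the subject and subjectAltName of a certificate; the LDAPS server
# name in the MWG configuration has to match one of these.
show_cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Exit 0 only if $1 (leaf) chains to $2 (CA file) AND $3 matches the
# certificate's SAN/CN. Add "-untrusted inter.pem" if the chain has an
# intermediate that is not in the CA file.
verify_ldaps_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# PEM files dropped into /etc/ssl/certs should be readable by the gateway
# process but writable only by root.
set_pem_perms() {
    chmod 0644 "$1"/*.pem
}

# Build a throwaway CA and server certificate for host $2 under $1 and write
# a constructed transcript shaped like s_client output, so this runs offline.
make_demo_chain() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/srv.pem" 2>/dev/null
    # Real-world equivalent:  openssl s_client -connect $host:636 -showcerts </dev/null
    { echo "CONNECTED(00000003)"; echo "Certificate chain";
      cat "$dir/srv.pem" "$dir/ca.pem"; echo "---"; } > "$dir/transcript.txt"
}

demo() {
    work=$(mktemp -d)
    make_demo_chain "$work" ldap.example.internal
    echo "certificates in transcript: $(split_chain "$work/transcript.txt" "$work/certs")"
    show_cert_names "$work/certs/cert-1.pem"
    set_pem_perms "$work/certs"
    if verify_ldaps_cert "$work/certs/cert-1.pem" "$work/certs/cert-2.pem" ldap.example.internal; then
        echo "OK: chain verifies and ldap.example.internal matches the certificate"
    fi
    # Configuring the server by IP is the mistake the thread warns about:
    if ! verify_ldaps_cert "$work/certs/cert-1.pem" "$work/certs/cert-2.pem" 10.0.0.5; then
        echo "FAIL: 10.0.0.5 does not match the certificate name; use the DNS name"
    fi
    rm -rf "$work"
}
demo
```

The hostname check is the part worth keeping even if you import the certificates through the UI rather than dropping files into `/etc/ssl/certs`: a chain that verifies but whose name does not match the configured server still fails the handshake.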
That may work, but I have no guarantee for how long. That directory could be wiped out or updated with an upgrade.
The supported method would be to import it into the MWG UI to ensure this doesn't happen.