Troubleshooting Tip: LDAP Configuration lost after Policy Package push from FortiManager
Description
This article describes an issue where LDAP configurations on newly added FortiGate devices get removed after a policy package push from FortiManager.
Scope
FortiGate, FortiManager.
Solution
The FortiGate has been added to FortiManager and its central-management connection status is up:
Spoke-B # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVMSTMXXXXXX
LDAP Config present on the FortiGate before policy package push:

When a new policy is created and pushed, the installation preview shows that the LDAP server configuration will be purged:
=== Preview result ===
config firewall policy
    edit 2
        set uuid 7871aefe-9a1d-51f0-040b-44845032de40
        set action accept
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
config user ldap
    purge
end
After the installation, the LDAP configuration is missing on the FortiGate because the purge has already been applied.

The FortiGate system event logs also record the LDAP configuration being purged by FortiManager.

FortiManager removes an LDAP server configuration that is not referenced by any firewall policy. During a policy package installation, unreferenced LDAP configurations are therefore expected to be purged, exactly as the preview shows. To keep the LDAP server, configure it directly on FortiManager, reference it from the appropriate policy package, and then deploy it to the FortiGate using the Install Wizard.
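Because the install preview announces the purge before anything is pushed, it is worth checking it automatically. The following Python script is an added example (not part of the original article or a Fortinet tool): it walks the preview's config/end nesting, lists every table that a purge statement would wipe, and refuses the install when an authentication table such as config user ldap is among them. The sample preview is constructed from the one above, and the extra protected tables (user radius, user tacacs+) are an assumption about what else deserves the same scrutiny.

```python
"""Flag destructive 'purge' statements in a FortiManager install preview."""

# Constructed sample modelled on the preview shown in the article (not a real capture).
SAMPLE_PREVIEW = """\
=== Preview result ===
config firewall policy
    edit 2
        set uuid 7871aefe-9a1d-51f0-040b-44845032de40
        set action accept
        set srcintf "port3"
        set dstintf "port1"
    next
end
config user ldap
    purge
end
"""

# Assumed list of tables whose loss would break device or user authentication.
PROTECTED_TABLES = ("user ldap", "user radius", "user tacacs+")


def find_purged_tables(preview: str) -> list[str]:
    """Return the config tables the preview would wipe with 'purge'.

    Keeps a stack of 'config <table>' / 'end' so a table nested inside a
    VDOM block is reported by its full path (e.g. 'vdom / user ldap').
    'edit' / 'next' lines do not open a table, so they are ignored.
    """
    stack: list[str] = []
    purged: list[str] = []
    for raw in preview.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line == "purge" and stack:
            purged.append(" / ".join(stack))
    return purged


def review_preview(preview: str, protected=PROTECTED_TABLES) -> dict:
    """Classify purges: a purge of any protected table blocks the install."""
    purged = find_purged_tables(preview)
    blocking = [t for t in purged if any(t.endswith(p) for p in protected)]
    return {"purged": purged, "blocking": blocking, "safe_to_install": not blocking}


if __name__ == "__main__":
    print(review_preview(SAMPLE_PREVIEW))
```

Run it against the text copied from the Install Wizard preview; a non-empty blocking list means the LDAP server must be defined on FortiManager and referenced by the package before installing.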
