mvlasak (Staff)
March 31, 2026

Technical Tip: Disabling LDAP group polling and switching to collector agent in FSSO

Description

This article describes how to configure Fortinet Single Sign-On (FSSO) on FortiManager when LDAP-based group polling is initially used to retrieve user groups directly from Active Directory. For performance or architectural reasons, LDAP polling may be disabled and the User Group Source switched to use the Collector Agent directly.

Scope

FortiManager v7.4.x, v7.6.x.
Solution

Prerequisites:

  • A functioning FSSO Collector Agent (e.g., FortiAuthenticator or Windows Collector Agent) is added to the Fabric Connectors.
  • Proper ADOM lock management when Workspace mode is enabled.

Configuration procedure:

  1. Identify the FSSO object in the ADOM database.
     Before changes are applied, the CLI console can be used to retrieve the FSSO object list:

execute fmpolicy print-adom-object <ADOM_ID> 321 all

Note: '321' is the object ID for FSSO/User SSO objects. Identify the specific object name, e.g., 'FSSO-CEC', from the list.

  2. Display details for a specific agent:

execute fmpolicy print-adom-object <ADOM_ID> 321 <Agent_Name>

Example configuration output:

config user fsso
    edit "FSSO-CEC"
        set server "10.64.43.187"
        set password ********
        set ldap-server "AD_LDAP"
        set ldap-poll enable
        set interface-select-method specify
        set interface "port3"
        set _gui_meta "%7B%22agentType%22%3A%22agent%22%2C%22ldapType%22%3A0%7D"

  3. Modify settings via CLI configurations.
     Since changes performed through the Fabric Connector GUI may not persist, modification via CLI database configuration is supported.

  • GUI Tools -> CLI Configurations contains the relevant configuration database.
  • The search function can be used to locate fsso.
  • The user -> FSSO (or fsso-polling, depending on firmware version) section contains the relevant objects.
  • The specific FSSO agent (e.g., FSSO-CEC) is edited within the configuration pane.

Required configuration changes:

  • user-source-method is set to Specify or Collector Agent (depending on available options).
  • ldap-poll is set to disable.
  • ldap-server value is removed (unset/empty).
  • Change is saved via OK confirmation.
  • A change note entry is recorded for tracking purposes (e.g., 'Disabling LDAP polling and switching to Collector Agent').

  4. Verification.
     After applying the configuration changes, verification can be performed using:

execute fmpolicy print-adom-object <ADOM_ID> 321 <Agent_Name>

Expected output:

edit "FSSO-CEC"
    set server "10.64.43.187"
    set ldap-poll disable
    unset ldap-server
    set user-source-method collector-agent
next
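As an added check that is not part of this article or of FortiManager itself, the following Python script parses the printed 'config user fsso' blocks and reports any agent that still has ldap-poll enabled, an ldap-server set, or a user-source-method other than collector-agent. The two config samples are constructed from the before/after outputs shown above; the script assumes the CLI output has been saved as text.

```python
# Constructed sample output of 'execute fmpolicy print-adom-object <ADOM_ID> 321 all'
# before the change: group lookup still goes through LDAP polling.
SAMPLE_BEFORE = """\
config user fsso
    edit "FSSO-CEC"
        set ldap-server "AD_LDAP"
        set ldap-poll enable
    next
"""
# Constructed sample of the expected output after the change.
SAMPLE_AFTER = """\
config user fsso
    edit "FSSO-CEC"
        set server "10.64.43.187"
        set ldap-poll disable
        unset ldap-server
        set user-source-method collector-agent
    next
"""

# Parse FortiOS-style edit/set/unset/next blocks into {agent_name: {key: value}}.
def parse_fsso_objects(text):
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = objects.setdefault(line[5:].strip().strip('"'), {})
        elif line == "next":
            current = None
        elif current is not None:
            parts = line.split(None, 2)  # verb, key, optional value; 'unset' clears the key
            if len(parts) >= 2 and parts[0] in ("set", "unset"):
                value = parts[2].strip('"') if len(parts) == 3 else ""
                current[parts[1]] = None if parts[0] == "unset" else value
    return objects

# Return {agent_name: [problems]} for agents that still rely on LDAP group polling.
def check_collector_agent_only(text):
    findings = {}
    for name, attrs in parse_fsso_objects(text).items():
        problems = []
        if attrs.get("ldap-poll") != "disable":
            problems.append("ldap-poll is not disabled")
        if attrs.get("ldap-server"):
            problems.append("ldap-server still set to " + attrs["ldap-server"])
        if attrs.get("user-source-method") != "collector-agent":
            problems.append("user-source-method is not collector-agent")
        if problems:
            findings[name] = problems
    return findings
```

Running check_collector_agent_only on the saved output returns an empty dict only when every FSSO agent has been switched to the Collector Agent.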