Technical Tip: Newly created Active Directory groups are not immediately visible in FortiManager
Description
This article describes the operation of the LDAP cache in FortiManager, how to manually delete the LDAP cache, and how to modify the LDAP cache timeout.
Scope
FortiManager.
Solution
FortiManager uses an embedded LDAP browser to allow administrators to select Active Directory objects, like users and groups, as members of firewall user groups, which can be pushed to the managed FortiGates.

The same LDAP browser is also used for selecting FSSO groups within the respective connectors.

The first time FortiManager connects to the LDAP server, it retrieves and caches the users and groups in a dedicated directory on the disk.
By default, the LDAP cache timeout is set to 24h, meaning that a newly added Active Directory group would not be visible in FortiManager until the next day.
The following CLI command can be used to manually delete the LDAP cache without changing the global timeout setting:
diagnose report clean ldap-cache
The following CLI setting defines the LDAP cache timeout in seconds (range 1 - 31536000):
config system global
    set ldap-cache-timeout 60
end
Note:
In FortiManager, there is usually no problem setting a very low value for the LDAP cache timeout, as LDAP searches are performed only when new groups need to be selected for the FortiGates or when an LDAP administrator logs in.
However, in FortiAnalyzer (or FortiManager with FortiAnalyzer features enabled), the number of LDAP queries may be significantly larger; for example, when an LDAP filter is used in reports, a short timeout can unnecessarily increase network bandwidth usage and potentially cause load issues on the LDAP server side.
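To make the cache behaviour described above concrete (a first lookup populates the cache, the cached list is reused until the timeout expires or the cache is cleaned, and a shorter timeout means more searches against the directory), here is a small added Python model. It is not FortiManager code and does not talk to LDAP; the directory contents, the clock values and the group names are constructed for the example, and the `clean()` method is only an analogue of the effect of `diagnose report clean ldap-cache`.

```python
"""Toy model of a directory-group cache with a timeout and a manual purge.

Added example, not FortiManager's implementation. It reproduces the two
effects the article describes: a group created after the cache was filled
stays invisible until the timeout expires or the cache is purged, and a low
timeout multiplies the number of searches sent to the directory server.
The directory, clock and group names below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """Stand-in for the LDAP server; counts how many searches it serves."""
    groups: set = field(default_factory=lambda: {"Domain Users", "VPN-Users"})
    searches: int = 0

    def search_groups(self):
        self.searches += 1
        return sorted(self.groups)


@dataclass
class GroupCache:
    """Cache of directory groups with a configurable timeout in seconds."""
    directory: FakeDirectory
    timeout: int = 86400                      # article default: 24 hours
    _groups: list = field(default_factory=list)
    _fetched_at: float = float("-inf")        # -inf means "never fetched"

    def get_groups(self, now: float):
        """Return the cached list; query the directory once the timeout has passed."""
        if now - self._fetched_at >= self.timeout:
            self._groups = self.directory.search_groups()
            self._fetched_at = now
        return self._groups

    def clean(self):
        """Manual purge, the analogue of 'diagnose report clean ldap-cache'."""
        self._groups = []
        self._fetched_at = float("-inf")


def visibility_scenario():
    """A group added after the first lookup is invisible until expiry or purge.

    Returns (visible_one_hour_later, visible_after_clean, directory_searches).
    """
    directory = FakeDirectory()
    cache = GroupCache(directory)
    cache.get_groups(now=0)                   # first lookup fills the cache
    directory.groups.add("New-AD-Group")      # group created in AD afterwards
    visible_later = "New-AD-Group" in cache.get_groups(now=3600)   # 1h later
    cache.clean()                             # manual purge
    visible_after_clean = "New-AD-Group" in cache.get_groups(now=3601)
    return visible_later, visible_after_clean, directory.searches


def expiry_scenario():
    """Without a purge, the new group appears once the 24h timeout has passed."""
    directory = FakeDirectory()
    cache = GroupCache(directory)
    cache.get_groups(now=0)
    directory.groups.add("New-AD-Group")
    return "New-AD-Group" in cache.get_groups(now=86400)


def query_load(timeout: int, lookups: int, interval: int):
    """Number of directory searches caused by 'lookups' lookups 'interval' seconds apart."""
    directory = FakeDirectory()
    cache = GroupCache(directory, timeout=timeout)
    for i in range(lookups):
        cache.get_groups(now=i * interval)
    return directory.searches


if __name__ == "__main__":
    print("visibility (1h later, after clean, searches):", visibility_scenario())
    print("visible after 24h expiry:", expiry_scenario())
    print("searches, 24h timeout, 100 lookups 60s apart:", query_load(86400, 100, 60))
    print("searches, 60s timeout, 100 lookups 60s apart:", query_load(60, 100, 60))
```

The `query_load` comparison is the point of the FortiAnalyzer note: with the default timeout, a hundred lookups a minute apart cost one directory search, whereas a 60-second timeout turns every lookup into a search.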
