Technical Tip: Best practices for LDAP configuration
Description
This article describes best practices when integrating LDAP Directories.
Scope
Solution
- Do not specify a domain name unless configuring multiple directories for separate domains.
- Configure a backup LDAP server (Secondary IP) so that lookups continue if communication with the primary LDAP server fails.
- The backup server should have the same configuration and user records as the primary. The same directory configuration (Connection, Search Branches, etc.) is used when communicating with the Secondary Server IP address.
- Servers used as the secondary should only be added as a pingable device. They should not be added as a separate directory in the directory list.
Search Branches Tab - User Search Branches:
- Be granular with the search branches. A single search branch beginning at the root of the directory (e.g., dc=domain,dc=com) is not recommended.
- Order the Client Search Branches with the most used first (at the top) and the least used last. This speeds up lookups because branches are searched in order until a match is found.
Search Branches Tab - Group Search Branches:
- Configure Group Search Branches only if group membership is intended to be used to assign Network Access or Endpoint Compliance policies. If LDAP group membership will not be used, do not configure group search branches.
- Search branches should not begin at the root; they should begin at the location in the tree where the security groups exist.
- If security groups exist in multiple OUs, configure multiple search branches.
Related articles:
Technical Tip: Performance issue and some general recommendations
Technical Tip: How to Configure Secure LDAPS communication with FortiNAC
Technical Tip: Assign Roles based on User LDAP Directory Attributes