georgeinva2004
New Member
September 24, 2015
Solved

Cannot replace/Delete LDAP/Active Directory server using GUI

  • September 24, 2015
  • 3 replies
  • 16352 views

Hi,

We need to decommission an Active Directory domain controller and are having difficulty removing it from our SSO configuration. In the Users and Device>>Authentication>>LDAP Servers page, the option to delete the LDAP server is greyed out. There's no option under the Single Sign-on page to disassociate an LDAP server from the Local SSO agent. I can't seem to find anything online on using the CLI to remove a server either (lots of info on adding them). Any help would be appreciated.


We're running FortiOS 5.2.4, and are using the Local SSO agent in polling mode.

    Best answer by denache

    To narrow your searches run:

    diagnose sys checkused user.ldap.

    may be used by table user.fsso.ldap-server
    may be used by table user.fsso-polling.ldap-server
    may be used by table user.local.ldap-server
    may be used by table user.peer.ldap-server
    may be used by table user.group.member.name
    may be used by table user.group.match.server-name

    So all entries from User - LDAP might be used only in the above tables.


    3 replies

    xsilver_FTNT
    Staff
    September 29, 2015

    Hello,


    There are probably dependencies the GUI is not aware of. Go to the CLI and check the content of the relevant configs.

    Like:

    show user adgrp <-- in there, see the used server and polling-id, which might refer to a local poller record

    show user fsso-polling

    show user group


    In short, LDAP is used in poller, poller creates adgrp, adgrp is used in groups, groups are used in policies. So follow the dependency path from LDAP down and check the chain.


    Best regards, Tomas

    denache (Best answer)
    New Member
    September 29, 2015


    georgeinva2004
    New Member
    September 29, 2015

    It was a dependency. However, the fix was basically to remove the entire dependency tree and start over. A little time consuming, but we got there. We also learned something new. In the latest version of code, an ADGRP can only be defined on one LDAP server. Somehow, the decommissioned DC and another DC both had the same ADGRPs defined. I think that was the conflict that forced deleting everything and starting over. Not sure how we got there to begin with, but I think we're all set now...
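The two replies above describe the same check from two sides: denache's `diagnose sys checkused user.ldap.` output lists the tables that can hold a reference to an LDAP server, and xsilver describes the chain those references form (LDAP server, poller, adgrp, group, policy). The script below is an added example, not code from the thread or from Fortinet: it parses a FortiOS-style `show` dump and walks that chain from one LDAP server outward, so that everything blocking the delete is listed before anything is touched. The config dump is constructed for the example; the `ldap-server`, `member` and `match.server-name` reference attributes come from the checkused output on the page, while `set id` on `user adgrp` (the polling-id xsilver mentions) and the `groups` attribute on `firewall policy` are assumptions about the 5.2 schema and may need adjusting against a real unit's `show` output.

```python
import re
from collections import defaultdict, deque

# Constructed FortiOS-style "show" output, not a dump from a real unit; "set id" on
# user adgrp (the polling-id xsilver mentions) is an assumed attribute name.
SAMPLE_CONFIG = """\
config user ldap
    edit "DC-OLD"
    next
    edit "DC-NEW"
    next
end
config user fsso-polling
    edit 1
        set ldap-server "DC-OLD"
    next
end
config user adgrp
    edit "CN=Domain Admins,CN=Users,DC=example,DC=com"
        set id 1
    next
end
config user group
    edit "FSSO-Admins"
        set member "CN=Domain Admins,CN=Users,DC=example,DC=com"
    next
    edit "LDAP-Helpdesk"
        set member "DC-OLD"
        config match
            edit 1
                set server-name "DC-OLD"
            next
        end
    next
end
config firewall policy
    edit 10
        set groups "FSSO-Admins"
    next
end
"""

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted values may contain spaces

def parse_config(text):
    """{table_path: {name: {attr: [values]}}}; a nested block such as 'config match'
    folds into the enclosing object as dotted attributes ('match.server-name')."""
    tables, stack = defaultdict(dict), []  # stack: [table_path, edit_name] per open block
    for raw in text.splitlines():
        tok = [bare or quoted for quoted, bare in _TOKEN_RE.findall(raw)]
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append([".".join(args) if not stack else stack[-1][0] + "." + args[0], None])
        elif kw == "edit":
            stack[-1][1] = args[0]
            if len(stack) == 1:
                tables[stack[0][0]].setdefault(args[0], defaultdict(list))
        elif kw == "set":
            top_table, top_name = stack[0]
            prefix = "" if len(stack) == 1 else stack[-1][0][len(top_table) + 1:] + "."
            tables[top_table][top_name][prefix + args[0]].extend(args[1:])
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return dict(tables)

# Attribute -> table(s) its value names. The user.ldap rows are the tables listed by
# "diagnose sys checkused user.ldap." in the thread; the rest encode xsilver's chain
# (poller -> adgrp -> group -> policy) and are assumptions about the 5.2 schema.
REF_ATTRS = {(t, "ldap-server"): ("user.ldap",)
             for t in ("user.fsso", "user.fsso-polling", "user.local", "user.peer")}
REF_ATTRS.update({
    ("user.group", "member"): ("user.ldap", "user.adgrp"),
    ("user.group", "match.server-name"): ("user.ldap",),
    ("user.adgrp", "id"): ("user.fsso-polling",),
    ("firewall.policy", "groups"): ("user.group",),
})

def dependency_chain(tables, table, name):
    """Breadth-first: every (depth, table, name, via_attr) that directly or indirectly
    refers to the object; all of them must be re-pointed or deleted before it can go."""
    dependents = defaultdict(list)  # reverse edges: target -> [(referrer_table, name, attr)]
    for tbl, objects in tables.items():
        for obj, attrs in objects.items():
            for attr, values in attrs.items():
                for target in REF_ATTRS.get((tbl, attr), ()):
                    for value in values:
                        if value in tables.get(target, {}):
                            dependents[(target, value)].append((tbl, obj, attr))
    seen, chain, queue = {(table, name)}, [], deque([((table, name), 0)])
    while queue:
        node, depth = queue.popleft()
        for dep_table, dep_name, attr in dependents.get(node, []):
            if (dep_table, dep_name) not in seen:
                seen.add((dep_table, dep_name))
                chain.append((depth + 1, dep_table, dep_name, attr))
                queue.append(((dep_table, dep_name), depth + 1))
    return chain

if __name__ == "__main__":
    for depth, tbl, obj, attr in dependency_chain(parse_config(SAMPLE_CONFIG), "user.ldap", "DC-OLD"):
        print(f"{'  ' * depth}{tbl} {obj!r} (via {attr})")
```

Run against the constructed dump, `DC-OLD` turns out to be held by the poller, by an LDAP-type group (both through `member` and through its `match` sub-table), and indirectly by the FSSO group and the firewall policy that use the adgrp the poller created; `DC-NEW` has no dependents and could be deleted from the GUI as-is. To use it on a real unit, replace `SAMPLE_CONFIG` with the output of the `show user ...` and `show firewall policy` commands (or `show full-configuration`) and extend `REF_ATTRS` with any further tables `diagnose sys checkused` reports for your version.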