External Connector FSSO Agent on Windows AD

Agree, 1 minute interval is nonsense ..
1. you are going to overload LDAP with periodical queries.

2. once the LDAP starts to have load issues and start to react slowly, your queries stockpile and will just increase the load with non-responded queries queued.

3. once there will be issue connecting to that LDAP (DoS / network outage / load on server), then FortiGate will start to stockpile non-responded queries in queue which is memory, so you will possibly overload FortiGate as well.

4. seriously, how often do you change group membership of the users and how fast you need to sync this "promotion" through all connected systems?

You just need to find a balance between sync time and for how long you can keep possibly older group membership info, versus some reasonable auto-update interval.

Besides that, if group cache record times out, then on next login spotted by FSSO there will be fresh LDAP group membership query anyway.

In summary, I do not see any reason to knock on LDAP's door extremely often.
Short intervals like 30 minutes are fine. And even longer update periods like few hours might be OK as well, as said it depends mainly on frequency of your group membership changes.

Hello Bpozdena,

TAC found your post for me on a similar case.  I'm very interested to know how you are able to determine that "user.adgrp" is the object in the maximum values table that's most relevant to this?  I was hoping the max val table would have links to descriptions for each object but havent come across documentation on these objects yet in our search.