Redundant LDAP Remote Auth. Servers

Forum|Forum|6 years ago
December 6, 2019
1 reply
2607 views

We have just implemented a new FortiGate and FortiAuthenticator setup and I am looking at the LDAP Remote Auth. configuration.

In the FortiAuthenticator Administrators Guide it states "FortiAuthenticator supports multiple Windows AD server forests, with a maximum of 20 remote LDAP servers with Windows AD enabled."

We currently support two Windows Forests and have setup an "LDAP Server" under "Remote Auth. Servers / LDAP" for each.

I am wondering, is it better to setup a single "LDAP Server" for each forest with a "Primary server" and "Secondary server" or, setup multiple "LDAP Servers" for each forest for redundancy, which will allow me to setup three servers for each forest?

Thanks in advance!

6.0

xsilver_FTNT

Staff

It's completely up to you.

But consider fact that for example for RADIUS or Syslog based SSO sources those LDAP servers are possibly used for user group verification. Similarly in Remote User Sync Rules you are choosing single LDAP Remote Auth. Server configuration object. So in such cases it is beneficial having Primary and Secondary server inside a single object. As in case of failure of the Primary Server from within the object, those services like RADIUS/Syslog SSO or mentioned automatic LDAP sync, will keep working through Secondary server.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded