FortiGate
anoushiravan
Staff
Article Id 404005
Description This article describes how to stop automatic connection attempts originating from the FortiGate toward the LDAP server.
Scope FortiGate, FortiProxy.
Solution

By default, once an LDAP server is configured on FortiGate or FortiProxy, the unit automatically keeps trying to connect to that server until a connection succeeds. This behavior is controlled by the 'obtain-user-info' setting in the LDAP server configuration ('config user ldap').


The option 'obtain-user-info' is enabled by default. When it is disabled, FortiGate or FortiProxy connects to the LDAP server only under the following conditions:

  • Whenever an LDAP user needs to be authenticated on FortiGate, for instance when an LDAP user group is used in any firewall policy.
  • When an LDAP user attempts to connect to the VPN.
  • When the LDAP connection is tested with the 'Test connectivity' option in the LDAP server settings in the GUI.

To disable the option from the CLI:


FGT # config user ldap
FGT (ldap) # edit ldap.server
FGT (ldap.server) # set obtain-user-info disable

FGT (ldap.server) # end
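Because FortiOS 'show' output prints only non-default values, an LDAP server entry that lacks 'set obtain-user-info disable' is still in the default, auto-connecting state. The following added example (not Fortinet code) parses a 'show user ldap' export and lists the servers that will keep initiating connections on their own; the config text is constructed, and the port helper is an assumption-based convenience for building a sniffer filter (explicit 'set port', otherwise 636 for 'set secure ldaps', otherwise 389).

```python
"""Audit a FortiOS 'show user ldap' export for LDAP servers that still have
obtain-user-info enabled (the default).  Added example, not Fortinet code.

Assumption: FortiOS prints only non-default values in 'show' output, so an
entry without 'set obtain-user-info disable' is treated as enabled.
The sample configuration below is constructed."""
import re

SAMPLE_SHOW_USER_LDAP = """\
config user ldap
    edit "ldap.server"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc,dc=example,dc=local"
        set password ENC XXXX
        set obtain-user-info disable
    next
    edit "ldap.backup"
        set server "10.0.0.11"
        set secure ldaps
        set port 636
        set dn "dc=example,dc=local"
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_ldap_servers(text):
    """Return {server_name: {setting: value}} for every 'edit' entry."""
    servers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            servers[current][m.group(1)] = m.group(2).strip('"')
    return servers


def auto_connecting_servers(text):
    """Names of LDAP servers that will initiate connections by themselves,
    i.e. entries where obtain-user-info is absent (default enable) or enable."""
    return sorted(name for name, s in parse_ldap_servers(text).items()
                  if s.get("obtain-user-info", "enable") != "disable")


def ldap_port(settings):
    """Port to use in a sniffer filter for this server (assumption: explicit
    'set port' wins, otherwise 636 when 'set secure ldaps', otherwise 389)."""
    if "port" in settings:
        return int(settings["port"])
    return 636 if settings.get("secure") == "ldaps" else 389


if __name__ == "__main__":
    cfg = parse_ldap_servers(SAMPLE_SHOW_USER_LDAP)
    for name in auto_connecting_servers(SAMPLE_SHOW_USER_LDAP):
        print(f"{name}: obtain-user-info still enabled, "
              f"sniffer port {ldap_port(cfg[name])}")
```

Run it against a real export by reading the file instead of SAMPLE_SHOW_USER_LDAP; only the servers printed still need the 'set obtain-user-info disable' change from the CLI above.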


A packet capture can be taken to verify whether LDAP traffic is still leaving the FortiGate:


diagnose sniffer packet any 'host x.x.x.x and port 389' 6 0 l <----- Where x.x.x.x is the LDAP server IP (use port 636 if the server is configured for LDAPS). '6' is the verbosity level, '0' captures without a packet limit, and 'l' prints local timestamps.
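Outbound SYN packets from the FortiGate to the LDAP port are the connection attempts this article is about, so counting them in the sniffer output is a direct check that the setting took effect. The following added example (not Fortinet code) parses the text output of 'diagnose sniffer packet' and counts, per LDAP server, the new connections the FortiGate initiates; the sample output is constructed in the header layout the sniffer prints with an interface column and the 'l' timestamp option, and hex-dump lines are skipped. If your firmware prints headers in a different layout, adjust HEADER accordingly.

```python
"""Count LDAP connection attempts the FortiGate itself initiates, from the
text output of 'diagnose sniffer packet'.  Added example, not Fortinet code.

The sample output below is constructed (assumed header layout:
'<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> ...');
hex dump lines from verbosity 6 are ignored."""
import re
from collections import Counter

LDAP_PORTS = {389, 636}   # plain LDAP and LDAPS

SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 10.0.0.10 and port 389]
2024-05-01 10:00:00.100000 port1 out 10.0.0.1.41234 -> 10.0.0.10.389: syn 1111111111
0x0000   0000 5e00 0101 0050 5678 9abc 0800 4500
2024-05-01 10:00:00.102000 port1 in 10.0.0.10.389 -> 10.0.0.1.41234: syn 2222222222 ack 1111111112
2024-05-01 10:00:00.103000 port1 out 10.0.0.1.41234 -> 10.0.0.10.389: ack 2222222223
2024-05-01 10:00:03.100000 port1 out 10.0.0.1.41235 -> 10.0.0.10.389: syn 3333333333
2024-05-01 10:00:06.100000 port1 out 10.0.0.1.41236 -> 10.0.0.10.389: syn 4444444444
"""

HEADER = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'(?P<flags>.*)$')


def parse_headers(text):
    """Return one dict per packet header line; other lines are skipped."""
    return [m.groupdict() for m in map(HEADER.match, text.splitlines()) if m]


def outbound_ldap_syns(text):
    """Counter {ldap_server_ip: number of outbound SYNs}.

    A bare SYN (no ACK flag) leaving the unit toward an LDAP port is a new
    connection the FortiGate initiated; SYN/ACK replies and data packets
    are not counted."""
    attempts = Counter()
    for pkt in parse_headers(text):
        flags = pkt["flags"].split()
        if (pkt["dir"] == "out" and int(pkt["dport"]) in LDAP_PORTS
                and flags and flags[0] == "syn" and "ack" not in flags):
            attempts[pkt["dst"]] += 1
    return attempts


if __name__ == "__main__":
    for server, n in outbound_ldap_syns(SAMPLE_SNIFFER).items():
        print(f"{server}: {n} connection attempt(s) initiated by the FortiGate")
```

With obtain-user-info disabled and no policy, VPN login or connectivity test in progress, the count for the server should stay at zero over the capture window; a steadily growing count means the unit is still initiating connections.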


Packet capture can also be taken directly from the GUI under Network -> Diagnostics.


[Screenshot: Capture.PNG]