Description
This article describes how to configure a secondary LDAP server IP on a FortiGate.
Scope
FortiGate.
Solution
If there are two AD servers in the network, one used as primary and the other as secondary, both can be referenced from a single LDAP server configuration.
config user ldap
    edit "MyLDAP"
        set server "10.34.11.83"
        set secondary-server "10.34.11.84"
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "sAMAccountName"
        set dn "cn=fortinet,cn=.com"
        set type simple
        set two-factor disable
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure disable
        set port 389
        set password-expiry-warning disable
        set password-renewal disable
        set member-attr "memberOf"
        set account-key-processing same
        unset search-type
        set obtain-user-info enable
        set user-info-exchange-server ''
    next
end
In the above example, notice there is a single LDAP server configuration, 'MyLDAP', in which 10.34.11.83 has been configured as the primary LDAP server and 10.34.11.84 as the secondary server IP address.
If the primary server is down, FortiGate will try to reach it multiple times; if it receives no reply, it will contact the secondary server IP configured for authentication.
Below are the commands to configure the secondary LDAP server IP. This is a CLI-only option:
config user ldap
    edit LDAPServerName    <----- LDAP server name.
        set secondary-server x.x.x.x
    next
end
Note:
In the same LDAP server entry, a third server can also be added; it is termed the 'tertiary server'. Configuring multiple servers in this way provides LDAP server redundancy.
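The failover behaviour described above (primary retried, then secondary, then the optional tertiary server) illustrated with an added Python example; this is not FortiOS code, and the retry count of 3 is an assumption since the article does not state how many attempts FortiGate makes. The sample config is copied from the MyLDAP entry above, and the 'replies' callable stands in for a server answering on the LDAP port.

```python
import re
from typing import Callable

# Constructed sample, copied from the article's MyLDAP entry (trimmed).
SAMPLE_CONFIG = """
config user ldap
    edit "MyLDAP"
        set server "10.34.11.83"
        set secondary-server "10.34.11.84"
        set tertiary-server ''
        set port 389
    next
end
"""

def parse_ldap_entry(text: str) -> dict:
    """Collect the 'set key value' pairs of the entry, with quotes removed."""
    entry = {}
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.*)$", text, re.M):
        key, raw = m.group(1), m.group(2).strip()
        entry[key] = raw.strip("'\"")  # '' (unset tertiary) becomes ""
    return entry

def failover_order(entry: dict) -> list:
    """Primary, then secondary, then tertiary; servers left empty are skipped."""
    keys = ("server", "secondary-server", "tertiary-server")
    return [entry[k] for k in keys if entry.get(k)]

def pick_server(entry: dict, replies: Callable[[str, int], bool],
                retries: int = 3) -> tuple:
    """Walk the failover order, retrying a silent server `retries` times
    (assumed value) before moving on. Returns (server, attempts), with
    server None when no configured server ever replied."""
    port = int(entry.get("port", 389))
    attempts = []
    for host in failover_order(entry):
        for _ in range(retries):
            attempts.append(host)
            if replies(host, port):
                return host, attempts
    return None, attempts

def demo() -> tuple:
    """Primary 10.34.11.83 down, secondary 10.34.11.84 answering."""
    entry = parse_ldap_entry(SAMPLE_CONFIG)
    return pick_server(entry, lambda host, port: host == "10.34.11.84")
```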
Copyright 2024 Fortinet, Inc. All Rights Reserved.