FortiGate
carabhavi
Staff
Article Id 196248

Description


This article describes how to configure a secondary (and tertiary) LDAP server IP address within a single LDAP server object on a FortiGate.

 

Scope

 

FortiGate.

Solution
If there are two AD servers in the network, one used as the primary and the other as the secondary, both can be configured within a single LDAP server object.

 

config user ldap
    edit "MyLDAP"
        set server "10.34.11.83"
        set secondary-server "10.34.11.84"
        set tertiary-server ''
        set source-ip 0.0.0.0
        set cnid "sAMAccountName"
        set dn "cn=fortinet,cn=.com"
        set type simple
        set two-factor disable
        set group-member-check user-attr
        set group-search-base ''
        set group-filter ''
        set secure disable
        set port 389
        set password-expiry-warning disable
        set password-renewal disable
        set member-attr "memberOf"
        set account-key-processing same
        unset search-type
        set obtain-user-info enable
        set user-info-exchange-server ''
    next
end

 

In the above example, notice there is a single LDAP server configuration 'MyLDAP' in which 10.34.11.83 is configured as the primary LDAP server and 10.34.11.84 as the secondary server IP address.
If the primary server is down, the FortiGate will retry it multiple times; if no reply is received, it will fall back to the secondary server IP configured for authentication.

Below are the commands to configure the secondary LDAP server IP. This is a CLI-only option:

 

config user ldap
    edit LDAPServerName                          <----- LDAP server name.
        set secondary-server x.x.x.x             <----- IP address of the secondary LDAP server.
    next
end

 

Note:

A third server, termed the 'tertiary server', can also be added to the same LDAP server object with 'set tertiary-server x.x.x.x'. Configuring multiple servers in this way provides redundant LDAP servers for authentication.
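The following CLI session is an added example, not part of the original article. It adds a tertiary server to the article's 'MyLDAP' object, replaces the cleartext simple bind on port 389 shown in the example above (set secure disable, set port 389, which sends user passwords to the AD server unencrypted) with LDAPS and server certificate validation, and then tests authentication so that failover can be verified by repeating the test with the primary server unreachable. The addresses 10.34.11.83 and 10.34.11.84 are the article's; the tertiary address 10.34.11.85, the CA certificate name 'AD-Root-CA' and the test account 'jdoe' are assumed placeholders.

```fortios
# Added example, not from the original article.
# 10.34.11.85, "AD-Root-CA" and "jdoe" are assumed placeholders.

# 1. Primary, secondary and tertiary server in one LDAP object.
#    Editing an existing entry keeps its other settings unchanged.
config user ldap
    edit "MyLDAP"
        set server "10.34.11.83"
        set secondary-server "10.34.11.84"
        set tertiary-server "10.34.11.85"
    next
end

# 2. Weak setting from the article's example: cleartext simple bind.
#        set secure disable
#        set port 389
#    Hardened: LDAPS on 636 with the AD CA certificate checked.
#    "AD-Root-CA" must first be imported under System > Certificates
#    (or via config vpn certificate ca).
config user ldap
    edit "MyLDAP"
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set server-identity-check enable
    next
end

# 3. Test a bind through the object. Run it once normally, then again with
#    10.34.11.83 blocked or offline; the second run should still succeed
#    after the FortiGate falls back to the secondary server.
diagnose test authserver ldap MyLDAP jdoe <password>
```

The same port change applies to every server in the object: all three AD servers must accept LDAPS on 636 and present certificates issued by the configured CA, otherwise the fallback servers will fail the bind even though they are reachable.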
