This article describes the operation of the LDAP cache in FortiManager, how to manually delete the LDAP cache and how to modify the LDAP cache timeout.
FortiManager
FortiManager uses an embedded LDAP browser to allow administrators to select Active Directory objects, like users and groups, as members of firewall user groups, which can be pushed to the managed FortiGates.
The same LDAP browser is also used for selecting FSSO groups within the respective connectors.
The first time FortiManager connects to the LDAP server, it retrieves and caches the users and groups in a dedicated directory on the disk.
By default, the LDAP cache timeout is 24 hours, so a group newly added in Active Directory does not appear in the FortiManager LDAP browser until the cached entry expires, which can be up to a day later.
The following CLI command can be used to manually delete the LDAP cache without changing the global timeout setting:
diagnose report clean ldap-cache
The following CLI setting defines the LDAP cache timeout in seconds (range 1 - 31536000; 0 disables the cache entirely). The default of 24 hours corresponds to 86400 seconds; the example below shortens it to 60 seconds:
config system global
set ldap-cache-timeout 60
end
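The complete sequence a practitioner would typically run, shown here as an added example session (not taken from the original article): first read the current timeout, then clear the cache once, then shorten the timeout and confirm the new value. The hostname prompt "FMG" and the exact output formatting of "get system global" are assumptions; "get system global" is the standard FortiManager command to display the global settings, and the grep pipe narrows the output to the relevant key.

```text
FMG # get system global | grep ldap-cache
ldap-cache-timeout  : 86400

FMG # diagnose report clean ldap-cache

FMG # config system global
FMG (global) # set ldap-cache-timeout 60
FMG (global) # end

FMG # get system global | grep ldap-cache
ldap-cache-timeout  : 60
```

The first "get" confirms the unit is still at the 24-hour default (86400 seconds) before anything is changed; the "diagnose" command forces a fresh LDAP retrieval on the next browser use without touching the global setting; the final "get" verifies that the new timeout was committed. Setting the value to 0 instead of 60 would disable caching, which is appropriate on a pure FortiManager but should be avoided where FortiAnalyzer features are in use, as described in the note below.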
Note:
In FortiManager, it is usually safe to disable the LDAP cache completely (timeout 0 seconds), because LDAP searches are only performed when new groups are selected for the FortiGates or when an administrator authenticates via LDAP.
In FortiAnalyzer (or FortiManager with FortiAnalyzer features enabled), however, the number of LDAP queries can be significantly higher, for example when an LDAP filter is used in reports. Without a cache, every such query goes to the directory server, which unnecessarily increases network bandwidth and can cause load problems on the LDAP server side.
Copyright 2025 Fortinet, Inc. All Rights Reserved.