Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers

Multiple LDAP servers can be assigned to a single Kerberos keytab entry and to a single agentless NTLM domain controller entry. When a user authenticates with Kerberos (against the keytab) or with agentless NTLM (against the domain controller), the FortiGate resolves that user's group membership through the assigned LDAP servers, so one keytab or domain controller entry can serve users whose accounts live in different Active Directory forests. This is what makes multi-forest deployments possible without a separate keytab or domain controller entry per forest.

To use multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers:
  1. Add one LDAP server per forest (each bind account needs read access to the users and groups that will be looked up on that server):

    config user ldap
        edit "ldap-kerberos"
            set server "172.16.200.98"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password xxxxxxxxx
        next
        edit "ldap-two"
            set server "172.16.106.128"
            set cnid "cn"
            set dn "OU=Testing,DC=ad864r2,DC=com"
            set type regular
            set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
            set password xxxxxxxxx
        next
    end
  2. Configure a Kerberos keytab entry that uses both LDAP servers:

    config user krb-keytab
        edit "http_service"
            set pac-data disable
            set principal "HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL"
            set ldap-server "ldap-kerberos" "ldap-two"
            set keytab xxxxxxxxx
        next
    end
  3. Configure a domain controller that uses both LDAP servers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.16.200.98
            set ldap-server "ldap-two" "ldap-kerberos"
        next
    end
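
The three steps above create the objects but do not yet put them in the authentication path. The following is an added example, not part of the original page, showing how the two LDAP servers, the keytab "http_service" and the domain controller "dc1" from the steps above are consumed: a user group whose match entries pin one AD group per forest to the server it lives on, an authentication scheme that tries Kerberos first and falls back to agentless NTLM, an authentication rule and a firewall policy that apply it, and the diagnose commands used to verify each LDAP bind and group lookup. The group DNs, the scheme, rule and policy names, the interface names and the test user names are assumptions for illustration; lines beginning with `#` are comments.

```text
# User group spanning both forests. The members are the two LDAP servers
# from step 1; each match entry ties a group DN to the server that holds it
# (the group DNs are assumed for illustration).
config user group
    edit "multi-forest-users"
        set member "ldap-kerberos" "ldap-two"
        config match
            edit 1
                set server-name "ldap-kerberos"
                set group-name "CN=Domain Users,CN=Users,DC=fortinetqa,DC=local"
            next
            edit 2
                set server-name "ldap-two"
                set group-name "CN=Domain Users,CN=Users,DC=ad864r2,DC=com"
            next
        end
    next
end

# Authentication scheme: Kerberos using the keytab from step 2, with
# agentless NTLM against the domain controller from step 3 as fallback.
config authentication scheme
    edit "krb-ntlm"
        set method negotiate
        set negotiate-ntlm enable
        set kerberos-keytab "http_service"
        set domain-controller "dc1"
    next
end

# Authentication rule applying the scheme to HTTP traffic from any source.
config authentication rule
    edit "krb-ntlm-rule"
        set srcaddr "all"
        set protocol http
        set active-auth-method "krb-ntlm"
    next
end

# Firewall policy that only admits members of the multi-forest group
# (interface names are assumed).
config firewall policy
    edit 1
        set name "allow-multi-forest-users"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "multi-forest-users"
        set nat enable
    next
end

# Checks: confirm the bind and the group lookup on each server with a real
# test account from that forest before relying on the group in policy, then
# trace the authentication daemon while a client signs in.
diagnose test authserver ldap ldap-kerberos testuser1 <password>
diagnose test authserver ldap ldap-two testuser2 <password>
diagnose debug application fnbamd -1
diagnose debug enable
```

Two points worth checking while you adapt this. First, the match entries are per server: a group DN is only searched on the LDAP server named in its entry, so a user from the ad864r2 forest is never matched against a fortinetqa group and vice versa, which is the behaviour you want in a multi-forest setup. Second, the bind accounts shown on the page are administrative (CN=root and Testadmin) and the `config user ldap` entries bind in clear text on port 389; in production use a dedicated read-only bind account per forest and add `set secure ldaps` with `set port 636` (and a `set ca-cert`) to each LDAP server entry so the bind credentials and directory queries are not exposed on the wire.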