Administration Guide

Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers

Multiple LDAP servers can be configured in Kerberos keytabs and agentless NTLM domain controllers for multi-forest deployments.

To use multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers:
  1. Add multiple LDAP servers:

    config user ldap
        edit "ldap-kerberos"
            set server "172.16.200.98"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password xxxxxxxxx
        next
        edit "ldap-two"
            set server "172.16.106.128"
            set cnid "cn"
            set dn "OU=Testing,DC=ad864r2,DC=com"
            set type regular
            set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
            set password xxxxxxxxx
        next
    end
  2. Configure a Kerberos keytab entry that uses both LDAP servers:

    config user krb-keytab
        edit "http_service"
            set pac-data disable
            set principal "HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL"
            set ldap-server "ldap-kerberos" "ldap-two"
            set keytab xxxxxxxxx
        next
    end
  3. Configure a domain controller that uses both LDAP servers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.16.200.98
            set ldap-server "ldap-two" "ldap-kerberos"
        next
    end
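The three steps above only work if every name given to `set ldap-server` in the keytab and domain-controller entries matches an entry under `config user ldap`, and if the two LDAP entries really point at different forests (different base DNs). The following added example (not Fortinet's code, and not something FortiOS provides) parses the CLI snippets from this page as plain text and checks those two conditions offline, so a configuration exported for review can be validated before it is pushed. It assumes single-level `config`/`edit`/`set`/`next`/`end` blocks as shown above; nested sub-tables are not handled.

```python
import re
from typing import Dict, List

Tables = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed sample: the three CLI blocks from the steps above, joined into one
# text (the password and keytab values are the page's own placeholders).
SAMPLE_CONFIG = """
config user ldap
    edit "ldap-kerberos"
        set server "172.16.200.98"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password xxxxxxxxx
    next
    edit "ldap-two"
        set server "172.16.106.128"
        set cnid "cn"
        set dn "OU=Testing,DC=ad864r2,DC=com"
        set type regular
        set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
        set password xxxxxxxxx
    next
end
config user krb-keytab
    edit "http_service"
        set pac-data disable
        set principal "HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL"
        set ldap-server "ldap-kerberos" "ldap-two"
        set keytab xxxxxxxxx
    next
end
config user domain-controller
    edit "dc1"
        set ip-address 172.16.200.98
        set ldap-server "ldap-two" "ldap-kerberos"
    next
end
"""


def split_values(rest: str) -> List[str]:
    """Split the arguments of a `set` line, keeping double-quoted values whole."""
    return [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]


def parse_fortios(text: str) -> Tables:
    """Parse single-level FortiOS config/edit/set/next/end blocks into
    {table: {entry: {key: [values]}}}. Nested `config` sub-tables are not
    handled (assumption: none appear in the snippets on this page)."""
    tables: Tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = split_values(line[len("edit "):])[0]
            tables[table][entry] = {}
        elif line.startswith("set ") and table is not None and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            tables[table][entry][key] = split_values(rest)
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def check_ldap_references(tables: Tables) -> List[str]:
    """Report keytab and domain-controller entries whose ldap-server list is
    empty, names an undefined `config user ldap` entry, or points several
    resolvable servers at the same base DN (so no second forest is covered)."""
    ldap = tables.get("user ldap", {})
    problems: List[str] = []
    for table in ("user krb-keytab", "user domain-controller"):
        for name, attrs in tables.get(table, {}).items():
            refs = attrs.get("ldap-server", [])
            if not refs:
                problems.append(f"{table} {name}: no ldap-server set")
            for ref in refs:
                if ref not in ldap:
                    problems.append(f"{table} {name}: ldap-server {ref!r} is not defined")
            resolved = [r for r in refs if r in ldap]
            bases = {ldap[r].get("dn", [""])[0].lower() for r in resolved}
            if len(resolved) > 1 and len(bases) < len(resolved):
                problems.append(f"{table} {name}: referenced LDAP servers share a base DN")
    return problems


if __name__ == "__main__":
    found = check_ldap_references(parse_fortios(SAMPLE_CONFIG))
    print("\n".join(found) if found else "all ldap-server references resolve")
```

Run against the page's own snippets the check reports nothing; rename one of the referenced servers (or delete one `config user ldap` entry) and it lists the dangling reference, which is the kind of mismatch that otherwise only surfaces as failed Kerberos or NTLM logons.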
