Troubleshooting Tip: How to fix 'Admin Reset Password Failed: Insufficient Access' during Password Reset in Self-Service Portal (Pre-Login Services)
Description
This article describes how to resolve 'Admin Reset Password Failed: Insufficient Access' when resetting a password in the Self-Service Portal Pre-Login Services.
Scope
FortiAuthenticator.
Solution
When 'Password Reset' is enabled for Pre-Login Services in the Self-Service Portal, users can reset passwords by selecting 'Forgot password'. In this scenario, the account being reset belongs to a remote LDAP user.


However, while changing the password, the following error may appear: 'Password change failed. Please contact your system administrator.'

Analysis of the raw logs in FortiAuthenticator confirms that the LDAP bind user lacks the required permissions to perform password reset operations, as shown below:
Failed to change LDAP user 'CN=test_user,OU=IT,OU=Users,OU=Security_team,DC=test,DC=local' password: admin reset password failed: Insufficient access
After providing the required permissions to the LDAP bind user, a remote user can reset their password in the Self-Service Portal Pre-Login Services.
Furthermore, FortiAuthenticator requires a specific configuration to support password change operations for remote LDAP users, as detailed in 'Technical Tip: Requirements for user password change with FortiAuthenticator as user database' and 'Technical Tip: How to allow an LDAP user to change password at first logon or renew an expired password With FortiAuthenticator as Radius server'.
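The following is an added example, not part of the original article and not Fortinet code: a Python script that scans exported log lines for the failure message shown above and counts 'Insufficient access' failures per parent container, which shows where the LDAP bind user's permissions need review. The timestamp prefix, the sample lines other than the article's DN, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text as shown in the article; any prefix on the log line is ignored.
FAILURE = re.compile(
    r"Failed to change LDAP user '(?P<dn>.+?)' password: "
    r"admin reset password failed: (?P<reason>.+?)\s*$"
)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (a backslash escapes a comma)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            current.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append("".join(current))
            current = []
    rdns.append("".join(current))
    return rdns

def parent_container(dn):
    """Drop the leaf RDN to get the OU/container the user object sits in."""
    return ",".join(split_dn(dn)[1:])

def triage(lines):
    """Count 'Insufficient access' reset failures per parent container."""
    hits = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m and m.group("reason").lower() == "insufficient access":
            hits[parent_container(m.group("dn"))] += 1
    return hits

# Constructed sample lines: the message format and first DN come from the
# article; timestamps, the other DNs and the last reason are invented.
MSG = "Failed to change LDAP user '{}' password: admin reset password failed: {}"
BASE = "OU=IT,OU=Users,OU=Security_team,DC=test,DC=local"
SAMPLE = [
    "2024-01-01T10:00:00 " + MSG.format("CN=test_user," + BASE, "Insufficient access"),
    "2024-01-01T10:05:00 " + MSG.format("CN=O'Brien\\, Pat," + BASE, "Insufficient access"),
    "2024-01-01T10:06:00 " + MSG.format("CN=hr_user,OU=HR,DC=test,DC=local", "Constraint violation"),
]

if __name__ == "__main__":
    for container, count in triage(SAMPLE).most_common():
        print(count, container)
```

Containers that appear in the output are the ones where the bind user could not reset passwords; failures with other reasons are left out because changing the bind user's permissions would not resolve them.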