Skip to main content
renatoconeglian
renatoconeglian
New Member
August 12, 2022
Solved

Fortigate LDAP Expired Password Reset + Google Cloud Directory Sync not working

  • August 12, 2022
  • 1 reply
  • 2441 views

Hi friends! How are you?

 

We are following a tutorial:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-expired-password-LDAP-renewal-with-Active/ta-p/191879

 

But we found an issue with GCDS. We use Active Directory and Google Cloud Directory, and our LDAP syncs with Google via Google Cloud Directory Sync (GCDS).

 

Using Remote Desktop to the Active Directory server, when we right-click an AD user and select Reset Password and change it, GCDS runs as well and change the user's password on Google Cloud Directory.

 

But we tried using the steps described on that tutorial but Google Cloud Directory seems to not activate when the user changes It's password via FortiClient VPN GUI.

 

FortiClient is able to detect that the password expired and must be changed on next logon, it pop's the new password window, the user applies it, the password changes at Active Directory but GCDS doesn't get activated, so the user will now have 2 passwords, 1 for AD and 1 for Google... Do you guys have any guess on what we should do to fix that?

 

Thanks a lot in advance!

Best answer by renatoconeglian

Hi @Anonymous thanks for the reply and sorry for the delay on our response. We were trying solutions for this theme and for now, we are testing a solution:
We have 2 instances of Active Directory (one is a redundant instance) and we found out that we do need one GCDS installation but 2 password sync installations, and we had one.

 

Now we are operating with password sync running on both Active Directories and looks like the GCDS is working fine with Forticlient now.

1 reply

A
Anonymous_User
Contributor
August 15, 2022

Hello @renatoconeglian,

 

                    Thanks for reaching Fortinet Community.

Could you let us know if this is a new set up or the issue started post a firmware upgrade? From the description it seems like the password change request has been sent through to the remote devices.

Could you perform a packet capture on the firewall and replicate the issue? This could give us more details.

 

Thanks and regards,

renatoconeglian
renatoconeglianAuthorAnswer
New Member
October 7, 2022

Hi @Anonymous thanks for the reply and sorry for the delay on our response. We were trying solutions for this theme and for now, we are testing a solution:
We have 2 instances of Active Directory (one is a redundant instance) and we found out that we do need one GCDS installation but 2 password sync installations, and we had one.

 

Now we are operating with password sync running on both Active Directories and looks like the GCDS is working fine with Forticlient now.

Terms & ConditionsAccessibility statement