Skip to main content
echo
echo
Explorer II
November 3, 2015
Solved

LDAP auth and password change over VPN

  • November 3, 2015
  • 1 reply
  • 38622 views

Hello! Who can make sense of these two pieces of information?

 

FortiOS Handbook: Authentication for FortiOS 5.2, PDF file, page 28:

password-expiry-warning and password-renewal In SSLVPN, when an LDAP user is connecting to the LDAP server it is possible for them to receive any pending password expiry or renewal warnings. When the password renewal or expiry warning exists, SSLVPN users will see a prompt allowing them to change their password. password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes. password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.

 

Fortigate-cli-5.2.pdf, page 720:

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

 

And below this, there are options:

config user ldap

edit <server_name>

set password-expiry-warning {disable | enable}

set password-renewal {disable | enable}

...

end

 

Now why I am asking this is that I enabled these two options and set my own account in a state where I should change my password in next logon which I did with VPN (with Windows AD). FortiClient really tells me that I have to change my password but when I do this by entering new password twice, I just get Permission denied (-455) or something like that and that's it. What is wrong here? I even added the internal user that authenticates LDAP to Domain Admins group but that didn't help to really password successfully and log in. When I checked from AD server which password actually works, old or the entered new one, it turned out that the password wasn't actually changed.

 

Any hints or experience with this?

Thank you.

    Best answer by xsilver_FTNT

    Hello,

     

    both pieces are true, however can be stated in more clear form that password renewal/warning stated by LDAP server is processed by FortiGate and user is prompted accordingly. BUT that feature has two pre-requisities:

     

    1) works with Microsoft AD server ONLY !

    so second statement page 720 (as mentioned, I haven't checked page content) is true as those do not support similar functionalities for other LDAP servers in wild (Oracle, IBM, OpenLDAP just examples). Feature was desined completely around MS AD. If you need that for other servers, please contact our sales representatives and open New Feature Request.

     

    2) LDAP server on FortiGate has to be LDAP(S) !

    As password expiry and renewal is bond to credentials handshakes it has to be encrypted connection. It is NOT supported on plain unencrypted LDAP config.

     

    Hope it clarified info a bit.

     

    Kind regards, Tomas

    1 reply

    xsilver_FTNT
    Staff
    xsilver_FTNTAnswer
    Staff
    November 3, 2015

    Hello,

     

    both pieces are true, however can be stated in more clear form that password renewal/warning stated by LDAP server is processed by FortiGate and user is prompted accordingly. BUT that feature has two pre-requisities:

     

    1) works with Microsoft AD server ONLY !

    so second statement page 720 (as mentioned, I haven't checked page content) is true as those do not support similar functionalities for other LDAP servers in wild (Oracle, IBM, OpenLDAP just examples). Feature was desined completely around MS AD. If you need that for other servers, please contact our sales representatives and open New Feature Request.

     

    2) LDAP server on FortiGate has to be LDAP(S) !

    As password expiry and renewal is bond to credentials handshakes it has to be encrypted connection. It is NOT supported on plain unencrypted LDAP config.

     

    Hope it clarified info a bit.

     

    Kind regards, Tomas

    echo
    echoAuthor
    Explorer II
    November 3, 2015

    Little bit further trying after your information and I got it working.

    It is also written in the Handbook at page 28 that "When changing passwords on a Windows AD system, the connection must be SSL-protected." -- which wasn't immediately clear to me that SSL goes for LDAP connection, it rather looked like a general note about changing passwords and I am already dealing with SSL-VPN. Now I changed the LDAP connection to Secure (LDAPS) _and_ added the user name that is being used for LDAP queries to domain admins group and then I could really change the password.

    Thank you very much for information!

    pvarlien
    pvarlien
    New Member
    October 6, 2016

    It is sufficient for the user name that is being used for LDAP queries to be a member of the "Account Operators" group for the password change dialogue to work.

     

    It may be that this will work if this user has even fewer priviledges than those conferred by the "Account Operators" group, but I haven't researched this. I just totally recoiled from the idea that an account like this should have "Domain Administrator" priviledges, and picked something more restricted, that would do the job.

    Terms & ConditionsAccessibility statement