Skip to main content
rb043
rb043
Explorer
May 5, 2023
Question

SSLVPN Password Reset over LDAP not working via GUI

  • May 5, 2023
  • 2 replies
  • 3323 views

I've followed this guide meticulously for our LDAP configuration on our Fortigate 80F. See below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-expired-password-LDAP-renewal-with-Active/ta-p/191879#:~:text=On%20the%20%27Users%20and%20Groups,and%20then%20select%20%27Next%27.

 

The authentication and group assignment is working perfectly, including the CLI commands for diagnosing the delegation and confirming you can change a user password from Fortigate, command example below:
dia test authserver ldap testdomain jdoe OldPassword1234#

 

However, when using the web gui to get to admin and subsequently an account which is set to reset on next logon,  get the change password screen and copy/paste the old and new passwords (to ensure I'm not getting it wrong!), but I consistently get an error saying "Invalid Old Password" - but I know the password is correct and if I immediately go to the CLI and run the diagnose command above, it works perfect. So I know it's not an LDAP issue or an issue in the config of the LDAP server on Forti. 

 

Any ideas on this one? For further clarification the password has special characters both before and after, and also adheres to the password policy both before and after. 

 

Aside from this, LDAP authentication is working perfect.

2 replies

ndumaj
Staff
ndumaj
Staff
May 5, 2023

Hi,

What is your FGT version?
There is a ticket ID 782158 - "The ç character is not accepted by an LDAPS password change" - that means that pass change doesn't work if your pass contains non-ASCII characters, and the issue is solved on v7.2.1.
https://docs.fortinet.com/document/fortigate/7.2.1/fortios-release-notes/289806/resolved-issues

BR

    rb043
    rb043Author
    Explorer
    May 5, 2023

    We're on 7.0.10, although contemplating patching it anyway as I had a feeling this would be the case! 

    That's a good find, thank you. I searched high and low but couldn't find anything related. I think I'll confirm it by changing the policy temporarily to allow all ascii, then get the update in. 

    I'm guessing there's no update available for the 7.0 range (e.g. take to 7.0.11), and instead I need to stage it right through to 7.2.1?

    ndumaj
    Staff
    ndumaj
    Staff
    May 5, 2023

    Hi,
    Unfortunately at the moment there is no fix available on 7.0.x, the fix is only available on v7.2.1 and above.
    BR

      rb043
      rb043Author
      Explorer
      May 5, 2023

      That's a shame - but a good excuse to upgrade! 

      I've confirmed it now between another site (7.2.1+) and it's consistent, works fine. 

      Upgrade incoming... Thanks for your help

      Terms & ConditionsAccessibility statement