FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kiri
Staff
Article Id 222278
Description This article describes the requirements for changing a Windows AD (LDAP) user password through FortiAuthenticator.

Windows AD users can change their own passwords (for example when the password has expired) through FortiAuthenticator, without a Windows AD system administrator having to change anything on the network or reset the password for them.

FortiAuthenticator supports a password change in three ways: RADIUS login, GUI user login, and the GUI user portal.

RADIUS login (for example, SSL VPN):

For this method to work, ALL of the following conditions must be met:

  • FortiAuthenticator has joined the Windows AD domain.
  • The RADIUS client has been configured to 'Use Windows AD domain authentication'.
  • The RADIUS authentication request uses MS-CHAPv2 (a PAP or CHAP request has no way to carry a password change).
  • The RADIUS client (NAS) must also support the MS-CHAPv2 password change exchange (the MS-CHAP2-CPW attribute of RFC 2548).

When the account's password has expired or must be changed, Windows AD answers the MS-CHAPv2 attempt with a 'change password' failure (an MS-CHAP-Error carrying E=648, ERROR_PASSWD_EXPIRED, in RFC 2759 terms). FortiAuthenticator recognizes this response and forwards it to the NAS; the NAS prompts the user and sends the MS-CHAPv2 change-password exchange back through FortiAuthenticator to the Windows AD server, which results in the password change. A NAS that does not support the exchange simply reports the login as failed.
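To see what that 'change password' response looks like on the wire, here is an added example (not code from this page or from Fortinet): it builds and decodes the MS-CHAP-Error vendor attribute that carries the MS-CHAPv2 failure string, and applies the four conditions above to decide whether a change can be offered. The packet bytes and the Ident value are constructed for the example, not captured from a FortiAuthenticator.

```python
"""Decode the MS-CHAPv2 'change password' signal in a RADIUS reply.

Added example, not Fortinet code. An expired AD password reaches the NAS as an
MS-CHAP-Error vendor attribute (RFC 2548: Vendor-Specific type 26, vendor 311,
vendor-type 2, one Ident byte, then the failure string) whose string reads
"E=648 R=r C=<challenge> V=3 M=<text>" (RFC 2759 section 6; 648 is
ERROR_PASSWD_EXPIRED). The packet bytes below are constructed, not captured."""
import re
import struct

RADIUS_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311
MS_CHAP_ERROR = 2              # vendor-type of MS-CHAP-Error
ERROR_PASSWD_EXPIRED = 648     # the only MS-CHAPv2 error that permits Change-Password


def build_ms_chap_error(ident, message):
    """Encode one Vendor-Specific attribute carrying MS-CHAP-Error (used for the sample)."""
    vsa = struct.pack("!BB", MS_CHAP_ERROR, 3 + len(message)) + bytes([ident]) + message.encode("ascii")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vsa), MS_VENDOR_ID) + vsa


def parse_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    off = 0
    while off + 2 <= len(data):
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[off + 2:off + alen]
        off += alen


def parse_failure_string(text):
    """Split "E=648 R=1 C=... V=3 M=Password expired" into a dict."""
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", text))
    m = re.search(r"\bM=(.*)$", text)
    if m:
        fields["M"] = m.group(1)
    return fields


def parse_ms_chap_error(data):
    """Return (ident, fields) for the first MS-CHAP-Error in the attribute list, else None."""
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):   # several vendor attrs may be stacked
            if vtype == MS_CHAP_ERROR and vvalue:
                return vvalue[0], parse_failure_string(vvalue[1:].decode("ascii", "replace"))
    return None


def password_change_offered(fields, domain_joined, ad_auth_on_client, nas_supports_cpw):
    """The article's conditions plus the protocol signal: only an E=648 failure
    (version 3) lets the NAS continue with the MS-CHAPv2 Change-Password exchange."""
    if not (domain_joined and ad_auth_on_client and nas_supports_cpw):
        return False
    return fields.get("E") == str(ERROR_PASSWD_EXPIRED) and fields.get("V") == "3"


# Constructed samples: the Ident (7) matches the MS-CHAP2-Response being answered.
SAMPLE_EXPIRED = build_ms_chap_error(
    7, "E=648 R=1 C=0123456789abcdef0123456789abcdef V=3 M=Password expired")
SAMPLE_DENIED = build_ms_chap_error(7, "E=691 R=1 C=00 V=3 M=Authentication failure")

if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRED, SAMPLE_DENIED):
        ident, fields = parse_ms_chap_error(sample)
        print(ident, fields, password_change_offered(fields, True, True, True))
```

In a capture of FortiAuthenticator's reply to the NAS, this attribute with E=648 is the signal the NAS needs in order to start the MS-CHAPv2 change-password exchange (MS-CHAP2-CPW and MS-CHAP-NT-Enc-PW attributes, RFC 2548); a reply with E=691 is an ordinary failure and no change will be offered. If the reply carries no MS-CHAP-Error at all, the failure string is not reaching the NAS, so check the domain join and the RADIUS client's 'Use Windows AD domain authentication' setting first.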

GUI user login:

For this method to work, ONE of the following conditions must be met (either way the password traffic between FortiAuthenticator and Windows AD is encrypted, which Windows AD requires before it will accept a password change):

  • FortiAuthenticator has joined the Windows AD domain.
  • Secure LDAP (LDAPS) is enabled on the LDAP server entry in FortiAuthenticator and the bind account configured there (the regular bind, not the user's own credentials) has the right to reset user passwords in Windows AD. Delegate only the 'Reset Password' right on the OUs that hold the affected users rather than using a highly privileged account: the credential is stored on the FortiAuthenticator and can reset any password it has rights over.

The user logs in via the GUI portal. FortiAuthenticator validates the user's password against the Windows AD server. If the Windows AD server returns a 'change password' response, the user is prompted to enter a new password.

GUI user portal:

For this method to work, ONE of the following conditions must be met (either way the password traffic between FortiAuthenticator and Windows AD is encrypted, which Windows AD requires before it will accept a password change):

  • FortiAuthenticator has joined the Windows AD domain.
  • Secure LDAP (LDAPS) is enabled on the LDAP server configuration in FortiAuthenticator.

After successfully logging into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal.
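Why both GUI paths need an encrypted connection, and why the GUI user login path additionally needs reset rights on the bind account, is easiest to see from the LDAP operations Windows AD expects. The following is an added example written for this page, not FortiAuthenticator code, and it does not claim to reproduce how FortiAuthenticator issues the requests: it encodes a privileged reset (replace unicodePwd) and a self-service change (delete old value, add new value) with the standard library only. The host, bind account, DNs and passwords are hypothetical.

```python
"""Encode the two LDAP password operations that Windows AD accepts over LDAPS.

Added example, not FortiAuthenticator code: it shows the AD-side operations behind
the requirements above, not how FortiAuthenticator implements them. unicodePwd is
written as the new password in double quotes, UTF-16-LE, and AD accepts it only on
an encrypted connection (LDAPS on 636 here; the same modify on plain port 389 is
refused). A reset is one 'replace' issued by a bind account that holds the Reset
Password right; a self-service change is 'delete old value' + 'add new value' in one
modify, bound as the user, so no delegated right is needed. Host and DNs are
hypothetical. Stdlib only: a minimal BER encoder plus ssl/socket."""
import socket
import ssl


def ber(tag, payload):
    """One BER TLV with a definite length (short form below 128, long form above)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value, tag=0x02):
    """INTEGER (or ENUMERATED with tag 0x0A), two's-complement big-endian."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_str(s, tag=0x04):
    return ber(tag, s.encode("utf-8"))


def unicode_pwd(password):
    """AD's unicodePwd wire format: the password in double quotes, UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def simple_bind(msg_id, dn, password):
    """LDAPMessage{ BindRequest [APPLICATION 0]{ version 3, name, simple [0] password } }."""
    body = ber_int(3) + ber_str(dn) + ber(0x80, password.encode("utf-8"))
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))


def modify(msg_id, dn, changes):
    """LDAPMessage{ ModifyRequest [APPLICATION 6]{ object, SEQUENCE OF { op, { type, SET OF vals } } } }.
    changes: list of (op, attribute, [raw values]); op 0 = add, 1 = delete, 2 = replace."""
    seq = b""
    for op, attr, vals in changes:
        vals_set = ber(0x31, b"".join(ber(0x04, v) for v in vals))
        seq += ber(0x30, ber_int(op, 0x0A) + ber(0x30, ber_str(attr) + vals_set))
    return ber(0x30, ber_int(msg_id) + ber(0x66, ber_str(dn) + ber(0x30, seq)))


def admin_reset(user_dn, new_password, msg_id=2):
    """Reset by a privileged bind: a single 'replace' of unicodePwd (Reset Password right)."""
    return modify(msg_id, user_dn, [(2, "unicodePwd", [unicode_pwd(new_password)])])


def self_change(user_dn, old_password, new_password, msg_id=2):
    """Change by the user's own bind: delete the old value and add the new one atomically;
    AD checks the old value and enforces the password policy."""
    return modify(msg_id, user_dn, [
        (1, "unicodePwd", [unicode_pwd(old_password)]),
        (0, "unicodePwd", [unicode_pwd(new_password)]),
    ])


def send_over_ldaps(host, messages, cafile, port=636):
    """Send the messages over TLS (server certificate verified against cafile) and
    return the raw replies; not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw, ctx.wrap_socket(raw, server_hostname=host) as s:
        replies = []
        for m in messages:
            s.sendall(m)
            replies.append(s.recv(4096))
        return replies


if __name__ == "__main__":
    user = "CN=Alice,OU=Users,DC=example,DC=com"          # hypothetical DN
    reset = [simple_bind(1, "CN=fac-bind,OU=Service,DC=example,DC=com", "bind-secret"),
             admin_reset(user, "N3w-Passw0rd!")]
    change = [simple_bind(1, user, "Old-Passw0rd!"),
              self_change(user, "Old-Passw0rd!", "N3w-Passw0rd!")]
    print("reset bytes:", reset[1].hex())
    print("change bytes:", change[1].hex())
    # send_over_ldaps("dc1.example.com", reset, cafile="ad-root-ca.pem")  # hypothetical host/CA
```

The reset path is the one that requires the delegated right: the user's own credential is expired, so the modify has to be issued under the bind account. The self-service path needs only the user's current password, which is why it works for a user who is already logged in. In both cases the server certificate is verified against the AD CA; accepting any certificate on port 636 would let a spoofed domain controller collect new passwords.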

Scope FortiAuthenticator 6.X.
Solution

Joining the domain covers all three use cases: RADIUS login, GUI user login, and GUI user portal.

LDAPS alone covers only two of them, GUI user login and GUI user portal. A password change over RADIUS is not possible with LDAPS only, because the MS-CHAPv2 change-password path depends on the domain join.

For security and user experience, it is recommended to join the domain and also enable LDAPS, so that all three paths work and the LDAP traffic to Windows AD is encrypted.

Additionally, for the domain join, the FortiAuthenticator system time must be correct (use NTP, ideally the same time source as the domain controllers); the join relies on Kerberos, which by default rejects a clock skew of more than 5 minutes. FortiAuthenticator must also be able to resolve the domain's '_ldap' SRV records (such as '_ldap._tcp.dc._msdcs.<domain>') from its configured DNS server, which typically has to be the domain's DNS server.
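Both prerequisites can be checked before attempting the join. The following added example (not Fortinet code) resolves the domain-controller SRV records with nothing but the standard library and checks a clock offset against the Kerberos tolerance. The domain example.com, the DNS server 10.0.0.53 and the sample answer are constructed for the example. It goes slightly beyond the article by also querying the Kerberos SRV name and an optional per-site name, which the same AD locator logic uses.

```python
"""Pre-flight checks for a FortiAuthenticator domain join: SRV records and clock skew.

Added example, not Fortinet code. Builds a DNS SRV query, sends it over UDP to the
nameserver given, and parses the answer (including name compression). The domain,
DNS server address and the sample response are constructed for this example."""
import secrets
import socket
import struct

DNS_TYPE_SRV = 33
DNS_CLASS_IN = 1


def srv_names(domain, site=None):
    """SRV names an AD client uses to locate domain controllers (LDAP and Kerberos)."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}", f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}"]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid):
    """Standard query, recursion desired, one SRV/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", DNS_TYPE_SRV, DNS_CLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg, txid):
    """Return sorted (priority, weight, port, target) tuples from the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x0F
    if rcode != 0:
        hint = " (NXDOMAIN: wrong domain, or DNS server is not the domain's)" if rcode == 3 else ""
        raise ValueError(f"DNS rcode {rcode}{hint}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)


def lookup_srv(name, nameserver, timeout=3.0):
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (nameserver, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


def clock_skew_ok(local_epoch, reference_epoch, max_skew=300):
    """Kerberos, which the join relies on, rejects requests beyond the KDC's tolerance
    (5 minutes by default on Windows)."""
    return abs(local_epoch - reference_epoch) <= max_skew


def constructed_response(txid):
    """Constructed sample (not a capture): one SRV answer whose owner name is a
    compression pointer (0xC00C) back to the question name."""
    qname = _encode_name("_ldap._tcp.dc._msdcs.example.com")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = struct.pack("!HHH", 0, 100, 389) + _encode_name("dc1.example.com")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_SRV, DNS_CLASS_IN, 600, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", DNS_TYPE_SRV, DNS_CLASS_IN) + answer


if __name__ == "__main__":
    for n in srv_names("example.com"):                 # hypothetical domain and DNS server
        try:
            print(n, lookup_srv(n, "10.0.0.53"))
        except (OSError, ValueError) as e:
            print(n, "FAILED:", e)
```

Run it from a host that uses the same DNS server the FortiAuthenticator is configured with; an NXDOMAIN for _ldap._tcp.dc._msdcs.<domain> almost always means that server is not the domain's own DNS (or does not forward to it), which is the situation the note above warns about. Large answers may come back truncated (TC bit set); this example does not retry over TCP.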