FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Article Id 222278
Description: This article describes the requirements for an LDAP password change with Windows AD.

Windows AD users can change their passwords themselves, without a Windows AD system administrator having to make provisioning changes on the network.

FortiAuthenticator supports a password change in three ways: RADIUS login, GUI user login, and the GUI user portal.

RADIUS login:

For this method to work, ALL of the following conditions must be met:

- FortiAuthenticator has joined the Windows AD domain.
- The RADIUS client has been configured to 'Use Windows AD domain authentication'.
- The RADIUS authentication request uses MS-CHAPv2.
- The RADIUS client also supports the MS-CHAPv2 password change.

A 'change password' response is produced that FortiAuthenticator recognizes; this allows the NAS and the Windows AD server to cooperate and complete the password change.

GUI user login:

For this method to work, ONE of the following conditions must be met:

- FortiAuthenticator has joined the Windows AD domain.
- Secure LDAP is enabled and the LDAP admin (i.e. the regular bind account) has permission to reset user passwords.

The user logs in via the GUI portal. FortiAuthenticator validates the user's password against a Windows AD server. If the Windows AD server returns a change password response, the user is prompted to enter a new password.

GUI user portal:

For this method to work, ONE of the following conditions must be met:

- FortiAuthenticator has joined the Windows AD domain.
- Secure LDAP is enabled.

After successfully logging into the GUI, the user has access to the user portal, where they can change their password if desired.
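The two Secure LDAP conditions above (an LDAP admin with permission to reset user passwords for GUI user login; Secure LDAP alone for the user portal) correspond to two different LDAP modify operations that Windows AD accepts on the unicodePwd attribute: an administrative reset (a single REPLACE, needing the reset right on the user object) and a self-service change (DELETE of the old value plus ADD of the new one, which AD verifies against the old password). AD accepts either only over an encrypted connection, which is why 'Secure LDAP' is a precondition. The Python below is an added example, not FortiAuthenticator code or part of the original article: it builds both requests in memory and refuses to build either over a cleartext connection. The LdapConnection class, the helper names and the sample DN are constructed for illustration; nothing here contacts a server.

```python
"""
Added example (not FortiAuthenticator code): build the LDAP modify requests
Windows AD expects for a password reset and a password change on unicodePwd,
and enforce the encrypted-transport precondition before building them.
"""
from dataclasses import dataclass


class InsecureTransportError(Exception):
    """Raised when a unicodePwd write would travel over a cleartext LDAP link."""


@dataclass
class LdapConnection:
    # Hypothetical connection descriptor, used only for the precondition check.
    host: str
    port: int = 389
    ldaps: bool = False          # ldaps:// (normally port 636)
    starttls_done: bool = False  # StartTLS negotiated on a port-389 session

    @property
    def encrypted(self) -> bool:
        return self.ldaps or self.starttls_done


def encode_unicode_pwd(password: str) -> bytes:
    """AD's required encoding: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, useful for checking a built request."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def _require_encrypted(conn: LdapConnection) -> None:
    # AD rejects unicodePwd modifications on an unencrypted connection; this is
    # the reason the article lists 'Secure LDAP' as a condition.
    if not conn.encrypted:
        raise InsecureTransportError(
            f"refusing password write to {conn.host}:{conn.port} without TLS")


def build_reset(conn: LdapConnection, user_dn: str, new_password: str) -> dict:
    """Administrative reset: one REPLACE of unicodePwd. The bound account must
    hold the reset-password right on the user object, which matches the
    article's 'LDAP admin has the permissions to reset user passwords'."""
    _require_encrypted(conn)
    return {
        "dn": user_dn,
        "changes": [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])],
    }


def build_change(conn: LdapConnection, user_dn: str,
                 old_password: str, new_password: str) -> dict:
    """Self-service change: DELETE the old value and ADD the new one in a
    single modify. AD checks the old value, so no administrative right is
    needed beyond a bind as the user whose password changes."""
    _require_encrypted(conn)
    return {
        "dn": user_dn,
        "changes": [
            ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
        ],
    }


if __name__ == "__main__":
    # Constructed sample values; the DN and host are placeholders.
    secure = LdapConnection("dc01.example.test", 636, ldaps=True)
    plain = LdapConnection("dc01.example.test", 389)
    dn = "CN=Test User,OU=Users,DC=example,DC=test"
    print(build_reset(secure, dn, "N3w-Passw0rd!"))
    try:
        build_change(plain, dn, "Old-Passw0rd!", "N3w-Passw0rd!")
    except InsecureTransportError as exc:
        print("blocked:", exc)
```

The separation into two builders mirrors the article's distinction: the GUI user login path needs an admin bind with reset rights (the REPLACE form), while the portal path only needs Secure LDAP to be on. Whichever form a deployment uses, the transport check is the one that matters for troubleshooting, because a plain port-389 bind silently satisfies authentication yet cannot write unicodePwd.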

Scope: FortiAuthenticator 6.X

Solution:

Joining the domain instead of using LDAPS covers all three use cases: RADIUS login, GUI user login and GUI user portal.

LDAPS covers only two of the use cases: GUI user login and GUI user portal. A password change over RADIUS is not possible with LDAPS.

It is recommended to join the domain instead of using LDAPS.