Description | This article describes the requirements for an LDAP password change.
Windows AD users can conveniently change passwords without provisioning changes being made to the network by a Windows AD system administrator.
There are three ways FortiAuthenticator supports a password change: RADIUS login, GUI user login, and GUI user portal.
RADIUS login (for example SSLVPN): For the method to work, ALL the following conditions must be met:
A 'change password' response is produced that FortiAuthenticator will recognize and forward, which allows cooperation between the end user on the NAS and the Windows AD server that will result in a password change.
GUI user login: For this method to work, ONE of the following conditions must be met (both result in the user's communication being transported encrypted):
Log in via the GUI portal. FortiAuthenticator will validate the user password against a Windows AD server. If the Windows AD server returns a change password response, the user is prompted to enter a new password.
GUI user portal: For this method to work, ONE of the following conditions must be met (both result in the user's communication being transported encrypted):
After successfully logging into the GUI, the user has access to the user portal. If desired, the user can change their password in the user portal. |
Scope | FortiAuthenticator 6.X. |
Solution |
Choosing to join the domain instead of LDAPS will cover all 3 use cases: RADIUS login, GUI user login, and GUI user portal.
Additionally, for the domain-join, note that the FortiAuthenticator system time must be correct (use NTP, ideally) and the FortiAuthenticator must be able to resolve '_ldap' SRV records from the DNS server. Typically this will have to be the domain's DNS server. |
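The two domain-join prerequisites above (resolvable '_ldap' SRV records and a correct clock) can be checked from an admin workstation before attempting the join. The following is an added example, not Fortinet code. It assumes the standard AD locator record name `_ldap._tcp.<domain>`, a 5-minute skew tolerance (the AD Kerberos default), and that `dig` is installed for the live lookup; `corp.example` and the sample answer are constructed.

```python
import subprocess
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumption: default AD Kerberos clock tolerance

# Constructed sample of `dig +short SRV` output (priority weight port target).
SAMPLE_ANSWER = "0 100 389 dc01.corp.example.\n0 100 389 dc02.corp.example.\n"

def srv_name(domain):
    """Assumed record name: the standard AD locator form _ldap._tcp.<domain>."""
    return "_ldap._tcp." + domain.strip(".")

def parse_srv(text):
    """Return SRV records sorted by priority, then highest weight first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # resolver warnings, CNAME lines, blank lines
        prio, weight, port = (int(p) for p in parts[:3])
        records.append({"priority": prio, "weight": weight,
                        "port": port, "target": parts[3].rstrip(".")})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))

def preflight(domain, srv_text, device_utc, reference_utc):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    # A target of "." (empty after stripping) means the service is not offered.
    usable = [r for r in parse_srv(srv_text) if r["target"]]
    if not usable:
        problems.append("no usable SRV answer for " + srv_name(domain))
    skew = abs(device_utc - reference_utc)
    if skew > MAX_SKEW:
        problems.append(f"clock skew {int(skew.total_seconds())}s exceeds "
                        f"{int(MAX_SKEW.total_seconds())}s")
    return problems

def query_srv(domain, dns_server):
    """Live lookup against the DNS server the appliance is configured to use."""
    cmd = ["dig", "+short", "SRV", srv_name(domain), "@" + dns_server]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(parse_srv(SAMPLE_ANSWER))
    print(preflight("corp.example", SAMPLE_ANSWER, now, now))
    print(preflight("corp.example", "", now, now - timedelta(minutes=12)))
```

For a live check, pass the output of `query_srv()` for the DNS server configured on the FortiAuthenticator, and compare the time shown on the appliance with a domain controller's time.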
Copyright 2025 Fortinet, Inc. All Rights Reserved.