epoirier-dd
New Contributor II

Fortiauthenticator self serve password reset LDAP

Hi everyone,

I'm kind of very new to FortiAuthenticator. I am working on setting up one at a customer. I am having issues with the self-serve portal (not the legacy one) for the password change.

I have set up both LDAPS and the FortiAuthenticator is joined to the domain (although the documentation said I need only one of these, the issue below was not working with only LDAPS).

When trying to change the password for my test user, whatever I put as the new password, it doesn't want to take it. I have tried complex, short or long passwords or even simple ones; I always get the error message below.

[Image: screenshot of the error message]

If anyone has any hints, that would be greatly appreciated.

4 REPLIES
Markus_M
Staff

Hi and welcome to the FortiAuthenticator.

First thing to check is the debug log that can be seen with https://fac-ip/debug/radius

There you find all sorts of authentication logs; these might help to see more details about the problem.

Best regards,

Markus

epoirier-dd
New Contributor II

Hi Markus, thanks for the reply!

I have looked into the radius log, but I don't see anything when I try to change the password from the Self-Serve portal.

Additional note: I worked on getting SSL VPN working with the FortiAuthenticator via RADIUS authentication. I tested changing the password when connecting to VPN and that worked right away with the correct config. So this seems to be only related to the new self-serve portal capability to change an LDAP user.

warshad
Staff

Please try to reproduce the issue and check the radius logs https://fac-ip/debug/radius.


There should be some logs there. Please check and let us know.


Waqas Arshad
Fortinet
epoirier-dd
New Contributor II

Finally found the issue and it wasn't related to the FortiAuthenticator at all. I decided to test changing the password of my test account in a more regular way, to find out I was getting the same error. Turns out the customer domain password policy was set to a minimum password age of over 100 days. Tested with an old account and it was working fine.


Thanks for your hints.
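
Added example, not part of the thread and not Fortinet code: a check for the cause found above, using the raw values Active Directory returns over LDAP (`pwdLastSet` on the user, `minPwdAge` on the domain object). The 101-day policy, the two accounts and the fixed date are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# AD timestamps (FILETIME) count 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a pwdLastSet value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def interval_to_timedelta(ticks: int) -> timedelta:
    """minPwdAge is stored as a NEGATIVE count of 100-ns ticks."""
    return timedelta(microseconds=abs(ticks) // 10)

def earliest_change(pwd_last_set: int, min_pwd_age: int) -> datetime:
    """First moment the user may change their own password."""
    return filetime_to_datetime(pwd_last_set) + interval_to_timedelta(min_pwd_age)

def can_user_change(pwd_last_set: int, min_pwd_age: int, now: datetime) -> bool:
    """False means a user-initiated change is refused, whatever the new password."""
    return now >= earliest_change(pwd_last_set, min_pwd_age)

# --- constructed sample data (assumptions, not taken from the thread) ---
NOW = datetime(2022, 6, 14, 12, 0, tzinfo=timezone.utc)
MIN_PWD_AGE = -(101 * 86400 * 10**7)  # 101-day minimum password age
ACCOUNTS = {
    "new-test-user": datetime_to_filetime(NOW - timedelta(days=2)),
    "old-user": datetime_to_filetime(NOW - timedelta(days=400)),
}

def report(now: datetime = NOW) -> dict:
    """Map each sample account to (allowed, earliest allowed change)."""
    return {
        name: (can_user_change(pls, MIN_PWD_AGE, now),
               earliest_change(pls, MIN_PWD_AGE))
        for name, pls in ACCOUNTS.items()
    }

if __name__ == "__main__":
    for name, (allowed, when) in report().items():
        state = "allowed" if allowed else f"blocked until {when:%Y-%m-%d %H:%M} UTC"
        print(f"{name}: {state}")
```

A freshly created test account is the worst case for this policy, since its password is always younger than the minimum age.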
