Hello! Who can make sense of these two pieces of information?
FortiOS Handbook: Authentication for FortiOS 5.2, PDF file, page 28:
password-expiry-warning and password-renewal In SSLVPN, when an LDAP user is connecting to the LDAP server it is possible for them to receive any pending password expiry or renewal warnings. When the password renewal or expiry warning exists, SSLVPN users will see a prompt allowing them to change their password. password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes. password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.
Fortigate-cli-5.2.pdf, page 720:
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
And below this, there are options:
config user ldap
edit <server_name>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
...
end
Now, why I am asking this is that I enabled these two options and set my own account in a state where I should change my password at next logon, which I did with VPN (with Windows AD). FortiClient really tells me that I have to change my password, but when I do this by entering the new password twice, I just get Permission denied (-455) or something like that, and that's it. What is wrong here? I even added the internal user that authenticates to LDAP to the Domain Admins group, but that didn't help to really change the password successfully and log in. When I checked on the AD server which password actually works, the old one or the newly entered one, it turned out that the password wasn't actually changed.
Any hints or experience with this?
Thank you.
Hello,
both pieces are true; however, it can be stated more clearly: password renewal/warning stated by the LDAP server is processed by the FortiGate and the user is prompted accordingly. BUT that feature has two prerequisites:
1) works with Microsoft AD server ONLY!
so the second statement, page 720 (as mentioned, I haven't checked the page content), is true, as those do not support similar functionality for other LDAP servers in the wild (Oracle, IBM, OpenLDAP, just examples). The feature was designed completely around MS AD. If you need that for other servers, please contact our sales representatives and open a New Feature Request.
2) the LDAP server on the FortiGate has to be LDAP(S)!
As password expiry and renewal is bound to the credentials handshake, it has to be an encrypted connection. It is NOT supported on a plain unencrypted LDAP config.
Hope it clarified the info a bit.
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
A little bit more trying after your information and I got it working.
It is also written in the Handbook on page 28 that "When changing passwords on a Windows AD system, the connection must be SSL-protected." It wasn't immediately clear to me that the SSL applies to the LDAP connection; it rather looked like a general note about changing passwords, and I am already dealing with SSL-VPN. Now I changed the LDAP connection to Secure (LDAPS) _and_ added the user name that is being used for LDAP queries to the Domain Admins group, and then I could really change the password.
Thank you very much for information!
It is sufficient for the user name that is being used for LDAP queries to be a member of the "Account Operators" group for the password change dialogue to work.
It may be that this will work if this user has even fewer privileges than those conferred by the "Account Operators" group, but I haven't researched this. I just totally recoiled from the idea that an account like this should have "Domain Administrator" privileges, and picked something more restricted that would do the job.
Call me paranoid, but I decided that I wanted to know just how much power I had given this service account by adding it to the "Account Operators" group, so I researched it. Needless to say, I didn't like what I learned. Less than a domain admin, but still way more than I am comfortable with.
Active Directory has a feature called "Delegation of Control" that enables much more fine-grained control over permissions, and it's really easy to configure. (There's a "wizard".) Here is what you do:
Minimum required permissions. Always a good idea when dealing with security.
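As an added example that is not part of this thread: the PowerShell below applies the same two ACEs the Delegation of Control wizard writes for its "Reset user passwords and force password change at next logon" task, but only to the LDAP bind account and only on one OU, instead of putting the account in Account Operators. The service account name svc-fortigate-ldap and the OU path are hypothetical. That these two rights alone are enough for the FortiGate password-renewal step is an assumption the thread does not confirm (it only confirms that Account Operators works), so test with a throwaway user after applying it.

```powershell
# Added example, not from the thread. Delegates only Reset Password and
# read/write pwdLastSet on user objects under one OU to the LDAP bind account.
# Assumed (hypothetical) names: service account and OU below.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-fortigate-ldap'
$TargetOU       = 'OU=VPN Users,DC=example,DC=com'

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve the GUIDs from this forest's schema/config partitions rather than
# hard-coding them. "User-Force-Change-Password" is the "Reset Password" right.
$resetPwdRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=User-Force-Change-Password))' `
    -Properties rightsGuid
$pwdLastSetAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' `
    -Properties schemaIDGUID
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID

$resetGuid   = [guid]$resetPwdRight.rightsGuid      # stored as a string
$pwdLastGuid = [guid]$pwdLastSetAttr.schemaIDGUID   # stored as byte[]
$userGuid    = [guid]$userClass.schemaIDGUID

$sid = (Get-ADUser $ServiceAccount).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

# Apply to user objects anywhere below the OU, not to the OU object itself.
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1) "Reset Password" extended right (lets the bind account set a new password
#    without knowing the old one, which is what a reset through the bind DN needs).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    $descendants,
    $userGuid)))

# 2) Read/Write on pwdLastSet, so the "must change at next logon" state
#    (pwdLastSet = 0) can be read and cleared after the reset.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastGuid,
    $descendants,
    $userGuid)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs that now name the service account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run it on a domain-joined host with RSAT as an account allowed to modify the OU's security descriptor (for example a Domain Admin, once, interactively); the bind account itself stays out of every privileged group. The final listing should show exactly two ACEs for the service account: one ExtendedRight with the Reset Password GUID and one ReadProperty/WriteProperty with the pwdLastSet GUID, both inherited only by user objects.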
Copyright 2025 Fortinet, Inc. All Rights Reserved.