I have a Fortigate 501e (FotiOS v7.2.7) with SSL-VPN where local users authenticate via LDAP. This LDAP has a password policy and it is configured in SSL-VPN that users change their password on the first login.
The password change occurs correctly and is reflected in LDAP, but we have noticed that when making this password change, in LDAP it is saved as plain text instead of SSHA as it was originally.
The procedure is as follows:
- We create the user in LDAP and assign it a temporary SSHA password.
- We create the SSL-VPN user (LDAP type) in Fortinet.
- On the first login, FortiClient (or Web Portal) asks the user to change the password.
At this time, the password is updated in LDAP, but in plain text instead of SSHA, with the security problem that this entails.
In Fortinet, the LDAP connection has this related setting:
set secure ldaps
set ca-cert "USERTrust_RSA_Certification_Authority"
set port 636
set password-expiry-warning enable
set password-renewal enable
We have ruled out the LDAP server as the problem, since there have been no changes to the server and the password change is done correctly (and remains in SSHA) when done through a server authenticated with LDAP.
When this password reset was implemented it was done correctly to SSHA, I suspect that since the last update we did to v7.2.7 build1577 is when this problem started. Any idea how to solve this problem? Thank you very much.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you can change the password there, it's an issue with FortiClient. If you cannot even do that, it's more likely to be something between the FGT, possibly an issue on the FGT itself, and the LDAP.
Verify the SSL-VPN settings on FortiGate to ensure no misconfigurations are causing the password to be saved in plain text. Review the LDAP configuration on FortiGate to confirm that the password handling settings are correct.
I already read that guide and I can't find any option related with the password hashing. Everything works fine before updated the Fortigate, but there's no known issue about this in the datasheet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.