SSL-VPN password-renewal changes password to plain-text in LDAP
I have a FortiGate 501E (FortiOS v7.2.7) with SSL-VPN where local users authenticate via LDAP. This LDAP has a password policy, and SSL-VPN is configured so that users change their password on the first login.
The password change occurs correctly and is reflected in LDAP, but we have noticed that when this password change is made, it is saved in LDAP as plain text instead of SSHA, as it was originally.
The procedure is as follows:
- We create the user in LDAP and assign it a temporary SSHA password.
- We create the SSL-VPN user (LDAP type) in Fortinet.
- On the first login, FortiClient (or Web Portal) asks the user to change the password.
At this point the password is updated in LDAP, but in plain text instead of SSHA, with the security problem that this entails.
In Fortinet, the LDAP connection has this related setting:
set secure ldaps
set ca-cert "USERTrust_RSA_Certification_Authority"
set port 636
set password-expiry-warning enable
set password-renewal enable
We have ruled out the LDAP server as the problem, since there have been no changes to the server, and the password change is done correctly (and remains in SSHA) when it is done through a server authenticated with LDAP.
When this password reset was first implemented it was done correctly as SSHA. I suspect this problem started with our last update, to v7.2.7 build1577. Any idea how to solve this problem? Thank you very much.
Labels: Authentication, FortiGate, LDAP, SSL-VPN
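One defender-side check for the symptom described in this post, added here as an example and not code from the thread or from Fortinet: it scans an LDIF export of the directory, reports entries whose userPassword is stored without a hash-scheme prefix such as {SSHA}, and can verify a {SSHA} value against a known password. The sample entries, user names and salt are constructed.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def make_ssha(password: str, salt: bytes) -> str:
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against a {SSHA} value (salt is the tail)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def password_scheme(value: str) -> str:
    """Hash scheme prefix of a userPassword value ({SSHA}, {CRYPT}, ...) or PLAINTEXT."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "PLAINTEXT"

def audit_ldif(ldif: str) -> dict[str, str]:
    """Map each entry's dn to the scheme protecting its userPassword attribute."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:  # LDIF base64 value
            raw = base64.b64decode(line.split(":: ", 1)[1].strip())
            result[dn] = password_scheme(raw.decode("utf-8", "replace"))
        elif line.startswith("userPassword: ") and dn:
            result[dn] = password_scheme(line.split(": ", 1)[1].strip())
    return result

def cleartext_entries(ldif: str) -> list[str]:
    """DNs whose password is stored without any hash scheme."""
    return [dn for dn, s in audit_ldif(ldif).items() if s == "PLAINTEXT"]

# Constructed sample export (hypothetical users): alice still has her SSHA
# hash, bob's value was rewritten in cleartext by a portal password change.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {make_ssha('Temp-Pass-1', b's4lt')}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: Secret123
"""
```

Running `cleartext_entries(SAMPLE_LDIF)` returns bob's DN only; run the same function over a real `ldapsearch -LLL` export of the users' OU to confirm whether the portal-driven change is the only path that writes cleartext values.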
If you can change the password there, it's an issue with FortiClient. If you cannot even do that, it's more likely to be something between the FGT, possibly an issue on the FGT itself, and the LDAP.
Verify the SSL-VPN settings on FortiGate to ensure no misconfigurations are causing the password to be saved in plain text. Review the LDAP configuration on FortiGate to confirm that the password handling settings are correct.
I already read that guide and I can't find any option related to the password hashing. Everything worked fine before we updated the FortiGate, but there's no known issue about this in the datasheet.
