rb043
New Contributor II

SSLVPN Password Reset over LDAP not working via GUI

I've followed this guide meticulously for our LDAP configuration on our Fortigate 80F. See below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-expired-password-LDAP-renewal-with-....

 

The authentication and group assignment are working perfectly, including the CLI commands for diagnosing the delegation and confirming you can change a user password from the Fortigate. Command example below:
dia test authserver ldap testdomain jdoe OldPassword1234#

 

However, when using the web GUI to get to admin and subsequently an account which is set to reset on next logon, I get the change password screen and copy/paste the old and new passwords (to ensure I'm not getting it wrong!), but I consistently get an error saying "Invalid Old Password" - but I know the password is correct, and if I immediately go to the CLI and run the diagnose command above, it works perfectly. So I know it's not an LDAP issue or an issue in the config of the LDAP server on the Forti.

 

Any ideas on this one? For further clarification the password has special characters both before and after, and also adheres to the password policy both before and after. 

 

Aside from this, LDAP authentication is working perfectly.

ndumaj
Staff

Hi,

What is your FGT version?
There is a ticket ID 782158 - "The ç character is not accepted by an LDAPS password change" - that means that pass change doesn't work if your pass contains non-ASCII characters, and the issue is solved on v7.2.1.
https://docs.fortinet.com/document/fortigate/7.2.1/fortios-release-notes/289806/resolved-issues

BR

- Happy to help, hit like and accept the solution -
rb043
New Contributor II

We're on 7.0.10, although contemplating patching it anyway as I had a feeling this would be the case! 

That's a good find, thank you. I searched high and low but couldn't find anything related. I think I'll confirm it by changing the policy temporarily to allow all ASCII, then get the update in.

I'm guessing there's no update available for the 7.0 range (e.g. take to 7.0.11), and instead I need to stage it right through to 7.2.1?

ndumaj

Hi,
Unfortunately, at the moment there is no fix available on 7.0.x; the fix is only available on v7.2.1 and above.
BR

- Happy to help, hit like and accept the solution -
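A small pre-check, added here as an example and not part of the thread or of FortiOS, that flags the two conditions the replies above identify for this failure: a password containing non-ASCII characters (such as ç) on a FortiOS build older than 7.2.1. The function names and the sample password are assumptions; it reports only the offending characters, never the password itself.

```python
# Added example: triage helper for the known LDAP password-change issue
# described in the thread (non-ASCII characters in the password, fixed in
# FortiOS 7.2.1). Not FortiOS code; names and sample values are constructed.
import unicodedata
from typing import NamedTuple

FIX_VERSION = (7, 2, 1)  # release the thread names as carrying the fix


def parse_fortios_version(version: str) -> tuple[int, ...]:
    """Turn '7.0.10' into (7, 0, 10) so comparisons are numeric.

    Comparing the raw strings would be wrong: '7.0.10' < '7.0.9' as text.
    Accepts an optional leading 'v', e.g. 'v7.2.1'.
    """
    parts = version.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts)


def non_ascii_chars(password: str) -> list[str]:
    """List every character outside 7-bit ASCII with its code point and name.

    Only the characters are returned, so the result is safe to put in a ticket.
    """
    return [
        f"{c} (U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')})"
        for c in password
        if ord(c) > 0x7F
    ]


class Triage(NamedTuple):
    affected_build: bool   # True when the build predates the fix release
    offending: list[str]   # non-ASCII characters found in the password

    @property
    def likely_hit(self) -> bool:
        """Both conditions from the thread must hold for this issue to apply."""
        return self.affected_build and bool(self.offending)


def triage_ldap_password_change(fortios_version: str, password: str) -> Triage:
    """Report whether a GUI LDAP password change is expected to hit the bug."""
    affected = parse_fortios_version(fortios_version) < FIX_VERSION
    return Triage(affected, non_ascii_chars(password))


if __name__ == "__main__":
    # Constructed sample: the OP's 7.0.10 build with a cedilla in the password.
    print(triage_ldap_password_change("7.0.10", "Pa\u00e7sword1234#"))
```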
rb043
New Contributor II

That's a shame - but a good excuse to upgrade! 

I've confirmed it now between another site (7.2.1+) and it's consistent, works fine. 

Upgrade incoming... Thanks for your help

ndumaj

Eh, sorry, at least we have a solution :)
Happy to help!

- Happy to help, hit like and accept the solution -