FortiGate
krajaa
Staff
Article Id 190569

Description

 
This article explains how to enable password renewal of a remote LDAP user through FortiGate.
 
Scope

 

FortiGate.


Solution

 

It is possible to renew the password of a remote LDAP user through the FortiGate by enabling password renewal on the LDAP server object:

 

config user ldap
    edit <server_name>
        set password-renewal enable
        set secure ldaps
        set port 636
    next
end

 

Once enabled, a remote user whose password has expired is offered the option to renew it during a FortiGate login (for example an SSL VPN login), and the FortiGate performs the change against the LDAP server on the user's behalf.

Note:
This feature works only with LDAPS (set secure ldaps); it does not work over plain LDAP.
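The following is an added example (not Fortinet code) that reads `config user ldap` text in the CLI form used in this article and reports which servers are not ready for password renewal: plain LDAP with password-renewal enabled, and LDAPS entries that skip certificate validation. The server names, addresses and certificate name in the sample configuration are constructed for illustration.

```python
"""Audit `config user ldap` entries for password-renewal readiness.

Added example, not Fortinet code: a small parser for the FortiOS CLI text shown in this
article plus the checks a reviewer would apply. Server names, addresses and the
certificate name below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample: one entry as the article shows it, one left on plain LDAP,
# one on LDAPS but without certificate validation.
SAMPLE_CONFIG = """\
config user ldap
    edit "dc-ldaps"
        set server "dc1.example.local"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set password-renewal enable
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
    edit "dc-plain"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set password-renewal enable
        set secure disable
        set port 389
    next
    edit "dc-ldaps-nocheck"
        set server "10.0.0.6"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set password-renewal enable
        set secure ldaps
        set port 636
        set server-identity-check disable
    next
end
"""


def parse_user_ldap(text: str) -> dict[str, dict[str, str]]:
    """Return {server_name: {setting: value}} for each `edit` block in the text."""
    servers: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            servers[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            servers[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return servers


def audit_password_renewal(servers: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Findings per server with password-renewal enabled; clean servers are omitted."""
    findings: dict[str, list[str]] = {}
    for name, s in servers.items():
        if s.get("password-renewal", "disable") != "enable":
            continue
        issues = []
        secure = s.get("secure", "disable")  # unset means plain LDAP
        if secure != "ldaps":
            issues.append(f"password renewal requires 'set secure ldaps' (current: {secure})")
        else:
            port = s.get("port", "389")
            if port != "636":
                issues.append(f"secure ldaps with port {port}; LDAPS normally listens on 636")
            if "ca-cert" not in s:
                issues.append("no ca-cert: the server certificate cannot be checked against a trusted CA")
            # treated as disabled when absent; only 'enable' pins the certificate to the server name
            if s.get("server-identity-check", "disable") != "enable":
                issues.append("server-identity-check not enabled: certificate name is not matched against the server")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for server, issues in audit_password_renewal(parse_user_ldap(SAMPLE_CONFIG)).items():
        print(server)
        for issue in issues:
            print("  -", issue)
```

Paste the output of `show user ldap` into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a real configuration; only the `dc-plain` and `dc-ldaps-nocheck` entries produce findings for the sample above.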


Password renewal through the FortiGate works only over LDAPS (LDAP over SSL/TLS) and not over plain LDAP, primarily for the following security reasons.

 

  1. Encryption: LDAPS encrypts the data in transit between the FortiGate and the LDAP server, so sensitive data such as passwords cannot be read by anyone eavesdropping on the path. During a password renewal both the old and the new password cross the wire, and LDAPS ensures they are transmitted securely.

  2. Data Integrity: Along with encryption, TLS protects against tampering, ensuring that the data (such as the new password) sent by the FortiGate has not been altered in transit.

  3. Authentication: LDAPS lets the server authenticate itself to the client, ensuring that the FortiGate is talking to the correct LDAP server and not to an attacker impersonating it (a man-in-the-middle). This protection is only real if the FortiGate actually validates the server certificate: configure a trusted CA with set ca-cert and enable set server-identity-check on the LDAP server object.

  4. Industry Standards: Many regulations and best practices require sensitive data to be encrypted in transit. Allowing password changes over plain LDAP could violate those requirements.

  5. Potential for Information Disclosure: On plain LDAP the entire exchange is visible, not only the passwords themselves but also the user DN, the server's result codes and error messages (for example a password-policy rejection) and other metadata that an attacker could use. LDAPS mitigates this by encrypting the whole session.

For these reasons, FortiGate and many other security appliances and products enforce or recommend LDAPS for sensitive operations such as password renewal. Active Directory, the most common LDAP backend, additionally refuses to set a password (unicodePwd) over an unencrypted LDAP connection, so a change attempted over plain LDAP would fail at the server in any case.
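To make point 1 and point 5 concrete, the following added example (not FortiGate code) builds an RFC 3062 password-modify request with a hand-rolled BER encoder and then parses it back the way a passive observer of plain LDAP on TCP/389 would, recovering the user DN and both passwords. The article does not state whether the FortiGate issues exactly this extended operation or an Active Directory unicodePwd modify; the exposure on an unencrypted connection is the same either way. The DN and passwords are constructed sample values.

```python
"""Wire view of an unencrypted LDAP password change (added example, not FortiGate code).

Builds an RFC 3062 PasswdModify ExtendedRequest with a minimal BER encoder, then parses
it back as an on-path observer of plain LDAP would. Sample DN and passwords are constructed.
"""
from __future__ import annotations

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 password modify extended operation

# BER tags used by LDAP (RFC 4511) for this message
SEQUENCE, INTEGER = 0x30, 0x02
EXTENDED_REQUEST = 0x77                # [APPLICATION 23], constructed
CTX0, CTX1, CTX2 = 0x80, 0x81, 0x82    # context-specific primitive tags [0], [1], [2]


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER encoding (non-negative messageIDs here)."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def passwd_modify_request(msg_id: int, user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName, requestValue } } per RFC 3062."""
    value = tlv(SEQUENCE,
                tlv(CTX0, user_dn.encode()) + tlv(CTX1, old_pw.encode()) + tlv(CTX2, new_pw.encode()))
    ext = tlv(EXTENDED_REQUEST, tlv(CTX0, PASSWD_MODIFY_OID.encode()) + tlv(CTX1, value))
    return tlv(SEQUENCE, ber_int(msg_id) + ext)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_passwd_modify(pdu: bytes) -> dict[str, str] | None:
    """What a passive observer of plain LDAP recovers from one captured PDU."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    if pos >= len(msg):
        return None
    tag, op, _ = read_tlv(msg, pos)
    if tag != EXTENDED_REQUEST:
        return None
    tag, oid, pos = read_tlv(op, 0)
    if tag != CTX0 or oid.decode() != PASSWD_MODIFY_OID:
        return None
    tag, val, _ = read_tlv(op, pos)
    if tag != CTX1:
        return None
    _, seq, _ = read_tlv(val, 0)
    names = {CTX0: "userIdentity", CTX1: "oldPasswd", CTX2: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(seq):
        t, content, pos = read_tlv(seq, pos)
        fields[names.get(t, f"tag_{t:#x}")] = content.decode()
    return fields


if __name__ == "__main__":
    pdu = passwd_modify_request(7, "cn=alice,ou=users,dc=example,dc=local", "Winter2023!", "Spring2024!")
    print(pdu.hex())
    print(sniff_passwd_modify(pdu))   # every field is readable; LDAPS would hide all of it
```

On LDAPS the same PDU is carried inside TLS application-data records, so the observer sees only ciphertext, and a validated server certificate (ca-cert plus server-identity-check on the FortiGate) is what stops an impersonating server from terminating that TLS session and reading the request itself.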

 

Related Article:

Technical Tip: Configuring LDAP over SSL (LDAPS)