Description
FortiGate is able to process an expired password renewal for LDAP users during the user's login (e.g. with SSL-VPN).
This article provides basic guidelines and verification steps for setting up this functionality with Active Directory.
Scope
Standard LDAP authentication is already configured and functional (except the password renewal feature).
The section describing configuration changes within Active Directory is for informational purposes only.
It was tested with a default domain configuration in a domain running on Windows Server 2016.
If there are issues with setting or verifying the password reset delegation, contact Windows/Active Directory support, as troubleshooting Active Directory configurations is outside the scope of Fortinet TAC.
Solution
1) Delegate password reset rights for the LDAP account used by the FortiGate in Active Directory.
- Open Active Directory Users and Computers (aka ADUC, aka dsa.msc).
- Navigate to the Organizational Unit (OU) that contains the users, right-click it and select 'Delegate Control...'.
- In the Delegation of Control Wizard, add the LDAP account used by the FortiGate and grant it the task 'Reset user passwords and force password change at next logon'.
Note: the password reset rights apply only to users in the selected OU.
To verify the delegation, run the following in PowerShell as the FortiGate LDAP account (TESTDOMAIN\fortigate-ldap in this example) against a test user in the delegated OU. This performs a real password reset, so use a test account:
# Bind to the test user object through ADSI (adjust the DN to your domain).
$test = [adsi]"LDAP://CN=John Doe,OU=usr,DC=testdomain,DC=lab"
# Reset the password; this requires the 'Reset Password' right on the user object.
$test.psbase.invoke("SetPassword","NewPassword1234#")
$test.psbase.CommitChanges()
If the account does not hold the right, the SetPassword call fails with an access-denied error.
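As an added check that is not part of the Fortinet article, the following PowerShell script lists who holds the 'Reset Password' extended right on the delegated OU without resetting any password. It assumes the RSAT ActiveDirectory module is installed and reuses the OU and account names from this example.

```powershell
# Added example (not from the Fortinet article): list the principals that hold the
# "Reset Password" extended right on the delegated OU, without changing any password.
# Assumes the RSAT ActiveDirectory module and the OU / account names used above.
Import-Module ActiveDirectory

$ouDn    = "OU=usr,DC=testdomain,DC=lab"     # OU delegated in step 1 (assumed)
$account = "TESTDOMAIN\fortigate-ldap"       # LDAP account configured on the FortiGate

# Schema GUID of the User-Force-Change-Password extended right ("Reset Password").
$resetPasswordRight = [guid]"00299570-246d-11d0-a768-00aa006e0529"

function Get-ResetPasswordDelegations {
    param([string]$DistinguishedName)
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $resetPasswordRight
    } | Select-Object @{n='Identity';  e={ $_.IdentityReference.Value }},
                      @{n='Inherited'; e={ $_.IsInherited }},
                      @{n='AppliesTo'; e={ $_.InheritanceType }}
}

$delegations = Get-ResetPasswordDelegations -DistinguishedName $ouDn
$delegations | Format-Table -AutoSize

# Direct match on the NT account name (DOMAIN\user). A right granted through group
# membership or through a full-control (GenericAll) ACE is not detected by this
# filter; review those entries manually if the account is reported as missing.
if ($delegations.Identity -contains $account) {
    "OK: $account holds the Reset Password right on $ouDn"
} else {
    "MISSING: no explicit Reset Password ACE for $account on $ouDn"
}
```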
2) Configure the LDAP server object on the FortiGate with password renewal enabled over LDAPS:
# config user ldap
edit "testdomain"
set server "10.109.51.52"
set cnid "sAMAccountName"
set dn "dc=testdomain,dc=lab"
set type regular
set username "TESTDOMAIN\\fortigate-ldap"
set password ENC ###
set secure ldaps #<=== Mandatory: Active Directory requires secure LDAP over TLS for password change action.
set port 636
set password-renewal enable
next
end
Verification.
Test the login and the password renewal from the FortiGate CLI:
# diagnose test authserver ldap <LDAP-server-name> <username> <current-password>
Replace <LDAP-server-name> with the name of the LDAP server object in the FortiGate configuration ('config user ldap'). The command prompts for the new password and its confirmation; a successful test changes the user's password in Active Directory, so use a test account.
Example with the configuration above:
# dia test authserver ldap testdomain jdoe OldPassword1234#
New Password:********
Confirm Password:********
authenticate 'jdoe' against 'testdomain' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=testdomain,DC=lab
If the delegation is not configured correctly, or if the user is located in a different OU for which the FortiGate LDAP account has no password reset rights, the password change attempt fails with the following message:
# dia test authserver ldap testdomain jdoe OldPassword1234#
New Password:**********
Confirm Password:**********
authenticate 'jdoe' against 'testdomain' failed!
Copyright 2024 Fortinet, Inc. All Rights Reserved.