Answered: LDAP auth and password change over VPN

Author
echo
Silver Member
  • Total Posts : 88
  • Scores: 4
  • Reward points: 0
  • Joined: 2013/06/19 07:45:28
  • Location: Tallinn, Estonia
  • Status: offline
2015/11/03 02:31:45 (permalink)
0

LDAP auth and password change over VPN

Hello! Who can make sense of these two pieces of information?
 
FortiOS Handbook: Authentication for FortiOS 5.2, PDF file, page 28:
password-expiry-warning and password-renewal
In SSLVPN, when an LDAP user is connecting to the LDAP server it is possible for them to receive any pending password expiry or renewal warnings. When the password renewal or expiry warning exists, SSLVPN users will see a prompt allowing them to change their password.
password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes.
password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.
 
Fortigate-cli-5.2.pdf, page 720:
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
 
And below this, there are options:
config user ldap
edit <server_name>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
...
end
 
Now, the reason I am asking this is that I enabled these two options and set my own account into a state where I should change my password at next logon, which I did with VPN (with Windows AD). FortiClient really tells me that I have to change my password, but when I do this by entering the new password twice, I just get Permission denied (-455) or something like that, and that's it. What is wrong here? I even added the internal user that authenticates to LDAP to the Domain Admins group, but that didn't help to really change the password successfully and log in. When I checked from the AD server which password actually works, the old one or the newly entered one, it turned out that the password wasn't actually changed.
 
Any hints or experience with this?
Thank you.
#1
xsilver_FTNT
Expert Member
  • Total Posts : 331
  • Scores: 61
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Status: offline
Re: LDAP auth and password change over VPN 2015/11/03 02:50:04 (permalink) ☼ Best Answer by echo 2015/11/03 04:12:32
0
Hello,
 
Both pieces are true; however, they can be stated more clearly: a password renewal/warning stated by the LDAP server is processed by the FortiGate and the user is prompted accordingly. BUT that feature has two prerequisites:
 
1) works with Microsoft AD server ONLY!
So the second statement on page 720 (as mentioned, I haven't checked the page content) is true, as those do not support similar functionality for other LDAP servers in the wild (Oracle, IBM, OpenLDAP, just as examples). The feature was designed completely around MS AD. If you need that for other servers, please contact our sales representatives and open a New Feature Request.
 
2) the LDAP server on the FortiGate has to be LDAP(S)!
As password expiry and renewal is bound to the credential handshakes, it has to be an encrypted connection. It is NOT supported on a plain unencrypted LDAP config.
 
Hope this clarified the info a bit.
 
Kind regards, Tomas
#2
echo
Silver Member
  • Total Posts : 88
  • Scores: 4
  • Reward points: 0
  • Joined: 2013/06/19 07:45:28
  • Location: Tallinn, Estonia
  • Status: offline
Re: LDAP auth and password change over VPN 2015/11/03 04:12:15 (permalink)
0
A little bit more trying after your information and I got it working.
It is also written in the Handbook at page 28 that "When changing passwords on a Windows AD system, the connection must be SSL-protected." -- it wasn't immediately clear to me that the SSL refers to the LDAP connection; it rather looked like a general note about changing passwords, and I am already dealing with SSL-VPN. Now I changed the LDAP connection to Secure (LDAPS) _and_ added the user name that is being used for LDAP queries to the Domain Admins group, and then I could really change the password.
Thank you very much for information!
#3
pvarlien
New Member
  • Total Posts : 2
  • Scores: 4
  • Reward points: 0
  • Joined: 2016/10/06 04:16:13
  • Location: Trondheim, Norway
  • Status: offline
Re: LDAP auth and password change over VPN 2016/10/06 06:18:32 (permalink)
0
It is sufficient for the user name that is being used for LDAP queries to be a member of the "Account Operators" group for the password change dialogue to work.
 
It may be that this will work if this user has even fewer privileges than those conferred by the "Account Operators" group, but I haven't researched this. I just totally recoiled from the idea that an account like this should have "Domain Administrator" privileges, and picked something more restricted that would do the job.
post edited by pvarlien - 2016/10/06 06:56:41
#4
pvarlien
New Member
  • Total Posts : 2
  • Scores: 4
  • Reward points: 0
  • Joined: 2016/10/06 04:16:13
  • Location: Trondheim, Norway
  • Status: offline
Re: LDAP auth and password change over VPN 2016/10/10 07:56:59 (permalink) ☄ Helpful by oheigl 2016/10/10 13:52:51
5 (2)
Call me paranoid, but I decided that I wanted to know just how much power I had given this service account by adding it to the "Account Operators" group, so I researched it. Needless to say, I didn't like what I learned. Less than a domain admin, but still way more than I am comfortable with.
 
Active Directory has a feature called "Delegation of Control" that enables much more fine-grained control over permissions, and it's really easy to configure. (There's a "wizard".) Here is what you do:
  1. Launch "Active Directory Users and Computers"
  2. Select the object that is named by whatever you entered as "Distinguished Name" when you configured the LDAP server in FortiOS. E.g. the Users container.
  3. Select "Action" -> "Delegate Control". This starts the Delegate Control Wizard.
  4. Follow the steps. The “Reset user passwords and force password change at next logon” predefined task is what the FortiGate unit needs to be able to change passwords for an account.
Minimum required permissions. Always a good idea when dealing with security.
post edited by pvarlien - 2018/01/22 00:19:01
#5
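The delegation described in the post above, as an added PowerShell example that is not part of the original thread or of any Fortinet documentation. It grants the FortiGate bind account the same two ACEs the "Reset user passwords and force password change at next logon" wizard task grants (the Reset Password control-access right plus read/write on pwdLastSet, both inherited only by user objects), but does it as an explicit ACL edit so the result is reviewable. The account name svc-fortigate-ldap and the OU DN are assumptions; substitute the sAMAccountName of your bind user and the object you entered as "Distinguished Name" on the FortiGate.

```powershell
# Added example (not from the original thread): delegate only what the FortiGate
# needs to perform an AD password change for the SSL-VPN user, without putting
# the bind account into Account Operators or Domain Admins.
# Assumptions: bind account svc-fortigate-ldap; FortiGate "Distinguished Name"
# is OU=VPN Users,DC=example,DC=com. Run as a user allowed to edit that OU's ACL.
Import-Module ActiveDirectory

$bindAccount = 'svc-fortigate-ldap'                # assumed sAMAccountName
$targetDn    = 'OU=VPN Users,DC=example,DC=com'     # assumed; the FortiGate DN or a parent of it

# Well-known GUIDs used by the delegation wizard task (stable across AD versions)
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control-access right
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute (0 = must change at next logon)

$sid = (Get-ADUser -Identity $bindAccount).SID
$acl = Get-Acl -Path "AD:\$targetDn"

# ACE 1: Reset Password extended right, inherited by descendant user objects only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: read + write pwdLastSet, inherited by descendant user objects only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$targetDn" -AclObject $acl

# Verify: only the two ACEs above should be present for the bind account on this OU ...
(Get-Acl -Path "AD:\$targetDn").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize

# ... and the account should hold no privileged group membership at all.
Get-ADPrincipalGroupMembership -Identity $bindAccount |
    Where-Object { $_.Name -in 'Domain Admins', 'Account Operators' }
```

Two caveats that follow from the thread: the ACEs only cover user objects under the OU you pick, so the DN configured on the FortiGate must be that OU or something beneath it, and the FortiGate side still has to bind over LDAPS, since AD refuses password-set operations on an unencrypted connection regardless of how the ACL looks. After the change, remove the bind account from any group it was added to while troubleshooting; the last command should print nothing.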