LDAP lookup account considerations
(2022-02-08)
Problem
What do we have to do to permit the LDAP lookup account to be able to change passwords on the AD server?
Solution
That feature has two prerequisites:
- It works with Microsoft AD server ONLY! So the second statement on page 720 (as mentioned, I haven't checked the page content) is true, as those do not support similar functionality for other LDAP servers in the wild (Oracle, IBM, OpenLDAP, just examples). The feature was designed completely around MS AD. If you need that for other servers, please contact our sales representatives and open a New Feature Request.
- The LDAP server on the FortiGate has to be LDAP(S). As password expiry and renewal is bound to the credential handshakes, it has to be an encrypted connection. It is NOT supported on a plain unencrypted LDAP config.
Hope it clarified the info a bit.
Kind regards, Tomas
And
Active Directory has a feature called "Delegation of Control" that enables much more fine-grained control over permissions, and it's really easy to configure. (There's a "wizard".) Here is what you do:
- Launch "Active Directory Users and Computers"
- Select the object that is named by whatever you entered as "Distinguished Name" when you configured the LDAP server in FortiOS. E.g. the Users container.
- Select "Action" -> "Delegate Control". This starts the Delegate Control Wizard.
- Follow the steps. The “Reset user passwords and force password change at next logon” predefined task is what the FortiGate unit needs to be able to change passwords for an account.
Peter Værlien
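An added example (not from either reply above) for checking, from the AD side, that the delegation described in the second reply was applied to the FortiGate lookup account and nothing broader: it reads the ACL of the container named in the FortiOS "Distinguished Name" and looks for the two rights the "Reset user passwords and force password change at next logon" task grants. The container DN and account name are placeholders; the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: audit the rights delegated to the FortiGate LDAP lookup account.
# Placeholders below must be replaced with your own values.
Import-Module ActiveDirectory

$ContainerDN   = 'CN=Users,DC=example,DC=com'   # placeholder: DN configured on the FortiGate
$LookupAccount = 'EXAMPLE\svc-fortigate-ldap'   # placeholder: the LDAP lookup account

# Well-known AD GUIDs used by the "Reset user passwords and force password change
# at next logon" delegation task.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Only Allow ACEs granted to the lookup account, inherited by user objects.
$acl  = Get-Acl -Path ("AD:\" + $ContainerDN)
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $LookupAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.InheritedObjectType -eq $UserClass -or $_.InheritedObjectType -eq [Guid]::Empty)
}

# Expected: ExtendedRight on Reset Password, WriteProperty on pwdLastSet.
$hasReset = [bool]($aces | Where-Object {
    (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) -and
    $_.ObjectType -eq $ResetPasswordRight })
$hasPwdLastSet = [bool]($aces | Where-Object {
    (($_.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0) -and
    $_.ObjectType -eq $PwdLastSetAttr })

# Over-delegation check: the lookup account should not hold these on the container.
$tooBroad = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band ($Rights::GenericAll -bor $Rights::WriteDacl -bor $Rights::WriteOwner)) -ne 0
}

[PSCustomObject]@{
    Container        = $ContainerDN
    Account          = $LookupAccount
    ResetPassword    = $hasReset
    WritePwdLastSet  = $hasPwdLastSet
    OverDelegated    = [bool]$tooBroad
    BroadRights      = ($tooBroad | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join '; '
}
```

Both ResetPassword and WritePwdLastSet should come back True and OverDelegated False; the LDAPS requirement from the first reply is configured on the FortiGate and is not checked here.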