For When You Can't Have The Real Thing

LDAP lookup account considerations

Created by dave. Last edited by dave, 188 days ago. Viewed 114 times. #1
(2022-02-08)

Problem

What do we have to do to permit the LDAP lookup account to be able to change passwords on the AD server?

Solution

That feature has two prerequisites:
  1. works with Microsoft AD server ONLY!
    so the second statement on page 720 (as mentioned, I haven't checked the page content) is true, as those do not support similar functionalities for other LDAP servers in the wild (Oracle, IBM, OpenLDAP, just examples). The feature was designed completely around MS AD. If you need that for other servers, please contact our sales representatives and open a New Feature Request.
  2. LDAP server on FortiGate has to be LDAP(S)
    As password expiry and renewal is bound to the credentials handshake, it has to be an encrypted connection. It is NOT supported on a plain unencrypted LDAP config.

Hope it clarified the info a bit.

Kind regards, Tomas

And

Active Directory has a feature called "Delegation of Control" that enables much more fine-grained control over permissions, and it's really easy to configure. (There's a "wizard".) Here is what you do:
  • Launch "Active Directory Users and Computers"
  • Select the object that is named by whatever you entered as "Distinguished Name" when you configured the LDAP server in FortiOS. E.g. the Users container.
  • Select "Action" -> "Delegate Control". This starts the Delegate Control Wizard.
  • Follow the steps. The “Reset user passwords and force password change at next logon” predefined task is what the FortiGate unit needs to be able to change passwords for an account.
Peter Værlien

(both quotes share the same >>source)
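After running the Delegate Control wizard described above, it is worth checking that the lookup account holds only the rights that task grants and nothing broader. The following PowerShell audit is an added example, not from the original page, Fortinet or Microsoft; the account name and container DN are placeholders, and it assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed.

```powershell
# Added example: list the ACEs a FortiGate LDAP lookup account holds directly on the
# container named in the FortiOS "Distinguished Name" field, and flag any ACE that is
# not part of the "Reset user passwords and force password change at next logon" task.
Import-Module ActiveDirectory

$LookupAccount = 'CORP\svc-fortigate-ldap'      # placeholder: the FortiOS LDAP bind account
$ContainerDN   = 'CN=Users,DC=corp,DC=example'   # placeholder: same DN as in the FortiOS LDAP server

# Well-known AD GUIDs written by that delegation task
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

$acl  = Get-Acl -Path "AD:\$ContainerDN"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $LookupAccount }

if (-not $aces) {
    Write-Warning "No direct ACEs for $LookupAccount on $ContainerDN (rights may come via group membership)"
    return
}

foreach ($ace in $aces) {
    # ACE 1 of the task: Reset Password extended right, scoped to descendant user objects
    $isReset = $ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
               $ace.ObjectType -eq $ResetPasswordRight -and
               $ace.InheritedObjectType -eq $UserClass

    # ACE 2 of the task: read/write pwdLastSet, used to force a change at next logon
    $isPwdLastSet = $ace.ActiveDirectoryRights.HasFlag($Rights::WriteProperty) -and
                    $ace.ObjectType -eq $PwdLastSetAttr -and
                    $ace.InheritedObjectType -eq $UserClass

    # Anything else (generic write, full control, other extended rights) exceeds what
    # the FortiGate needs for password renewal and should be reviewed.
    $verdict = if ($ace.AccessControlType -eq 'Allow' -and ($isReset -or $isPwdLastSet)) { 'OK' } else { 'REVIEW' }

    [pscustomobject]@{
        Verdict         = $verdict
        Type            = $ace.AccessControlType
        Rights          = $ace.ActiveDirectoryRights
        ObjectType      = $ace.ObjectType
        InheritedObject = $ace.InheritedObjectType
        Inherited       = $ace.IsInherited
    }
}
```

Only ACEs granted directly to the account are examined; rights inherited through group membership need the same check against each group the account belongs to.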
