To configure the FortiGate unit for LDAP authentication – CLI example:
    config user ldap
        edit ourLDAPsrv
            set server 10.11.101.160
            set cnid cn
            set dn cn=users,dc=office,dc=example,dc=com
            set type regular
            set username cn=administrator,cn=users,dc=office,dc=example,dc=com
            set password w5AiGVMLkgyPQ
            set password-expiry-warning enable
            set password-renewal enable
        next
    end
password-expiry-warning and password-renewal
In SSL VPN, when an LDAP user authenticates against the LDAP server, FortiOS can pass on any pending password expiry or renewal warning the server reports. When such a warning exists, the SSL VPN user sees a prompt that allows them to change their password.
password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes.
password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.
On an OpenLDAP server, when a user attempts to log on with an expired password, they are allowed to log on, but only to change their password.
When changing passwords on a Windows AD system, the connection must be SSL-protected.
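The decision logic described above (detect an expired or must-change password from the server's error codes, then offer renewal only over an SSL-protected connection), written out as an added example. This is not FortiOS code and not part of the original page; it is a stand-alone Python model of the flow. The bind diagnostic strings are constructed samples in the format Active Directory uses ("AcceptSecurityContext error, data NNN"), the DSID and version tails are arbitrary placeholders, and the ldaps:// / ldap:// URI used to represent the "SSL-protected" check is an assumption of the example, not the FortiOS setting name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes Active Directory embeds in the diagnosticMessage of a failed
# simple bind (hex, as they appear after "data ").
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Codes meaning "credentials were right, but the password must be changed
# before logon can proceed": these are the cases a renewal prompt serves.
PASSWORD_CHANGE_CODES = {"532", "773"}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


@dataclass
class BindOutcome:
    success: bool
    subcode: Optional[str]
    reason: str
    needs_password_change: bool


def classify_bind(result_code: int, diagnostic: str) -> BindOutcome:
    """Map an LDAP bind result (resultCode + diagnosticMessage) to an outcome.
    resultCode 0 = success, 49 = invalidCredentials (AD puts the detail in
    the diagnostic text rather than in the result code)."""
    if result_code == 0:
        return BindOutcome(True, None, "bind succeeded", False)
    match = _DATA_RE.search(diagnostic)
    if result_code != 49 or not match:
        return BindOutcome(False, None, f"bind failed (resultCode {result_code})", False)
    code = match.group(1).lower()
    reason = AD_SUBCODES.get(code, f"unknown sub-code {code}")
    return BindOutcome(False, code, reason, code in PASSWORD_CHANGE_CODES)


def renewal_allowed(server_uri: str, password_renewal: bool) -> bool:
    """Password changes against AD must travel over an SSL-protected session.
    Here 'SSL-protected' is modelled as an ldaps:// URI (assumption of this
    example); over plain ldap:// the change is refused rather than sent in clear."""
    return password_renewal and server_uri.lower().startswith("ldaps://")


def sslvpn_decision(result_code: int, diagnostic: str, server_uri: str,
                    password_renewal: bool = True) -> str:
    """What the VPN front end should do with this bind result."""
    outcome = classify_bind(result_code, diagnostic)
    if outcome.success:
        return "grant"
    if outcome.needs_password_change:
        if renewal_allowed(server_uri, password_renewal):
            return "prompt-change"
        return "deny-renewal-needs-ldaps"
    return "deny"


# Constructed sample diagnostics (placeholder DSID/version tails).
EXPIRED = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 532, v3839"
MUST_CHANGE = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 773, v3839"
BAD_PASSWORD = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"

if __name__ == "__main__":
    for label, code, diag in [("expired", 49, EXPIRED), ("must-change", 49, MUST_CHANGE),
                              ("bad-password", 49, BAD_PASSWORD), ("ok", 0, "")]:
        for uri in ("ldaps://10.11.101.160", "ldap://10.11.101.160"):
            print(f"{label:12} {uri:22} -> {sslvpn_decision(code, diag, uri)}")
```

Run as a script it prints the decision for each sample against both a TLS and a plaintext server URI; the "expired" and "must-change" samples only produce a change prompt on the ldaps:// side, which is the property to verify when turning on password-renewal.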
Using the Query icon
The LDAP Distinguished Name Query list displays the LDAP directory tree for the LDAP server connected to the FortiGate unit. This helps you to determine the appropriate entry for the DN field. To see the distinguished name associated with the Common Name identifier, select the Expand icon next to the CN identifier. Select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK and the Distinguished Name you selected will be saved in the Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name, expand the Distinguished Name in the LDAP Distinguished Name Query tree.