Chapter 16 SSL VPN for FortiOS 5.0 : Basic Configuration : User accounts and groups : Authentication
  
Authentication
Remote users must be authenticated before they can request services and/or access network resources through the web portal. The authentication process can use a password defined on the FortiGate unit or optionally use established external authentication mechanisms such as RADIUS or LDAP.
To authenticate users, you can use a plain text password on the FortiGate unit (Local domain), forward authentication requests to an external RADIUS, LDAP or TACACS+ server, or utilize PKI certificates.
For information about how to create RADIUS, LDAP, TACACS+ or PKI user accounts and certificates, see the Authentication chapter of The Handbook.
 
FortiOS supports LDAP password renewal notification and updates through SSL VPN. Configuration is enabled using the CLI commands:
config user ldap
edit <username>
set password-expiry-warning enable
set password-renewal enable
end