Chapter 3 Authentication for FortiOS 5.0 : Authentication servers : LDAP servers : Configuring the FortiGate unit to use an LDAP server : password-expiry-warning and password-renewal
  
password-expiry-warning and password-renewal
In SSLVPN, an LDAP user who connects to the LDAP server can receive any pending password expiry or renewal warnings. When a password renewal or expiry warning exists, SSLVPN users see a prompt allowing them to change their password.
password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes.
password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.
 
On an OpenLDAP server, when a user attempts to log on with an expired password, they are allowed to log on, but only to change their password.
When changing passwords on a Windows AD system, the connection must be SSL-protected.
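The following FortiOS CLI fragment enables both options on an LDAP server entry. It is an added example, not text from the original handbook page. The entry name, server address, DN, bind account, and CA certificate name are placeholders, and the entry uses LDAPS because password changes on Windows AD require an SSL-protected connection.

```fortios
# Added example: all quoted values below are placeholders.
config user ldap
    edit "AD-LDAPS"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password <bind_account_password>
        # SSL-protected transport, needed for AD password changes
        set secure ldaps
        set port 636
        set ca-cert "Example_CA"
        # Detect expiring or expired passwords reported by the server
        set password-expiry-warning enable
        # Let SSLVPN users change the password when prompted
        set password-renewal enable
    next
end
```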