SSL-VPN: LDAP Users Can't Change Password
Description
LDAP users connecting through SonicWall’s SSL-VPN NetExtender cannot reset or change their passwords. This issue often occurs due to misconfigure LDAP settings or insufficient permissions for the LDAP bind user.
Cause
Root Causes
-
LDAP Bind User Privileges: The LDAP bind user is not bound with administrative privileges, as shown in TSR logs with the entry:
Bound as administrative user: NoThis indicates the bind account does not have the required permissions to manage password changes.
-
Delegated Permissions: Proper delegation has not been set up for the LDAP bind user to reset passwords in Active Directory (AD). Additionally, inheritance may not be enabled for user objects.
-
TLS Protocol: Password changes over LDAP require the connection to be secured using TLS. If TLS is not enabled, the operation fails.
1. Verify LDAP Bind User Privileges
-
Open the TSR logs in SonicWall.
-
Search for the entry:
Bound as administrative user: No. -
If the value is “No,” the bind user lacks administrative privileges.
2. Configure Administrative Privileges
Option 1: Add Bind User to Domain Admins
-
Open Active Directory Users and Computers (ADUC).
-
Add the LDAP bind user to the Domain Admins group.
Option 2: Manually Configure Administrative Privileges
-
In ADUC, locate the LDAP bind user account.
-
Open the Attribute Editor.
-
Set the
adminCountattribute value to1. 
3. Delegate Control for Password Reset
-
Open ADUC on the Windows Server.
-
Right-click on the domain name and select Delegate Control.
-
In the Wizard:
-
Add the LDAP bind user.
-
Select Reset user passwords and force password change at next logon.
-
-
Complete the wizard.
Enable Inheritance for User Objects:
-
Check the Advanced Security Settings for user accounts.
-
Enable Inheritance to propagate delegated permissions to all user objects.
-
Without inheritance, the LDAP bind user cannot reset passwords for existing accounts.
-
Note: Delete the LDAP integration , reconfigured and bind with same user account.