Creating a password changer
To create a password changer:
- Log in to FortiPAM with an account that has sufficient permission to create a password changer.
- Go to Secret Settings > Password Changers.
- Select Create to create a new password changer.
The New Password Changer window opens.
- Enter the following information:
Name
The name of the password changer.
Type
From the dropdown, select a type:
Active Directory LDAP
Open LDAP
Samba
SSH with Public Key
SSH with Password (default)
New Line Mode
Select from the following options:
CR (\r): Carriage Return (\r)
CRLF (\r\n): Carriage Return and Line Feed (\r\n) (default)
LF (\n): Line Feed (\n)
Change Auth Mode
Select from the following two options:
Association: Changing password requires credentials from the associated secret.
See Associated Secret option when Creating a secret.
Self: Secret can change its password (default).
Verify Auth Mode
Select from the following two options:
Association: Verifying password requires credentials from the associated secret.
See Associated Secret option when Creating a secret.
Self: Secret can verify its password (default).
Description
Optionally, enter a description.
Changers
The password changing procedure. See Changers.
The option is available only when the Type is SSH with Public Key or SSH with Password.
Verifiers
The password verification procedure. See Verifiers.
The option is available only when the Type is SSH with Public Key or SSH with Password.
- Click Submit.
Changers
- In step 4 when Creating a password changer, select Create in Changers.
The New Procedure window opens. By default, the Type is Execute.
Different configuration options are available according to the Type selected.
- Enter the following information:
Type
From the dropdown, select from the following options:
Execute
Expect
Expect Prompt
Command
Commands to execute on the password changer.
Valid variables are:
$USER
$PASSWORD
$PASSPHRASE
$NEWPASSWD
$NEW_PUB_KEY
$NEW_PRI_KEY
$[0].$
$PUB_KEY
Note: $[0].$ can be used when an associated secret is used. In this case, $[0].$USER means the username of the associated secret, and $[0].$PASSWORD means the password of the associated secret.
Enter $ to get the list of valid variables.
Note: The option is only available when the Type is Execute.
Response
The line prompted by the target server.
Enter $ to get the list of valid variables.
Note: The option is only available when the Type is Expect.
Execute Action
Either select Execute command unconditionally or Execute command on previous match.
Note: The option is only available when the Type is Execute.
Expect Action
From the dropdown, select from the following three options:
Abort procedure on string not matched
Continue procedure on string not matched
Abort procedure on string matched
Note: The option is only available when the Type is Expect or Expect Prompt.
Interpretation:
Select the method to interpret the expect string.
Plain: Interpret the expect string as a plain command.
Regex: Interpret the expect string as a regular expression. For example, if the response is "Current password:", then "Current", "password", and "rent" all match successfully.
Note: The option is only available when the Type is Expect.
Critical
Enable to indicate that the step is critical.
Password changing is successful when all steps before the critical step are passed. Steps after the critical step are optional; the password changer ignores the optional steps if they fail.
Delay (ms)
The maximum waiting time for the current action, in ms (default = 50, 50 - 20000).
Description
Optionally, enter a description.
To reorder the changer sequence, drag from the sequence number and then drop.
- Click OK.
From the list, select a changer and then select Edit to edit the changer. From the list, select a changer and then select Delete to delete the changer.
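The following Python model is an added example, not FortiPAM code. It treats the Regex interpretation as an unanchored search (as in the "rent" example above) and assumes each Expect step is checked against one response line, to show how a loose expect string lets a failed password change pass while an anchored one aborts. The function names and session lines are constructed for illustration.

```python
import re

# Expect Action names as listed on the page.
ABORT_NOT_MATCHED = "Abort procedure on string not matched"
CONTINUE_NOT_MATCHED = "Continue procedure on string not matched"
ABORT_MATCHED = "Abort procedure on string matched"

def regex_matches(expect, response):
    # Unanchored search: any substring hit counts, as in the page's "rent" example.
    return re.search(expect, response) is not None

def run_expect_steps(steps, responses):
    """Model of a sequence of Expect steps (assumption: one response line per step).

    steps: list of (expect_regex, expect_action).
    Returns (completed, index of the aborting step or None).
    """
    for i, ((expect, action), response) in enumerate(zip(steps, responses)):
        hit = regex_matches(expect, response)
        if action == ABORT_NOT_MATCHED and not hit:
            return False, i
        if action == ABORT_MATCHED and hit:
            return False, i
        # CONTINUE_NOT_MATCHED never aborts, whether or not the string matched.
    return True, None

# Constructed passwd-style sessions; only the last line differs.
PROMPTS = ["Current password:", "New password:", "Retype new password:"]
OK_SESSION = PROMPTS + ["passwd: password updated successfully"]
FAILED_SESSION = PROMPTS + ["passwd: password unchanged"]

def procedure(final_expect):
    # Hypothetical changer: three prompt checks, then a check on the result line.
    prompts = [("Current password:", ABORT_NOT_MATCHED),
               ("New password:", ABORT_NOT_MATCHED),
               ("Retype new password:", ABORT_NOT_MATCHED)]
    return prompts + [(final_expect, ABORT_NOT_MATCHED)]

LOOSE = procedure("password")   # also matches "password unchanged"
STRICT = procedure(r"^passwd: password updated successfully$")

if __name__ == "__main__":
    for name, steps in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "ok session:", run_expect_steps(steps, OK_SESSION))
        print(name, "failed session:", run_expect_steps(steps, FAILED_SESSION))
```

With the loose pattern the failed session still completes every step; anchoring the final expect string to the exact success message makes the last step abort instead.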
Verifiers
- In step 4 when Creating a password changer, select Create in Verifiers.
The New Procedure window opens. By default, the Type is Execute.
Different configuration options are available according to the Type selected.
- Enter the following information:
Type
From the dropdown, select from the following options:
Execute
Expect
Expect Prompt
Command
Commands to execute on the password changer.
Valid variables are:
$USER
$PASSWORD
$PASSPHRASE
$NEWPASSWD
$NEW_PUB_KEY
$NEW_PRI_KEY
$[0].$
$PUB_KEY
Note: $[0].$ can be used when an associated secret is used. In this case, $[0].$USER means the username of the associated secret, and $[0].$PASSWORD means the password of the associated secret.
Enter $ to get the list of valid variables.
Note: The option is only available when the Type is Execute.
Response
The line prompted by the target server.
Enter $ to get the list of valid variables.
Note: The option is only available when the Type is Expect.
Execute Action
Either select Execute command unconditionally or Execute command on previous match.
Note: The option is only available when the Type is Execute.
Expect Action
From the dropdown, select from the following three options:
Abort procedure on string not matched
Continue procedure on string not matched
Abort procedure on string matched
Note: The option is only available when the Type is Expect or Expect Prompt.
Critical
Enable to indicate that the step is critical.
Password verification is successful when all steps before the critical step are passed. Steps after the critical step are optional; the password verifier ignores the optional steps if they fail.
Delay
The maximum waiting time for the current action, in ms (default = 50, 50 - 20000).
Description
Optionally, enter a description.
To reorder the verifier sequence, drag from the sequence number and then drop.
- Click OK.
From the list, select a verifier and then select Edit to edit the verifier. From the list, select a verifier and then select Delete to delete the verifier.
See Automatic password changing and Automatic password verification.