For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nikolay_Matveev's avatar
Nikolay_Matveev
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

APM iRule to "replicate" password change between AD and stand-alone servers

Dear Community,   I have a quite tricky problem to solve and hope somebody can point me in right direction.   I have a single sign-on infrastructure where APM provides SSO across 3 VSs. AAA aut...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 15, 2016

Hi Nikolay,

 

If I where you, then I would turn the DB accounts into shadow accounts.

 

I would change the passwords of the DB to a value which is unknown to end users, but known by your APM (using datagroups or by using a strong and fixed password for every DB user). Then inject those DB credentials during APM logon into the session and use them whenever the user requests content from the application servers.

 

AD Account => APM Session => DB Account

 

By doing this the users would still login to your F5 using your AD credentials and every application. And they could change the AD password as usual and as often they want. But without the need for manual or automatic password replication...

 

Cheers, Kai