Forum Discussion
Change password for the users using APM in LDAP servers
Hi:
I am configuring an authentication policy in my F5 using APM. I want to know if I can change the user's password using the policy when I use an LDAP server. I have found that I can change users' passwords when it is an AD, but I can't find anything about LDAP.
- AMiles_377865 (Cirrocumulus)
Hi Gilberto,
The short answer is no.
As long as you have the "change password" option enabled on the logon page, the end user can see the option to change their password. But if you are using an LDAP server instead of an AD server, the prompt to change the password won't actually be given to the user.
I tested this in a lab environment, where I used the same exact actual server but created two different entries in APM: one as an LDAP server, and one as an AD server. Either way, the logon page presented the checkbox. But only if I was using an AD server would the checkbox actually take me to a reset password page.
This thread on devcentral explains the configuration in decent detail. Of course, the use-case for this was fairly limited in the first place, not really allowing for support of users who forgot their passwords to change it. There's been a couple of requests for greater support but I haven't seen a response or any other documentation for it.
Best of luck,
Austin
- Gilberto_383328 (Nimbostratus)
Thank you so much for your answer. Can I do something in the F5, like an iRule, to solve this problem? Or do we need to use an AD?
- AMiles_377865 (Cirrocumulus)
The main issue with recovering a forgotten password is security. It's a bit of a vicious cycle: you need to be authenticated in order to change your password, but you need your password to authenticate.
Off the top of my head, you could maybe set up some sort of API call that APM could make to the AD server. Ideally, the API call would have to:
- Somehow authenticate the user (maybe email verification, phone) without knowing the user's password
- Accept input from the user to change their password
- Log in to the AD server as an account admin
- Change the user's password to whatever they input
Like I said, there might be some issues with security and authentication.
It seems like a fairly difficult implementation; while I'm sure someone has figured something out, they haven't published it anywhere I or anyone else on Devcentral could see it. Then again, this is a little outside of my field of expertise so maybe I'm over-complicating things. Maybe someone smarter than me has figured it out and it might be worth opening another question thread on Devcentral so they can see it. There's at least a couple of other F5 users on this site that I know would be interested in the answer.
Another potential solution is, like you suggested, something with iRules. You could trigger some sort of email warning to an account admin, who could maybe reset their password in AD, and inform the user of what the reset password was. The user then uses the password given to them by the account admin to reset the password to something of their choice. Again, far from perfect as far as security, and would only really work in small environments.
Let me know if you can figure something clever out,
Austin