Forum Discussion
Seclab_Supporto
Nimbostratus
Jun 28, 2010
Intercept LDAP password expired
Hi all,
I perform LDAP authentication with a custom iRule.
I need to intercept when the LDAP password has expired... and then perform a redirect to an application to reset the password.
Someone can hel...
hoolio
Cirrostratus
Jun 29, 2010
The PAM API (which LTM uses for remote auth) seems to support an account expired message, but I'm not sure if this detail is provided by LTM. Also, you're using deprecated events for the AUTH result. In 9.4, AUTH_RESULT deprecated AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR, and AUTH_WANTCREDENTIAL. See the wiki page for details:
http://devcentral.f5.com/wiki/default.aspx/iRules/AUTH_RESULT.html
PAM API details:
http://docs.sun.com/app/docs/doc/817-0699/6mgfuai9e?a=view
PAM_ACCT_EXPIRED - User account has expired
Can you replace all of the AUTH events in your rule with AUTH_RESULT and log the output from AUTH::response_data using a loop through the array? Can you then test with an expired account and see if LTM provides any info that can be used to determine whether the account is expired?
Here's an example you can use to log the auth response data (inside the AUTH_RESULT event):
when AUTH_RESULT {
    # Save the response data to an array
    array set auth_response_data [AUTH::response_data]
    # Loop through the array and print out the names and values
    # (array names takes the array's name, not its value, so no $ here)
    foreach name [array names auth_response_data] {
        log local0. "$name = $auth_response_data($name)"
    }
}
Aaron
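A fuller sketch of the approach Aaron describes, added here as an example; it is not code from the thread or from F5. It starts LDAP authentication from HTTP_REQUEST, logs every name/value pair in AUTH::response_data when the result arrives, and redirects to a reset application only when a marker found in that log appears. The auth config name `my_ldap`, the reset URL and the `*expired*` pattern are placeholders; the status convention (0 = success, -1 = still waiting for credentials) follows the built-in _sys_auth_ldap rule. Whether LTM actually exposes an expiry indicator in the response data is the open question in the thread, so the match pattern must be set from real log output.

```tcl
# Added example (not from the thread or from F5): LDAP auth with logging of
# the PAM response data and a redirect when an expiry marker is found.
# Placeholders: "my_ldap" (auth config name), the reset URL, and the
# "*expired*" pattern, which must be taken from real log output.
when HTTP_REQUEST {
    # Basic-auth credentials are required before PAM auth is started
    if { [HTTP::username] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"LDAP\""
        return
    }
    set ldap_user [HTTP::username]
    set ldap_sid [AUTH::start pam my_ldap]
    AUTH::subscribe $ldap_sid
    AUTH::username_credential $ldap_sid [HTTP::username]
    AUTH::password_credential $ldap_sid [HTTP::password]
    AUTH::authenticate $ldap_sid
    # Hold the request until AUTH_RESULT decides what to do with it
    HTTP::collect
}

when AUTH_RESULT {
    # Only act on the result of the auth session started above
    if { ![info exists ldap_sid] || $ldap_sid != [AUTH::id] } {
        return
    }
    set status [AUTH::status]
    if { $status == -1 } {
        # More credentials wanted; nothing to decide yet
        return
    }

    # Log every name/value pair PAM handed back, so an expired
    # account can be compared against an ordinary failure.
    array set rdata [AUTH::response_data]
    set expired 0
    foreach name [array names rdata] {
        log local0. "auth response for $ldap_user: $name = $rdata($name)"
        # Placeholder pattern: replace with whatever the log shows
        # for an expired account once that has been confirmed.
        if { [string match -nocase "*expired*" $rdata($name)] } {
            set expired 1
        }
    }

    if { $status == 0 } {
        # Authenticated: release the held request to the pool
        HTTP::release
    } elseif { $expired } {
        # Send the user to the self-service reset application
        # (placeholder URL).
        log local0. "Password expired for $ldap_user, redirecting to reset"
        HTTP::redirect "https://reset.example.com/reset"
    } else {
        # Any other failure: ask for credentials again
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"LDAP\""
    }
}
```

The logging loop is the diagnostic step: run it once against a known-expired test account and a plainly wrong password, compare the two log outputs, and only then replace the placeholder pattern with the field and value that actually distinguish them. Review the logged values before leaving the loop in place, since response data from the backend may contain account details that do not belong in a long-lived log.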