Hi all, I perform LDAP authentication with a custom iRule. I need to intercept when LDAP password has expired.... and then perform a redirect to an application to reset the password. Someone can help me? Thanks, Salvatore

Hi Salvatore, Can you post the existing iRule you're using? Is this LDAP auth for an HTTP(S) application? Which LTM version are you running? Are you wanting to proxy the password reset attempt to another server or, if it is HTTP, send the client a redirect? Aaron

Hi Aron, thanks for your quick replay. Can you post the existing iRule you're using? YES, JUST A MOMENT TO OBSCURE SENSITIVE INFORMATION Is this LDAP auth for an HTTP(S) application? HTTP APPLICATION Which LTM version are you running? 10.1.0 Are you wanting to proxy the password reset attempt to another server or, if it is HTTP, send the client a redirect? WHEN PASSWORD EXPIRED I WANT REDIRECT THE CLIENT TO ANOTHER HTTP APPLICATION WHERE THE USER CAN CANGHE ITS PASSWORD I NEED ONLY TO INTERCEPT THE RESPONSE OF LDAP SERVER THAT CONTAIN THE ERROR. Thanks!!! Salvatore

I can't attach as a .txt or .zip the iRule. If I copy and paste it is not readable. I can send you by email, if you prefer. Thank

Can you post the iRule in [ code ] [ /code ] blocks (without the spaces) to preserve the formatting? Thanks, Aaron

when CLIENT_ACCEPTED { set authinsck_ldap 0 set forceauth_ldap 1 set ckname_ldap xxxxx set ckpass_ldap xxxxx set ckvalue_ldap [IP::client_addr] } when HTTP_REQUEST { set ckdomain_ldap [HTTP::host] set asid_ldap [AUTH::start pam default_ldap] if {[HTTP::cookie exists $ckname_ldap]} { log local0. "---> HTTEST Cookie esistente" HTTP::cookie decrypt $ckname_ldap $ckpass_ldap 128 log local0. "---> HTTEST Cookie DECIFRATO" if {[HTTP::cookie value $ckname_ldap] eq $ckvalue_ldap} { log local0. "---> HTTEST Cookie valido" set forceauth_ldap 0 Rimuovo Header Authorization con credenziali utente autenticato set userHT_ldap [HTTP::username] HTTP::header remove Authorization Inserisco Header per Authentication offloading HTTP::header insert Authorization "xxxxxxx" HTTP::header insert iv-user xxxxxx HTTP::header insert Via xxxxxxx } else { log local0. "---> HTTEST Cookie esistente MA NON VALIDO" } HTTP::cookie remove $ckname_ldap } else { log local0. "---> HTTEST Cookie Inesistente" } if {$forceauth_ldap eq 1} { LDAP Authentication [log local0. "---> HTTEST LDAP" AUTH::username_credential $asid_ldap [HTTP::username] AUTH::password_credential $asid_ldap [HTTP::password] AUTH::authenticate $asid_ldap HTTP::collect log local0. "---> HTTEST Invio Richiesta LDAP" } } when HTTP_RESPONSE { if { $ldap eq 1} { if {$authinsck_ldap eq 1} { HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain $ckdomain_ldap HTTP::cookie insert name $ckname_ldap value $ckvalue_ldap path / domain .xxxxxx.it HTTP::cookie secure $ckname_ldap enable HTTP::cookie encrypt $ckname_ldap $ckpass_ldap 128 log local0. "---> HTTEST Scrivo Cookie" } } } when AUTH_SUCCESS { if { $ldap eq 1} { if {$asid_ldap eq [AUTH::last_event_session_id]} { set authinsck_ldap 1 HTTP::release log local0. "---> HTTEST SUCCESSO" } } } when AUTH_FAILURE { if { $ldap eq 1} { if {$asid_ldap eq [AUTH::last_event_session_id]} { HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\"" log local0. "---> HTTEST FALLITO" } } } when AUTH_WANTCREDENTIAL { if { $ldap eq 1} { if {$asid_ldap eq [AUTH::last_event_session_id]} { HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\"" log local0. "---> HTTEST WANT CRED" set ldap 0 } } } when AUTH_ERROR { if { $ldap eq 1} { if {$asid_ldap eq [AUTH::last_event_session_id]} { HTTP::respond 401 log local0. "---> HTTEST ERROR" } } }

Intercept LDAP password expired

21 Replies

Hamish
Cirrocumulus
Jun 29, 2010
FWIW I had a similar problem using TACACS authentication with the ACA module. The response from support was that it doesn't get passed back (Of course LDAP may be different, but I suspect not).

I did actually raise a request to have this fixed, and IIRC a CR was opened for it (But low priority. Let me have a dig around and I'll see what I can find).

H
hoolio
Cirrostratus
Jul 03, 2010
Can you reset the password so it's not expired and check to what in the LDAP attributes changes?

Aaron

Seclab_Supporto

Nimbostratus

Jul 05, 2010

Following the result when the authentication successfully

Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:logonCount = 0
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:codePage = 0
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:badPasswordTime = 129224645700625000
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:name = pippo pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:cn = pippo pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:sn = pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:adminCount = 1
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:whenCreated = 20100701125950.0Z
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:pwdLastSet = 129227961255156250
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:lastLogon = 129224646042031250
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:badPwdCount = 0
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:objectClass = user
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:distinguishedName = CN=pippo pippo,CN=Users,DC=dominio,DC=test
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:memberOf = CN=Administrators,CN=Builtin,DC=dominio,DC=test
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:countryCode = 0
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:displayName = pippo pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:sAMAccountType = 805306368
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:objectGUID = √õ‚àè?≈í‚Äúk¬∏JœÄ]]√õ>√É(b
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:uSNChanged = 49161
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:lastLogoff = 0
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:userPrincipalName = pippo@dominio.test
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:givenName = pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:whenChanged = 20100705093525.0Z
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:objectCategory = CN=Person,CN=Schema,CN=Configuration,DC=dominio,DC=test
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:accountExpires = 9223372036854775807
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:userAccountControl = 512
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:primaryGroupID = 513
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:uSNCreated = 45090
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:sAMAccountName = pippo
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:objectSid =
Jul  5 11:36:27 tmm tmm[1605]: Rule LdapHT : SALVA -- ldap:attr:instanceType = 4

Seclab_Supporto
Nimbostratus
Jul 05, 2010
I think the only attribute that can be useful is ldap: attr: pwdLastSet. Calculating when the user has set the password might be possible to calculate when it expires ... not using tcl.

Is there any other solution?

Thanks, Salvatore
Hamish
Cirrocumulus
Jul 05, 2010
Have you tried logging a support call?
hoolio
Cirrostratus
Jul 05, 2010
As Hamish suggested, it would be good to open a support case to find out what kind of method F5 would recommend.

Hard coding the expire time in an iRule might work if you check if the current time minus the last change time is less than the expiry time. But that would break if the password expiry time was changed on the LDAP server.

I did notice that the attribute Rule ldap:attr:adminCount = 1 is present in the unexpired request and not present in the expired request. If that's always the case, you might be able to use that to detect an expired password.

Aaron
Seclab_Supporto
Nimbostratus
Jul 05, 2010
Have you tried logging a support call? Yes, of course. Following the response to my request of information (Case Number C706610 opened 28th July 2010): Hi Salvatore, This would be a custom iRule modification. Your best bet would be to use the resources on devcentral.f5.com - perhaps asking in the forums, or contacting our professional services team who might be able to quote you on some iRule consultancy. Regards, I'm not happy for this answer.
hoolio
Cirrostratus
Jul 05, 2010
I'd clarify with F5 Support that you're not asking them to write an iRule for you--you're trying to find out what is possible using a specific iRule command. It might help to reference Hamish's case if he can find the CR he received.

Aaron
Marco_Battagli1
Nimbostratus
Mar 13, 2014
Hi Salvatore, do you have solved this issue?

I am in the same situation.

Let me know please,

Regards, Marco
david78
Nimbostratus
Mar 13, 2014
Hi,

with APM is easy. In VPE, on a "LDAP Auth" box, add a new branch with this expression: expr { [ mcget {session.ldap.last.errmsg}] contains "password expired"

Forum Discussion

Intercept LDAP password expired

21 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

AD password expired

F5 App Study Tool with passwords stored in Vault

Password Safety & Security: Passwords vs. Passphrases

Automate scp transfers using password

DNS Interception: Protecting the Client

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS