Forum Discussion
iRules LX for APM password reset
We are attempting to use APM as a Self-Service Password Reset resolution.
I can modify Active Directory attributes thanks to this article https://devcentral.f5.com/s/articles/apm-cookbook-modify-ldap-attribute-values-using-iruleslx-21850; however, has anyone used iRules LX to reset a password?
I'll validate the user first with other methods but want to reset a forgotten password rather than the APM built-in Kerberos API reset with the current password to update to a new one.
Thanks
- JacobAxNimbostratus
Hi, if this question is still relevant, I have some incomplete code, but the password reset works; this should get you started in your development.
If you are interested, I can get back to you and post the final product once done!
Please note that this is currently in development, and validation should occur in the iRule before sending data to the workspace.
```javascript
// Turns off TLS certificate verification for every connection this process makes.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

var f5 = require('f5-nodejs');
var ldap = require('ldapjs');

const bind_url = 'ldaps url';
const bind_dn = 'enter DN';
const bind_pw = 'enter password here';

var ilx = new f5.ILXServer();
ilx.listen();

// Close the LDAP connection and log any failure to do so.
function ldap_unbind(client) {
    client.unbind(function (err) {
        if (err) {
            console.log('Error Unbinding.');
        }
    });
}

// AD expects unicodePwd as the quoted password in UTF-16LE.
// The toString() round trip preserves the bytes only for ASCII passwords.
function encodePassword(password) {
    return Buffer.from('"' + password + '"', 'utf16le').toString();
}

// Called from the iRule with params: [0] new password, [1] DN of the user.
ilx.addMethod('ldap_pwreset', function (ldap_pwreset, response) {
    var newPassword = ldap_pwreset.params()[0];
    var DN = ldap_pwreset.params()[1];

    const ldap_client = ldap.createClient({
        url: bind_url,
        // The server certificate is not verified on this connection either.
        tlsOptions: { 'rejectUnauthorized': false },
        reconnect: { initialDelay: 100, maxDelay: 1000, failAfter: 10 }
    });

    // Bind (and rebind after a reconnect) before modifying.
    ldap_client.on('connect', function () {
        ldap_client.bind(bind_dn, bind_pw, function (err) {
            if (err) {
                console.log('error while ldap binding' + err);
                ldap_unbind(ldap_client);
                response.reply(err);
                return;
            }

            const change = new ldap.Change({
                operation: 'replace',
                modification: { unicodePwd: encodePassword(newPassword) }
            });

            // Replace the password, then close the connection and report the result.
            ldap_client.modify(DN, change, function (err) {
                ldap_unbind(ldap_client);
                if (err) {
                    response.reply(err);
                } else {
                    response.reply('success');
                }
            });
        });
    });
});
```
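The reply above says validation should happen before data reaches the workspace, and the reset depends on the `unicodePwd` encoding. The following is an added example, not the poster's code, showing both in Node.js; `ALLOWED_BASE`, the length limits and the function names are assumptions chosen for illustration.

```javascript
// Added example, not the poster's code. ALLOWED_BASE and the length limits are assumptions.
const ALLOWED_BASE = 'ou=staff,dc=example,dc=com'; // hypothetical OU the service account may reset

// AD expects unicodePwd as the new password in double quotes, encoded as UTF-16LE bytes.
function encodeUnicodePwd(password) {
  return Buffer.from('"' + password + '"', 'utf16le');
}

// The bytes that result when the buffer is turned into a string with toString()
// (UTF-8 decode) and that string is then UTF-8 encoded again on its way to the wire.
function viaString(password) {
  return Buffer.from(encodeUnicodePwd(password).toString(), 'utf8');
}

// Returns a list of reasons to refuse the request; an empty list means it may proceed.
function validateResetParams(newPassword, dn) {
  if (typeof newPassword !== 'string' || typeof dn !== 'string') {
    return ['parameters must be strings'];
  }
  const errors = [];
  if (newPassword.length < 8 || newPassword.length > 128) {
    errors.push('password length out of range');
  }
  if (/[\u0000-\u001f\u007f]/.test(newPassword + dn)) {
    errors.push('control character in input');
  }
  // A backslash can escape a comma, so "cn=x\,ou=staff,..." would pass a plain
  // suffix test while naming an entry outside the OU. Refuse escapes outright.
  if (dn.includes('\\')) {
    errors.push('escaped characters in DN not accepted');
  }
  const normalized = dn.toLowerCase().replace(/\s*,\s*/g, ',');
  if (!normalized.endsWith(',' + ALLOWED_BASE)) {
    errors.push('DN outside allowed base');
  }
  return errors;
}

// Constructed sample inputs.
console.log(encodeUnicodePwd('Ab1').toString('hex'));
console.log(viaString('Pässw0rd').equals(encodeUnicodePwd('Pässw0rd')));
console.log(validateResetParams('Correct-Horse-9', 'CN=Administrator,CN=Users,DC=example,DC=com'));
```

Restricting the target DN to one base keeps the bind account from being used to reset accounts outside the intended population, even if the calling iRule passes an unexpected value.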