Forum Discussion

Simon_Waters_13's avatar
Simon_Waters_13
Icon for Cirrostratus rankCirrostratus
Jul 28, 2014

Is there an example of setting an Active Directory attribute from F5 iRule or Access Policy?

I want to set the password to be changed for an Active Directory account which I have fetched via a query.

 

The documentation for AD seems suitably dense and unreadable, but I'm fairly sure it'll eventually reveal the right setting to twiddle (probably setting pwdLastSet to "0").

 

But not sure how to do this on F5.

 

Also is the code for the APM "AD Auth" visible anywhere, as I'd like to see how it works, which would presumably answer this and other questions I have.

 

  • Hi, i have never seen that we could modify AD attributes from APM policy agent.

     

    You could eventually change it with an lDAP request using irule sideband connection if the AD allows such modification. This will need some work to create the ldap request i believe:

     

    https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx

     

  • Does this help https://devcentral.f5.com/questions/implement-apm-change-password-with-115x ?

     

    • Simon_Waters_13's avatar
      Simon_Waters_13
      Icon for Cirrostratus rankCirrostratus
      Yes, but that was the next task on my list, which is now done aside from tidying up the wording and layout and testing ;) I'm not sure if this helps for my current case or not, what I'd ideally like to do is jump into a regular "logon" screen but straight into the password change view, but I can't see how that can fit into the policy (since there seems to be interactions between the "Logon Screen, and the "AD Auth" which aren't documented or explained - it might all be in the PHP but reverse engineering it is hard).
  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus

    Does this help https://devcentral.f5.com/questions/implement-apm-change-password-with-115x ?

     

    • Simon_Waters_13's avatar
      Simon_Waters_13
      Icon for Cirrostratus rankCirrostratus
      Yes, but that was the next task on my list, which is now done aside from tidying up the wording and layout and testing ;) I'm not sure if this helps for my current case or not, what I'd ideally like to do is jump into a regular "logon" screen but straight into the password change view, but I can't see how that can fit into the policy (since there seems to be interactions between the "Logon Screen, and the "AD Auth" which aren't documented or explained - it might all be in the PHP but reverse engineering it is hard).
  • You may be able to play with the logon page and some customization to set variables to trigger the password change, for example if you set so values in logon.inc :

     

    $challenge = 1;

     

    $errorcode = 5023;

     

    $GLOBALS["set_new_password"] = 1;

     

    this is triggering automatically the password change, but i won't recommand it as it is intrusive, and may interfere with APM logon page post processing.

     

    11.5 password change feature allows you to setup a check box in the logon page or before in the vpe with a variable assign (session.logon.last.change_password 1) to allows user to change their password.

     

    But your use case would be more to allow all user to change their password (without the first logon prompt) as they currently don't know it ? is that correct ?

     

  • This one went quiet, but now we want a solution. Move to 11.6.

     

    May be there are other routes to a solution, but I think it makes sense to try and do this in the style of Arnaud's first answer - e.g. using a regular APM component, since the password change will fail sometimes, and we would want to handle those errors in the same style as when conducting a normal login.

     

    • Nick_Eoannidis's avatar
      Nick_Eoannidis
      Icon for Nimbostratus rankNimbostratus
      Did you find a solution to this Simon? It would be good if you could just do password reset for failed user login with OTP - grab username, verify user with OTP (via http or email sms) then set new password once verified.
  • heading the same route here: forgotten password => logon page with userid only => AD Query => Get user email => OTP Generate => Mail => OTP Verify => Reset Password with random value and set User Must Change Password at next logon => Email new new password to user email fetched from AD (same used in OTP step). Missing Step = Reset Password with random value and set User Must Change Password at next logon

     

    • Simon_Waters_13's avatar
      Simon_Waters_13
      Icon for Cirrostratus rankCirrostratus

      I confess we gave up trying to do this with APM, we deployed a simple webserver behind the F5 which only the F5 can talk to, and sent requests from the the F5 to this webserver to perform the password reset and toggle the must change at next login field. We used the LDAP Tool Box project as a template, and adapted it to meet our needs.

       

      It seems insane as F5 license a whole bunch of Oracle software to do precisely this kind of thing, but it didn't seem to be exposed in a sensible fashion. This seems a common use case so I'm surprised F5 haven't sorted it, but then there are a whole bunch of things APM does or doesn't do that surprise me too often. It is possible it has improved since, but I haven't seen anything obvious in 12, and the hardware we have doesn't support 13.

       

  • heading the same route here: forgotten password => logon page with userid only => AD Query => Get user email => OTP Generate => Mail => OTP Verify => Reset Password with random value and set User Must Change Password at next logon => Email new new password to user email fetched from AD (same used in OTP step). Missing Step = Reset Password with random value and set User Must Change Password at next logon

     

    • Simon_Waters_13's avatar
      Simon_Waters_13
      Icon for Cirrostratus rankCirrostratus

      I confess we gave up trying to do this with APM, we deployed a simple webserver behind the F5 which only the F5 can talk to, and sent requests from the the F5 to this webserver to perform the password reset and toggle the must change at next login field. We used the LDAP Tool Box project as a template, and adapted it to meet our needs.

       

      It seems insane as F5 license a whole bunch of Oracle software to do precisely this kind of thing, but it didn't seem to be exposed in a sensible fashion. This seems a common use case so I'm surprised F5 haven't sorted it, but then there are a whole bunch of things APM does or doesn't do that surprise me too often. It is possible it has improved since, but I haven't seen anything obvious in 12, and the hardware we have doesn't support 13.