Forum Discussion
Reset forgotten user password iRule = Sideband
My plan:
- Build a lightweight IIS web site on my Web Server
- Add code (C#) to reset the password and set 'Change Password at next logon' based on a string (username) received in the query. Example:
- Create an iRule to perform a sideband connection => send the username and get a success result
- Go on with the APM policy if the result is OK.
- User will get a random password and will be asked to change it by APM on next logon
What do you guys think?
I managed to make it work as expected. I made a web service (IIS) and added code to generate a temp random password, reset the user password using this random temp one, check the box 'User must change password at next logon' and email the temp password to the user. I forked a sideband iRule to connect to the web service through a virtual server and send the query to trigger the web service web method to do the job. The web service runs under an app pool account with the necessary rights to perform the password reset and attribute change, and returns success or failure. The returned data is processed by the iRule, and a variable is set to ok or ko and is available to the APM policy flow. The APM policy continues based on the 1/0 result => access/deny.
I now have to think of ways to make this secure. The options I see:
1. Make the web service work through HTTPS.
2. Make the web service accessible to the BIG-IP self IPs only.
3. Make the web service authenticated, maybe, and add a user and password in the sideband connection (not sure this is doable).

Please let me know if you have security lockdown options.
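One way to apply options 2 and 3 on the web service side, as an added example that is not part of the original post: the reset method acts only when the caller's source address is on an allowlist and the request carries a fresh timestamp plus an HMAC-SHA256 over username and timestamp, computed with a key shared with the BIG-IP. The class name, the parameter layout, the addresses and the key are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Hypothetical guard to call at the top of the reset web method.
public static class ResetRequestGuard
{
    // Constructed sample values: use the real BIG-IP self IPs and load the key
    // from protected configuration instead of hard-coding it.
    static readonly HashSet<IPAddress> AllowedCallers = new HashSet<IPAddress> {
        IPAddress.Parse("192.0.2.10"), IPAddress.Parse("192.0.2.11") };
    static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("constructed-demo-key");
    const long MaxSkewSeconds = 30;

    // HMAC-SHA256 over "username\ntimestamp"; the sender computes the same value.
    public static byte[] Mac(string username, long unixTime)
    {
        string msg = username + "\n" + unixTime.ToString(CultureInfo.InvariantCulture);
        using (var h = new HMACSHA256(SharedKey)) return h.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }

    public static bool IsAuthorized(IPAddress caller, string username, long unixTime,
                                    string macBase64, DateTimeOffset now)
    {
        if (caller == null || !AllowedCallers.Contains(caller)) return false;   // option 2
        if (string.IsNullOrEmpty(username) || macBase64 == null) return false;
        long age = now.ToUnixTimeSeconds() - unixTime;
        if (age > MaxSkewSeconds || age < -MaxSkewSeconds) return false;        // stale or future-dated
        byte[] given;
        try { given = Convert.FromBase64String(macBase64); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(username, unixTime);                              // option 3
        int diff = expected.Length ^ given.Length;                              // constant-time compare
        for (int i = 0; i < expected.Length && i < given.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow; long t = now.ToUnixTimeSeconds();
        string mac = Convert.ToBase64String(Mac("jdoe", t));
        Console.WriteLine(IsAuthorized(IPAddress.Parse("192.0.2.10"), "jdoe", t, mac, now));   // allowlisted caller, matching MAC
        Console.WriteLine(IsAuthorized(IPAddress.Parse("198.51.100.7"), "jdoe", t, mac, now)); // caller not on the allowlist
        Console.WriteLine(IsAuthorized(IPAddress.Parse("192.0.2.10"), "admin", t, mac, now));  // MAC was issued for another username
    }
}
```

A captured request can still be replayed inside the 30-second window; caching recently seen MACs would close that. The exchange still belongs on HTTPS so the username and MAC are not exposed in transit.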