
Integrate APM Sessions with AD Account Management

Problem this snippet solves:

This iApp queries Active Directory for any locked-out or disabled accounts, as well as accounts whose passwords have changed in the last n minutes. It then deletes any APM sessions those users may have. It was created for a large hospital in the Texas Medical Center that needed to terminate external access when MS FIM disabled or locked out an account. They also wanted to cover the case where a device is lost or stolen, so the user's password is changed to prevent unauthorized access.

Things to note

The LDAP query only looks for accounts with a userAccountControl value (see http://support.microsoft.com/kb/305144) of exactly 514. If you're using other account types (such as password never expires), you'll need to update this value.
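The following Python example, added here and not part of the iApp or F5's code, shows the logic the description above outlines: build the AD filter for disabled, locked-out and recently-changed-password accounts, then decide which APM sessions to delete. It also shows the edge case the note raises: matching userAccountControl exactly to 514 (0x200 NORMAL_ACCOUNT + 0x2 ACCOUNTDISABLE) misses disabled accounts that carry extra flags, whereas the bitwise-AND matching rule catches them. The AD entries and sessions are constructed inline; the attribute names are the standard AD ones, and the refinement that only sessions started before a password change are removed is an assumption, not something the page states.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 expressed as a FILETIME
HUNDREDS_OF_NS_PER_SECOND = 10_000_000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits (from the Microsoft KB linked on the page).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
# 514 == 0x202: a normal account with only the disabled bit set.
DISABLED_NORMAL_USER = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE

# LDAP_MATCHING_RULE_BIT_AND, the extensible-match OID AD supports for bitwise tests.
BIT_AND = "1.2.840.113556.1.4.803"


def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME integer (pwdLastSet/lockoutTime units)."""
    seconds = (dt - UNIX_EPOCH).total_seconds()
    return EPOCH_AS_FILETIME + int(seconds * HUNDREDS_OF_NS_PER_SECOND)


def build_ldap_filter(now, minutes, exact_uac=True):
    """Filter for: disabled OR locked out OR password changed in the last `minutes`."""
    since = to_filetime(now - timedelta(minutes=minutes))
    if exact_uac:
        # What the iApp does: only value 514 matches.
        disabled = f"(userAccountControl={DISABLED_NORMAL_USER})"
    else:
        # Bitwise test: any account with the disabled bit set, whatever other flags it has.
        disabled = f"(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})"
    locked = "(lockoutTime>=1)"          # AD resets lockoutTime to 0 when an account is unlocked
    pwd_changed = f"(pwdLastSet>={since})"
    return f"(&(objectClass=user)(|{disabled}{locked}{pwd_changed}))"


def flagged_accounts(entries, now, minutes, exact_uac=True):
    """Apply the same three tests locally to AD entries (dicts), mirroring the LDAP filter."""
    since = to_filetime(now - timedelta(minutes=minutes))
    flagged = {}
    for e in entries:
        uac = e["userAccountControl"]
        disabled = uac == DISABLED_NORMAL_USER if exact_uac else bool(uac & UF_ACCOUNTDISABLE)
        locked = e.get("lockoutTime", 0) >= 1
        pwd_changed = e.get("pwdLastSet", 0) >= since
        if disabled or locked or pwd_changed:
            flagged[e["sAMAccountName"]] = {"disabled": disabled, "locked": locked, "pwd_changed": pwd_changed}
    return flagged


def sessions_to_delete(entries, sessions, now, minutes, exact_uac=True):
    """Return the ids of APM sessions that should be terminated."""
    flagged = flagged_accounts(entries, now, minutes, exact_uac)
    pwd_last = {e["sAMAccountName"]: e.get("pwdLastSet", 0) for e in entries}
    doomed = []
    for s in sessions:
        reasons = flagged.get(s["user"])
        if not reasons:
            continue
        if reasons["disabled"] or reasons["locked"]:
            doomed.append(s["id"])
        elif reasons["pwd_changed"] and to_filetime(s["starttime"]) < pwd_last[s["user"]]:
            # Assumption: a session established before the password change is stale;
            # one created after it was authenticated with the new password and survives.
            doomed.append(s["id"])
    return doomed


# Constructed sample data (not from any real directory or APM deployment).
NOW = datetime(2015, 3, 11, 12, 0, tzinfo=timezone.utc)
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},                       # healthy
    {"sAMAccountName": "bob", "userAccountControl": 514, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},                       # disabled (514)
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "lockoutTime": to_filetime(NOW - timedelta(minutes=5)),
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},                       # locked out
    {"sAMAccountName": "dave", "userAccountControl": 512, "lockoutTime": 0,
     "pwdLastSet": to_filetime(NOW - timedelta(minutes=3))},                     # password just changed
    {"sAMAccountName": "erin", "userAccountControl": UF_DONT_EXPIRE_PASSWD | 514,
     "lockoutTime": 0, "pwdLastSet": to_filetime(NOW - timedelta(days=30))},     # disabled, but uac == 66050
]
SESSIONS = [
    {"id": "s1", "user": "alice", "starttime": NOW - timedelta(hours=1)},
    {"id": "s2", "user": "bob", "starttime": NOW - timedelta(hours=1)},
    {"id": "s3", "user": "carol", "starttime": NOW - timedelta(hours=1)},
    {"id": "s4", "user": "dave", "starttime": NOW - timedelta(hours=1)},   # before the change
    {"id": "s5", "user": "dave", "starttime": NOW - timedelta(minutes=1)}, # after the change
    {"id": "s6", "user": "erin", "starttime": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print(build_ldap_filter(NOW, 10))
    print("exact 514:", sessions_to_delete(ENTRIES, SESSIONS, NOW, 10))
    print("bitwise:  ", sessions_to_delete(ENTRIES, SESSIONS, NOW, 10, exact_uac=False))
```

With the exact-value filter, erin's session survives even though the account is disabled, because a "password never expires" flag pushes userAccountControl to 66050; the bitwise variant removes it. The lockoutTime test has its own caveat: AD does not clear lockoutTime when the lockout duration simply expires, so a check that must respect lockoutDuration needs to compare the two.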

Code :

Published Mar 11, 2015
Version 1.0

1 Comment

  • session.user.starttime is a standard field as of 11.5.0 and 11.6.0 at least. There should be no need for session.custom.session_create_time