APM Cookbook: Modify LDAP Attribute Values using iRulesLX

Introduction Access Policy Manager (APM) does not have the ability to modify LDAP attribute values using the native features of the product. In the past I’ve used some creative unsupported solutio...
Published Sep 27, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
cookbook
iRulesLX
Security
Slayer001's avatar
Slayer001
Icon for Cirrus rankCirrus
Dec 06, 2019

I came across this when looking for a method to let the user reset their forgotten password. Is there a way to reset the unicodePwd attribute via this method. As I get plugin[/Common/plugin_ldap_modify.ldap_modify_extension] LDAP Modify Failed. when trying this.

I found some more information regarding the unicodePwd attribute (https://ldapwiki.com/wiki/Passwords%20Using%20LDIF):

"The modify request should contain a single replace operation with the new password enclosed in quotation marks and be Base64 encoded"

I added a base64 encoded value of the password between " marks but it still fails with the same Modify failed. and following error code: setup_io: it's not allowed to set the NT hash password directly

 

I noticed that unicodePwd has 2 colons behind it when it is changed via ldapmodify to indicate the base64 encoding. I'm not very familiar with javascript but I guess that's not included in the ldap_modify_extension?