AD password expired check in Active Directory Query

Alberto_Flores · ‎18-Feb-2022

Hello i'm facing this issue and I could only find this solution.

Solved: AD password expired - DevCentral (f5.com)

For our flow is impossible to apply the same solution as we need to do that check almost at the end of the flow after dozen of other checks.

In the post is a link related with another possibility

if "pwdLastSet" + "Max-Pwd-Age" >= "now" "password is expired"

How can we translate this into the expr ?

expr {[mcget {session.logon.last.pwdLastSet + session.logon.last.maxPwdAge }] equals session.logon.last.LastLogonTimeStamp }

Is this expr correct ?

Kind regards

Sebastiansierra · ‎22-Feb-2022

Hi,

The expressión is wrong because you are trying to call some variables that doesn´t exist:

1.session.logon.last.pwdLastSet = session.ad.last.attr.pwdLastSet

2.session.logon.last.maxPwdAge= session.logon.last.attr.maxPwdAge

3.session.logon.last.LastLogonTimeStamp= session.user.starttime

So, the next step is to create an AD Query before Ad Auth and Required Attributes:

1.pwdLastSet

2.maxPwdAge

Could you try to configure the Ad Query and see if you receive the values from the AD? I´m trying to do it in my lab but for some reason, I don´t receive the maxPwdAge and I think that the problem is my AD

DevCentral

AD password expired check in Active Directory Query

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

AD password expired check in Active Directory Query

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards