
AD password expired check in Active Directory Query

Alberto_Flores
Nimbostratus

Hello, I'm facing this issue and I could only find this solution.

Solved: AD password expired - DevCentral (f5.com)

For our flow it is impossible to apply the same solution, as we need to do that check almost at the end of the flow, after a dozen other checks.
 
In the post there is a link related to another possibility:

if "pwdLastSet" + "Max-Pwd-Age" >= "now" "password is expired"

How can we translate this into the expr?

expr {[mcget {session.logon.last.pwdLastSet + session.logon.last.maxPwdAge }] equals  session.logon.last.LastLogonTimeStamp  }

Is this expr correct?

Kind regards

 

1 REPLY

Sebastiansierra
Cirrostratus

Hi,

The expression is wrong because you are trying to call some variables that don't exist:

1. session.logon.last.pwdLastSet = session.ad.last.attr.pwdLastSet

2. session.logon.last.maxPwdAge = session.logon.last.attr.maxPwdAge

3. session.logon.last.LastLogonTimeStamp = session.user.starttime

So, the next step is to create an AD Query before AD Auth and Required Attributes:

1. pwdLastSet

2. maxPwdAge

Could you try to configure the AD Query and see if you receive the values from the AD? I'm trying to do it in my lab but for some reason, I don't receive the maxPwdAge and I think that the problem is my AD.
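
The comparison asked about in this thread, as an added example that is not part of either post or of F5's own code: a stand-alone Tcl proc (hypothetical name `ad_password_expired`) that reports the password as expired once pwdLastSet plus the magnitude of maxPwdAge is at or before the current time. It assumes both values arrive as the raw AD strings; in an APM expression they would be read with `mcget` from whichever session variables the AD Query actually populates, which has to be confirmed in the session report.

```tcl
# Added example: hypothetical proc, not code from the thread or from F5.
# pwdLastSet: 100-ns ticks since 1601-01-01 UTC (0 = must change at next logon).
# maxPwdAge:  negative count of 100-ns ticks; 0 or the 64-bit minimum is
#             treated here as "passwords never expire".
proc ad_password_expired {pwdLastSet maxPwdAge nowUnix} {
    # An attribute the query did not return shows up as an empty string.
    # Fail loudly instead of letting a missing value pass as "not expired".
    if {$pwdLastSet eq "" || $maxPwdAge eq ""} {
        error "pwdLastSet or maxPwdAge missing from the query result"
    }
    set last [expr {wide($pwdLastSet)}]
    if {$last == 0} {
        return 1
    }
    # Compared as strings so the 64-bit minimum is never parsed as a number.
    if {$maxPwdAge eq "0" || $maxPwdAge eq "-9223372036854775808"} {
        return 0
    }
    set age [expr {wide($maxPwdAge)}]
    if {$age < 0} {
        set age [expr {-$age}]
    }
    # 11644473600 seconds separate 1601-01-01 from the Unix epoch.
    set lastUnix [expr {$last / 10000000 - wide(11644473600)}]
    set expiresUnix [expr {$lastUnix + $age / 10000000}]
    return [expr {$expiresUnix <= $nowUnix}]
}

# Constructed sample values: password set 2024-01-01 00:00:00 UTC, 42-day policy,
# so the expiry instant is Unix time 1707696000.
set pwdLastSet 133485408000000000
set maxPwdAge  -36288000000000
foreach now {1707695999 1707696000} {
    puts "now=$now expired=[ad_password_expired $pwdLastSet $maxPwdAge $now]"
}
puts "pwdLastSet=0 expired=[ad_password_expired 0 $maxPwdAge [clock seconds]]"
```

The proc takes maxPwdAge as an input because AD stores it on the domain object rather than on each user object. It does not look at userAccountControl, so accounts flagged as never expiring need a separate check.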