AD password expired check in Active Directory Query

Alberto_Flores · ‎18-Feb-2022

Hello i'm facing this issue and I could only find this solution.

Solved: AD password expired - DevCentral (f5.com)

For our flow is impossible to apply the same solution as we need to do that check almost at the end of the flow after dozen of other checks.

In the post is a link related with another possibility

if "pwdLastSet" + "Max-Pwd-Age" >= "now" "password is expired"

How can we translate this into the expr ?

expr {[mcget {session.logon.last.pwdLastSet + session.logon.last.maxPwdAge }] equals session.logon.last.LastLogonTimeStamp }

Is this expr correct ?

Kind regards

Sebastiansierra · ‎22-Feb-2022

Hi,

The expressión is wrong because you are trying to call some variables that doesn´t exist:

1.session.logon.last.pwdLastSet = session.ad.last.attr.pwdLastSet

2.session.logon.last.maxPwdAge= session.logon.last.attr.maxPwdAge

3.session.logon.last.LastLogonTimeStamp= session.user.starttime

So, the next step is to create an AD Query before Ad Auth and Required Attributes:

1.pwdLastSet

2.maxPwdAge

Could you try to configure the Ad Query and see if you receive the values from the AD? I´m trying to do it in my lab but for some reason, I don´t receive the maxPwdAge and I think that the problem is my AD