
AD password expired check in Active Directory Query

Alberto_Flores
Nimbostratus

Hello, I'm facing this issue and I could only find this solution.

Solved: AD password expired - DevCentral (f5.com)

For our flow it is impossible to apply the same solution, as we need to do that check almost at the end of the flow, after dozens of other checks.
 
In the post there is a link related to another possibility:

if "pwdLastSet" + "Max-Pwd-Age" >= "now" "password is expired"

How can we translate this into the expr?

expr {[mcget {session.logon.last.pwdLastSet + session.logon.last.maxPwdAge }] equals  session.logon.last.LastLogonTimeStamp  }

Is this expr correct?

Kind regards

 

1 REPLY

Hi,

The expression is wrong because you are trying to call some variables that don't exist:

1. session.logon.last.pwdLastSet = session.ad.last.attr.pwdLastSet

2. session.logon.last.maxPwdAge = session.logon.last.attr.maxPwdAge

3. session.logon.last.LastLogonTimeStamp = session.user.starttime

So, the next step is to create an AD Query before AD Auth and Required Attributes:

1. pwdLastSet

2. maxPwdAge

Could you try to configure the AD Query and see if you receive the values from the AD? I'm trying to do it in my lab but for some reason I don't receive the maxPwdAge, and I think that the problem is my AD.
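
The check discussed in this thread, as an added example that is not part of either post: AD stores pwdLastSet as a count of 100 ns ticks since 1601-01-01 UTC and maxPwdAge as a negative tick count, and maxPwdAge is an attribute of the domain object rather than of the user object, so both values have to be converted before they can be compared with the current time. The proc name, the state names and the sample values are assumptions made for the illustration; it is plain Tcl that takes the attribute values as arguments, so it can be tried in tclsh before being adapted to an access policy expression.

```tcl
# Added example: plain Tcl, runnable in tclsh. Names and sample values are constructed.
set FILETIME_EPOCH_OFFSET 11644473600 ;# seconds from 1601-01-01 to 1970-01-01
set TICKS_PER_SECOND 10000000         ;# FILETIME ticks (100 ns) per second

# Hypothetical helper. Returns ok, expired, must_change, never_expires or unknown.
#   pwdLastSet  user attribute, FILETIME ticks ("0" = must change at next logon)
#   maxPwdAge   domain policy, negative ticks ("0" or Int64 minimum = no expiry)
#   now         Unix time in seconds, e.g. [clock seconds]
proc ad_password_state {pwdLastSet maxPwdAge now} {
    global FILETIME_EPOCH_OFFSET TICKS_PER_SECOND
    # A missing attribute is passed in here as an empty string.
    # Report that instead of letting the comparison pass by accident.
    foreach value [list $pwdLastSet $maxPwdAge] {
        if {![regexp {^-?[0-9]+$} $value]} { return unknown }
    }
    if {$pwdLastSet eq "0"} { return must_change }
    if {$maxPwdAge eq "0" || $maxPwdAge eq "-9223372036854775808"} {
        return never_expires
    }
    if {$maxPwdAge > 0} { return unknown } ;# the policy value is never positive
    # Convert both values to seconds on the Unix epoch before comparing.
    set changed [expr {$pwdLastSet / $TICKS_PER_SECOND - $FILETIME_EPOCH_OFFSET}]
    set maxAge  [expr {-$maxPwdAge / $TICKS_PER_SECOND}]
    if {$now >= $changed + $maxAge} { return expired }
    return ok
}

# Constructed sample: password set at Unix time 1700000000, 42-day policy.
set pwdLastSet 133444736000000000
set maxPwdAge  -36288000000000
foreach now {1703000000 1704000000} {
    puts "now=$now -> [ad_password_state $pwdLastSet $maxPwdAge $now]"
}
puts "empty maxPwdAge -> [ad_password_state $pwdLastSet {} 1703000000]"
puts "pwdLastSet 0 -> [ad_password_state 0 $maxPwdAge 1703000000]"
```

The calculation ignores the per-account "password never expires" flag in userAccountControl and any fine-grained password policy, both of which override the domain-wide maxPwdAge.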