Forum Discussion

Cirrus

Oct 14, 2019

AD password expired

Dear all,

I've configured a portal to give my end users the possibility to change the AD password. Now I'd like to add a feature and check if the password has expired and send them on another flow. Is there a way to accomplish this with an APM Query? I was thinking to work on pwdLastSet attribute but I need to convert it and then compare it with the configured policy. Is there a way to do it in a simpler manner?

Thank you

Luca

application delivery

BIG-IP Access Policy Manager (APM)

Luca_Comes
Nov 14, 2019
Hi Dave,
thank you for your answer. I solved my problem putting an AD query block between the logon page and the authentication block, and intercepting if the last error contians the words "Password is expired". If any matches occur I will send the client to another flow where he does only AD authentication that force itself to change the password.

Luca

Luca_Comes
Cirrus
Nov 14, 2019
Hi Dave,
thank you for your answer. I solved my problem putting an AD query block between the logon page and the authentication block, and intercepting if the last error contians the words "Password is expired". If any matches occur I will send the client to another flow where he does only AD authentication that force itself to change the password.

Luca
Luca_Comes
Cirrus
Oct 30, 2019
Anyone who has some suggestions?
Dave_W
Employee
Oct 31, 2019
Hello Luca, based off this you probably do this, but I don't think it would be a simple solution:

https://ldapwiki.com/wiki/AD%20Determining%20Password%20Expiration