Forum Discussion

Laakkus
Mar 09, 2020

How to catch an expired password in APM?

I have trouble catching whether a user gets "Password has expired" on the access policy login.

The AD module handles the change-password procedure OK, BUT,

after such a change, it then forwards the OLD password used on the login page to the RADIUS server (used in 2FA).

So, what is needed is that after a password change occurs, the user is redirected to the login page (or, if the renewed password can be caught, that password is sent on to the next phase).

The apm-logs show appropriate values, BUT they don't survive the built-in AD module and are reset after the password change?

So far I've tried these (in a branch rule):

expr { [mcget {session.ad.last.errmsg}] contains "Password has expired" || [mcget {session.logon.last.change_password}] == 1 }

expr { [mcget {session.logon.last.change_password}] == 1 || [mcget {session.logon.page.errorcode}] == 1403 }

Samples from the apm-logs:

30dff639: Session variable 'session.ad.last.errmsg' set to 'Password has expired, principal name: userl@domain'

30dff639: Session variable 'session.logon.page.errorcode' set to '1403'

The change_password part works OK; it's set by the login-page checkbox and survives until the end of the session.

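As an added example (not code from the original post or from F5), here is a small Python check that reads apm-log lines in the format quoted above, groups the session-variable events per session id, and applies the same expiry test as the branch rule, so you can confirm from the logs which sessions hit the expired-password path and whether change_password was also set in them. The change_password log line and the second session id are constructed sample input, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the apm-log lines quoted in the post.
# The change_password line and session 4a1b2c3d are assumed, not from the page.
SAMPLE_LOG = """\
30dff639: Session variable 'session.ad.last.errmsg' set to 'Password has expired, principal name: userl@domain'
30dff639: Session variable 'session.logon.page.errorcode' set to '1403'
30dff639: Session variable 'session.logon.last.change_password' set to '1'
4a1b2c3d: Session variable 'session.logon.page.errorcode' set to '0'
"""

# One "Session variable '<name>' set to '<value>'" line, prefixed by the session id.
LINE_RE = re.compile(
    r"^(?P<sid>[0-9a-f]+): Session variable '(?P<var>[^']+)' set to '(?P<val>.*)'$"
)


def parse_session_vars(log_text):
    """Return {session_id: [(variable, value), ...]} in log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions[m["sid"]].append((m["var"], m["val"]))
    return dict(sessions)


def password_expired(events):
    """Same test as the branch rule: errmsg mentions expiry or errorcode is 1403."""
    return any(
        (var == "session.ad.last.errmsg" and "Password has expired" in val)
        or (var == "session.logon.page.errorcode" and val == "1403")
        for var, val in events
    )


def expired_sessions(log_text):
    """Map each session that hit the expired-password path to whether
    session.logon.last.change_password was also set to 1 in that session."""
    result = {}
    for sid, events in parse_session_vars(log_text).items():
        if password_expired(events):
            result[sid] = any(
                var == "session.logon.last.change_password" and val == "1"
                for var, val in events
            )
    return result


if __name__ == "__main__":
    print(expired_sessions(SAMPLE_LOG))
```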