Forum Discussion

Simon_Waters_13
Jul 28, 2014

Is there an example of setting an Active Directory attribute from F5 iRule or Access Policy?

I want to set the password to be changed for an Active Directory account which I have fetched via a query.

 

The documentation for AD seems suitably dense and unreadable, but I'm fairly sure it'll eventually reveal the right setting to twiddle (probably setting pwdLastSet to "0").

 

But not sure how to do this on F5.

 

Also is the code for the APM "AD Auth" visible anywhere, as I'd like to see how it works, which would presumably answer this and other questions I have.

 

14 Replies

  • Hi, I have never seen that we could modify AD attributes from an APM policy agent.

     

    You could eventually change it with an LDAP request using an iRule sideband connection, if the AD allows such modification. This will need some work to create the LDAP request, I believe:

     

    https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx

     

  • kunjan

    Does this help https://devcentral.f5.com/questions/implement-apm-change-password-with-115x ?

     

    • Simon_Waters_13
      Yes, but that was the next task on my list, which is now done aside from tidying up the wording and layout and testing ;) I'm not sure if this helps for my current case or not. What I'd ideally like to do is jump into a regular "logon" screen but straight into the password change view, but I can't see how that can fit into the policy (since there seem to be interactions between the "Logon Screen" and the "AD Auth" which aren't documented or explained - it might all be in the PHP, but reverse engineering it is hard).
  • You may be able to play with the logon page and some customization to set variables to trigger the password change, for example if you set some values in logon.inc:

     

    // Values to set in logon.inc (APM logon page customization):
    $challenge = 1;
    $errorcode = 5023;
    $GLOBALS["set_new_password"] = 1;

     

    This triggers the password change automatically, but I wouldn't recommend it as it is intrusive and may interfere with APM logon page post-processing.

     

    The 11.5 password change feature allows you to set up a check box in the logon page, or before it in the VPE with a variable assign (session.logon.last.change_password = 1), to allow users to change their password.

     

    But your use case would be more to allow all users to change their password (without the first logon prompt) as they currently don't know it? Is that correct?

     

  • This one went quiet, but now we want a solution. Move to 11.6.

     

    Maybe there are other routes to a solution, but I think it makes sense to try to do this in the style of Arnaud's first answer, e.g. using a regular APM component, since the password change will sometimes fail, and we would want to handle those errors in the same style as when conducting a normal login.

     

    • Nick_Eoannidis
      Did you find a solution to this Simon? It would be good if you could just do password reset for failed user login with OTP - grab username, verify user with OTP (via http or email sms) then set new password once verified.
  • Heading the same route here: forgotten password => logon page with userid only => AD Query => Get user email => OTP Generate => Mail => OTP Verify => Reset Password with random value and set User Must Change Password at next logon => Email new password to user email fetched from AD (same as used in OTP step). Missing step = Reset Password with random value and set User Must Change Password at next logon.

     

    • Simon_Waters_13

      I confess we gave up trying to do this with APM. We deployed a simple webserver behind the F5 which only the F5 can talk to, and sent requests from the F5 to this webserver to perform the password reset and toggle the must-change-at-next-login field. We used the LDAP Tool Box project as a template, and adapted it to meet our needs.

       

      It seems insane, as F5 licenses a whole bunch of Oracle software to do precisely this kind of thing, but it didn't seem to be exposed in a sensible fashion. This seems a common use case, so I'm surprised F5 haven't sorted it, but then there are a whole bunch of things APM does or doesn't do that surprise me too often. It is possible it has improved since, but I haven't seen anything obvious in 12, and the hardware we have doesn't support 13.
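Two of the answers above come down to the same wire-level work: Arnaud's first reply (build the LDAP request yourself and push it over an iRule sideband connection) and Simon's final post (a small backend behind the F5 that resets the password and toggles "must change at next logon"). The Python below is an added illustration, not code from the thread, from F5 or from LDAP Tool Box. It hand-encodes the LDAPv3 messages (RFC 4511 BER) for that exchange: a simple bind as a service account, a ModifyRequest replacing unicodePwd, a ModifyRequest replacing pwdLastSet with 0, and an unbind. The DNs, account names and passwords are made-up sample values, and nothing here opens a network connection; the returned byte strings are what the iRule or the backend would send.

```python
"""Raw LDAPv3 (RFC 4511) requests for an AD password reset followed by
pwdLastSet = 0 ("User must change password at next logon").

Added illustration only: not from the forum thread, F5 or LDAP Tool Box.
All DNs, account names and passwords below are made-up sample values.
"""

# ---- minimal BER encoders (just the pieces LDAP needs) ---------------------

def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (message IDs, version)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_octets(b: bytes) -> bytes:
    return tlv(0x04, b)


def ber_enum(v: int) -> bytes:
    return tlv(0x0A, bytes([v]))


def ber_seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def ber_set(*parts: bytes) -> bytes:
    return tlv(0x31, b"".join(parts))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }"""
    return ber_seq(ber_int(msg_id), protocol_op)

# ---- protocol operations ---------------------------------------------------

def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """Simple bind: [APPLICATION 0] { version 3, name, simple [0] password }."""
    op = tlv(0x60, ber_int(3) + ber_octets(bind_dn.encode())
             + tlv(0x80, password.encode()))
    return ldap_message(msg_id, op)


_OPS = {"add": 0, "delete": 1, "replace": 2}


def modify_request(msg_id: int, dn: str, changes) -> bytes:
    """ModifyRequest [APPLICATION 6]; changes = [(op, attribute, [values])]."""
    encoded = []
    for op_name, attr, values in changes:
        attribute = ber_seq(ber_octets(attr.encode()),
                            ber_set(*[ber_octets(v) for v in values]))
        encoded.append(ber_seq(ber_enum(_OPS[op_name]), attribute))
    op = tlv(0x66, ber_octets(dn.encode()) + ber_seq(*encoded))
    return ldap_message(msg_id, op)


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL."""
    return ldap_message(msg_id, bytes([0x42, 0x00]))

# ---- Active Directory specifics -------------------------------------------

def unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd takes the new password wrapped in double quotes,
    encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def reset_and_force_change(bind_dn, bind_pw, user_dn, new_password):
    """Messages for the thread's use case, in send order. An administrative
    reset is a 'replace' of unicodePwd by an account holding Reset Password
    on the user; pwdLastSet = 0 is sent as a second request so a failed
    reset leaves the flag untouched. Wait for resultCode 0 after each one."""
    return [
        bind_request(1, bind_dn, bind_pw),
        modify_request(2, user_dn,
                       [("replace", "unicodePwd", [unicode_pwd(new_password)])]),
        modify_request(3, user_dn, [("replace", "pwdLastSet", [b"0"])]),
        unbind_request(4),
    ]


if __name__ == "__main__":
    # Sample values only; no directory is contacted.
    for msg in reset_and_force_change(
            "CN=svc-pwreset,OU=Service Accounts,DC=example,DC=com", "s3rv1ce-pw",
            "CN=Jane Doe,OU=Users,DC=example,DC=com", "Temp-Pass-2014!"):
        print(msg.hex())
```

Caveats a practitioner will hit either way: a domain controller refuses a unicodePwd modification over a cleartext connection, so the bytes have to travel over LDAPS (636) or StartTLS, which is the first thing to check before committing to a plain TCP sideband; the bind account needs the Reset Password right on the target object, not just write to the attribute; and pwdLastSet = 0 has no effect on an account flagged "Password never expires". A user changing their own password is a different shape (delete the old unicodePwd value and add the new one in a single ModifyRequest), which is the case the APM change-password feature covers.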

       
