Forum Discussion

Gilberto_383328
Mar 06, 2019
Solved

Change password for the users using APM in LDAP servers

Hi:

I am configuring an authentication policy in my F5 using APM. I want to know if I can change the user's password using the policy when I use an LDAP server. I have found that I can change users' passwords when it is an AD server, but I can't find anything about LDAP.

 

  • Hi Gilberto,

     

    The short answer is no.

     

    As long as you have the "change password" option enabled on the logon page, the end user can see the option to change their password. But if you are using an LDAP server instead of an AD server, the prompt to change the password won't actually be given to the user.

     

    I tested this in a lab environment, where I used the same exact actual server but created two different entries in APM: one as an LDAP server, and one as an AD server. Either way, the logon page presented the checkbox. But only if I was using an AD server would the checkbox actually take me to a reset password page.

     

    This thread on devcentral explains the configuration in decent detail. Of course, the use-case for this was fairly limited in the first place, not really allowing for support of users who forgot their passwords to change it. There have been a couple of requests for greater support, but I haven't seen a response or any other documentation for it.

     

    Best of luck,

     

    Austin

     

3 Replies


    • Gilberto_383328

      Thank you so much for your answer. Can I do something in the F5, like an iRule, to solve this problem? Or do we need to use an AD server?

       

    • AMiles_377865

      The main issue with recovering a forgotten password is security. It's a bit of a vicious cycle: you need to be authenticated in order to change your password, but you need your password to authenticate.

       

      Off the top of my head, you could maybe set up some sort of API call that APM could make to the AD server. Ideally, the API call would have to:

       

      1. Somehow authenticate the user (maybe email verification, phone) without knowing the user's password
      2. Accept input from the user to change their password
      3. Log in to the AD server as an account admin
      4. Change the user's password to whatever they input

      Like I said, there might be some issues with security and authentication.

       

      It seems like a fairly difficult implementation; while I'm sure someone has figured something out, they haven't published it anywhere I or anyone else on Devcentral could see it. Then again, this is a little outside of my field of expertise, so maybe I'm over-complicating things. Maybe someone smarter than me has figured it out, and it might be worth opening another question thread on Devcentral so they can see it. There are at least a couple of other F5 users on this site that I know would be interested in the answer.

       

      Another potential solution is, like you suggested, something with iRules. You could trigger some sort of email warning to an account admin, who could maybe reset their password in AD and inform the user of what the reset password was. The user then uses the password given to them by the account admin to reset the password to something of their choice. Again, far from perfect as far as security, and it would only really work in small environments.

       

      Let me know if you can figure something clever out,

       

      Austin
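The four-step reset flow sketched in the reply above (verify the user out of band, accept a new password, bind as an administrator, write the change) can be modelled in code to make the security points concrete. The following is an added example written for this page; it is not APM, F5 or Devcentral code, and `Directory`, `ResetService` and the `admin_secret` value are hypothetical names. The directory is an in-memory stand-in constructed for the example; a real deployment would replace `set_password` with a password-modify operation performed over a bind with a narrowly delegated service account. The parts that address the "issues with security" mentioned in the post are the ones to note: the reset token is random, short-lived, single-use, stored only as a hash, and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600   # assumed policy: a reset token is valid for 10 minutes
MIN_PASSWORD_LENGTH = 12  # assumed policy


class Directory:
    """Constructed in-memory stand-in for the AD/LDAP server."""

    def __init__(self, admin_secret):
        self._admin_secret = admin_secret   # stand-in for the admin bind credential
        self._users = {}                    # username -> (salt, pbkdf2 hash)
        self.audit_log = []                 # every reset is recorded

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def set_password(self, admin_secret, username, new_password):
        # Step 3 of the post: only an administrative bind may reset another user's password.
        if not hmac.compare_digest(admin_secret, self._admin_secret):
            raise PermissionError("admin bind failed")
        if username not in self._users:
            raise KeyError(username)
        self.add_user(username, new_password)   # step 4: write the new credential
        self.audit_log.append(("password_reset", username))


class ResetService:
    """Hypothetical self-service reset front end sitting in front of the directory."""

    def __init__(self, directory, admin_secret, now=time.time):
        self._dir = directory
        self._admin_secret = admin_secret
        self._now = now                     # injectable clock for expiry tests
        self._pending = {}                  # username -> (sha256(token), expiry)

    def issue_token(self, username):
        # Step 1: the token is delivered out of band (e-mail, SMS) so the user
        # proves control of that channel instead of knowing the old password.
        # Only its hash is kept server-side, so a leaked table cannot be replayed.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, new_password):
        # Step 2: the user presents the token and the password they want.
        entry = self._pending.get(username)
        if entry is None:
            return "no pending reset"
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[username]
            return "token expired"
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return "invalid token"
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return "password too short"       # token stays valid for a retry
        del self._pending[username]           # single use: consume before writing
        self._dir.set_password(self._admin_secret, username, new_password)
        return "ok"


if __name__ == "__main__":
    # Constructed sample run: one user, one reset.
    directory = Directory(b"example-admin-secret")
    directory.add_user("alice", "OldPassword!2019")
    service = ResetService(directory, b"example-admin-secret")
    token = service.issue_token("alice")     # would be e-mailed to alice
    print(service.redeem("alice", token, "CorrectHorseBattery!"))
    print(directory.check_password("alice", "CorrectHorseBattery!"))
```

The admin credential never reaches the user; the service holds it and only exercises it after the out-of-band proof succeeds, which is the separation the reply calls for. The manual variant described next in the same reply (an admin resetting the password and telling the user) has the same shape without the token, and leaks the temporary password through whatever channel the admin uses.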