Forum Discussion

Steph
Aug 13, 2019

AD Query password expiring/expired: No password change request triggered

AD Query is set up with following settings:

Complexity check for Password Reset: Enabled
Prompt user to change password before expiration: 3 weeks (21)

TestUser: password expires in 14 Days

From what I could read in the configuration & VPE Guide, APM should ask the user to change his password.

This does not happen. Do I miss something?

1 Reply

Hi Steph,

What software version are you using? And could it be the case that the AD query is failing? And is the APM able to perform the following LDAP query to retrieve the password complexity settings:

Considerations for the 'Complexity check for Password Reset' setting

When the Complexity check for Password Reset setting is enabled, the BIG-IP APM system will use a Lightweight Directory Access Protocol (LDAP) searchRequest packet to attempt to retrieve the user's Distinguished Name (DN) by using the sAMAccountName attribute as a filter (sAMAccountName=<user name>). Therefore, if the user name (CN) entered in the BIG-IP APM system (during the login attempt) does not match the sAMAccountName attribute, the LDAP searchRequest packet will fail when retrieving the user DN.

As a result, the user cannot change their password and the BIG-IP APM system logs messages similar to the following example to the /var/log/apm file:

Session variable 'session.ad.last.errmsg' set to 'Password policy check error: can't get required user attribute'

See KB16806 for more information.

Cheers,

Kees
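As an added example (not code from this thread, and not F5's or APM's own logic, which this page does not show), the Python below reproduces the two things a practitioner would verify on the AD side before blaming APM: whether the test user's password really falls inside the 21-day "prompt before expiration" window, derived from the pwdLastSet, maxPwdAge and userAccountControl attributes the way AD defines them, and the (sAMAccountName=<user name>) DN lookup filter the reply describes, built with RFC 4515 escaping. The function names and the sample values are assumptions; the sample is constructed so the whole thing runs offline.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
MAXPWDAGE_NEVER = -(2 ** 63)         # maxPwdAge sentinel: no domain-level expiry

def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware datetime (100-ns units -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds) * 10

def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Expiry time of a user's password, or None if it never expires.

    max_pwd_age is the domain's maxPwdAge, which AD stores as a negative interval."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age >= 0 or max_pwd_age == MAXPWDAGE_NEVER:
        return None
    if pwd_last_set == 0:  # "user must change password at next logon"
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set - max_pwd_age)

def days_until_expiry(expiry, now):
    """Whole days left before expiry (negative once already expired)."""
    return (expiry - now).days

def should_prompt(expiry, now, prompt_days=21):
    """True when the password falls inside the 'prompt before expiration' window."""
    return expiry is not None and days_until_expiry(expiry, now) <= prompt_days

def ldap_filter_escape(value):
    """Escape a value for an LDAP filter (RFC 4515) so special characters stay literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_dn_filter(login_name):
    """The DN lookup filter the reply describes: (sAMAccountName=<user name>)."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(login_name)

# Constructed sample (not real data): password set 28 days ago, 42-day domain maxPwdAge.
NOW = datetime(2019, 8, 13, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(days=28))
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10**7
SAMPLE_EXPIRY = password_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, 0x200)
```

With the sample values the password expires in 14 days, so a 21-day window should prompt; if your user's userAccountControl carries the never-expires bit, or pwdLastSet is 0, the outcome differs and is worth checking in the AD query result first.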