IBM Verify

  • 1.  How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Wed September 23, 2020 05:13 AM
    Hello,
    We have an authentication policy that is responsible for checking login/password against our Active Directory, and handling some throttling.

    I am trying to tweak the process for some edge cases as when an AD account is flagged for mandatory password change on login.
    I haven't found any way at the moment to detect that precise case.

    Here is how we do the AD authentication in the auth policy:
    // Mapping-rule (InfoMap) JavaScript; the ISAM user-lookup helper class is imported this way
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

    // username / password are the values submitted by the login form
    var hlpr = new UserLookupHelper();
    hlpr.init(true); // Init with "Username / Password" auth mechanism
    var user = hlpr.getUser(username);
    if (user != null) {
        var authn = user.authenticate(password);
        if (authn) {
            // do what's needed for populating ISAM creds
        } else {
            // log an error and handle throttling
            // TODO detect if account is flagged for mandatory password change
        }
    }

    The documentation on the class com.ibm.security.access.user.User is very light, and most of the available properties are not documented.
    Anyway I tried a few of those properties (such as isPasswordValid()) but I haven't found any property allowing me to identify precisely the edge case I am looking for.

    Has someone handled this particular case? How could we implement a detection for this particular case?

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 02:59 AM
    Edited by Peter Volckaert Thu September 24, 2020 03:03 AM

    Hi André,

    Take a look here: https://github.com/peter-volckaert/custom-password/blob/master/mapping-rules/Infomap_CustomPassword.js
    In that Infomap I print out some things you can discover about the status of the credential.
    Here's the snippet:

    logmsg(INFO, "isAccountValid=" + user.isAccountValid() + ",isAccountLocked=" + user.isAccountLocked() + ",isAccountDisabled=" + user.isAccountDisabled());
    logmsg(INFO, "isPasswordValid=" + user.isPasswordValid() + ",isCredentialsValid=" + user.isCredentialsValid() + ",isPasswordExpiringSoon=" + user.isPasswordExpiringSoon());



    I'd suggest you embed similar logging in your code and see if any of those work for your use case.
    What's available is documented (indeed lightly...) in the User class of the JavaDoc.

    Kind regards, Peter.



    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 3.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 04:39 AM
    Hi Peter,

    Thanks for your advice. Unfortunately it doesn't allow me to discern between the following cases:
    - login with a valid userid / incorrect password
    - login with a valid userid / expired password

    I know there is some way to do it because ISVA implements it when using /pkmslogin . It returns a "HPDIA0204W The user's password has expired" error.

    How could I implement the same inside an authentication policy? Does somebody have another idea?

    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 05:07 AM
    Edited by Peter Volckaert Thu September 24, 2020 05:12 AM
    Hi André,

    What happens if you do a pdadmin login command for that user?
    If it says "expired", then you can use the pdadmin API to do the same check from within your Infomap.
    That REST API is called "Running pdadmin commands" and can be found as in the screenshot below. Click on the picture to actually see something :-) 

    I'm curious to know if this helps.
    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 5.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 09:52 AM
    Hi Peter,

    Before looking into how to implement a pdadmin call from within a "mapping rule" I tested via CLI:


    It gives the level of detail I'm looking for :)
    Thank you Peter!


    I will now have to look into how to make a pdadmin call from an infomap mapping rule. I would like to avoid having to call the LMI REST api's from within the infomap...
    If you have any example of that I would be grateful.


    Regards


    ------------------------------
    André Leruitte
    ------------------------------



  • 6.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 11:30 AM
    Hi André,

    I don't see another way to do that pdadmin login call. Indeed, you must take care of performance. On the other hand, that call only needs to be done when the user fails to authenticate. So it should not be too often...
    Now, can you also try the following: use the init() of the ULH with the whole range of params? The below is taken from the JavaDoc:

    init(java.lang.String hostname, int port, java.lang.String bindDn, java.lang.String bindDnPwd, java.lang.String keystore, java.lang.String clientCertLabel, java.lang.String searchFilter, java.lang.String mgmtDomain, int connectionTimeout, boolean loginFailuresPersistent, java.util.Properties overrideProperties) 

    So use the user's credentials for the BindDn and bindDnPwd. If you're lucky, then you might get an error code that discerns between expired and wrong. You should do this init() only after you've detected a failed authentication of course.
    Let me know if this is a good idea and if it helps.

    As for an example of calling the REST API from within an InfoMap you can look at the git repo where I pointed to earlier in this thread. It has examples on how to call OAuth API calls.

    Kind regards, Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 7.  RE: How to detect when an ActiveDirectory account has been flagged for mandatory password change ?

    Posted Thu September 24, 2020 11:32 AM
    In the meanwhile I implemented successfully the call to the pdadmin api from the infomap. When the user password is expired we can now display a proper error message.
    Next step will be to redirect the browser to a change password form :)

    But the most important was to be able to display a correct error message to the user.

    As always, thank you again for your precious inputs Peter!

    ------------------------------
    André Leruitte
    ------------------------------