 API GW Layer 7 - Send Request Control to Active Directory with LDAP Write Assertion

Dallas Schauer posted Oct 04, 2024 04:39 PM

Hello all,

I am working on an API GW service to update a user's password in Microsoft Active Directory using the Write LDAP assertion. I was able to get it to update the password, but I also need it to enforce request controls such as password history. In a normal implementation, the OID of the policy is passed along with the LDAP modify request to enforce the rule set on the DC. Is there any way to implement this using the Write LDAP assertion in API GW Layer 7 Policy Manager 11.0?

Request control examples:

[MS-ADTS]: LDAP Extended Controls | Microsoft Learn

Java example:

active directory - LDAP_SERVER_POLICY_HINTS_OID control not working in AD LDS Windows Server 2012R2 - Stack Overflow

Broadcom Employee Joseph Fry

Dallas,

I suspect this question may have been better asked simply: "How do you specify LDAP controls using the Write LDAP assertion?"

The assertion uses LDIF, so the question can be further refined to "how do you add controls to an LDIF?"  To which I would refer you to the example at the bottom of https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format.  

version: 1
dn: o=testing,dc=example,dc=com
# the control line sits between the dn and the changetype
control: 1.3.6.1.1.13.1 false cn
changetype: add
objectClass: top
objectClass: organization
o: testing

Notice the "control:" line where they specify an OID, its criticality, and the data.  I recommend reading section 4.1.12 of the RFC (http://www.faqs.org/rfcs/rfc2251.html) to understand the criticality values.

Please post back if you have success!
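To make the answer concrete for the password-reset case in the question, here is an added example (not code from the thread, from Broadcom, or from the Layer7 product) that builds the LDIF change record the Write LDAP assertion would be handed. It encodes the LDAP_SERVER_POLICY_HINTS control value from [MS-ADTS] (SEQUENCE { Flags INTEGER }, with Flags = 1 meaning "apply the domain password policy, including history, to this set operation") and writes the `control:` line in the RFC 2849 form `control: <OID> [true|false][:: base64-value]`, which differs slightly from the Wikipedia snippet above in that a value is introduced by a colon. The OIDs are the documented Microsoft ones (1.2.840.113556.1.4.2239 for Windows Server 2012 and later, 1.2.840.113556.1.4.2066 for the older deprecated form). It is an assumption, following Joseph's pointer, that the assertion forwards `control:` lines to the DC unchanged; the DN and password are placeholders.

```python
"""Build an LDIF modify record that resets an AD user's unicodePwd and
attaches the LDAP_SERVER_POLICY_HINTS control so the DC enforces the
domain password policy (history, length, complexity) on the reset.

Assumptions (not from the original thread): the Layer7 Write LDAP
assertion forwards 'control:' lines from its LDIF to the directory, and
the DN and password used below are placeholders."""
import base64

# Control OIDs as documented in [MS-ADTS]
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"            # Windows Server 2012+
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # Windows Server 2008 R2


def _der_length(n: int) -> bytes:
    """DER length octets (short form covers every value built here)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int: minimal big-endian, sign bit clear."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def policy_hints_value(flags: int = 1) -> bytes:
    """Control value: SEQUENCE { Flags INTEGER }.
    Flags = 1 tells the DC to apply password policy constraints to the change."""
    inner = der_integer(flags)
    return b"\x30" + _der_length(len(inner)) + inner


def unicode_pwd_value(password: str) -> bytes:
    """AD expects unicodePwd as the new password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def password_reset_ldif(dn: str, new_password: str, flags: int = 1,
                        oid: str = LDAP_SERVER_POLICY_HINTS_OID) -> str:
    """RFC 2849 change record: dn, then control lines, then changetype.
    'true' marks the control critical, so an older DC that does not know
    the OID rejects the request instead of silently skipping the policy check.
    '::' introduces a base64-encoded value."""
    ctrl = base64.b64encode(policy_hints_value(flags)).decode("ascii")
    pwd = base64.b64encode(unicode_pwd_value(new_password)).decode("ascii")
    return "\n".join([
        "version: 1",
        f"dn: {dn}",
        f"control: {oid} true:: {ctrl}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {pwd}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample input. Send the result over LDAPS: AD refuses
    # unicodePwd writes on an unencrypted connection.
    print(password_reset_ldif("CN=jdoe,OU=Users,DC=example,DC=com", "P@ssw0rd-2024"))
```

Two practical notes: `replace: unicodePwd` is an administrative reset, which AD normally lets bypass history and minimum age, so this control is exactly what brings those checks back; a self-service change would instead use `delete: unicodePwd` with the old value followed by `add: unicodePwd` with the new one. And marking the control critical (`true`) is the safer default here, since a DC that ignores it would accept a password the policy should have rejected.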