Layer7 API Management


 Change password of Microsoft AD user using Layer7 API Gateway

Rafael Rozendo posted Jan 26, 2024 01:39 PM

I would like to create a password reset API with Layer 7 API Gateway that would directly change the user password in a Microsoft Active Directory.

I have already done it before for CA Directory users. To accomplish this task I used the "Write LDAP" assertion that would replace the "userPassword" attribute. However, it does not seem to work for Microsoft AD. Every documentation that I encounter says that I have to invoke the IADsUser::SetPassword method in order to change the password of a Microsoft AD user (https://learn.microsoft.com/en-us/previous-versions/ms180915(v=vs.90)?redirectedfrom=MSDN). But looking at the documentation for the "Write LDAP" assertion it does not look like I can use it to invoke methods, and neither have I found an example on how to do it.

Is there any way that I can implement this password reset using only the Layer 7 API Gateway?

Thanks in advance

Broadcom Employee Joseph Fry

I have not done this myself, but I did research it a bit and came to a different conclusion:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8 states:

Active Directory supports modifying passwords on objects via the userPassword attribute, provided that (1) either the DC is running as AD LDS, or the DC is running as AD DS and the domain functional level is DS_BEHAVIOR_WIN2003 or greater, and (2) the fUserPwdSupport heuristic is true in the dSHeuristics attribute (section 6.1.1.2.4.1.2).

There are some caveats to managing AD credentials with LDAP. For example, any account in a protected group could only be managed by another account in the same or higher protected group. (https://specopssoft.com/support/en/password-reset/understanding-privileged-accounts-and-adminsdholder.htm). And I suspect you will need to use LDAPS to do password changes, unless you make some configuration changes.

What kind of errors are you seeing from both the gateway and AD itself?

Rafael Rozendo

Hi Joseph, thanks for the quick reply

In fact I was not getting any errors whatsoever. It simply didn't have any effect.

But after some digging around I managed to successfully change a password using the "Write LDAP" assertion. Instead of the "userPassword" attribute, I had to modify the "unicodePwd" attribute.

Just for future reference, the new password had to be quoted and base64 encoded using UTF-16LE.

Broadcom Employee Joseph Fry

Glad you got it figured out, and thanks for providing the solution for the next person!

Gopi ReddyIrala

@Rafael Rozendo - Can you please provide more details on the API Gateway changes to update the user's password in Active Directory?

We keep getting an error when we try to update the password. I have tried the various combinations like including the pwd within quotes, UTF-16LE etc.

I am stuck with this issue for almost 2 weeks and also reached out to Broadcom support for help, but no update for the past 2 weeks.

Any quick help is appreciated, Thanks.

Rafael Rozendo

@Gopi ReddyIrala are you using LDAPS or LDAP on the identity provider configuration? For me it only worked with LDAPS. At some point I think that I also had an error regarding an invalid certificate in my AD, so we had to fix it as well.

Additionally, we had to modify a Java config file inside the gateway because it was complaining about our AD URL. It had to do with some Java newer restrictions on LDAP URL naming scheme. To solve this issue, we had to set the following option: "Dcom.sun.jndi.ldapURLParsing=legacy". Unfortunately, I don't remember exactly which file we had to modify.

Other than that, it looks like you are doing exactly what I did: the new password had to be within quotes and base64 encoded with the "character encoding" option set to "UTF-16LE", although I'm not sure if this specific encoding is related specifically to my environment.

I am sending a screenshot of what my "Write LDAP" assertion looks like.

The identity provider must also be configured with the option "Allow updates from" checked, but I suppose you already have it done because otherwise it would probably not even show as a valid option in the "Write LDAP" assertion.

Broadcom Employee Joseph Fry

@Gopi ReddyIrala, once you have reproduced Rafael's solution, I encourage you to do a detailed write up for the next person. You are the second person this year trying to accomplish the same task, I imagine there are others. Having some detailed guidance might save the next person a lot of stress.

Broadcom Employee Gustavo Azolas

Hi,

I tested the steps mentioned here in the lab on a simple policy with the WriteLDAP assertion and it worked fine.

The first few times we got this error:
2024-09-23T11:43:40.150-0700 INFO    385 com.l7tech.server.message: Processing request for service: wldap [/wldap]
2024-09-23T11:43:40.150-0700 WARNING 385 com.l7tech.external.assertions.ldapwrite.server.ServerLdapWriteAssertion: 4: Failed to perform LDAP operation:[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0
].  Exception caught!

However, it was resolved by checking that the new password was within quotes and base64 encoded with the "character encoding" option set to "UTF-16LE".

ref: WILL_NOT_PERFORM issue

Based on that:

1. One of the options used in the lab which worked fine:

https://gwServerName:8443/wldap?userDN=CN=apigw01,CN=Users,DC=TeamAD&passwd_nocoded="7layerAP@321"

2. With all of the above in place the WriteLDAP assertion is able to set the password and any other attribute in the LDAP server.

thanks
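The following is an added example, not code from this thread, from Broadcom or from the Layer7 product: it builds the unicodePwd value the way Rafael and Gustavo describe (new password wrapped in double quotes, encoded as UTF-16LE, then base64 for the assertion's attribute field), decodes it back so a value can be sanity-checked before it is pasted into the Write LDAP assertion, emits the equivalent LDIF modify, and shows the same replace over LDAPS with the ldap3 library (assumed to be installed; it is not used by the gateway). The assumption that the gateway base64-decodes the field and sends the resulting bytes unchanged is mine, as are the sample DN and password (the DN shape and lab password are taken from Gustavo's test URL). Two caveats for anyone wiring this into a real service: AD answers with result code 53 (WILL_NOT_PERFORM) both when the value is not a quoted UTF-16LE string and when the session is not protected (plain LDAP rather than LDAPS), which is why both fixes in the thread matter; and a password passed as a URL query parameter, as in the lab URL, ends up in gateway and proxy access logs, so a production reset API should carry it in the request body.

```python
import base64
import ssl

# Constructed sample values for this example (not from any real directory).
SAMPLE_USER_DN = "CN=apigw01,CN=Users,DC=TeamAD"   # DN shape taken from the thread
SAMPLE_PASSWORD = "7layerAP@321"                    # lab password quoted in the thread


def unicode_pwd_bytes(new_password: str) -> bytes:
    """Raw value AD expects in unicodePwd: the password in double quotes,
    encoded as UTF-16LE without a byte-order mark (MS-ADTS 3.1.1.3.1.5)."""
    return f'"{new_password}"'.encode("utf-16-le")


def unicode_pwd_base64(new_password: str) -> str:
    """Value for the Write LDAP attribute field when it is entered base64
    encoded with "character encoding" set to UTF-16LE. Assumption: the gateway
    base64-decodes the field and sends the resulting bytes unchanged."""
    return base64.b64encode(unicode_pwd_bytes(new_password)).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of unicode_pwd_base64; use it to check a value before
    configuring the assertion. Raises if the framing quotes are missing."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def reset_ldif(user_dn: str, new_password: str) -> str:
    """LDIF for an administrative reset (replace of unicodePwd).
    A user changing their own password sends delete(old) + add(new) instead."""
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_base64(new_password)}\n"   # '::' marks a base64 value
        "-\n"
    )


def reset_password_ldaps(host: str, bind_dn: str, bind_password: str,
                         user_dn: str, new_password: str, ca_file: str) -> bool:
    """Perform the same replace over LDAPS with ldap3 (assumed installed).
    Certificate validation is required: AD refuses unicodePwd on an
    unprotected session, and a client that skips validation would accept
    any server presenting a certificate."""
    from ldap3 import Connection, MODIFY_REPLACE, Server, Tls  # imported lazily
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    try:
        ok = conn.modify(user_dn, {"unicodePwd": [(MODIFY_REPLACE, [unicode_pwd_bytes(new_password)])]})
        if not ok:
            # Result code 53 (WILL_NOT_PERFORM) here means a malformed value,
            # a non-confidential session, or a policy/permission refusal.
            print("modify failed:", conn.result)
        return ok
    finally:
        conn.unbind()


if __name__ == "__main__":
    value = unicode_pwd_base64(SAMPLE_PASSWORD)
    print("attribute field value:", value)
    print("round trip:", decode_unicode_pwd(value) == SAMPLE_PASSWORD)
    print(reset_ldif(SAMPLE_USER_DN, SAMPLE_PASSWORD))
```

Running the block without arguments only prints the base64 value, the round-trip check and the LDIF; reset_password_ldaps is there to show the equivalent wire operation and needs a reachable domain controller, a bind identity allowed to reset the target's password, and the CA bundle that signed the DC certificate.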

Gopi ReddyIrala

@Rafael Rozendo - Thank you so much for your help. We are able to resolve the issue with your suggestion.

We are stuck with another situation now. Do you know how to send the "AD control" settings with the LDAP Modify assertion to AD?

Please refer to the link below for more details on what we want to achieve with it.

[MS-ADTS]: LDAP_SERVER_POLICY_HINTS_OID | Microsoft Learn

Broadcom Employee Joseph Fry

Gopi ReddyIrala, please open a new question rather than changing topics. This will likely get a better response and will make it easier for anyone using this in the future to answer their own questions.