APM iRule to "replicate" password change between AD and stand-alone servers
Dear Community,
I have quite a tricky problem to solve and hope somebody can point me in the right direction.
I have a single sign-on infrastructure where APM provides SSO across 3 VSs. AAA authentication is done against AD using Kerberos. All pool members for all 3 VSs are Windows boxes but only two pools (for VS1 and VS2) contain servers which are members of the AD domain where I authenticate my clients. The last pool (used by VS3) consists of stand-alone servers with their own user account database (the DB is kept on a backend SQL server). And these servers support only form-based or Basic authentication (unfortunately it's a legacy "black box" application). All clients are external (so their PCs do not belong to the AD domain in question).
As long as a username and password match both in AD and on those stand-alone servers, everything is fine with SSO. As expected, the problem appears when a user tries to change his/her password. It gets changed in AD without any issues, but as the stand-alone servers have no means to synchronise their user DB with AD, I need some means of maintaining identical passwords across all systems. To me the most logical approach would be to create an iRule that would capture the new password when the password change dialogue is invoked by APM. Then, provided the AD password change was successful in AD, the iRule would construct a request for the VS3 that would change the password for the same username on the stand-alone servers.
The task seems doable but the questions are:
- What's the best way (iRule event/condition) to capture the moment when APM invokes that AAA AD password change form?
- How can the new password value be acquired from that form in the iRule code?
- How can a password change request be constructed for a server with form-based or Basic authentication?
Assume that accounts in AD and on the stand-alone boxes have the same user login names and initially passwords are identical.
Any advice and clues would be very much appreciated!