Forum Discussion

Roland00's avatar
Roland00
Icon for Altocumulus rankAltocumulus
Jun 21, 2024

AD/LDAP Auth on rSeries F5-OS

AD/LDAP auth on F5-OS seems unnecessarily complicated compared to how TMOS handles it. Does anyone have this working in their environment? If so, can you explain which attributes are created (F5-F5OS-UID, F5-F5OS-GID, uidNumber, gidNumber, etc.) and if they are applied directly to the AD user and/or AD group?

The config guide mentions that F5-F5OS-GID is the only required attribute (F5-F5OS-UID defaults to 1001). It's not clear to me if this attribute must be added directly to the user account or if it can be created in an AD group that the user is a member of.

Then there is a Solution Article that says LDAP requires the user have a uidNumber and gidNumber. The AD group must have a gidNumber that corresponds to the associated group ID of the F5 system role. They provide an example of a AD user and AD group showing uidNumber and gidNumber, but there is no reference to F5-F5OS-GID.

2 Replies

    • Roland00's avatar
      Roland00
      Icon for Altocumulus rankAltocumulus

      We were able to get it working, but it wasn't ideal. The short answer is the uidNumber and gidNumber attributes must be explicitly added to each AD user. We did not setup any other attributes referenced in the guide.

      For uidNumber, we just started at 1000 and sequentially worked our way up for each user. This is not ideal because according to our local AD admin, uidNumber is not a standard attribute that they can create/modify. Our local AD admin had to get our global AD admins to create the new attribute for each user. Additionally, there is no system in place in AD to auto-sequence the number, so I suppose that has to be tracked somewhere else? We have a small group of F5 admins that need access to F5OS, so it's manageable for us, but I imagine it would be a pain for a team with dozens of users.

      For gidNumber, we set 9000 for each user because the only users logging into F5OS would be administrators. Again, this attribute is not considered standard so it required escalations to get it added to our users. We initially set the gidNumber on an AD group for F5 Admins as referenced in the solution article, but it seemed pointless because we still had to explicitly set gidNumber for each user.