AD/LDAP Auth on rSeries F5-OS
AD/LDAP auth on F5-OS seems unnecessarily complicated compared to how TMOS handles it. Does anyone have this working in their environment? If so, can you explain which attributes are created (F5-F5OS-UID, F5-F5OS-GID, uidNumber, gidNumber, etc.) and if they are applied directly to the AD user and/or AD group?
The config guide mentions that F5-F5OS-GID is the only required attribute (F5-F5OS-UID defaults to 1001). It's not clear to me if this attribute must be added directly to the user account or if it can be created in an AD group that the user is a member of.
Then there is a Solution Article that says LDAP requires the user to have a uidNumber and gidNumber. The AD group must have a gidNumber that corresponds to the associated group ID of the F5 system role. They provide an example of an AD user and AD group showing uidNumber and gidNumber, but there is no reference to F5-F5OS-GID.
2 Replies
- p_schim (Nimbostratus)
Hi there! Have you been able to solve this issue?
- Roland00 (Altocumulus)
We were able to get it working, but it wasn't ideal. The short answer is that the uidNumber and gidNumber attributes must be explicitly added to each AD user. We did not set up any other attributes referenced in the guide.
For uidNumber, we just started at 1000 and sequentially worked our way up for each user. This is not ideal because according to our local AD admin, uidNumber is not a standard attribute that they can create/modify. Our local AD admin had to get our global AD admins to create the new attribute for each user. Additionally, there is no system in place in AD to auto-sequence the number, so I suppose that has to be tracked somewhere else? We have a small group of F5 admins that need access to F5OS, so it's manageable for us, but I imagine it would be a pain for a team with dozens of users.
For gidNumber, we set 9000 for each user because the only users logging into F5OS would be administrators. Again, this attribute is not considered standard so it required escalations to get it added to our users. We initially set the gidNumber on an AD group for F5 Admins as referenced in the solution article, but it seemed pointless because we still had to explicitly set gidNumber for each user.
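The per-user bookkeeping Roland00 describes (hand out the next free uidNumber, stamp every F5 admin with gidNumber 9000) can be scripted so the sequence is derived from what is already in the directory instead of tracked in a spreadsheet. The PowerShell below is an added example, not code from the thread or from F5's documentation. It assumes the ActiveDirectory module, that the RFC 2307 attributes uidNumber and gidNumber exist in the forest schema and the running account is allowed to write them (the reply above notes this needed escalation in their environment), and that the admins are members of an AD group; the group name `F5OS-Admins` is a placeholder, while the starting uid 1000 and gid 9000 come from the reply.

```powershell
# Added example (not from the thread or from F5): assign RFC 2307 uidNumber/gidNumber
# to every member of an AD group so F5OS LDAP auth can map them to the admin role.
# Assumptions: ActiveDirectory module available; uidNumber/gidNumber present in the
# schema and writable by this account; group name below is hypothetical.
#Requires -Modules ActiveDirectory
param(
    [string]$AdminGroup = 'F5OS-Admins',  # hypothetical group holding the F5OS admins
    [int]$GidNumber     = 9000,           # admin GID used in the reply above
    [int]$UidStart      = 1000,           # first uidNumber to hand out
    [switch]$WhatIf                       # dry run: show changes, write nothing
)

Import-Module ActiveDirectory

# AD does not auto-sequence uidNumber, so derive the next free value from the
# directory itself: highest uidNumber already set on any user, plus one.
$used = Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
        ForEach-Object { [int]$_.uidNumber }
$next = if ($used) { ([int]($used | Measure-Object -Maximum).Maximum) + 1 } else { $UidStart }
if ($next -lt $UidStart) { $next = $UidStart }

$members = Get-ADGroupMember -Identity $AdminGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    $user = Get-ADUser -Identity $member.distinguishedName -Properties uidNumber, gidNumber
    $changes = @{}

    # Only allocate a uid for users that do not have one yet, so re-runs are idempotent
    # and an existing uid is never reassigned.
    if (-not $user.uidNumber) { $changes['uidNumber'] = $next; $next++ }

    # Every admin gets the same gidNumber; the reply notes setting it on the group
    # alone was not enough for F5OS, so it goes on each user object.
    if ($user.gidNumber -ne $GidNumber) { $changes['gidNumber'] = $GidNumber }

    if ($changes.Count -eq 0) {
        Write-Host ("{0}: already set (uid {1}, gid {2})" -f $user.SamAccountName, $user.uidNumber, $user.gidNumber)
        continue
    }

    Set-ADUser -Identity $user -Replace $changes -WhatIf:$WhatIf
    Write-Host ("{0}: {1}" -f $user.SamAccountName,
        (($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '))
}

# Show what an LDAP client such as F5OS will read back for the group's members.
$members |
    Get-ADUser -Properties uidNumber, gidNumber |
    Select-Object SamAccountName, uidNumber, gidNumber |
    Format-Table -AutoSize
```

Run it once with `-WhatIf` to confirm which accounts would change, then without. Because the next uid is computed from the directory at run time, two admins running the script concurrently could hand out the same number; in a small team that is unlikely, but if it matters, serialize the runs or keep the allocation in one place.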