Forum Discussion
AD/LDAP authentication/authorization w/ "Remote Role Groups"
Hello,
I have been experimenting with AD/LDAP auth and have got it working to some extent. However, I am not successful in making the Remote Role Groups work.
It is just like they are not considered at all. The only way of specifying access is through the "External users" settings on the System->Users->Authentication page. If I set the default role to Guest, all users are logged in as guest, etc. I need to separate guests from administrators, and I understand that should be done with "Remote Role Groups".
If I set the "External users" to "No access" I cannot log in at all, despite the "Remote Role Group" setting.
My configuration:
tmsh show running-config /auth ldap system-auth
auth ldap system-auth {
    bind-pw $M$2E$/KZpHL0Oe8xucW3Pgj6D1Q==
    check-roles-group enabled
    login-attribute samaccountname
    search-base-dn OU=Users,OU=Country,OU=Company,DC=top,DC=domain
    servers { 10.10.10.10 }
    user-template %s@top.domain
}
tmsh show running-config /auth remote-role
auth remote-role {
    role-info {
        john.doe {
            attribute memberOF=CN=john.doe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain
            line-order 1
            role administrator
            user-partition All
        }
    }
}
5 Replies
- Ossar_178453
Altostratus
I managed to solve it by understanding better how LDAP works and some ldapsearch magic.
The trick was to have a proper memberOF parameter, i.e. John Doe was not memberOF himself, which made it not work.
- Brad_Parker
Cirrus
You can mark your answer as answered so other community members can see that it is indeed answered.
- JustCooLpOOLe
Cirrocumulus
Could you elaborate a bit on your fix? When a user is logging in, they are given the role that is applied to External Users as opposed to the role given for the Role Group.
- StacyAnn_257051
Altostratus
The trick is to add a group with the exact same name as your Active Directory group under Remote Role Groups. When adding the attribute string, be sure to use memberOf= so it will search that group for users to authenticate. Under the Authentication tab, in Remote Directory Tree, add the base DN for your AD, and be sure to set Role to "No access" under External Users. This will allow access only to the users who are in the group you specified. This link also provides some good information: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-1-0/16.html
- Abdessamad_851
Nimbostratus
Hello, do you know how to get it working when nested groups are used? I managed to make it work when the user is directly attached to a group, but it doesn't work when we should check a sub group (nested). Thanks.
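As an added example that is not part of this thread and not F5's code, the following Python models the matching the replies above describe: a role-info line matches only when its attribute=value string is literally one of the user's memberOf values, lowest line-order first, and with no match the user falls back to the External Users role (StacyAnn_257051's "No access"). It also shows the nested case Abdessamad_851 asks about: Active Directory's memberOf attribute lists direct memberships only, so a group that contains the user's group never appears on the user's own entry. The tmsh stanza, group DNs, user entries and nested layout are all constructed for the example; the parser handles only the simple one-value-per-line form shown in the thread.

```python
"""Model of the remote-role matching this thread describes.

Added example, not code from the thread or from F5. It parses an
``auth remote-role`` stanza in the tmsh format posted above, takes a
constructed directory (what ldapsearch would return for memberOf) and
reports the role the user would land in. Group names, DNs and the
nested-group layout are assumptions made up for the example.
"""
import re

# Constructed remote-role stanza in the OP's format. Unlike the OP's
# first attempt, the attribute names a GROUP's DN, not the user's own DN.
REMOTE_ROLE_CONFIG = """
auth remote-role {
    role-info {
        bigip-admins {
            attribute memberOF=CN=bigip-admins,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain
            line-order 1
            role administrator
            user-partition All
        }
        bigip-guests {
            attribute memberOF=CN=bigip-guests,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain
            line-order 2
            role guest
            user-partition Common
        }
    }
}
"""

# Constructed directory data (assumption): DN -> its DIRECT memberOf values.
# AD's memberOf holds direct memberships only, so a group that contains the
# user's group does not show up on the user's entry (the nested case).
DIRECT_MEMBER_OF = {
    "CN=john.doe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain": [
        "CN=bigip-admins,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain",
        "CN=Domain Users,CN=Users,DC=top,DC=domain",
    ],
    "CN=jane.roe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain": [
        "CN=net-team,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain",
    ],
    # net-team is itself a member of bigip-admins.
    "CN=net-team,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain": [
        "CN=bigip-admins,OU=Groups,OU=Country,OU=Company,DC=top,DC=domain",
    ],
}

ROLE_RE = re.compile(
    r"(\S+)\s*\{\s*attribute\s+(\S+)\s+line-order\s+(\d+)\s+"
    r"role\s+(\S+)\s+user-partition\s+(\S+)\s*\}"
)


def norm_dn(dn):
    """LDAP DNs compare case-insensitively; also drop spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_role_info(config):
    """Return the role-info lines, lowest line-order first."""
    entries = []
    for name, attr, order, role, partition in ROLE_RE.findall(config):
        attr_name, _, attr_value = attr.partition("=")  # keep '=' inside the DN
        entries.append({
            "name": name,
            "attr": attr_name.lower(),  # memberOF vs memberOf: attribute names are case-insensitive
            "value": norm_dn(attr_value),
            "line_order": int(order),
            "role": role,
            "partition": partition,
        })
    return sorted(entries, key=lambda e: e["line_order"])


def transitive_member_of(user_dn, direct=DIRECT_MEMBER_OF):
    """Expand nested membership, i.e. what a server-side chained query
    (member:1.2.840.113556.1.4.1941:=<userDN>) returns, not what memberOf holds."""
    seen, todo = [], list(direct.get(user_dn, []))
    while todo:
        group = todo.pop(0)
        if group in seen:
            continue
        seen.append(group)
        todo.extend(direct.get(group, []))
    return seen


def resolve_role(user_dn, config, external_default="No access", nested=False):
    """First role-info line whose value is among the user's memberOf values wins;
    with no match the External Users role applies. nested=True substitutes the
    transitively expanded group list for the raw memberOf attribute."""
    groups = transitive_member_of(user_dn) if nested else DIRECT_MEMBER_OF.get(user_dn, [])
    entry = {"memberof": {norm_dn(g) for g in groups}}
    for line in parse_role_info(config):
        if line["value"] in entry.get(line["attr"], set()):
            return line["role"], line["partition"]
    return external_default, None


if __name__ == "__main__":
    john = "CN=john.doe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain"
    jane = "CN=jane.roe,OU=Users,OU=Country,OU=Company,DC=top,DC=domain"
    print("john, direct member of group :", resolve_role(john, REMOTE_ROLE_CONFIG))
    print("jane, nested membership only :", resolve_role(jane, REMOTE_ROLE_CONFIG))
    print("jane, membership expanded    :", resolve_role(jane, REMOTE_ROLE_CONFIG, nested=True))
    # The OP's first attempt: the attribute pointed at the user's own DN,
    # which is never one of the user's memberOf values.
    broken = REMOTE_ROLE_CONFIG.replace("CN=bigip-admins,OU=Groups", "CN=john.doe,OU=Users")
    print("john, attribute = own DN     :", resolve_role(john, broken))
```

To check a real directory instead of the constructed one, pull the user's memberOf values with a bind account and compare them, character for character after the `memberOf=` prefix, with the attribute string in the role-info line, for example `ldapsearch -x -H ldap://10.10.10.10 -D 'bind@top.domain' -W -b 'OU=Users,OU=Country,OU=Company,DC=top,DC=domain' '(sAMAccountName=john.doe)' memberOf`. If the group you expect is only reachable through another group, it will be missing from that output, which is exactly the nested case above.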