Forum Discussion
daniel_spillers
Nimbostratus
Jun 15, 2012
Admin Users Remote LDAP + role groups
BIGIP LTM version: 11.1
LDAP flavor: OpenLDAP, OpenDS, etc (not Active Directory)
Admin section: System > Users
The Remote - LDAP authentication method's remote role group feature is focused around user attributes, and does not implement a group model (e.g., to check an LDAP group's list of uniqueMembers). When someone logs in, BIGIP uses an LDAP query that returns ALL ('*') standard attributes on that user. Operational attributes are not retrieved unless specifically requested (this is default LDAP behavior).
isMemberOf is a popular operational attribute that is automatically set on a user when the user is added as a uniqueMember of an LDAP group. This is hugely useful when applications only implement a user attribute-based query, like BIGIP. It automatically and easily exposes a group model via the user. Active Directory does this, but through a standard attribute. The LDAP standard, however, is to expose these kinds of dynamically-generated values as operational attributes (which makes a lot of sense).
I want to manage my users as group members, and be able to use that membership in BIGIP's admin interface for role assignment. Without a group model, I am restricted to user attributes.
That's fine, except I can't specify which attributes I want to retrieve. This means that operational attributes like isMemberOf are not usable by BIGIP to determine remote role groups membership.
I can see three solutions in order to make LDAP group models instantly useful for BIGIP remote roles, and I'm curious if anyone has any other ideas:
1) f5: allow me to specify the attributes (in addition to any required attributes like cn, uid, etc.) that I want retrieved instead of the default ALL '*' query
2) f5: modify the default ALL query to ask for standard and operational attributes (an ldapsearch format would be: '*' '+'); or allow me to toggle "retrieve operational attributes" on/off, which would add the '+' signifier to the query
3) me: implement a redundant user attribute synchronization model on my LDAP to replicate isMemberOf to a standard attribute like memberOf.
5 Replies
- hoolio
Cirrostratus
Hi Daniel,
I think this is good feedback. I suggest opening a case with F5 Support to get their thoughts and possibly open a request for enhancement.
Aaron
- daniel_spillers
Nimbostratus
Will do. I wanted to do my due diligence in case someone out in the community had already found a workaround.
- Hello Daniel,
Did you ever submit a case for this? We're limited by the same issue (OpenLDAP doesn't have an isMemberOf function), and it would be nice to use LDAP groups as we have a large number of admins at various skill levels across a large number of devices.
Thanks,
Josh Becigneul
- Hamish
Cirrocumulus
isMemberOf isn't a function... It's an attribute of the object. You can simply add a new attribute to the existing objects if an ldap implementation doesn't have it, or if the implementation doesn't autopopulate operational attributes...
If you want the attribute to be auto-populated when a user is added to a group object, you can setup a quick program to do a persistent search and update in 'real-time'.
H
- daniel_spillers
Nimbostratus
I did indeed submit a case, and the f5 rep told me that there was an RFE created.
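The two mechanisms this thread turns on, as an added example that is not part of the thread and not F5 or OpenLDAP code: first, the LDAP attribute-selection rules the original post describes (an empty attribute list or '*' returns user attributes only, '+' returns operational attributes, and an operational attribute such as isMemberOf comes back only when '+' or its name is requested); second, the "option 3" workaround that Hamish's reply also points at, a sync job that derives a standard memberOf attribute from each group's uniqueMember list so a client that only fetches user attributes can see membership. The directory, DNs, group names and the helper names `read_entry`, `sync_member_of` and `role_for` are all constructed for the demo; `role_for` is a stand-in for an attribute-based role rule, not BIG-IP's actual matching code.

```python
"""In-memory model of LDAP attribute selection plus a memberOf sync job.

Added example, not code from the thread, F5 or OpenLDAP. Selection rules
follow RFC 4511 ('*' / empty list = user attributes) and RFC 3673 ('+' =
operational attributes). All DNs and values below are constructed.
"""
from __future__ import annotations

GROUP_DN = "cn=bigip-admins,ou=groups,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"

# Constructed directory: each entry keeps user and operational attributes apart,
# the way a server does. isMemberOf is maintained by the server, not the admin.
DIRECTORY: dict[str, dict[str, dict[str, list[str]]]] = {
    ALICE_DN: {
        "user": {"uid": ["alice"], "cn": ["Alice Example"],
                 "objectClass": ["inetOrgPerson"]},
        "operational": {"entryUUID": ["0000-alice"], "isMemberOf": [GROUP_DN]},
    },
    BOB_DN: {
        "user": {"uid": ["bob"], "cn": ["Bob Example"],
                 "objectClass": ["inetOrgPerson"]},
        "operational": {"entryUUID": ["0000-bob"], "isMemberOf": []},
    },
    GROUP_DN: {
        "user": {"cn": ["bigip-admins"], "objectClass": ["groupOfUniqueNames"],
                 "uniqueMember": [ALICE_DN]},
        "operational": {"entryUUID": ["0000-grp"]},
    },
}


def read_entry(dn: str, attrs: list[str]) -> dict[str, list[str]]:
    """Return one entry's attributes, applying the LDAP selection rules.

    attrs == []      -> all user attributes (the default "ALL" query)
    '*' in attrs     -> all user attributes
    '+' in attrs     -> all operational attributes
    explicit name    -> that attribute, whether user or operational
    """
    user, oper = DIRECTORY[dn]["user"], DIRECTORY[dn]["operational"]
    wanted = attrs or ["*"]
    result: dict[str, list[str]] = {}
    if "*" in wanted:
        result.update(user)
    if "+" in wanted:
        result.update(oper)
    for name in wanted:
        if name in ("*", "+"):
            continue
        if name in user:
            result[name] = user[name]
        elif name in oper:
            result[name] = oper[name]
    return result


def sync_member_of(group_attr: str = "uniqueMember",
                   target_attr: str = "memberOf") -> int:
    """Derive a standard attribute from group member lists (thread option 3).

    Recomputes target_attr for every user from scratch, so a user removed
    from a group also loses the value; stale values are the classic bug in
    hand-rolled sync jobs. Returns the number of user entries changed.
    """
    membership: dict[str, list[str]] = {}
    for dn, entry in DIRECTORY.items():
        for member in entry["user"].get(group_attr, []):
            membership.setdefault(member, []).append(dn)
    touched = 0
    for dn, entry in DIRECTORY.items():
        if "groupOfUniqueNames" in entry["user"].get("objectClass", []):
            continue  # only user entries receive the derived attribute
        new = sorted(membership.get(dn, []))
        if entry["user"].get(target_attr, []) != new:
            touched += 1
            if new:
                entry["user"][target_attr] = new
            else:
                entry["user"].pop(target_attr, None)  # no empty attributes
    return touched


def role_for(dn: str, attr: str, value: str, role: str,
             default: str = "no-access") -> str:
    """Stand-in for an attribute-based remote role rule: grant `role` only if
    the default (user-attributes-only) query returns attr=value."""
    return role if value in read_entry(dn, []).get(attr, []) else default


if __name__ == "__main__":
    print("default query:", sorted(read_entry(ALICE_DN, [])))       # no isMemberOf
    print("'*' '+' query:", sorted(read_entry(ALICE_DN, ["*", "+"])))
    print("explicit     :", read_entry(ALICE_DN, ["isMemberOf"]))
    print("before sync  :", role_for(ALICE_DN, "memberOf", GROUP_DN, "Administrator"))
    print("entries synced:", sync_member_of())
    print("after sync   :", role_for(ALICE_DN, "memberOf", GROUP_DN, "Administrator"))
```

Running the block shows the gap the thread describes: the default query never carries isMemberOf, the '*' '+' form does, and after one pass of `sync_member_of` the same default query exposes memberOf, so an attribute-only role rule can match it. A second pass changes nothing, which is the property a real sync job against OpenLDAP or OpenDS should keep as well.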