Forum Discussion
daniel_spillers
Jun 15, 2012Nimbostratus
Admin Users Remote LDAP + role groups
BIGIP LTM version: 11.1
LDAP flavor: OpenLDAP, OpenDS, etc (not Active Directory)
Admin section: System > Users
The Remote - LDAP authentication method's remote role group feature is focused around user attributes, and does not implement a group model (e.g., to check an LDAP group's list of uniqueMembers). When someone logs in, BIGIP uses a LDAP query that returns ALL ('*') standard attributes on that user. Operational attributes are not retrieved unless specifically requested (this is default LDAP behavior).
isMemberOf is a popular operational attribute that is automatically set on a user when the user is added as a uniqueMember of an LDAP group. This is hugely useful when applications only implement a user attribute-based query, like BIGIP. It automatically and easily exposes a group model via the user. Active Directory does this, but through a standard attribute. The LDAP standard, however, is to expose these kinds of dynamically-generated values as operational attributes (which makes a lot of sense).
I want to manage my users as group members, and be able to use that membership in BIGIP's admin interface for role assignment. Without a group model, I am restricted to user attributes.
That's fine, except I can't specify which attributes I want to retrieve. This means that operational attributes like isMemberOf are not usable by BIGIP to determine remote role groups membership.
I can see three solutions in order to make LDAP group models instantly useful for BIGIP remote roles, and I'm curious if anyone has any other ideas:
1) f5: allow me to specify the attributes (in addition to any required attributes like cn, uid, etc.) that I want retrieved instead of the default ALL '*' query
2) f5: modify the default ALL query to ask for standard and operational attributes (an ldapsearch format would be: '*' '+'); or allow me to toggle "retrieve operational attributes" on/off, which would add the '+' signifier to the query
3) me: implement a redundant user attribute synchronization model on my LDAP to replicate isMemberOf to a standard attribute like memberOf.
- hooleylistCirrostratusHi Daniel,
- daniel_spillersNimbostratusWill do. I wanted to do my due diligence in case someone out in the community had already found a workaround.
- Hello Daniel,
- HamishCirrocumulusisMemberOf isn't a function... It's an attribute of the object. You can simply add a new attribute to the existing objects if an ldap implementation doesn't have it, or if the implementation doesn't autopopulate operational attributes...
- daniel_spillersNimbostratusI did indeed submit a case, and the f5 rep told me that there was an RFE created.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects