Forum Discussion
Authentication: Remote - Active directory + Microsoft RBAC
This issue was resolved via F5 support, who advised me to modify the configuration in "remote role group" to add "memberOf=" in front of the group name I entered in the attribute string field for the defined group. This allowed me to log in with a user in Active Directory that was explicitly assigned to the group in question.
Bad example:
CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local
Working example:
memberOf=CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local
I have, however, discovered that if you have this group in another nested group within Active Directory, authentication still fails. From what I have researched, the limited scope available in the LDAP configuration is lacking the "recursive" query option for LDAP.
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/auth/auth_ldap.html?highlight=ldap
This document shows that even at the CLI configuration within TMSH the only options for query scope are:
scope [base | one | sub]
The good news is, this particular issue of group configuration has been resolved, but the new issue of nested group memberships is still broken to my knowledge.
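As an added example (not part of this DevCentral post), the following is a small offline Python model of the behaviour described above: a one-level `memberOf=` attribute check against the user's own entry, compared with a recursive walk of nested groups. The directory entries, user names and the NetOps group are constructed sample data, and the attribute-string parsing is an assumption about how such a check behaves, not BIG-IP's actual implementation.

```python
# Added example, constructed data: models direct vs nested AD group membership.
GROUP_DN = "CN=F5Admins,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local"
NESTED_DN = "CN=NetOps,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local"
ALICE_DN = "CN=alice,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local"
BOB_DN = "CN=bob,OU=<myDomain> Users & Groups,DC=<myDomain>,DC=local"

# Constructed directory: DN -> attributes (only memberOf matters here).
DIRECTORY = {
    ALICE_DN: {"memberOf": [GROUP_DN]},    # explicitly a member of F5Admins
    BOB_DN: {"memberOf": [NESTED_DN]},     # only in NetOps, which sits in F5Admins
    NESTED_DN: {"memberOf": [GROUP_DN]},   # NetOps is nested inside F5Admins
    GROUP_DN: {"memberOf": []},
}


def direct_match(user_dn: str, attr_string: str) -> bool:
    """One-level check (assumed model): split 'attr=value' and test whether the
    user's own entry carries that value. The post's bad example, with no
    'memberOf=' prefix, is parsed here as attribute 'CN', so it never matches.
    Nested membership is not followed, which is the failure the post describes."""
    attr, _, value = attr_string.partition("=")
    return value in DIRECTORY.get(user_dn, {}).get(attr, [])


def recursive_match(user_dn: str, group_dn: str, seen=None) -> bool:
    """Follow memberOf chains so groups nested inside group_dn also count.
    'seen' guards against cyclic nesting; this is what a recursive option
    would have to do for the nested case to succeed."""
    if seen is None:
        seen = set()
    for group in DIRECTORY.get(user_dn, {}).get("memberOf", []):
        if group == group_dn:
            return True
        if group not in seen:
            seen.add(group)
            if recursive_match(group, group_dn, seen):
                return True
    return False


if __name__ == "__main__":
    for user in (ALICE_DN, BOB_DN):
        print(user.split(",")[0],
              "bad:", direct_match(user, GROUP_DN),
              "working:", direct_match(user, "memberOf=" + GROUP_DN),
              "recursive:", recursive_match(user, GROUP_DN))
```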