Forum Discussion
LDAP admin authentication - nested group membership
Dear,
I would like to give access to a BIG-IP (running version 12.1.0) to users based on their group membership.
I have authentication working fine, and I can get group membership if the group is directly assigned to the user.
But I can't find a way to instruct the F5 to do recursive queries on nested groups.
auth ldap system-auth {
    bind-dn
    bind-pw *****
    check-roles-group enabled
    debug enabled
    login-attribute sAMAccountName
    search-base-dn
    servers { }
    user-template %s@
}
auth remote-role {
    role-info {
        Admins {
            attribute memberOf=
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
    }
}
Thanks for your assistance.
- Greg_Burch
Nimbostratus
Did anyone ever supply an answer to this question?
- Daniel_Elkins
Nimbostratus
Working with version 15.1.0.5-0.0.0.8 I still have this issue. I have yet to find a recursive function, which prevents me from authenticating via LDAP due to my Active Directory membership policies using nested groups. When researching the TMSH documentation for 15.x, I see the only options for scope are "scope [base | one | sub]", which means they are not allowing recursive lookups. That does not necessarily mean it doesn't exist, as there are sometimes hidden CLI commands to perform magic ... but for public consumption it appears they still do not support recursive LDAP queries.