Forum Discussion

Abdessamad1's avatar
Icon for Cirrostratus rankCirrostratus
Jun 02, 2016

LDAP admin authentication - nested group membership


I would like to give access to a BIG-IP (running version 12.1.0) to users based on their group membership.

I have authentication working fine, and I can get group membership if the group directly assigned to the user.

But it I don't find a way to instruct the F5 to do recursive queries on nested groups.

auth ldap system-auth {
    bind-pw *****
    check-roles-group enabled
    debug enabled
    login-attribute sAMAccountName
    servers {  }
    user-template %s@
auth remote-role {
    role-info {
        Admins {
            attribute memberOf=
            console tmsh
            line-order 1
            role administrator
            user-partition All

Thanks for your assistance.

2 Replies

  • Working with version I still have this issue, I have yet to find a recursive function, which prevents me from authenticating via LDAP due to my Active Directory membership policies using nested groups. When researching the TMSH documentation for 15.x, i see the only options for scope are "scope [base | one | sub]

    " which means they are not allowing recursive lookups. That does not necessartily mean it doesn't exist as ther are sometimes hidden CLI commands to perform magic ... but for public consumption it appears they still do nto support recursive ldap queries.