Forum Discussion
LDAP PAM Nested Group Membership
Hi,
My question relates to the LTM Advanced Client Authentication Module. Is the LDAP Profile/Configuration capable of doing recursive group membership matching?
I'm 99% sure that it doesn't, since: 1) there's no obvious configuration option to enable this; 2) it's not documented; 3) Firepass only just started supporting LDAP_MATCHING_RULE_IN_CHAIN in early 2012, and the ACA module is far more antiquated.
However, since I haven't found any mention on DevCentral or askF5 that it's NOT supported, I thought I'd ask here to address that 1% uncertainty.
Thanks in advance, Andrew
4 Replies
- Kevin_Stewart
Employee
I'm 98% certain that it doesn't support nested group membership matching, and 100% certain that it never will. As I'm sure you're aware, development on ACA has long since ended, and all new authentication proxy functionality has been moved to APM - which does indeed support nested group membership matching.
- AP
Nimbostratus
Hi Kevin,
Thanks for the response. I was hoping for a 100% sure answer, but I'll take 98%. I'm trying to make the case for APM; it will certainly make life easier, as ACA is just too primitive.
Thanks.
- Kevin_Stewart
Employee
Well, it's PAM running in Linux, so there's always a way to make it work (albeit perhaps painfully). If you're actually looking to make a case against it, then consider that ACA is not only no longer in development, but also dangerously close to no longer supported.
- AP
Nimbostratus
Agree on all counts. Thanks Kevin!
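As an added illustration of the nested (recursive) group membership matching discussed in this thread, not code from F5 or from either poster: the sketch below contrasts a direct membership check with a recursive one, and builds the server-side LDAP_MATCHING_RULE_IN_CHAIN filter. The directory entries and function names are constructed for the example; the OID is the one Active Directory defines for that matching rule.

```python
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN (Active Directory extensible match).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> direct member DNs.
# senior-admins and network-team reference each other to show loop handling.
DIRECTORY = {
    "cn=vpn-users,ou=groups,dc=example,dc=com": [
        "cn=network-team,ou=groups,dc=example,dc=com"],
    "cn=network-team,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=senior-admins,ou=groups,dc=example,dc=com"],
    "cn=senior-admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=network-team,ou=groups,dc=example,dc=com"],
}

def norm(dn):
    # Simplified DN comparison (assumption): case-insensitive, trimmed.
    return dn.strip().lower()

def escape_filter_value(value):
    # RFC 4515 escaping so a DN cannot change the filter's structure.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_filter(group_dn):
    # Server-side approach: the directory walks the memberOf chain itself.
    return "(memberOf:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(group_dn))

def is_direct_member(user_dn, group_dn, directory=DIRECTORY):
    # What a non-recursive check sees: only the group's own member list.
    members = {norm(g): [norm(m) for m in ms] for g, ms in directory.items()}
    return norm(user_dn) in members.get(norm(group_dn), [])

def is_nested_member(user_dn, group_dn, directory=DIRECTORY):
    # Client-side approach: breadth-first walk with a visited set.
    members = {norm(g): [norm(m) for m in ms] for g, ms in directory.items()}
    target, seen, queue = norm(user_dn), set(), deque([norm(group_dn)])
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; prevents looping on circular nesting
        seen.add(group)
        for member in members.get(group, []):
            if member == target:
                return True
            if member in members:  # member is itself a group: descend
                queue.append(member)
    return False
```

A user who is only a member through a nested group (alice here) fails the direct check and passes the recursive one, which is the gap the original question is asking about.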