Forum Discussion
Trying to get user info using iControl REST on 11.6 for a local user created in a partition other than Common
We created a partition called "Users" and create all local users there. I want to see if a user name already exists using REST. It seems I can only get info on accounts created in the default /Common partition. I have tried adding the partition to the URI and using the filter option with no luck.
Here is what I get using curl:
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1?ver=11.6.0&$filter=partition%20eq%20Users'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1?ver=11.6.0'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/~Users~wgeiger1'
RESULTS: {"code":404,"message":"01020036:3: The requested user (/Users/wgeiger1) was not found.","errorStack":[]}
And for a user in the /Common partition:
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/testUser'
RESULTS: {"kind":"tm:auth:user:userstate","name":"testUser","fullPath":"testUser","generation":0,"selfLink":"https://localhost/mgmt/tm/auth/user/testUser?ver=11.6.0","description":"testUser","encryptedPassword":"!!","partitionAccess":[{"name":"EMMS","role":"manager"},{"name":"RAD","role":"irule-manager"}]}
Is this a bug? More likely I am doing this wrong - any ideas?
6 Replies
- R_Marc
Nimbostratus
I believe users exist only in the common partition.
Config wise, they all go into bigip_user.conf. The reason being, I believe, that a user could potentially have access to multiple partitions, and so they need to exist at the root level (Common).
- jtrotz1
Nimbostratus
Thanks, I was afraid of that being the case. I also looked at using SOAP, but ran into the same issue. I was following the idea on https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/2.html where they recommended a "Users" partition.
- R_Marc
Nimbostratus
I would recommend not using local users, personally :). Any reason you can't use ldap/AD or radius?
- jtrotz1
Nimbostratus
We originally were using LDAP and AD groups to manage what roles they could use, but then we had to switch to RADIUS to support MFA access. RADIUS didn't work as well for passing group info, so we had to resort to local accounts with RADIUS authentication. I am working on an app to simplify managing the user accounts across 32 BIG-IPs and was hoping to use REST.
- R_Marc
Nimbostratus
I've never done RADIUS on an F5, but I did use it on a NetScaler for 2FA as well. I just passed the AD group information on to the appliance. For RADIUS I did authorization via AD and authentication via RSA token. I was using FreeRadius. I don't see why the same wouldn't work for F5. You have flipped my interest bit, so perhaps I'll see what that would look like (I really, really hate local accounts).
- jtrotz1
Nimbostratus
I went ahead and deleted the /Users partition and created all the users in /Common. Thanks for everyone's input.
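Added example, not part of the thread and not F5 code: for the multi-device account check discussed above, this Python code classifies the two response shapes quoted in the question (the `tm:auth:user:userstate` object and the 404 with code `01020036:3`), drops `encryptedPassword` from what it keeps, and groups devices by the roles they grant so drift between units is visible. The function names, host names and sample bodies are assumptions constructed for illustration; it parses saved response bodies and makes no network calls.

```python
import json

NOT_FOUND_CODE = "01020036:3"  # error code shown in the 404 bodies in this thread

def classify_user_response(body):
    """Classify one /mgmt/tm/auth/user/<name> response body (hypothetical helper)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"status": "error", "detail": "non-JSON response"}
    if not isinstance(doc, dict):
        return {"status": "error", "detail": "unexpected JSON type"}
    if doc.get("kind") == "tm:auth:user:userstate":
        roles = {str(p.get("name")): str(p.get("role"))
                 for p in doc.get("partitionAccess", [])}
        # Copy only what the inventory needs; encryptedPassword is left behind.
        return {"status": "present", "name": doc.get("name"), "roles": roles}
    if doc.get("code") == 404 and NOT_FOUND_CODE in str(doc.get("message", "")):
        return {"status": "absent"}
    return {"status": "error", "detail": "unrecognised response"}

def fleet_report(responses):
    """Summarise per-device results and group devices by the role set they grant."""
    report = {"present": [], "absent": [], "error": [], "role_sets": {}}
    for host in sorted(responses):
        rec = classify_user_response(responses[host])
        report[rec["status"]].append(host)
        if rec["status"] == "present":
            key = tuple(sorted(rec["roles"].items()))
            report["role_sets"].setdefault(key, []).append(host)
    # More than one distinct role set means the account differs between devices.
    report["roles_consistent"] = len(report["role_sets"]) <= 1
    return report

# Constructed sample bodies, modelled on the two response shapes in the thread.
FOUND = json.dumps({"kind": "tm:auth:user:userstate", "name": "testUser",
    "encryptedPassword": "!!", "partitionAccess": [
        {"name": "EMMS", "role": "manager"}, {"name": "RAD", "role": "irule-manager"}]})
DRIFTED = json.dumps({"kind": "tm:auth:user:userstate", "name": "testUser",
    "encryptedPassword": "!!", "partitionAccess": [{"name": "EMMS", "role": "admin"}]})
MISSING = json.dumps({"code": 404, "errorStack": [],
    "message": "01020036:3: The requested user (testUser) was not found."})
SAMPLE = {"bigip-a.example": FOUND, "bigip-b.example": DRIFTED,
          "bigip-c.example": MISSING, "bigip-d.example": "<html>401</html>"}

if __name__ == "__main__":
    for key, value in fleet_report(SAMPLE).items():
        print(key, value)
```

Treating a non-JSON or unrecognised body as `error` rather than `absent` keeps an authentication failure or proxy page from being read as "user does not exist".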