LDAP admin authentication - nested group membership

Abdessamad1
Cirrostratus

Dear,

I would like to give access to a BIG-IP (running version 12.1.0) to users based on their group membership.

I have authentication working fine, and I can get group membership if the group is directly assigned to the user.

But I don't find a way to instruct the F5 to do recursive queries on nested groups.

    auth ldap system-auth {
        bind-dn
        bind-pw *****
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        search-base-dn
        servers { }
        user-template %s@
    }
    auth remote-role {
        role-info {
            Admins {
                attribute memberOf=
                console tmsh
                line-order 1
                role administrator
                user-partition All
            }
        }
    }

Thanks for your assistance.

Greg_Burch
Nimbostratus

Did anyone ever supply an answer to this question?

Daniel_Elkins
Nimbostratus

Working with version 15.1.0.5-0.0.0.8 I still have this issue. I have yet to find a recursive function, which prevents me from authenticating via LDAP because my Active Directory membership policies use nested groups. When researching the TMSH documentation for 15.x, I see the only options for scope are "scope [base | one | sub]", which means they are not allowing recursive lookups. That does not necessarily mean it doesn't exist, as there are sometimes hidden CLI commands to perform magic... but for public consumption it appears they still do not support recursive LDAP queries.
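The thread turns on the difference between matching a group that appears directly in the user's memberOf attribute (what the posted remote-role config does) and resolving membership through nested groups. The following is an added example, written for this page and not code from either poster or from F5, that shows what the recursive walk has to do, why it needs cycle protection (Active Directory allows circular group nesting), and the Active Directory filter a practitioner can use with ldapsearch to check nested membership on the server side. The directory contents, DNs and role table are constructed stand-ins; the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is a real AD feature, but nothing in the config posted above accepts a custom filter, so it is only a way to verify the directory side.

```python
"""Transitive (nested) LDAP group resolution, as an added illustration.

The remote-role config in the thread grants a role only when the role's
group DN appears directly in the user's memberOf attribute. This shows what
a recursive lookup has to do instead, plus the Active Directory filter that
lets a standard LDAP client test nested membership server-side. The
directory below is a constructed in-memory stand-in with hypothetical DNs,
so the example runs offline.
"""
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# Constructed sample directory: entry DN -> the DNs in its memberOf attribute.
# Mirrors how AD stores membership as a back-link on the member object.
DIRECTORY: Dict[str, List[str]] = {
    "CN=alice,OU=Users,DC=example,DC=test": [
        "CN=NetOps,OU=Groups,DC=example,DC=test",
    ],
    # NetOps is nested inside Admins: alice is an admin only transitively.
    "CN=NetOps,OU=Groups,DC=example,DC=test": [
        "CN=Admins,OU=Groups,DC=example,DC=test",
    ],
    # Circular nesting (Admins is itself a member of NetOps). AD allows this,
    # so a naive recursion would never terminate.
    "CN=Admins,OU=Groups,DC=example,DC=test": [
        "CN=NetOps,OU=Groups,DC=example,DC=test",
    ],
    "CN=bob,OU=Users,DC=example,DC=test": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=test",
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=test": [],
}

# Hypothetical role table in the spirit of "auth remote-role role-info":
# (role name, group DN), evaluated in line-order.
ROLES: Sequence[Tuple[str, str]] = (
    ("administrator", "CN=Admins,OU=Groups,DC=example,DC=test"),
    ("guest", "CN=Helpdesk,OU=Groups,DC=example,DC=test"),
)


def direct_groups(dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> FrozenSet[str]:
    """Only the groups listed in the entry's own memberOf (one-level check)."""
    return frozenset(directory.get(dn, []))


def transitive_groups(dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> FrozenSet[str]:
    """Every group reachable by following memberOf repeatedly.

    Uses an explicit worklist plus a 'seen' set: each group is expanded at
    most once, which bounds the number of lookups to the number of groups
    and makes circular nesting harmless.
    """
    seen: Set[str] = set()
    frontier: List[str] = list(directory.get(dn, []))
    while frontier:
        group = frontier.pop()
        if group in seen:
            continue
        seen.add(group)
        frontier.extend(directory.get(group, []))
    return frozenset(seen)


def role_for(dn: str, recursive: bool, roles: Sequence[Tuple[str, str]] = ROLES) -> Optional[str]:
    """First role whose group the user holds; None means no role (access denied)."""
    groups = transitive_groups(dn) if recursive else direct_groups(dn)
    for role, group_dn in roles:
        if group_dn in groups:
            return role
    return None


# RFC 4515 escaping for characters with special meaning inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(group_dn: str) -> str:
    """Active Directory extensible-match filter for nested membership.

    OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the
    domain controller walk the group chain itself, so
        ldapsearch -b <user DN> -s base '<this filter>' dn
    returns the user entry only if the user is a direct or nested member.
    """
    return f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=test"
    print("direct    :", role_for(alice, recursive=False))  # None
    print("recursive :", role_for(alice, recursive=True))   # administrator
    print(in_chain_filter("CN=Admins,OU=Groups,DC=example,DC=test"))
```

With the sample data, alice gets no role under the direct check and "administrator" under the transitive one, which is exactly the gap the two posters describe. The worklist form rather than plain recursion is deliberate: a 'seen' set is what stops the NetOps/Admins cycle, and it also caps the number of directory round-trips at the number of distinct groups.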