02-Jun-2016 03:04 - last edited on 04-Jun-2023 17:26 by JimmyPackets
Dear,
I would like to give access to a BIG-IP (running version 12.1.0) to users based on their group membership.
I have authentication working fine, and I can get group membership if the group is directly assigned to the user.
But I don't find a way to instruct the F5 to do recursive queries on nested groups.
auth ldap system-auth {
    bind-dn
    bind-pw *****
    check-roles-group enabled
    debug enabled
    login-attribute sAMAccountName
    search-base-dn
    servers { }
    user-template %s@
}
auth remote-role {
    role-info {
        Admins {
            attribute memberOf=
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
    }
}
Thanks for your assistance.
19-Aug-2019 08:23
Did anyone ever supply an answer to this question?
09-Oct-2020 10:21
Working with version 15.1.0.5-0.0.0.8 I still have this issue. I have yet to find a recursive function, which prevents me from authenticating via LDAP due to my Active Directory membership policies using nested groups. When researching the TMSH documentation for 15.x, I see the only options for scope are "scope [base | one | sub]", which means they are not allowing recursive lookups. That does not necessarily mean it doesn't exist, as there are sometimes hidden CLI commands to perform magic ... but for public consumption it appears they still do not support recursive LDAP queries.
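The difference between the direct memberOf match that the remote-role config in the question performs and the recursive (nested) lookup the replies say is missing can be made concrete with a small model. The following is an added example, not code from the original thread or from F5: it uses a constructed, in-memory stand-in for Active Directory memberOf data (the DNs, users and group names are all made up), resolves transitive group membership with cycle protection, and then applies an ordered role map the way line-order evaluates role-info entries (first match wins). The role_for function lets you compare the two behaviours side by side.

```python
# Added example (not from the thread or F5): nested vs. direct group
# membership resolution against a constructed directory.
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: each DN maps to the DNs it is a DIRECT member of,
# i.e. what an AD "memberOf" attribute would return for that object.
DIRECTORY: Dict[str, List[str]] = {
    "CN=alice,OU=Users,DC=example,DC=com": [
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    ],
    "CN=NetOps,OU=Groups,DC=example,DC=com": [
        "CN=BIGIP-Admins,OU=Groups,DC=example,DC=com",
    ],
    # A group that is (oddly) a member of one of its own members: a cycle,
    # included so the resolver demonstrates that it terminates.
    "CN=BIGIP-Admins,OU=Groups,DC=example,DC=com": [
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    ],
    "CN=bob,OU=Users,DC=example,DC=com": [
        "CN=Guests,OU=Groups,DC=example,DC=com",
    ],
    "CN=Guests,OU=Groups,DC=example,DC=com": [],
}

# Constructed role map, ordered like line-order: (group DN, BIG-IP role).
ROLE_MAP: List[Tuple[str, str]] = [
    ("CN=BIGIP-Admins,OU=Groups,DC=example,DC=com", "administrator"),
    ("CN=Guests,OU=Groups,DC=example,DC=com", "guest"),
]


def direct_groups(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Groups the object is a direct member of (plain memberOf match)."""
    return set(directory.get(dn, []))


def nested_groups(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of memberOf: every group reachable through nesting.

    A visited set guards against cycles in the group graph, so a malformed
    directory cannot make the lookup loop forever.
    """
    seen: Set[str] = set()
    stack: List[str] = list(directory.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, []))
    return seen


def role_for(
    dn: str,
    directory: Dict[str, List[str]],
    role_map: List[Tuple[str, str]],
    recursive: bool,
) -> Optional[str]:
    """Return the first role whose group the user belongs to, or None.

    With recursive=False this mirrors a direct memberOf comparison; with
    recursive=True it is what a nested-group lookup would grant.
    """
    groups = nested_groups(dn, directory) if recursive else direct_groups(dn, directory)
    for group_dn, role in role_map:  # evaluated in line-order
        if group_dn in groups:
            return role
    return None  # no matching entry: no role assigned


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    bob = "CN=bob,OU=Users,DC=example,DC=com"
    for user in (alice, bob):
        print(user)
        print("  direct   ->", role_for(user, DIRECTORY, ROLE_MAP, recursive=False))
        print("  recursive->", role_for(user, DIRECTORY, ROLE_MAP, recursive=True))
```

Running it shows alice, who reaches BIGIP-Admins only through NetOps, getting no role from the direct match and administrator from the recursive one, while bob's result is the same either way; that gap is exactly the behaviour the posters describe, and it argues for putting users directly into the groups referenced by role-info when the platform only matches memberOf literally.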