Forum Discussion

daniel_spillers
Jun 15, 2012

Admin Users Remote LDAP + role groups

BIGIP LTM version: 11.1

LDAP flavor: OpenLDAP, OpenDS, etc. (not Active Directory)

Admin section: System > Users

The Remote - LDAP authentication method's remote role group feature is focused around user attributes, and does not implement a group model (e.g., to check an LDAP group's list of uniqueMembers). When someone logs in, BIGIP uses an LDAP query that returns ALL ('*') standard attributes on that user. Operational attributes are not retrieved unless specifically requested (this is default LDAP behavior).

isMemberOf is a popular operational attribute that is automatically set on a user when the user is added as a uniqueMember of an LDAP group. This is hugely useful when applications only implement a user attribute-based query, like BIGIP. It automatically and easily exposes a group model via the user. Active Directory does this, but through a standard attribute. The LDAP standard, however, is to expose these kinds of dynamically-generated values as operational attributes (which makes a lot of sense).

I want to manage my users as group members, and be able to use that membership in BIGIP's admin interface for role assignment. Without a group model, I am restricted to user attributes.

That's fine, except I can't specify which attributes I want to retrieve. This means that operational attributes like isMemberOf are not usable by BIGIP to determine remote role group membership.

I can see three solutions in order to make LDAP group models instantly useful for BIGIP remote roles, and I'm curious if anyone has any other ideas:

1) f5: allow me to specify the attributes (in addition to any required attributes like cn, uid, etc.) that I want retrieved instead of the default ALL '*' query

2) f5: modify the default ALL query to ask for standard and operational attributes (an ldapsearch format would be: '*' '+'); or allow me to toggle "retrieve operational attributes" on/off, which would add the '+' signifier to the query

3) me: implement a redundant user attribute synchronization model on my LDAP to replicate isMemberOf to a standard attribute like memberOf.


5 Replies

  • Hi Daniel,

    I think this is good feedback. I suggest opening a case with F5 Support to get their thoughts and possibly open a request for enhancement.

  • Will do. I wanted to do my due diligence in case someone out in the community had already found a workaround.
  • Hello Daniel,

    Did you ever submit a case for this? We're limited by the same issue (OpenLDAP doesn't have an isMemberOf function), and it would be nice to use LDAP groups as we have a large number of admins at various skill levels across a large number of devices.

    Josh Becigneul
  • Hamish

    isMemberOf isn't a function... It's an attribute of the object. You can simply add a new attribute to the existing objects if an ldap implementation doesn't have it, or if the implementation doesn't autopopulate operational attributes...

    If you want the attribute to be auto-populated when a user is added to a group object, you can set up a quick program to do a persistent search and update in 'real-time'.
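Option 3 in the original post and Hamish's persistent-search suggestion both come down to copying group membership onto the user as a standard attribute that BIGIP's '*' query will return. The following is an added example (not F5's or OpenLDAP's code) of the reconciliation step such a sync job would run: it inverts each group's uniqueMember list into the memberOf values every user should carry, diffs that against what the user already has, and emits LDIF modify records for ldapmodify. All DNs are constructed, and reading the groups and writing the result back is left to whatever LDAP client the deployment uses.

```python
"""Reconcile uniqueMember group membership into a standard memberOf attribute
on each user. Added example, not F5 or OpenLDAP code; all DNs are constructed."""

def dn_key(dn):
    """Comparison key: DNs compare case-insensitively for the usual caseIgnore types."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def desired_memberof(groups):
    """Invert {group_dn: [member_dn, ...]} into {user_key: {group_key, ...}}."""
    desired = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            desired.setdefault(dn_key(member_dn), set()).add(dn_key(group_dn))
    return desired

def plan_changes(groups, current_memberof):
    """Return {user_key: (groups_to_add, groups_to_delete)} for users that differ.
    current_memberof is {user_dn: {memberOf value, ...}} as read from the directory;
    values for groups the user has since left are scheduled for deletion."""
    desired = desired_memberof(groups)
    current = {dn_key(u): {dn_key(g) for g in gs} for u, gs in current_memberof.items()}
    changes = {}
    for user in set(desired) | set(current):
        want, have = desired.get(user, set()), current.get(user, set())
        if want != have:
            changes[user] = (sorted(want - have), sorted(have - want))
    return changes

def to_ldif(changes):
    """Render the plan as 'changetype: modify' LDIF records for ldapmodify."""
    records = []
    for user, (add, delete) in sorted(changes.items()):
        ops = [f"add: memberOf\nmemberOf: {g}" for g in add]
        ops += [f"delete: memberOf\nmemberOf: {g}" for g in delete]
        records.append(f"dn: {user}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n-\n")
    return "\n".join(records)

# Constructed directory state: one group's uniqueMember list, and the memberOf
# values users currently carry (bob was removed from the group; daniel was added).
GROUPS = {"cn=bigip-admins,ou=groups,dc=example,dc=com": [
    "uid=daniel,ou=people,dc=example,dc=com",
    "UID=josh, OU=people, DC=example, DC=com",  # same user as below, other case/spacing
]}
CURRENT_MEMBEROF = {
    "uid=josh,ou=people,dc=example,dc=com": {"cn=bigip-admins,ou=groups,dc=example,dc=com"},
    "uid=bob,ou=people,dc=example,dc=com": {"cn=bigip-admins,ou=groups,dc=example,dc=com"},
}

if __name__ == "__main__":
    print(to_ldif(plan_changes(GROUPS, CURRENT_MEMBEROF)))  # daniel: add, bob: delete, josh: none
```

Because the plan is computed from the full group list rather than from individual change events, running it periodically also repairs any memberOf values a missed persistent-search notification would have left stale.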