Forum Discussion

Abdessamad1
Jun 02, 2016

LDAP admin authentication - nested group membership

Dear,

I would like to give access to a BIG-IP (running version 12.1.0) to users based on their group membership.

I have authentication working fine, and I can get group membership if the group is directly assigned to the user.

But I can't find a way to instruct the F5 to do recursive queries on nested groups.

auth ldap system-auth {
    bind-dn 
    bind-pw *****
    check-roles-group enabled
    debug enabled
    login-attribute sAMAccountName
    search-base-dn 
    servers {  }
    user-template %s@
}
auth remote-role {
    role-info {
        Admins {
            attribute memberOf=
            console tmsh
            line-order 1
            role administrator
            user-partition All
        }
    }
}

Thanks for your assistance.

2 Replies

  • Working with version 15.1.0.5-0.0.0.8 I still have this issue. I have yet to find a recursive function, which prevents me from authenticating via LDAP due to my Active Directory membership policies using nested groups. When researching the TMSH documentation for 15.x, I see the only options for scope are "scope [base | one | sub]", which means they are not allowing recursive lookups. That does not necessarily mean it doesn't exist, as there are sometimes hidden CLI commands to perform magic ... but for public consumption it appears they still do not support recursive LDAP queries.
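To make concrete what the thread is asking for, here is an added example (not from the forum posters, and not F5 code) that contrasts the single-level `memberOf=<group DN>` match the `remote-role` attribute performs with a transitive expansion of nested groups. The directory contents are constructed sample data, and the function names are this example's own; it assumes, as the posters describe, that the appliance only evaluates the user's direct `memberOf` values and that the recursion would have to be done elsewhere (for example by a script that pre-flattens group membership, or by the directory itself). The filter-escaping helper follows RFC 4515 so that a group DN containing `(`, `)`, `*` or `\` cannot alter the meaning of the search filter.

```python
# Added example: direct vs. nested (transitive) memberOf checks with cycle protection.
# The directory below is constructed sample data, not a real AD export.
from collections import deque

# user/group DN -> list of DNs it is a direct member of (the memberOf attribute).
SAMPLE_DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": ["CN=NetOps,OU=Groups,DC=example,DC=com"],
    "CN=bob,OU=Users,DC=example,DC=com": ["CN=Admins,OU=Groups,DC=example,DC=com"],
    "CN=carol,OU=Users,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    "CN=NetOps,OU=Groups,DC=example,DC=com": ["CN=Admins,OU=Groups,DC=example,DC=com"],
    # Deliberate cycle (Admins -> NetOps -> Admins) to show why a naive recursion is unsafe.
    "CN=Admins,OU=Groups,DC=example,DC=com": ["CN=NetOps,OU=Groups,DC=example,DC=com"],
    "CN=Staff,OU=Groups,DC=example,DC=com": [],
}

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of a filter it is embedded in."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_memberof_filter(group_dn: str) -> str:
    """Single-level filter equivalent to the thread's 'attribute memberOf=<group DN>'."""
    return f"(memberOf={ldap_filter_escape(group_dn)})"


def direct_member_of(user_dn: str, group_dn: str, directory=SAMPLE_DIRECTORY) -> bool:
    """What a one-level memberOf comparison sees: only groups assigned straight to the user."""
    return group_dn.lower() in (g.lower() for g in directory.get(user_dn, []))


def transitive_groups(user_dn: str, directory=SAMPLE_DIRECTORY, max_depth: int = 32) -> set:
    """Breadth-first expansion of nested memberOf links.

    DNs are compared case-insensitively; a visited set stops cycles and max_depth
    bounds the walk so a malformed directory cannot make the lookup run forever.
    """
    seen = set()
    queue = deque((g, 1) for g in directory.get(user_dn, []))
    while queue:
        group_dn, depth = queue.popleft()
        key = group_dn.lower()
        if key in seen or depth > max_depth:
            continue
        seen.add(key)
        for parent_dn in directory.get(group_dn, []):
            queue.append((parent_dn, depth + 1))
    return seen


def nested_member_of(user_dn: str, group_dn: str, directory=SAMPLE_DIRECTORY) -> bool:
    """True if the user reaches group_dn through any chain of nested groups."""
    return group_dn.lower() in transitive_groups(user_dn, directory)


if __name__ == "__main__":
    admins = "CN=Admins,OU=Groups,DC=example,DC=com"
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=com"
        print(f"{user:6} direct={direct_member_of(dn, admins)!s:5} nested={nested_member_of(dn, admins)}")
    print(build_memberof_filter(admins))
```

Running the script shows the gap the posters hit: `alice` is an administrator only through `NetOps`, so the direct check denies her while the transitive check admits her, and `bob` passes both. If group membership is flattened outside the appliance, the flattened result should be regenerated whenever nesting changes, or the role mapping silently drifts from what the directory says.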