Forum Discussion

jtrotz1
Nov 02, 2014

Trying to get user info using iControl REST on 11.6 for a local user created in a partition other than Common

We created a partition called "Users" and create all local users there. I want to see if a user name already exists using REST. It seems I can only get info on accounts created in the default /Common partition. I have tried adding the partition to the URI and using the filter option with no luck.
Here is what I get using curl:
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1?ver=11.6.0&$filter=partition%20eq%20Users'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1?ver=11.6.0'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/wgeiger1'
RESULTS: {"code":404,"message":"01020036:3: The requested user (wgeiger1) was not found.","errorStack":[]}
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/~Users~wgeiger1'
RESULTS: {"code":404,"message":"01020036:3: The requested user (/Users/wgeiger1) was not found.","errorStack":[]}
And for a user in the /Common partition:
curl -sk -u admin:xxxx 'https://bigip.edu/mgmt/tm/auth/user/testUser'
RESULTS: {"kind":"tm:auth:user:userstate","name":"testUser","fullPath":"testUser","generation":0,"selfLink":"https://localhost/mgmt/tm/auth/user/testUser?ver=11.6.0","description":"testUser","encryptedPassword":"!!","partitionAccess":[{"name":"EMMS","role":"manager"},{"name":"RAD","role":"irule-manager"}]}
Is this a bug? More likely I am doing this wrong - any ideas?
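A small Python helper, added here as an example (not code from the thread or from F5), that does the same lookup the curl commands above do and reads the reply the way a provisioning script should: only a 404 carrying the 01020036:3 "not found" code means the name is free, while any other reply (authentication failure, wrong path, server error) raises instead of being silently treated as "absent". The host, credentials and partition argument are assumptions; the sample bodies are abridged from the replies shown above.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Error code prefixing the "user not found" message in the thread's 404 replies.
NOT_FOUND_CODE = "01020036:3"


def user_path(name, partition="Common"):
    """Return the '~partition~name' form iControl REST uses for /partition/name."""
    return f"~{partition}~{name}"


def classify(status, body):
    """True if the user exists, False if the reply is the documented 'not found'
    404, otherwise raise so an error is never mistaken for 'name is free'."""
    try:
        doc = json.loads(body)
    except ValueError:
        raise RuntimeError(f"non-JSON reply with status {status}")
    if status == 200 and doc.get("kind") == "tm:auth:user:userstate":
        return True
    if status == 404 and str(doc.get("message", "")).startswith(NOT_FOUND_CODE):
        return False
    raise RuntimeError(f"unexpected reply {status}: {doc.get('message', body)}")


def user_exists(host, name, username, password, partition="Common", ctx=None):
    """GET /mgmt/tm/auth/user/~partition~name with basic auth (host and credentials
    are assumed). ctx: optional ssl.SSLContext; the default verifies the BIG-IP
    certificate, i.e. the equivalent of dropping curl's -k."""
    url = f"https://{host}/mgmt/tm/auth/user/{user_path(name, partition)}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as r:
            return classify(r.status, r.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())  # 404 bodies arrive here, not as a response


# Sample bodies abridged from the thread, so classify() can be exercised offline.
SAMPLE_404 = ('{"code":404,"message":"01020036:3: The requested user (/Users/wgeiger1) '
              'was not found.","errorStack":[]}')
SAMPLE_200 = ('{"kind":"tm:auth:user:userstate","name":"testUser","fullPath":"testUser",'
              '"generation":0,"partitionAccess":[{"name":"EMMS","role":"manager"}]}')

if __name__ == "__main__":
    print(classify(404, SAMPLE_404), classify(200, SAMPLE_200))  # False True
```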
6 Replies

  • R_Marc

    I believe users exist only in the common partition.
    Config wise, they all go into bigip_user.conf. The reason being, I believe, that a user could potentially have access to multiple partitions, and so they need to exist at the root level (Common).
  • Thanks, I was afraid of that being the case. I also looked at using SOAP, but ran into the same issue. I was following the idea on https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/2.html where they recommended a "Users" partition.
    • R_Marc
      I would recommend not using local users, personally :). Any reason you can't use LDAP/AD or RADIUS?
  • We originally were using LDAP and AD groups to manage what roles they could use, but then we had to switch to RADIUS to support MFA access. RADIUS didn't work as well for passing group info, so we had to resort to local accounts with RADIUS authentication. I am working on an app to simplify managing the user accounts across 32 BIG-IPs and was hoping to use REST.
  • R_Marc

    I've never done RADIUS on an F5, but I did use it on a NetScaler for 2FA as well. I just passed the AD group information on to the appliance. For RADIUS I did authorization via AD and authentication via RSA token. I was using FreeRADIUS. I don't see why the same wouldn't work for F5. You have flipped my interest bit, so perhaps I'll see what that would look like (I really, really hate local accounts).
  • I went ahead and deleted the /Users partition and created all the users in /Common. Thanks for everyone's input.