Last Modified: May 29, 2024
Affected Product(s):
F5OS Velos
Fixed In:
F5OS-C 1.6.0, F5OS-A 1.4.0, F5OS-A 1.3.0
Opened: Aug 11, 2022 Severity: 3-Major
Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated differently depending on the mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.
When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.
A user has to be configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system. That remote authentication method has to be configured as an authentication method on our system. The user supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on the method of access and the remote authentication method.
Removing the invalid group ID from the remote server will fix the issue.
When a remote user belongs to multiple roles, some of which are invalid, only the valid roles are considered for authorization. This is done consistently across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).
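The following is an added illustration of the failure mode and the fix described above, not F5OS code: the role names, the group-ID-to-role mapping and the two access paths are assumptions, and the remote server's group list is a constructed sample.

```python
# Hypothetical predefined role set and group-ID-to-role mapping (not F5OS values).
VALID_ROLES = {"admin", "operator", "resource-admin"}
GROUP_TO_ROLE = {9000: "admin", 9001: "operator", 9002: "resource-admin"}
ACCESS_METHODS = ("gui", "ssh")


def resolve_roles_buggy(group_ids, access_method):
    """Defect pattern: each access path interpreted unknown group IDs differently,
    so the same remote user was accepted on one path and refused on another."""
    if access_method == "ssh":
        # Strict path: any group ID with no role mapping refuses the login.
        if any(gid not in GROUP_TO_ROLE for gid in group_ids):
            return set()
        return {GROUP_TO_ROLE[gid] for gid in group_ids}
    # GUI path: only the first group ID returned by the server was consulted.
    first = group_ids[0] if group_ids else None
    return {GROUP_TO_ROLE[first]} if first in GROUP_TO_ROLE else set()


def resolve_roles_fixed(group_ids, access_method=None):
    """Fixed behaviour: ignore group IDs that map to no role and keep only roles
    from the predefined set, independent of access method or auth backend."""
    roles = {GROUP_TO_ROLE[gid] for gid in group_ids if gid in GROUP_TO_ROLE}
    return roles & VALID_ROLES


def authorize(group_ids, access_method, resolver):
    """Login is allowed only when at least one valid role remains."""
    roles = resolver(group_ids, access_method)
    return bool(roles), roles


def consistent_across(group_ids, resolver):
    """Check that every access method yields the same role set for this user."""
    results = {frozenset(resolver(group_ids, m)) for m in ACCESS_METHODS}
    return len(results) == 1


if __name__ == "__main__":
    # Constructed sample: the remote server returns one mapped and one unmapped group.
    sample_groups = [9000, 4242]
    for method in ACCESS_METHODS:
        print(method, "buggy:", authorize(sample_groups, method, resolve_roles_buggy),
              "fixed:", authorize(sample_groups, method, resolve_roles_fixed))
```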