Bug ID 1304085: Unable to set local user's password if the same user exists on a remote LDAP server

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS Velos (all modules)

Known Affected Versions:
F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2

Fixed In:
F5OS-A 1.8.0

Opened: Jun 01, 2023

Severity: 3-Major

Symptoms

If a user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method, attempting to set the user's local password in F5OS fails. In the ConfD CLI, an error like the following is observed:

    syscon-1-active(config)# system aaa authentication users user ldap_user config set-password
    Value for 'password' (<string>): ****************
    Error: Rejected, Configured password-policy: min-length:6 required-differences:8 max-letter-repeat:3 policy applies to root:true

Note that when a user is defined both locally and remotely in this way, the local user's credentials must be used to log in, even if remote authentication is preferred.

Impact

Unable to set the local user's password.

Conditions

A user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method.

Workaround

Temporarily remove LDAP as an authentication method, set the user's password, and then re-configure the preferred authentication method(s).

Fix Information

Fixed an issue with setting a local user's password when an identically named user exists on a remote LDAP server and LDAP is enabled as an authentication method.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips