Bug ID 1365985: GID role mapping may not work with secondary GID

Last Modified: May 29, 2024

Affected Product(s):
F5OS Velos(all modules)

Known Affected Versions:
F5OS-A 1.5.1, F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2

Fixed In:
F5OS-A 1.7.0, F5OS-A 1.5.2

Opened: Oct 03, 2023

Severity: 2-Critical

Symptoms

When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Impact

Inability to log into the system, or inability to configure the system for the user in question.

Conditions

- User in an external authentication system (LDAP, Radius, TACACS) - GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Workaround

The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix Information

All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips