Last Modified: Oct 21, 2024
Affected Product(s):
F5OS Velos
Known Affected Versions:
F5OS-A 1.5.1, F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2
Fixed In:
F5OS-A 1.8.0, F5OS-A 1.7.0, F5OS-A 1.5.2
Opened: Oct 03, 2023
Severity: 2-Critical
When a user in an external authentication system (LDAP, RADIUS, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. As a result, that user may be unable to access the system or unable to configure it.
Inability to log into the system, or inability to configure the system for the user in question.
- User in an external authentication system (LDAP, RADIUS, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).
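To find accounts that meet the condition above before they hit the login failure, the following added example (not F5 code) scans an LDIF export for users who hold a role GID only through group membership. It assumes an RFC 2307 schema (`posixAccount`, `posixGroup`, `memberUid`); the role GID `5000`, the function names and the sample directory entries are constructed for illustration.

```python
# Added example. ROLE_GIDS holds a constructed placeholder, not an F5 role GID.
ROLE_GIDS = {"5000"}
# Constructed RFC 2307 export (assumes unfolded lines and no base64 values).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=test
objectClass: posixAccount
uid: alice
gidNumber: 5000

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: posixAccount
uid: bob
gidNumber: 100

dn: cn=f5-role,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: f5-role
gidNumber: 5000
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def secondary_role_assignments(entries, role_gids):
    """List (uid, gid) pairs where a role GID comes only from group membership."""
    primary = {e["uid"][0]: e.get("gidnumber", [None])[0]
               for e in entries if "posixAccount" in e.get("objectclass", [])}
    flagged = set()
    for group in entries:
        if "posixGroup" not in group.get("objectclass", []):
            continue
        gid = group.get("gidnumber", [None])[0]
        for uid in group.get("memberuid", []):
            # Role GID reached via the group, but it is not the user's own gidNumber.
            if gid in role_gids and uid in primary and primary[uid] != gid:
                flagged.add((uid, gid))
    return sorted(flagged)
```

In the sample, `alice` carries the role GID as her own `gidNumber` and is not reported, while `bob` receives it only through the group and is the account the workaround applies to.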
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.