Bug ID 1381661: LDAP external authentication fails if there is no group definition for user's primary GID

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS F5OS, Velos (all modules)

Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-C 1.6.2

Fixed In:
F5OS-A 1.8.0, F5OS-A 1.7.0

Opened: Oct 19, 2023

Severity: 3-Major

Symptoms

LDAP external authentication (e.g. REST API or GUI, but not ssh) fails in the following scenario:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

This configuration is legal, because the numeric GID should be sufficient. However, when the system tries to look up the group info and the lookup fails, the failure short-circuits authentication and results in an error.

Impact

Externally defined users may not be able to log in.

Conditions

- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID
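
One way to check a directory export for accounts that meet these conditions, as an added example that is not F5 code. It assumes an LDIF export that uses the RFC 2307 posixAccount/posixGroup schema; the sample entries and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export (RFC 2307 schema is an assumption), not data from the bug report.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
gidNumber: 9000

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
gidNumber: 9100

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 9000
"""

def parse_ldif(text):
    """Yield each LDIF entry as {lowercased attribute name: [values]}."""
    entry, last = defaultdict(list), None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):                # comment line
            continue
        if raw.startswith(" ") and last:       # folded continuation of the previous value
            entry[last][-1] += raw[1:]
            continue
        if not raw.strip():                    # blank line terminates the entry
            if entry:
                yield dict(entry)
            entry, last = defaultdict(list), None
            continue
        key, _, value = raw.partition(":")
        last = key.strip().lower()
        entry[last].append(value.strip())

def users_missing_primary_group(ldif_text):
    """Return sorted (uid, gid) pairs whose primary GID has no posixGroup entry."""
    accounts, group_gids = [], set()
    entries = [e for e in parse_ldif(ldif_text) if "gidnumber" in e]
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        gid = int(e["gidnumber"][0])
        if "posixgroup" in classes:
            group_gids.add(gid)
        elif "posixaccount" in classes:
            accounts.append((e.get("uid", ["?"])[0], gid))
    return sorted(a for a in accounts if a[1] not in group_gids)
```

With the constructed sample, only `bob` is reported, because GID 9100 has no group entry.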

Workaround

Define a group for the user's primary group ID:

    system aaa authentication roles role <group name> config remote-gid <group ID>

Fix Information

LDAP external authentication no longer fails if there is no group definition for user's primary GID. The numeric GID is sufficient.

Behavior Change
