Bug ID 1572929: Changing remote authentication methods from RADIUS/TACACS to LDAP may break remote-gid functionality.

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS, Velos (all modules)

Known Affected Versions:
F5OS-A 1.5.2

Fixed In:
F5OS-A 1.8.0

Opened: Mar 28, 2024

Severity: 3-Major

Symptoms

If RADIUS or TACACS is used for authentication, the user's passwd entry is stored in /etc/libnss-udr/passwd. If the authentication method is then switched to LDAP and the previous method is disabled, that entry may not be removed from /etc/libnss-udr/passwd. If GID remapping is configured for the same user (via remote-gid), authentication fails, at least when logging into the CLI.

Impact

The authentication will fail for the LDAP-defined user. An error message will appear such as: “No valid role group found in user groups: 9002 123 5340”.

Conditions

- Enable RADIUS authentication and log into the system as a remote RADIUS-defined user.
- Change the authentication method to LDAP and disable RADIUS authentication.
- Configure remote-gid functionality for an LDAP-defined user. This LDAP-defined user should have the same name as the RADIUS-defined user.
- Log into the system as that remote LDAP-defined user.

Workaround

Log into the system as the 'root' user and clear the stale RADIUS/TACACS entries (at minimum, the affected user's line) from /etc/libnss-udr/passwd, then log in again as the LDAP-defined user.
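The following shell helper is an added example for applying the workaround and is not F5's own tooling. It assumes /etc/libnss-udr/passwd uses the standard colon-separated passwd layout (name:x:uid:gid:gecos:home:shell); confirm that with `cat` on the live file before relying on it. The function names `udr_entry` and `udr_remove_user`, and the sample entries, are constructed for this example. It shows the entry that would be removed, keeps a backup, and deletes only the named user's line rather than wiping the whole file.

```shell
#!/bin/sh
# Added example (not F5's own code): remove a stale remote-user entry from the
# libnss-udr passwd file so the LDAP-defined user of the same name can log in.
# Assumption: the file uses standard passwd format, one colon-separated record
# per line with the user name in field 1.

# Print the record for USER in FILE (prints nothing if there is none).
udr_entry() {
    file="$1"; user="$2"
    awk -F: -v u="$user" '$1 == u' "$file"
}

# Remove USER's record from FILE in place, keeping a timestamped backup.
# Returns 0 if a record was removed, 1 if there was nothing to remove.
udr_remove_user() {
    file="$1"; user="$2"
    [ -n "$(udr_entry "$file" "$user")" ] || return 1
    cp -p "$file" "$file.bak.$(date +%s)"
    tmp="$file.tmp.$$"
    awk -F: -v u="$user" '$1 != u' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of records left in FILE (used to confirm only one line was dropped).
udr_count() {
    awk 'END { print NR }' "$1"
}

# Self-contained demo on a constructed copy, never on the live file.
demo_file="$(mktemp)"
cat > "$demo_file" <<'EOF'
alice:x:9002:9002:RADIUS user alice:/home/alice:/bin/bash
bob:x:9003:9003:RADIUS user bob:/home/bob:/bin/bash
EOF

echo "Stale entry to remove:"; udr_entry "$demo_file" alice
udr_remove_user "$demo_file" alice
echo "Remaining records: $(udr_count "$demo_file")"
```

On the appliance, run it as root against the real path, e.g. `udr_remove_user /etc/libnss-udr/passwd alice`, and then retry the LDAP login; the backup file lets you restore the previous state if the wrong name was removed.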

Fix Information

The remote-gid functionality will no longer be affected by changing authentication methods from RADIUS/TACACS to LDAP. LDAP users with valid credentials will be allowed in.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips