Last Modified: Oct 21, 2024
Affected Product(s):
F5OS, VELOS
Known Affected Versions:
F5OS-A 1.5.2
Fixed In:
F5OS-A 1.8.0
Opened: Mar 28, 2024 Severity: 3-Major
If RADIUS or TACACS is used for authentication, the user's 'passwd' entry is saved in /etc/libnss-udr/passwd. If the system is then switched to LDAP authentication and the previous method is disabled, that entry is not always removed from /etc/libnss-udr/passwd. When GID remapping is configured for the LDAP user (via remote-gid), the stale entry causes authentication to fail, at least for CLI logins.
Authentication fails for the LDAP-defined user, and an error message such as the following is shown: "No valid role group found in user groups: 9002 123 5340".
- Enable RADIUS authentication and log into the system as a remote RADIUS-defined user.
- Change the authentication method to LDAP and disable RADIUS authentication.
- Configure remote-gid functionality for an LDAP-defined user. This LDAP-defined user should have the same name as the RADIUS-defined user.
- Log into the system as that remote LDAP-defined user.
Log into the system as the 'root' user and clear the stale entries from /etc/libnss-udr/passwd.
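Before applying the workaround, an administrator would want to confirm that a stale entry for the affected user actually exists. The following check is an added example, not part of the F5 article or of F5OS; it assumes /etc/libnss-udr/passwd uses the standard passwd layout (name:x:uid:gid:gecos:home:shell), which the article does not state, and it only reports entries rather than removing them.

```shell
#!/bin/sh
# Report entries left behind in /etc/libnss-udr/passwd for users who are now
# defined in LDAP (with remote-gid). Such leftovers from an earlier RADIUS or
# TACACS setup are what break the LDAP login. Read-only: nothing is modified.
# ASSUMPTION: the file is passwd-formatted (name:x:uid:gid:gecos:home:shell).

# stale_udr_entries FILE USER...
# Prints every line of FILE whose first field exactly matches one of USER...
# Returns 0 if at least one stale entry was found, 1 if none (or FILE unreadable).
stale_udr_entries() {
  file="$1"; shift
  found=1
  [ -r "$file" ] || return 1
  for user in "$@"; do
    # Exact match on the name field; avoids treating the name as a regex.
    line=$(awk -F: -v u="$user" '$1 == u' "$file")
    if [ -n "$line" ]; then
      printf '%s\n' "$line"
      found=0
    fi
  done
  return "$found"
}

# Typical use on the device (run as root), checking the LDAP users that have
# remote-gid configured, e.g.:
#   stale_udr_entries /etc/libnss-udr/passwd alice bob && echo "stale entries found"
```

If the check reports a line for a user, that is the entry the workaround above tells you to clear before the user can log in via LDAP.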
The remote-gid functionality will no longer be affected by changing authentication methods from RADIUS/TACACS to LDAP. LDAP users with valid credentials will be allowed in.