Forum Discussion

AP
May 12, 2014

LDAP PAM Nested Group Membership

My question relates to the LTM Advanced Client Authentication Module. Is the LDAP Profile/Configuration capable of doing recursive group membership matching?

I'm 99% sure that it doesn't, since: 1) there's no obvious configuration option to enable this; 2) it's not documented; 3) Firepass only just started supporting LDAP_MATCHING_RULE_IN_CHAIN in early 2012, and the ACA module is far more antiquated.

However, since I haven't found any mention on DevCentral or askF5 that it's NOT supported, I thought I'd ask here to address that 1% uncertainty.

Thanks in advance, Andrew


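Added example for this thread (not code from the original post, from F5, or from the ACA/APM modules): it shows what "recursive group membership matching" means and why a check that only looks at a group's direct `member` values misses nested users. The directory data is constructed; DN comparison is simplified to lower-casing (an assumption; real clients should use RFC 4514 DN matching); and the filter built at the end uses the Active Directory extended match whose OID is 1.2.840.113556.1.4.1941, the one the post calls LDAP_MATCHING_RULE_IN_CHAIN, which asks the server to do the recursion itself. OpenLDAP does not implement that matching rule, so against OpenLDAP a client has to walk the groups the way `transitive_members` does below.

```python
"""Nested (recursive) LDAP group membership: flat check vs. transitive walk.

Added example for this thread; not code from the original post, from F5,
or from the ACA/APM modules. The directory below is constructed sample data.
"""
from typing import Dict, List, Set

# Active Directory's extended match for transitive membership, known in the
# AD SDK headers as LDAP_MATCHING_RULE_IN_CHAIN. OpenLDAP does not implement
# it, so a client against OpenLDAP must walk nested groups itself.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> member DNs (users and groups).
# The cycle oncall -> vpn-users is deliberate; real directories contain them.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "cn=vpn-users,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "cn=bob,ou=people,dc=example,dc=com",
        "cn=oncall,ou=groups,dc=example,dc=com",
    ],
    "cn=oncall,ou=groups,dc=example,dc=com": [
        "cn=carol,ou=people,dc=example,dc=com",
        "cn=vpn-users,ou=groups,dc=example,dc=com",
    ],
}


def _norm(dn: str) -> str:
    # Simplified DN normalisation (assumption: lower-casing is enough for this
    # sample; a real client should compare DNs per RFC 4514).
    return dn.strip().lower()


def _normalized(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    return {_norm(g): [_norm(m) for m in members] for g, members in groups.items()}


def is_direct_member(groups: Dict[str, List[str]], group_dn: str, user_dn: str) -> bool:
    """What a non-recursive profile checks: is user_dn literally listed in the group?"""
    return _norm(user_dn) in _normalized(groups).get(_norm(group_dn), [])


def transitive_members(groups: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Users reachable from group_dn through any depth of nested groups.

    A visited set guarantees termination even when groups nest cyclically.
    """
    norm = _normalized(groups)
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [_norm(group_dn)]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in norm.get(g, []):
            if m in norm:          # member is itself a group: descend into it
                stack.append(m)
            else:                  # member is a leaf entry (a user)
                users.add(m)
    return users


def is_nested_member(groups: Dict[str, List[str]], group_dn: str, user_dn: str) -> bool:
    """What "recursive group membership matching" means for one user."""
    return _norm(user_dn) in transitive_members(groups, group_dn)


def missed_by_flat_check(groups: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Users a direct-member-only check would wrongly reject: nested but not direct."""
    norm = _normalized(groups)
    direct_users = {m for m in norm.get(_norm(group_dn), []) if m not in norm}
    return transitive_members(groups, group_dn) - direct_users


def _filter_escape(value: str) -> str:
    # RFC 4515 escaping for the characters that are special inside a filter value.
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value


def in_chain_filter(group_dn: str, attr: str = "memberOf") -> str:
    """Filter that makes an AD server do the recursion: a base-scope search on the
    user's own DN with this filter returns the entry only for transitive members."""
    return f"({attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={_filter_escape(group_dn)})"


if __name__ == "__main__":
    vpn = "cn=vpn-users,ou=groups,dc=example,dc=com"
    for user in ("alice", "bob", "carol", "dave"):
        dn = f"cn={user},ou=people,dc=example,dc=com"
        print(f"{user:6} direct={is_direct_member(SAMPLE_GROUPS, vpn, dn)!s:5} "
              f"nested={is_nested_member(SAMPLE_GROUPS, vpn, dn)}")
    print("missed by a flat check:", sorted(missed_by_flat_check(SAMPLE_GROUPS, vpn)))
    print("server-side equivalent:", in_chain_filter(vpn))
```

The security point this makes concrete: with a flat `(member=<user>)` style check, bob and carol are rejected from vpn-users even though the directory says they belong, and an administrator who moved them into a nested group without re-testing would not notice until a login failed (or, in the mirror case of a deny group, until an access that should have been blocked succeeded). The client-side walk and the server-side matching rule give the same answer; the difference is only who does the work and whether the server supports the rule.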
4 Replies

  • Kevin:

    I'm 98% certain that it doesn't support nested group membership matching, and 100% certain that it never will. As I'm sure you're aware, development on ACA has long since ended, and all new authentication proxy functionality has been moved to APM - which does indeed support nested group membership matching.

  • AP:

    Hi Kevin,

    Thanks for the response. I was hoping for a 100% sure answer, but I'll take 98%. I'm trying to make the case for APM; it will certainly make life easier, as ACA is just too primitive.

  • Kevin:

    Well, it's PAM running in Linux, so there's always a way to make it work (albeit perhaps painfully). If you're actually looking to make a case against it, then consider that ACA is not only no longer in development, but also dangerously close to no longer supported.

  • AP:

    Agree on all counts. Thanks Kevin!