APM - AD Nested Groups Limited?

Question

Hi there,&nbsp;
I am trying to configure remote access to an application using AD Query.  The query is configured to check membership of a group "F5_Application", this group has a number of nested groups which giver users rights within the application "Application_User" and/or "Application_Admin".&nbsp;
The query is configured to enumerate nested groups, however if a user belongs to one of the nested groups access does not work, if I add the user into the "F5_Application" group as well then it succeeds.&nbsp;
I've checked the logs and it appears that not all groups are being enumerated, is there a limit in the number of groups that can be enumerated?  Is there a method to enumerate all the groups?&nbsp;
Many thanks&nbsp;
Mark&nbsp;

kevin_stewart · Answer

Two things could be happening. 
&nbsp;  
&nbsp; 1. The memberOf attribute is not returned if the user is a member of only one group. If you look at the AD query in a Wireshark, you'll see that the AD returns "attributes: 0 items" if you filter strictly on the memberOf value. However, without the filter, the query will return primaryGroupID, which is the SID of that one (primary) group (ex. 513 = Domain Users). I would recommend applying at least two groups to all users (even if one of them is an empty group). 
&nbsp;  
&nbsp; 2. I don't believe there's any specific limitation to the number and depth of nested groups. If you're adding and removing group memberships for testing and not seeing the differences, it's probably because APM has cached the information. If this is a test unit, you can issue the following to reset the APD cache: bigstart restart apd. &nbsp;

philipp_stadler · Answer

long time ago you wrote this question and it wasn't really answered. Today I have a real similar issue and I guess it's the same problem than yours.&nbsp;
I have no nested groups but only a long list of groups a user is memberOf (sometimes more than 20), but only about first twelve groups in list works, all others fail. So propably there is a limitation (by character or by group) for the memberOf variable.&nbsp;
I'm using AD Query in VPE for checking group membership.&nbsp;
Thanks,
Philipp&nbsp;

kunjan · Answer

I think you are hitting: &nbsp;&nbsp;
357063-2 - Remove the 64K limit for Session DB variables.&nbsp;
This is fixed in 11.5.0 HF1.&nbsp;
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15166.html&nbsp;

philipp_stadler · Answer

good tip, but I already use 11.5.1 and my log output for following irule gives me all group memberships.

when ACCESS_POLICY_AGENT_EVENT {
  set user [ACCESS::session data get session.logon.last.username]
  if {[ACCESS::policy agent_id] eq "logmemberof"} {
      set memberOfList [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"]
      foreach x $memberOfList {
         log local0. "User $user in group: $x"
      }
  }
}

kunjan · Answer

How about sessiondump -allkeys and look for session.ad.last.attr.memberOf ? Is it truncated?&nbsp;

Forum Discussion

APM - AD Nested Groups Limited?

7 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Related Content

Certified Kubernetes Administrator - Study Group

iRules 101 - #13 - Nested Conditionals

Nested Loop for IRules Redirects

GTM synchronization group

Intermediate iRules: Data-Groups