Forum Discussion

AP
May 12, 2014

LDAP PAM Nested Group Membership

Hi,


My question relates to the LTM Advanced Client Authentication Module. Is the LDAP Profile/Configuration capable of doing recursive group membership matching?


I'm 99% sure that it doesn't since: 1) There's no obvious configuration option to enable this 2) It's not documented 3) Firepass only just started supporting LDAP_MATCHING_RULE_IN_CHAIN in early 2012 and the ACA module is far more antiquated


However, since I haven't found any mention on DevCentral or askF5 that it's NOT supported, I thought I'd ask here to address that 1% uncertainty.


Thanks in advance, Andrew
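Added example, not code from this thread or from F5: it shows what "recursive group membership matching" means in practice, first as the server-side LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941, the documented Active Directory rule AP refers to) and then as the client-side recursive walk an integration has to do itself when the directory profile only tests direct membership. The directory contents and DNs are constructed for the example.

```python
"""Nested (recursive) LDAP group membership, shown two ways.

Constructed in-memory directory (group DN -> member DNs) standing in for
Active Directory's 'member' attribute, so the code runs without a server.
"""
from typing import Dict, Set

# Constructed sample data: the user is a direct member of net-ops only, and
# net-ops is itself a member of vpn-admins, so the user is an *indirect*
# member of vpn-admins. ops-a <-> ops-b is a deliberate cycle.
DIRECTORY: Dict[str, Set[str]] = {
    "cn=vpn-admins,ou=groups,dc=example,dc=com": {
        "cn=net-ops,ou=groups,dc=example,dc=com",
    },
    "cn=net-ops,ou=groups,dc=example,dc=com": {
        "cn=andrew,ou=users,dc=example,dc=com",
        "cn=ops-a,ou=groups,dc=example,dc=com",
    },
    "cn=ops-a,ou=groups,dc=example,dc=com": {"cn=ops-b,ou=groups,dc=example,dc=com"},
    "cn=ops-b,ou=groups,dc=example,dc=com": {"cn=ops-a,ou=groups,dc=example,dc=com"},
}

# Active Directory's extensible-match rule for transitive membership.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def chain_filter(group_dn: str) -> str:
    """Server-side form: one search filter matching users nested at any depth."""
    return f"(memberOf:{IN_CHAIN_OID}:={group_dn})"


def is_direct_member(user_dn: str, group_dn: str, directory: Dict[str, Set[str]]) -> bool:
    """What a non-recursive profile checks: only the group's own member list."""
    return user_dn in directory.get(group_dn, set())


def is_nested_member(user_dn: str, group_dn: str, directory: Dict[str, Set[str]]) -> bool:
    """Client-side form: follow 'member' links depth-first, skipping DNs already
    visited so a cyclic group definition cannot loop forever."""
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        members = directory.get(current, set())
        if user_dn in members:
            return True
        # Members that are themselves groups get expanded on a later iteration.
        stack.extend(m for m in members if m in directory)
    return False
```

The contrast between `is_direct_member` and `is_nested_member` on `vpn-admins` is the gap the thread is asking about: a profile that only does the direct check silently misses everyone whose access comes through a nested group.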


4 Replies

  • I'm 98% certain that it doesn't support nested group membership matching, and 100% certain that it never will. As I'm sure you're aware, development on ACA has long since ended, and all new authentication proxy functionality has been moved to APM - which does indeed support nested group membership matching.


  • AP

    Hi Kevin,


    Thanks for the response. I was hoping for a 100% sure answer, but I'll take 98%. I'm trying to make the case for APM; it will certainly make life easier, as ACA is just too primitive.


    Thanks.


  • Well, it's PAM running in Linux, so there's always a way to make it work (albeit perhaps painfully). If you're actually looking to make a case against it, then consider that ACA is not only no longer in development, but also dangerously close to no longer supported.


  • AP

    Agree on all counts. Thanks Kevin!