Last Modified: Jun 14, 2025
Affected Product(s):
F5OS F5OS-A, F5OS-C
Known Affected Versions:
F5OS-A 1.3.0, F5OS-A 1.3.1, F5OS-A 1.3.2, F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-A 1.5.3, F5OS-A 1.7.0, F5OS-A 1.8.0
Fixed In:
F5OS-C 1.8.0
Opened: Jun 04, 2024
Severity: 3-Major
Previously, username lookup for LDAP-authenticated users was always case-sensitive.
Username lookups for authentication/authorization against an LDAP directory were always conducted in a case-sensitive fashion, even for directories where case-insensitive matching was the default for the organization (e.g. Windows AD). Case-insensitive default is considered a safer security posture. It prevents username masking and cache injection when multiple users that differ only by case, with differing authorization privileges, exist in the same directory.
Third-party authentication is configured with LDAP or Active Directory; the user(s) in question reside in the LDAP directory.
Always use correct case for case-sensitive searches.
A new option was added which allows the admin to enable case-insensitive searches for LDAP username lookups. Note that case-sensitive remains the default for security reasons.
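The masking risk described above depends on directory entries that differ only by case. The following is an added example, not F5's code: a Python audit that groups an exported user list by case-folded name and flags groups whose members map to different roles. The usernames, roles and the `find_case_collisions` helper are constructed for illustration, and `casefold()` only approximates the directory's own matching rule.

```python
from collections import defaultdict

# Constructed sample: (username as stored in the directory, role it maps to).
SAMPLE_DIRECTORY = [
    ("jsmith", "operator"),
    ("JSmith", "admin"),
    ("alice", "admin"),
    ("Bob", "operator"),
    ("bob", "operator"),
    ("carol", "user"),
]


def find_case_collisions(entries):
    """Return groups of usernames that are equal once case is ignored.

    Result maps the folded name to the distinct spellings, the distinct
    roles, and whether those roles differ (a privilege conflict).
    """
    groups = defaultdict(list)
    for name, role in entries:
        # casefold() is Unicode-aware lowercasing; an approximation of the
        # case-insensitive comparison a directory server would apply.
        groups[name.casefold()].append((name, role))

    collisions = {}
    for folded, members in groups.items():
        names = sorted({n for n, _ in members})
        if len(names) < 2:
            continue  # only one spelling: no ambiguity under either mode
        roles = sorted({r for _, r in members})
        collisions[folded] = {
            "names": names,
            "roles": roles,
            "privilege_conflict": len(roles) > 1,
        }
    return collisions


if __name__ == "__main__":
    for folded, info in sorted(find_case_collisions(SAMPLE_DIRECTORY).items()):
        level = "HIGH" if info["privilege_conflict"] else "low"
        print(f"[{level}] {folded}: {info['names']} -> roles {info['roles']}")
```

Groups flagged as a privilege conflict are the ones to resolve in the directory before case-insensitive lookups are enabled.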