Bug ID 495273: LDAP extended error info only available at debug log level which could affect Branch rules

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Dec 08, 2014

Severity: 3-Major

Symptoms

The LDAP session variable contains only a simple error message at the INFO log level; the DEBUG log level is required for it to contain the full error message. This variable is displayed on the logon page after a logon failure.

Impact

Branch rules in the visual policy editor that are based on the extended error message will not work correctly in 11.6.

Conditions

LDAP Auth/Query is configured and extended error details are needed at a non-debug log level.

Workaround

None

Fix Information

A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable contains only a simple error message (decoded error code).

Behavior Change

A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable now contains only a simple error message (decoded error code). Branch rules in the visual policy editor that are based on the extended error message will not work correctly.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips