Bug ID 498993: it is possible to get infinite loop in LDAP Query while resolving nested groups

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Dec 30, 2014

Severity: 3-Major

Related Article: K16972


Processing nested groups might cause an infinite loop.


Users cannot pass an access policy that contains the affected agent. The apd process must be restarted to re-initialize the LDAP agent.


The LDAP Query is configured to get group membership using the 'member' attribute. If, on the LDAP server, group1 has group2 as a member and group2 has group1 as a member (a membership loop), the LDAP Query falls into an infinite loop trying to resolve nested groups.
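
The condition above, reproduced as an added example (not F5's code): a nested-group resolver with no loop guard beside one that expands each group once and reports the membership loops it finds. The directory contents, DNs and function names are constructed for illustration.

```python
# Constructed sample data: group DN -> values of its 'member' attribute.
# group1 and group2 list each other, the membership loop described above.
G1 = "cn=group1,ou=groups,dc=example,dc=com"
G2 = "cn=group2,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {G1: [G2, ALICE], G2: [G1, BOB]}


def resolve_unguarded(directory, group_dn):
    """Expand nested groups with no loop guard; never terminates on a loop
    (in Python it stops only when the recursion limit raises RecursionError)."""
    users = set()
    for member in directory.get(group_dn, []):
        if member in directory:          # member is itself a group
            users |= resolve_unguarded(directory, member)
        else:
            users.add(member)
    return users


def resolve_guarded(directory, group_dn):
    """Expand each group at most once; return (users, loops found)."""
    users, loops, visited = set(), [], set()
    stack = [(group_dn, (group_dn,))]    # (group, path of groups leading to it)
    while stack:
        dn, path = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in directory.get(dn, []):
            if member in path:           # back-reference: membership loop
                loops.append(path[path.index(member):] + (member,))
            elif member in directory:
                stack.append((member, path + (member,)))
            else:
                users.add(member)
    return users, loops


if __name__ == "__main__":
    users, loops = resolve_guarded(DIRECTORY, G1)
    print(sorted(users))
    for loop in loops:
        print("membership loop:", " -> ".join(loop))
```

Running the guarded resolver over a directory export is also a way to find membership loops on the LDAP server before they reach a resolver that lacks the guard.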



Fix Information

The LDAP Query resolves group membership including nested groups as expected.

Behavior Change
