Bug ID 512355: AD Query might fail if "fetch primary group" is enabled, but attribute primaryGroupID is not added to required attributes list

Last Modified: Oct 01, 2018


Affected Product:
BIG-IP APM (all modules)

Fixed In:
12.0.0

Opened: Mar 13, 2015
Severity: 3-Major

Symptoms

If the option "fetch primary group" is enabled for AD Query and some attributes are configured as "required attributes", then AD Query requests only those configured attributes for a user during the logon process. If the required attributes list is missing the primaryGroupID attribute, AD Query fails because it cannot find the primary group DN for the user.

Impact

AD Query fails

Conditions

The option "fetch primary group" is enabled for AD Query, some attributes are configured as "required attributes", and the required attributes list is missing the primaryGroupID attribute.

Workaround

Add the primaryGroupID attribute to the list of required attributes. This is not necessary if the "required attributes" list is empty; in that case, BIG-IP retrieves all attributes for a user, including primaryGroupID.
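
Background on why the attribute matters, as an added example that is not F5 code and does not claim to show how BIG-IP performs the lookup: in Active Directory, primaryGroupID holds only the RID of the user's primary group, so the group's SID is the user's domain SID with that RID appended. The entries, SID values and function names below are constructed for illustration, and the assumption is that the restricted attribute list still returns objectSid.

```python
import struct


def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def primary_group_sid(user_sid: str, primary_group_id) -> str:
    """Swap the user's RID for the primary group's RID."""
    if primary_group_id is None:
        # The condition from this bug: the attribute was never requested.
        raise LookupError("primaryGroupID not returned; cannot derive primary group")
    domain_sid, _, _user_rid = user_sid.rpartition("-")
    return f"{domain_sid}-{int(primary_group_id)}"


def resolve_primary_group_sid(entry: dict) -> str:
    """entry maps attribute names to values, as returned for one user."""
    return primary_group_sid(parse_sid(entry["objectSid"]),
                             entry.get("primaryGroupID"))


# Constructed sample: user S-1-5-21-1004336348-1177238915-682003330-1105
USER_SID_RAW = (bytes([1, 5]) + (5).to_bytes(6, "big")
                + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105))

# Empty "required attributes" list: everything comes back, including primaryGroupID.
FULL_ENTRY = {"objectSid": USER_SID_RAW, "primaryGroupID": "513"}
# Restricted list without primaryGroupID (constructed; assumes objectSid was requested).
RESTRICTED_ENTRY = {"objectSid": USER_SID_RAW}

if __name__ == "__main__":
    print(resolve_primary_group_sid(FULL_ENTRY))
    try:
        resolve_primary_group_sid(RESTRICTED_ENTRY)
    except LookupError as exc:
        print("lookup failed:", exc)
```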

Fix Information

None

Behavior Change