Bug ID 512355: AD Query might fail if "fetch primary group" is enabled, but attribute primaryGroupID is not added to required attributes list

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP APM(all modules)

Fixed In:
12.0.0

Opened: Mar 13, 2015

Severity: 3-Major

Symptoms

if the option "fetch primary group" is enabled for AD Query AND some attributes are configured as "required attributes" then AD Query request only those configured attributes for a user during logon process. If the required attributes missing primaryGroupID attribute, then AD Query will fail as it cannot find primary group DN for the user

Impact

AD Query fails

Conditions

the option "fetch primary group" is enabled for AD Query AND some attributes are configured as "required attributes" AND required attributes missing primaryGroupID attribute

Workaround

add primaryGroupID attribute to the list of required attributes. it's not necessary if "required attributes" list is empty - in this case, bigip retrieves all attributes for a user including primaryGroupID

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips

Have a question?

About F5

Education

F5 sites

Support Tasks

© F5, Inc. All rights reserved. Policies | Privacy | Trademarks