Bug ID 513480: ldap query fails when user is assigned to newly created group and that group is set as primary group

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Mar 19, 2015

Severity: 3-Major

Symptoms

In MS Active Directory a user has a special attribute, primaryGroupID, that holds only the RID of the primary group, not its DN. BIG-IP caches AD groups so it can resolve primaryGroupID into a group DN. When a new group is created in the domain and assigned to a user as the primary group, BIG-IP cannot find that group by ID in its cache and tries to fetch the new group from the domain by searching on the primaryGroupToken attribute. That query fails because primaryGroupToken is a constructed attribute and cannot be used in a filter expression.

Impact

User cannot log in.

Conditions

A new group is created in the domain, the new group is assigned to the user, and the group is set as the primary group for the user.

Workaround

Clear the group cache for the AAA LDAP Server. During the next user login, the cache will be rebuilt from scratch and the new group will be in the cache, so there is no need to retrieve it from the server.

Fix Information

After the fix, the group is retrieved from the server using the objectSid attribute.
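As an added illustration (not F5's code) of why an objectSid lookup works where a primaryGroupToken filter does not: primaryGroupID is just the RID of the group, and the group's objectSid is the domain SID with that RID appended, so a client can build a filter on the stored (non-constructed) objectSid value without any cache. The SIDs below are constructed sample values.

```python
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into the binary form AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    if len(sub_auths) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("<BB", revision, len(sub_auths))   # revision, sub-authority count
    out += authority.to_bytes(6, "big")                  # 48-bit identifier authority
    for sub in sub_auths:
        out += struct.pack("<I", sub)                    # sub-authorities are little-endian
    return out


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Primary group SID = user's domain SID (everything before the last '-') + primaryGroupID."""
    domain_sid, _, _user_rid = user_sid.rpartition("-")
    return f"{domain_sid}-{primary_group_id}"


def ldap_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping for a binary assertion value: each byte as \\XX."""
    return "".join(f"\\{b:02x}" for b in raw)


def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """Filter that finds the primary group by its stored objectSid.

    Searching on primaryGroupToken (e.g. '(primaryGroupToken=513)') fails because that
    attribute is constructed on read and is not usable in a filter, which is the bug above.
    """
    sid = primary_group_sid(user_sid, primary_group_id)
    return f"(&(objectClass=group)(objectSid={ldap_escape_bytes(sid_to_bytes(sid))}))"


if __name__ == "__main__":
    # Constructed sample: user RID 1105 in domain S-1-5-21-1-2-3, primaryGroupID 513.
    print(primary_group_filter("S-1-5-21-1-2-3-1105", 513))
```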

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips