Bug ID 513480: LDAP query fails when user is assigned to newly created group and that group is set as primary group

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Mar 19, 2015
Severity: 3-Major

Symptoms

In MS Active Directory, each user has a special attribute, primaryGroupID. BIG-IP caches AD groups to resolve primaryGroupID into a group DN. When a new group is created in the domain and assigned to a user as the primary group, BIG-IP cannot find that group by ID in its cache and tries to fetch the new group from the domain using the primaryGroupToken attribute. The query fails because primaryGroupToken is a constructed attribute and cannot be part of a filter expression.

Impact

User cannot log in.

Conditions

A new group is created in the domain, the new group is assigned to the user, and the group is set as the primary group for the user.

Workaround

Clear the group cache for the AAA LDAP Server. During the user's next login, the cache will be built from scratch and the new group will be in the cache, so there is no need to retrieve it from the server.

Fix Information

After the fix, the group is retrieved from the server using the objectSid attribute.
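
As an added illustration (not F5's code and not part of the bug report): one way a client can look up a user's primary group by objectSid, assuming the standard Active Directory relationship in which the primary group's SID is the user's SID with its last sub-authority (RID) replaced by primaryGroupID. The function names and the sample SID and RID values are constructed for this example.

```python
import struct

def parse_sid(raw: bytes):
    """Decode a binary objectSid into (revision, authority, sub-authorities)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")           # 48-bit, big-endian
    subs = list(struct.unpack("<%dI" % raw[1], raw[8:]))  # 32-bit, little-endian
    return raw[0], authority, subs

def pack_sid(revision: int, authority: int, subs) -> bytes:
    """Encode SID components back into the binary objectSid layout."""
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_to_str(raw: bytes) -> str:
    """Render a binary SID in the familiar S-1-5-21-... string form."""
    revision, authority, subs = parse_sid(raw)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def primary_group_sid(user_sid: bytes, primary_group_id: int) -> bytes:
    """Primary group SID = user's domain SID with the RID set to primaryGroupID."""
    revision, authority, subs = parse_sid(user_sid)
    if not subs or not 0 <= primary_group_id <= 0xFFFFFFFF:
        raise ValueError("no RID to replace, or primaryGroupID out of range")
    return pack_sid(revision, authority, subs[:-1] + [primary_group_id])

def group_filter(group_sid: bytes) -> str:
    """LDAP filter on objectSid; every byte is escaped as \\xx (RFC 4515)."""
    return "(&(objectClass=group)(objectSid=%s))" % "".join(
        "\\%02x" % b for b in group_sid)

# Constructed sample values (not from the bug report).
USER_SID = pack_sid(1, 5, [21, 1004336348, 1177238915, 682003330, 1105])
PRIMARY_GROUP_ID = 1610

if __name__ == "__main__":
    # Rejected by AD: primaryGroupToken is constructed, so it cannot be filtered on.
    print("fails: (primaryGroupToken=%d)" % PRIMARY_GROUP_ID)
    gsid = primary_group_sid(USER_SID, PRIMARY_GROUP_ID)
    print("works:", sid_to_str(gsid))
    print("      ", group_filter(gsid))
```
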

Behavior Change