Bug ID 518573: The -decode option should be added to expressions in AD and LDAP group mapping.

Last Modified: Jun 30, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
11.6.0 HF6

Opened: Apr 16, 2015
Severity: 3-Major


-decoded option is needed.


in 11.6.0, if you create a rule to match an AD group in an "AD group resource assign" it will create something like this in the bigip.conf: expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }" Prior to 11.6.0 the generated config was: expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }" The upgrade script does not take care of adding the "-decode" option which result in no groups being displayed in the VPE after an upgrade to 11.6.0


upgrade to 11.6.0


No workaround

Fix Information

issue resolved, the -decode and lower string comparison added to expressions in AD and LDAP Group Mapping during upgrade.

Behavior Change