Bug ID 518573: The -decode option should be added to expressions in AD and LDAP group mapping.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4

Fixed In:
11.6.0 HF6

Opened: Apr 16, 2015

Severity: 3-Major

Symptoms

The -decode option is needed.

Impact

In 11.6.0, if you create a rule to match an AD group in an "AD group resource assign", it will create something like this in the bigip.conf:

    expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

Prior to 11.6.0 the generated config was:

    expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"

The upgrade script does not take care of adding the "-decode" option, which results in no groups being displayed in the VPE after an upgrade to 11.6.0.
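A check for expressions left in the pre-11.6.0 form, as an added example (not F5's code): it scans configuration text for mcget calls on the memberOf session variable that lack -decode. The LDAP variable name session.ldap.last.attr.memberOf, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Matches an mcget call on the memberOf session variable; any options that
# precede the braces are captured in "opts". The AD variable name is from the
# bug text; the LDAP variable name is an assumption.
MCGET = re.compile(
    r"\[\s*mcget\s+(?P<opts>(?:-\w+\s+)*)"
    r"\{(?P<var>session\.(?:ad|ldap)\.last\.attr\.memberOf)\}\s*\]"
)


def find_undecoded(conf_text):
    """Return (line_no, variable, line) for each memberOf mcget call without -decode."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if "expression" not in line:
            continue  # only policy expression lines are of interest
        for match in MCGET.finditer(line):
            if "-decode" not in match.group("opts").split():
                hits.append((line_no, match.group("var"), line.strip()))
    return hits


# Constructed sample: line 1 is the 11.6.0 form, lines 2 and 3 the older form.
SAMPLE = r'''expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"
expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }"
expression "expr { [mcget {session.ldap.last.attr.memberOf}] contains \"CN=OPS,\" }"
'''

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line_no, var, line in find_undecoded(text):
        print(f"line {line_no}: {var} read without -decode: {line}")
```
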

Conditions

Upgrade to 11.6.0.

Workaround

No workaround

Fix Information

Issue resolved: the -decode option and lower string comparison are added to expressions in AD and LDAP Group Mapping during upgrade.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips