Bug ID 580567: LDAP Query agent failed to resolve nested group membership

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Mar 15, 2016

Severity: 3-Major

Symptoms

Not all of the nested group membership are resolved for a user

Impact

User authentication might fail or not getting all the assigned resources due to missing nested group membership.

Conditions

Several conditions need to be met: 1. LDAP Query agent is configured to connect to GC (Global Catalog) in AD environment; AND 2. There are sub domains in the AD environment; AND 3. A user who is a member of a group from one of the sub domains login in.

Workaround

None

Fix Information

after fix, LDAP agent retrieve group from server when talking to Global Catalog

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips