Bug ID 589794: APD might crash if LDAP Query agent fails to retrieve primary group for a user

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4

Fixed In:
11.6.1 HF1

Opened: Apr 26, 2016

Severity: 3-Major


APD crashes and generate a core file.


Authentication service will be interrupted.


The problem can happen only when the following conditions are met: 1. LDAP Query is used with AD backend. 2. 'Fetch groups to which the user or group belong' is defined for a value other than None (e.g., direct/all). 3. There were previous logons to the BIG-IP system, so a group cache is built and valid. 4. There is a new group created in the domain and assigned as a primary group for the user trying to authenticate.


Administrator should reset the group cache using either GUI (AAA LDAP Server configuration page) or tmsh (apm aaa ldap object). After the cache is reset, the cache will be built from scratch at the time of the next request, and the new group will be added to the cache.

Fix Information

APD no longer crashes if LDAP Query agent fails to retrieve primary group for a user.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips