Bug ID 589794: APD might crash if LDAP Query agent fails to retrieve primary group for a user

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1

Fixed In:
11.6.1 HF1

Opened: Apr 26, 2016
Severity: 3-Major

Symptoms

APD crashes and generates a core file.

Impact

Authentication service will be interrupted.

Conditions

The problem can happen only when the following conditions are met:

1. LDAP Query is used with AD backend.
2. 'Fetch groups to which the user or group belong' is defined for a value other than None (e.g., direct/all).
3. There were previous logons to the BIG-IP system, so a group cache is built and valid.
4. There is a new group created in the domain and assigned as a primary group for the user trying to authenticate.

Workaround

The administrator should reset the group cache using either the GUI (AAA LDAP Server configuration page) or tmsh (apm aaa ldap object). After the cache is reset, it is rebuilt from scratch at the time of the next request, and the new group is added to the cache.

Fix Information

APD no longer crashes if LDAP Query agent fails to retrieve primary group for a user.

Behavior Change