Bug ID 596116: LDAP Query does not resolve group membership, when required attribute(s) specified

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1

Opened: May 26, 2016
Severity: 3-Major
Related AskF5 Article:
K20422849

Symptoms

The session variable session.ldap.last.memberOf contains only the groups in which the user has explicit (direct) membership; nested group memberships are not resolved.

Impact

Only groups of which the user is a direct member are populated into the APM 'session.ldap.last.memberOf' variable.

Conditions

This occurs when the following conditions are met:
-- The APM LDAP Query is configured with the option "Fetch groups to which the user or group belong" set to "All".
-- The Required Attributes list includes the "memberOf" LDAP attribute.

Workaround

Add the following attribute to the "Required Attributes" list: "objectClass"
If APM is communicating via LDAP with Microsoft Active Directory, consider also adding this attribute to the list: "primaryGroupID"
Note: Adding the "primaryGroupID" attribute causes APM to fetch all groups from Microsoft Active Directory, including the user's primary group.
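As an added example (not code from F5 or from this bug record), the script below shows the difference between the direct memberOf set this bug leaves in the session variable and the transitive group set that "Fetch groups ... All" is supposed to produce, and gives a check an administrator can run against a session.ldap.last.memberOf value. The directory contents, DNs and the dn() helper are constructed for the example; Active Directory primary groups (primaryGroupID) are not modelled.

```python
"""Compare direct vs. transitive LDAP group membership (added example)."""
from collections import deque


def dn(cn, ou):
    """Build a DN in the constructed example directory."""
    return f"cn={cn},ou={ou},dc=example,dc=com"


# Constructed sample directory (DN -> attributes). Nesting: alice -> engineering
# -> staff -> {allusers, ops}; ops <-> opsowners is a deliberate cycle.
DIRECTORY = {
    dn("alice", "people"): {"objectClass": ["user"], "memberOf": [dn("engineering", "groups")]},
    dn("engineering", "groups"): {"objectClass": ["group"], "memberOf": [dn("staff", "groups")]},
    dn("staff", "groups"): {"objectClass": ["group"],
                            "memberOf": [dn("allusers", "groups"), dn("ops", "groups")]},
    dn("allusers", "groups"): {"objectClass": ["group"], "memberOf": []},
    dn("ops", "groups"): {"objectClass": ["group"], "memberOf": [dn("opsowners", "groups")]},
    dn("opsowners", "groups"): {"objectClass": ["group"], "memberOf": [dn("ops", "groups")]},
}


def direct_groups(directory, entry_dn):
    """Groups listed in the entry's own memberOf attribute (what the affected versions return)."""
    return set(directory.get(entry_dn, {}).get("memberOf", []))


def all_groups(directory, entry_dn):
    """Transitive closure over memberOf, i.e. what 'Fetch groups ... All' should yield.
    The visited set makes the walk terminate even when groups reference each other."""
    seen, queue = set(), deque(direct_groups(directory, entry_dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(directory, group))
    return seen


def missing_nested_groups(directory, entry_dn, session_member_of):
    """Groups a correct session.ldap.last.memberOf should contain but does not."""
    return all_groups(directory, entry_dn) - set(session_member_of)


if __name__ == "__main__":
    user = dn("alice", "people")
    # direct_groups() stands in for the session variable captured on an affected version.
    print(sorted(missing_nested_groups(DIRECTORY, user, direct_groups(DIRECTORY, user))))
```

Feed the script the DN and the session variable value from an affected session; an empty result means nested groups are being resolved.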

Fix Information

LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attributes are set.

Behavior Change