Bug ID 596116: LDAP Query does not resolve group membership, when required attribute(s) specified

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1

Opened: May 26, 2016

Severity: 3-Major

Related Article: K20422849


The corresponding session variable session.ldap.last.memberOf contains only the groups in which the user has explicit membership.


Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.


This occurs when the following conditions are met:
-- The APM LDAP Query option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attributes list includes the "memberOf" LDAP attribute.


Add the following attribute to the "Required Attributes" list: "objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list: "primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups from Microsoft Active Directory, including the primary group.
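To judge which group-based access policy decisions are affected, the following added example (not F5 code, and not a reproduction of APM's LDAP traffic) models the difference between a direct-only memberOf result and full nested resolution. The directory entries, DNs, function names and the primaryGroupID-to-DN lookup are constructed assumptions.

```python
# Constructed sample data (not from the page): DN -> LDAP attributes.
BASE = "DC=example,DC=test"
ALICE = f"CN=alice,OU=Users,{BASE}"
HELPDESK = f"CN=VPN-Helpdesk,OU=Groups,{BASE}"
VPN_USERS = f"CN=VPN-Users,OU=Groups,{BASE}"
REMOTE = f"CN=Remote-Access,OU=Groups,{BASE}"
DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"

DIRECTORY = {
    ALICE: {"memberOf": [HELPDESK], "primaryGroupID": "513"},
    HELPDESK: {"memberOf": [VPN_USERS]},
    VPN_USERS: {"memberOf": [REMOTE]},
    REMOTE: {"memberOf": [HELPDESK]},  # nesting loop, must not hang the walk
}
# Assumed lookup from primaryGroupID (a RID) to the group's DN.
PRIMARY_GROUPS = {"513": DOMAIN_USERS}


def direct_groups(dn):
    """Groups in the entry's own memberOf (what the bug leaves in the variable)."""
    return set(DIRECTORY.get(dn, {}).get("memberOf", []))


def all_groups(dn, include_primary=False):
    """Direct and nested groups, following memberOf on each group; cycle-safe."""
    seen, stack = set(), [dn]
    while stack:
        entry = DIRECTORY.get(stack.pop(), {})
        parents = list(entry.get("memberOf", []))
        primary = PRIMARY_GROUPS.get(entry.get("primaryGroupID"))
        if include_primary and primary:
            parents.append(primary)
        for group in parents:
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def missed_groups(dn):
    """Nested groups absent from a direct-only result."""
    return all_groups(dn) - direct_groups(dn)


if __name__ == "__main__":
    for group in sorted(missed_groups(ALICE)):
        print("not resolved on an affected version:", group)
```

Any access policy branch that tests for a group returned by `missed_groups` evaluates differently on an affected version than on a fixed one.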

Fix Information

LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attributes are set.

Behavior Change
