Bug ID 596116: LDAP Query does not resolve group membership, when required attribute(s) specified

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF1

Opened: May 26, 2016

Severity: 3-Major

Related Article: K20422849

Symptoms

The corresponding session variable session.ldap.last.memberOf contains only the groups of which the user is an explicit (direct) member; groups inherited through nested group membership are missing.

Impact

Only the groups the user is a direct member of are populated in the APM 'session.ldap.last.memberOf' variable. Access policy branches or resource assignments that rely on nested (indirect) group membership will therefore not match for affected users.

Conditions

This occurs when the following conditions are met:
-- The APM LDAP Query is configured with the option "Fetch groups to which the user or group belong" set to "All".
-- The Required Attributes list includes the "memberOf" LDAP attribute.

Workaround

Add the following attribute to the "Required Attributes" list: "objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider also adding this attribute to the list: "primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups from Microsoft Active Directory, including the user's primary group (which Active Directory does not list in the user's memberOf attribute).
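To make the difference between direct and nested membership concrete, and to give a way of checking whether the session variable is complete, the following is an added example written for this article; it is not F5 code and does not model APM internals. It walks a constructed in-memory directory (all DNs and RIDs are made up), resolves the transitive memberOf closure the way the "All" option is meant to, optionally folds in the Active Directory primary group via primaryGroupID, and reports which groups a given session.ldap.last.memberOf value is missing.

```python
from collections import deque

# Constructed sample directory (not real data): DN -> LDAP attributes.
# Active Directory does not put a user's primary group in memberOf; the link
# is primaryGroupID on the user matching primaryGroupToken on the group.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": ["CN=Developers,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": "513",
    },
    "CN=Developers,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com"],
    },
    "CN=Engineering,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=AllStaff,OU=Groups,DC=example,DC=com"],
    },
    "CN=AllStaff,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": [],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"],
        "primaryGroupToken": "513",
        "memberOf": [],
    },
}


def direct_groups(dn):
    """Groups listed in the entry's own memberOf attribute (explicit membership)."""
    return list(DIRECTORY.get(dn, {}).get("memberOf", []))


def primary_group(dn):
    """Resolve the AD primary group by matching primaryGroupID to a group's primaryGroupToken."""
    rid = DIRECTORY.get(dn, {}).get("primaryGroupID")
    if rid is None:
        return None
    for gdn, attrs in DIRECTORY.items():
        if "group" in attrs.get("objectClass", []) and attrs.get("primaryGroupToken") == rid:
            return gdn
    return None


def all_groups(dn, include_primary=False):
    """Transitive closure of memberOf (what 'Fetch groups ... All' is expected to return).

    Breadth-first walk with a visited list so circular nesting cannot loop forever.
    """
    resolved = []
    queue = deque(direct_groups(dn))
    if include_primary:
        pg = primary_group(dn)
        if pg is not None:
            queue.append(pg)
    while queue:
        group = queue.popleft()
        if group in resolved:
            continue
        resolved.append(group)
        queue.extend(direct_groups(group))
    return resolved


def missing_groups(session_member_of, dn, include_primary=False):
    """Groups the user should hold that are absent from a session.ldap.last.memberOf value.

    session_member_of is an iterable of group DNs taken from the APM session.
    A non-empty result means the session variable only reflects direct membership.
    """
    present = set(session_member_of)
    return [g for g in all_groups(dn, include_primary) if g not in present]


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    # Simulated affected session: only the explicit group made it into the variable.
    affected_session = ["CN=Developers,OU=Groups,DC=example,DC=com"]
    print("direct :", direct_groups(alice))
    print("nested :", all_groups(alice))
    print("with PG:", all_groups(alice, include_primary=True))
    print("missing:", missing_groups(affected_session, alice, include_primary=True))
```

Run against a real session, the check is simply: export the user's memberOf values from the APM session (for example from the session variable report), feed them to missing_groups with the same user DN, and a non-empty list confirms that nested groups were dropped. Passing include_primary=True mirrors the effect of adding "primaryGroupID" to the Required Attributes list.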

Fix Information

LDAP Query now retrieves groups from the backend server in accordance with the option "Fetch groups to which the user or group belong", regardless of whether any required attribute is set.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips