Bug ID 699267: LDAP Query may fail to resolve nested groups

Last Modified: Jun 04, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5

Fixed In:
14.1.0, 13.1.0.8, 12.1.3.4, 11.6.3.3

Opened: Dec 18, 2017
Severity: 3-Major

Symptoms

LDAP Query agent may fail to resolve nested groups for a user. When the 'debug' log level is enabled for the Access Profile, the /var/log/apm log file contains the following error messages:

err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
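An added example (not F5's code) for triaging /var/log/apm against the symptom above: it groups 014902bb errors by session and flags sessions that show both failures with "No such object.". The field names in the regex are an assumed reading of the log layout, and the sample timestamps, host name and second session are constructed.

```python
import re
from collections import defaultdict

# Message ID and wording come from the Symptoms text. Reading the token before
# the message as <profile>:<partition>:<session id> is an assumption.
PATTERN = re.compile(
    r"apmd\[\d+\]: 014902bb:\d+: "
    r"(?P<profile>/\S+?):(?P<partition>[^:\s]+):(?P<session>[0-9a-f]+) "
    r"Failed to process the LDAP search result while (?P<phase>.+?) "
    r"with error \((?P<error>[^)]*)\)"
)
BUG_PHASES = {"getting group membership down", "querying LDAP"}

def find_group_lookup_failures(lines):
    """Group 014902bb failures by session: {session: {profile, phases, errors}}."""
    sessions = defaultdict(lambda: {"profile": None, "phases": [], "errors": []})
    for line in lines:
        m = PATTERN.search(line)
        if m:
            entry = sessions[m["session"]]
            entry["profile"] = m["profile"]
            entry["phases"].append(m["phase"])
            entry["errors"].append(m["error"])
    return dict(sessions)

def matches_bug_signature(entry):
    """True when a session has both failures from Symptoms, all 'No such object.'."""
    return (BUG_PHASES <= set(entry["phases"])
            and all(e == "No such object." for e in entry["errors"]))

# Constructed sample: timestamps, host name and the 0a1b2c3d session are made up;
# the 254fdc14 messages are the two quoted under Symptoms.
SAMPLE_LOG = [
    "Dec 18 10:00:01 bigip1 err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).",
    "Dec 18 10:00:01 bigip1 err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).",
    "Dec 18 10:00:05 bigip1 err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:0a1b2c3d Failed to process the LDAP search result while querying LDAP with error (Constructed other error.).",
    "Dec 18 10:00:09 bigip1 notice apmd[17159]: constructed unrelated line",
]

if __name__ == "__main__":
    for sid, entry in find_group_lookup_failures(SAMPLE_LOG).items():
        verdict = "matches Bug ID 699267 symptoms" if matches_bug_signature(entry) else "other LDAP failure"
        print(sid, entry["profile"], verdict)
```

A match only shows the symptom pattern in the log; whether the installed version is affected is decided by the version lists on this page.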

Impact

LDAP Query agent fails. Unable to get user identity. Unable to finalize Access Policy.

Conditions

LDAP Query agent is configured in an Access Policy. The 'Fetch groups to which the user or group belong' option is enabled.

Workaround

None

Fix Information

After the fix, LDAP Query resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.

Behavior Change