Bug ID 806093: Unwanted LDAP referrals slow or prevent administrative login

Last Modified: Aug 15, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0, 15.0.1

Opened: Jul 17, 2019
Severity: 2-Critical

Symptoms

On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to log in to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Impact

The BIG-IP system may accept LDAP referrals that it is unable to process, resulting in authentication timeouts/failures.

Conditions

-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referrals (the default).
-- There are a large number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Workaround

To temporarily disable the referrals, edit one of the configuration files /etc/nslcd.conf or /config/bigip/auth/pam.d/ldap/system-auth.conf, and add the following line:

    referrals no

Note: This change is not persistent and will be lost whenever MCPD reloads the configuration, or when other changes are made to system-auth configuration values.
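Because the workaround is lost on configuration reload, it helps to be able to check for it and put it back. The script below is an added example, not F5-supplied code: the function names are hypothetical, and it assumes the "referrals yes|no" line syntax and that the file may be rewritten in place by root.

```shell
#!/bin/bash
# Added example: verify and re-apply the "referrals no" workaround.
# Function names are hypothetical; this is not F5-supplied code.

# Exit 0 only if the file has a "referrals" line and every one says "no".
# Exit 2 if the file cannot be read.
referrals_disabled() {
    [ -r "$1" ] || return 2
    awk 'tolower($1) == "referrals" {
             if (tolower($2) == "no") ok++; else bad++
         }
         END { exit !(ok > 0 && bad == 0) }' "$1"
}

# Drop any existing "referrals" lines and append "referrals no".
# Writes back with cat so the file keeps its owner, mode and inode.
ensure_referrals_no() {
    file=$1
    referrals_disabled "$file" && return 0
    [ -w "$file" ] || return 2
    tmp=$(mktemp) || return 2
    awk 'tolower($1) != "referrals"' "$file" > "$tmp" &&
        printf 'referrals no\n' >> "$tmp" &&
        cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: script.sh /etc/nslcd.conf   (run as root; does nothing without arguments)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if ensure_referrals_no "$f"; then
            echo "$f: referrals disabled"
        else
            echo "$f: could not apply workaround" >&2
        fi
    done
fi
```

Running it repeatedly is safe: a file that already carries only "referrals no" is left untouched.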

Fix Information

None

Behavior Change