Bug ID 806093: Unwanted LDAP referrals slow or prevent administrative login

Last Modified: Feb 14, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1

Fixed In:
15.1.0, 15.0.1.1, 14.1.2.3

Opened: Jul 17, 2019

Severity: 2-Critical

Symptoms

On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to login to the Configuration Utility or to the command-line interface may proceed very slowly or fail.

Impact

The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.

Conditions

-- LDAP/Active Directory 'system-auth' authentication configured. -- The Active Directory enables LDAP referral chasing (the default). -- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).

Workaround

Which workaround to use to temporarily disable referrals chasing depends on the version you have. -- For BIG-IP 14.1.0 - 14.1.2.2, and 15.0.0 - 15.0.1.0 1. Edit the configuration files -- /etc/nslcd.conf 2. Add add the following line to the end of the file: referrals no 3. Restart nslcd service to apply change: systemctl restart nslcd Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values. -- For BIG-IP 14.1.2.3 (and later 14.1.x releases), and 15.0.1.1 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again, in order to update nslcd.conf tmsh modify sys db systemauth.referrals value no tmsh save sys config tmsh load sys config

Fix Information

In BIG-IP v15.1.0 and later, you can configure the use of referrals using the 'referrals' property of the 'auth ldap system-auth' object. In BIG-IP v14.1.2.3+ and BIG-IP v15.0.1.1+, you can configure the use of referrals using the 'systemauth.referrals' db key.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips