Last Modified: Dec 13, 2019
Known Affected Versions:
14.1.0, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.1.2, 22.214.171.124, 126.96.36.199, 15.0.0, 15.0.1
Opened: Jul 17, 2019
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to log in to the Configuration Utility or to the command-line interface may proceed very slowly or fail.
The BIG-IP system may accept LDAP referrals that it is unable to process, resulting in authentication timeouts/failures.
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referrals (the default).
-- There are a large number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).
To temporarily disable the referrals:
1. Edit one of the configuration files:
-- /etc/nslcd.conf
-- /config/bigip/auth/pam.d/ldap/system-auth.conf
2. Add the following line:
referrals no
3. Restart the nslcd service to apply the change:
systemctl restart nslcd
Note: This change is not persistent and will be lost whenever MCPD reloads the configuration, or when other changes are made to system-auth configuration values.
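Because the workaround is lost whenever MCPD reloads the configuration, the setting has to be checked and re-applied. The following is an added example, not F5 code, showing one way to do that idempotently; the function names and the --apply argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): check for and re-apply "referrals no"
# in an nslcd-style configuration file.

# referrals_state FILE
# Prints "disabled" if every active "referrals" line says "no",
# "enabled" if any active line says something else, "unset" if none exist.
# Assumption: any value other than "no" is treated as referrals enabled.
referrals_state() {
    awk '$1 == "referrals" { n++; if (tolower($2) != "no") bad++ }
         END {
             if (n == 0)   print "unset"
             else if (bad) print "enabled"
             else          print "disabled"
         }' "$1"
}

# ensure_referrals_off FILE
# Prints "unchanged" if the file already disables referrals, otherwise
# rewrites it with a single "referrals no" line and prints "changed".
ensure_referrals_off() {
    file=$1
    if [ "$(referrals_state "$file")" = "disabled" ]; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Drop every active "referrals" line; commented lines are kept.
    awk '$1 != "referrals"' "$file" > "$tmp"
    echo "referrals no" >> "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo changed
}

# Only touch the system when asked: sh script.sh --apply [FILE]
if [ "${1:-}" = "--apply" ]; then
    conf=${2:-/etc/nslcd.conf}
    # Restart nslcd only if the file actually changed.
    if [ "$(ensure_referrals_off "$conf")" = "changed" ]; then
        systemctl restart nslcd
    fi
fi
```

Running it again after an MCPD reload or a system-auth change restores the line only if it has gone missing, so nslcd is not restarted needlessly.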
Changes to LDAP referrals value in configuration are now saved, so this issue no longer occurs.