Last Modified: Jul 12, 2023
Known Affected Versions:
14.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 14.1.2, 184.108.40.206, 220.127.116.11, 15.0.0, 15.0.1
15.1.0, 18.104.22.168, 22.214.171.124
Opened: Jul 17, 2019 Severity: 2-Critical
On a BIG-IP system configured with remote LDAP/Active Directory authentication, attempting to log in to the Configuration Utility or to the command-line interface may proceed very slowly or fail.
The BIG-IP system may chase LDAP referrals that reference LDAP servers that are unreachable, resulting in authentication timeouts/failures.
-- LDAP/Active Directory 'system-auth' authentication configured.
-- The Active Directory enables LDAP referral chasing (the default).
-- There are a number of Active Directory servers in the enterprise, or the BIG-IP system does not have complete network connectivity to all Active Directory servers (caused by firewalls or special routes).
Which workaround to use to temporarily disable referral chasing depends on the version you have.

-- For BIG-IP 14.1.0 - 126.96.36.199, and 15.0.0 - 188.8.131.52:

1. Edit the configuration file /etc/nslcd.conf.
2. Add the following line to the end of the file:
   referrals no
3. Restart the nslcd service to apply the change:
   systemctl restart nslcd

Important: This change is not persistent, and will be lost whenever MCPD reloads the BIG-IP configuration (tmsh load sys config), or when other changes are made to system-auth configuration values.

-- For BIG-IP 184.108.40.206 (and later 14.1.x releases), and 220.127.116.11 (and later 15.0.x.x releases), a db key has been added to allow this setting to be controlled. After making the db key change, the BIG-IP configuration must be saved and then loaded again in order to update nslcd.conf:

   tmsh modify sys db systemauth.referrals value no
   tmsh save sys config
   tmsh load sys config
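Because the manual nslcd.conf edit is lost on a configuration reload, the following added example (not part of the original article and not F5 tooling) reports the effective referrals setting in an nslcd.conf-style file and re-appends the line only when it is missing. The function names are hypothetical, and it assumes the last referrals line in the file is the one that takes effect.

```shell
#!/bin/bash
# Added example, not F5 code. Function names are hypothetical.
# Assumption: the last "referrals" line in the file is the effective one.

# Print the effective referrals setting of an nslcd.conf-style file:
# the configured value (e.g. "no" or "yes"), or "unset" if no line is present.
referrals_state() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == "referrals" && NF >= 2 { v = $2 }   # remember the last value seen
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Append "referrals no" unless it is already the effective setting.
# Prints "changed" or "unchanged" so the caller knows whether nslcd
# needs a restart.
ensure_referrals_no() {
    conf=$1
    if [ "$(referrals_state "$conf")" = "no" ]; then
        echo unchanged
        return 0
    fi
    # If the file does not end with a newline, add one so the new
    # option is not glued onto the previous line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    echo "referrals no" >> "$conf"
    echo changed
}

# Re-apply the workaround on the BIG-IP and restart nslcd only when
# the file was actually modified. Not called automatically.
apply_workaround() {
    if [ "$(ensure_referrals_no /etc/nslcd.conf)" = "changed" ]; then
        systemctl restart nslcd
    fi
}
```

Run apply_workaround after any tmsh load sys config or system-auth change on the affected versions that lack the db key.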
In BIG-IP v15.1.0 and later, you can configure the use of referrals using the 'referrals' property of the 'auth ldap system-auth' object. In BIG-IP v18.104.22.168+ and BIG-IP v22.214.171.124+, you can configure the use of referrals using the 'systemauth.referrals' db key.