Bug ID 950153: LDAP remote authentication fails when empty attribute is returned

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1

Fixed In:
17.1.1, 16.1.5, 15.1.10

Opened: Oct 01, 2020

Severity: 3-Major

Symptoms

LDAP/AD Remote authentication fails and the authenticating service may crash. The failure might be intermittent.

Impact

Logging in via the GUI will fail silently Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log The logs will be similar to : info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000] info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Conditions

LDAP/AD server SearchResEntry includes attribute with empty or NULL value. This can be seen in tcpdump of the LDAP communication in following ways 1. No Value for attribute . Example in tcpdump taken on affected user : vals: 1 item AttributeValue: 2. 1. NULL Value for attribute . Example in tcpdump taken on affected user : vals: 1 item AttributeValue: 00

Workaround

There is no Workaround on the LTM side. For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips