Mark_22062
Nimbostratus
May 20, 2013
APM - AD Nested Groups Limited?
Hi there,
I am trying to configure remote access to an application using AD Query. The query is configured to check membership of a group "F5_Application", this group has a number of nested gro...
Kevin_Stewart
Employee
May 20, 2013
Two things could be happening.
1. The memberOf attribute is not returned if the user is a member of only one group. If you look at the AD query in Wireshark, you'll see that the AD returns "attributes: 0 items" if you filter strictly on the memberOf value. However, without the filter, the query will return primaryGroupID, which is the SID of that one (primary) group (ex. 513 = Domain Users). I would recommend applying at least two groups to all users (even if one of them is an empty group).
2. I don't believe there's any specific limitation to the number and depth of nested groups. If you're adding and removing group memberships for testing and not seeing the differences, it's probably because APM has cached the information. If this is a test unit, you can issue the following to reset the APD cache: bigstart restart apd.
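Added example, not part of the original thread and not F5 or APM code: a Python sketch of how a group check can account for the primary group when memberOf comes back empty. In Active Directory, memberOf does not list the primary group; primaryGroupID holds that group's relative identifier (RID), which is appended to the domain portion of the user's objectSid. The sample SID, the `entry` dictionary and the `sid_to_dn` lookup table are constructed for illustration.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Domain SID (user SID minus its own RID) plus primaryGroupID as the RID."""
    domain, _, _user_rid = parse_sid(object_sid).rpartition("-")
    return f"{domain}-{primary_group_id}"

def effective_groups(entry: dict, sid_to_dn: dict) -> set:
    """Direct memberOf values plus the primary group, which memberOf omits."""
    groups = set(entry.get("memberOf", []))          # attribute may be absent
    sid = primary_group_sid(entry["objectSid"], int(entry["primaryGroupID"]))
    groups.add(sid_to_dn.get(sid, sid))              # keep the SID if unresolved
    return groups

# Constructed sample: user S-1-5-21-1004336348-1177238915-682003330-1105
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big") +
              struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105))

# Constructed lookup table; a real deployment would resolve the SID via LDAP.
SID_TO_DN = {
    "S-1-5-21-1004336348-1177238915-682003330-513":
        "CN=Domain Users,CN=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    # User whose only group is the primary one: no memberOf attribute at all.
    entry = {"objectSid": SAMPLE_SID, "primaryGroupID": "513"}
    print(effective_groups(entry, SID_TO_DN))
```
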