Forum Discussion

Chris_FP
Apr 25, 2017

BIG-IQ not mapping AD groups to User Groups

I'm currently trying to get a BIG-IQ instance working correctly with a customer's AD service. This service already works 100% fine with the existing BIG-IP devices, confirming that the AD setup is OK. I've no doubt this is a PICNIC error on my part, but I'm not an LDAP/AD person by trade.

 

We have managed to get the BIG-IQ to authenticate users so we know we have connectivity to the AD side of things.

 

I've created a user group to map people who are in the F5Admins group so that they should automatically be given the role of Administrator.

 

What I've found out from performing an ldapsearch is that the username they type in (format Xnnnnnnnnn) doesn't appear in the search for the F5Admins group members, and for some reason the BIG-IPs can handle this but the BIG-IQ cannot.

 

Below is the output from the ldapsearch (sanitised output):

ldapsearch -x -h 1.2.3.4 -b "ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk" -s sub "(cn=F5Admins)" -v -D "cn=XXXX,ou=XXXXX Accounts,dc=xxxxx,dc=xxx,dc=uk" -W
ldap_initialize( ldap://1.2.3.4 )
Enter LDAP Password:
filter: (cn=F5Admins)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk> with scope subtree
# filter: (cn=F5Admins)
# requesting: ALL
#

# F5Admins, (output snipped)
dn: CN=F5Admins,OU=XXXX,ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk
objectClass: top
objectClass: group
cn: F5Admins
member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jack),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
(output snipped but contains similar user information)
distinguishedName: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk

 

I am unable to provide screenshots of the other parts of the config as it contains information that the customer doesn't want to be made public.

 

Below is a screenshot of when I try to search when modifying the User Group. Basically, no matter what I type in the search filter, I always get the "No remote groups.." message. I tried adding the group DN manually, but that doesn't work either.

Hi Bill,

I didn't, unfortunately. I'd love somebody to let me know what needs to be done.
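An added illustration, not part of the thread and not F5 code, of the mismatch the ldapsearch output above makes visible: in Active Directory a group's member attribute holds user DNs, so a login name of the form Xnnnnnnnnn can never appear in it. A group lookup that starts from the login name has to resolve it to a DN first (for example via sAMAccountName) and then match that DN against the group's members, or search for groups with (member=<that DN>). The Python below, standard library only, runs that two-step check against the F5Admins entry pasted above and a constructed login-name-to-DN table (the X... account names and the "Jill" entry are made up for the example). Because the CNs here contain parentheses, it also shows the RFC 4515 escaping a DN needs before it is placed in a search filter; without it the filter is malformed, or worse, a crafted display name can alter it. Whether this is exactly where the BIG-IQ lookup differs from the BIG-IP one is not something the post establishes.

```python
import re

# Constructed sample: the sanitised group entry from the post, as ldapsearch LDIF.
GROUP_LDIF = """\
dn: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk
objectClass: top
objectClass: group
cn: F5Admins
member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jack),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
"""

# Constructed stand-in for the user-side lookup (sAMAccountName -> DN) that a real
# client would do with a search like (sAMAccountName=X000000001). The account names
# and the non-member "Jill" are invented for this example.
USER_DIRECTORY = {
    "X000000001": "CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk",
    "X000000002": "CN=Doe J (Jill),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Attribute types are case-insensitive in LDAP, so they are lower-cased here.
    Only the simple "attr: value" form is handled; that is all the post's output uses.
    """
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Canonical form for DN comparison.

    AD compares DNs case-insensitively and ignores whitespace around the commas,
    so "cn=doe j (jane), ou=..." must equal "CN=Doe J (Jane),OU=...".
    Splits only on commas that are not backslash-escaped.
    """
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    out = []
    for part in parts:
        attr, _, value = part.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def is_member(group_entry, user_dn):
    """True if user_dn appears among the group's member DNs (after normalization)."""
    members = {normalize_dn(m) for m in group_entry.get("member", [])}
    return normalize_dn(user_dn) in members


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    Parentheses, asterisk, backslash and NUL would otherwise change the filter's
    meaning; the CNs in this directory contain parentheses, so this is not optional.
    """
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def group_filter_for_user(user_dn):
    """The group-side filter to use once the DN is known: groups listing this DN as a member."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def resolve_role(login_name, group_ldif=GROUP_LDIF, directory=USER_DIRECTORY):
    """Two-step check: login name -> DN, then DN -> membership of the group entry.

    naive_match records what a direct comparison of the login name against the
    member values gives; it is always False here because member values are DNs.
    """
    group = parse_ldif(group_ldif)
    naive = login_name in group.get("member", [])
    user_dn = directory.get(login_name)
    if user_dn is None:
        return {"naive_match": naive, "dn": None, "member": False}
    return {"naive_match": naive, "dn": user_dn, "member": is_member(group, user_dn)}


if __name__ == "__main__":
    for name in ("X000000001", "X000000002", "X999999999"):
        print(name, resolve_role(name))
    print(group_filter_for_user(USER_DIRECTORY["X000000001"]))
```

Running it shows the pattern from the post: comparing the typed login name against the member values never matches, while the DN resolved for that login name does; the printed filter is what the group search would have to send for a member whose CN contains parentheses.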