BIG-IQ not mapping AD groups to User Groups
I'm currently trying to get a BIG-IQ instance working correctly with a customer's AD service. This service already works 100% fine with the existing BIG-IP devices, confirming that the AD setup is ok. I've no doubt this is a PICNIC error on my part but I'm not an LDAP/AD person by trade.
We have managed to get the BIG-IQ to authenticate users so we know we have connectivity to the AD side of things.
I've created a user group to map people who are in the F5Admins group so that they should automatically be given the role of Administrator.
What I've found out from performing an ldapsearch is that the username they type in (format Xnnnnnnnnn) doesn't appear in the search for the F5Admins group members, and for some reason the BIG-IPs can handle this but the BIG-IQ cannot.
Below is the output from the ldapsearch:- (sanitised output)
ldapsearch -x -h 1.2.3.4 -b "ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk" -s sub "(cn="F5Admins")" -v -D "cn=XXXX,ou=XXXXX Accounts,dc=xxxxx,dc=xxx,dc=uk" -W
ldap_initialize( ldap://1.2.3.4 )
Enter LDAP Password:
filter: (cn=F5Admins)
requesting: All userApplication attributes
extended LDIF
LDAPv3
base with scope subtree
filter: (cn=F5Admins)
requesting: ALL
F5Admins, (output snipped)
dn: CN=F5Admins,OU=XXXX,ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk
objectClass: top
objectClass: group
cn: F5Admins
member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jack),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
(output snipped but contains similar user information)
distinguishedName: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk
I am unable to provide screenshots of the other parts of the config as it contains information that the customer doesn't want to be made public.
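Added example, not part of the original post and not F5's code: the member values in the output above are full DNs, so a login name of the form Xnnnnnnnnn never appears in them, and a client has to resolve the login to the user's DN before comparing. The sketch below runs that two-step check over a constructed copy of the sanitised group entry; the user table, login values, helper names and the use of sAMAccountName as the login attribute are assumptions, and the parentheses in CNs such as Doe J (John) are escaped per RFC 4515 when the DN goes into a search filter.

```python
import re

# Constructed sample: a shortened copy of the sanitised group entry, as plain LDIF.
GROUP_LDIF = """\
dn: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk
objectClass: group
cn: F5Admins
member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
"""

# Constructed login -> user DN table (assumption: logins live in sAMAccountName).
USERS = {
    "X000000001": "cn=Doe J (John),ou=xxxxx Admins,dc=xland,dc=xxx,dc=uk",
    "X000000009": "CN=Roe R (Richard),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk",
}

def ldif_values(ldif, attr):
    """Return all plain-text (non-base64) values of one attribute in an LDIF entry."""
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in ldif.splitlines()
            if line.lower().startswith(prefix)]

def norm_dn(dn):
    """Normalise a DN for comparison (simplified: ignores escaped commas)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def escape_filter(value):
    """Escape the RFC 4515 special characters in a search-filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def is_member(login, group_ldif, users):
    """Two-step check: login name -> user DN -> compare with the member DNs."""
    user_dn = users.get(login)
    if user_dn is None:
        return False
    members = {norm_dn(m) for m in ldif_values(group_ldif, "member")}
    return norm_dn(user_dn) in members

def membership_filter(login, users):
    """Search filter for the groups that list this user's DN in 'member'."""
    return "(&(objectClass=group)(member=%s))" % escape_filter(users[login])
```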
- Chris_FPCirrus
Hi Bill,
I didn't unfortunately. I'd love somebody to let me know what needs to be done.
- Bill_Kehn_27007Nimbostratus
Hello, just wondering if you ever were able to resolve this?
Thanks! Bill
- Chris_FPCirrus
Below is a screenshot of when I try to search when modifying the User Group - basically no matter what I type in the search filter, I always get the "No remote groups.." message. I tried adding the group DN manually but that doesn't work either.