BIG-IQ not mapping AD groups to User Groups
I'm currently trying to get a BIG-IQ instance working correctly with a customer's AD service. This service already works 100% fine with the existing BIG-IP devices, confirming that the AD setup is ok. I've no doubt this is a PICNIC error on my part but I'm not an LDAP/AD person by trade.

We have managed to get the BIG-IQ to authenticate users so we know we have connectivity to the AD side of things. I've created a user group to map people who are in the F5Admins group so that they should automatically be given the role of Administrator.

What I've found out from performing an ldapsearch is that the username they type in (format Xnnnnnnnnn) doesn't appear in the search for the F5Admins group members and for some reason the BIG-IPs can handle this but the BIG-IQ cannot.

Below is the output from the ldapsearch:- (sanitised output)

    ldapsearch -x -h 1.2.3.4 -b "ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk" -s sub "(cn="F5Admins")" -v -D "cn=XXXX,ou=XXXXX Accounts,dc=xxxxx,dc=xxx,dc=uk" -W
    ldap_initialize( ldap://1.2.3.4 )
    Enter LDAP Password:
    filter: (cn=F5Admins)
    requesting: All userApplication attributes
    extended LDIF
    LDAPv3
    base with scope subtree
    filter: (cn=F5Admins)
    requesting: ALL
    F5Admins, (output snipped)
    dn: CN=F5Admins,OU=XXXX,ou=xxxxx Global Groups,dc=xxxxx,dc=xxx,dc=uk
    objectClass: top
    objectClass: group
    cn: F5Admins
    member: CN=Doe J (John),OU=xxxxx Admins,DC=xland,DC=xxx,DC=uk
    member: CN=Doe J (Jane),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
    member: CN=Doe J (Jack),OU=xxxxx Users,DC=xland,DC=xxx,DC=uk
    (output snipped but contains similar user information)
    distinguishedName: CN=F5Admins,OU=Misc,OU=xxxxx Global Groups,DC=xland,DC=xxx,DC=uk

I am unable to provide screenshots of the other parts of the config as it contains information that the customer doesn't want to be made public.