An Active Directory (AD) group defines access permissions for the LDAP server, similar to Extreme roles. You can map an Active Directory group to an Extreme role with the ldap-server maprole command. The command confers all access privileges defined by the Active Directory group to the Extreme role to which it is mapped.
A user on an AD server must be assigned a nonprimary group, and that group name must be either matched or mapped to one of the existing roles on the device.
After successful authentication, the user is assigned a role from a nonprimary group (defined on the AD server) based on the matched or mapped device role.
When the device is configured to use LDAP, a user who logs in with a valid LDAP user name and password but is not assigned a role from any nonprimary group is assigned LDAP user privileges.
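The following is an added example, not vendor code: a small offline audit model of the role resolution described above, useful for reviewing which AD users end up with which device role before relying on a mapping. All group names, role names and the mapping table are constructed sample data. Exact, case-sensitive name comparison is an assumption, and because the text above does not say which role wins when several groups qualify, that case is flagged rather than resolved.

```python
# Added example: models "matched or mapped" role resolution for audit purposes.
# Every name below is constructed sample data, not taken from a real device.

DEVICE_ROLES = {"admin", "user", "netops"}       # roles that exist on the device
MAPROLE = {                                      # AD group -> device role mappings
    "Network-Admins": "admin",
    "Helpdesk": "support",                       # target role is absent from the device
}
FALLBACK = "LDAP user privileges"                # outcome when no group yields a role

def candidate_roles(nonprimary_groups):
    """Return the device roles reachable from a user's nonprimary AD groups."""
    roles = set()
    for group in nonprimary_groups:
        if group in DEVICE_ROLES:                # matched: group name equals a role name
            roles.add(group)
        mapped = MAPROLE.get(group)
        if mapped in DEVICE_ROLES:               # mapped: counts only if the role exists
            roles.add(mapped)
    return sorted(roles)

def stale_mappings():
    """Mappings whose target role does not exist on the device."""
    return {g: r for g, r in MAPROLE.items() if r not in DEVICE_ROLES}

def audit(users):
    """Classify each user as ok, ambiguous (several roles) or fallback (none)."""
    findings = {}
    for name, groups in users.items():
        roles = candidate_roles(groups)
        if not roles:
            findings[name] = ("fallback", [FALLBACK])
        elif len(roles) > 1:
            findings[name] = ("ambiguous", roles)
        else:
            findings[name] = ("ok", roles)
    return findings

SAMPLE_USERS = {                                 # nonprimary groups only (constructed)
    "alice": ["Network-Admins"],
    "bob": ["netops", "Network-Admins"],
    "carol": [],                                 # member of a primary group only
    "dave": ["Helpdesk"],
}

if __name__ == "__main__":
    for user, (status, roles) in audit(SAMPLE_USERS).items():
        print(f"{user:6} {status:10} {', '.join(roles)}")
    print("stale mappings:", stale_mappings())
```

Users reported as fallback still authenticate successfully, so review them along with the ambiguous ones when checking for unintended access.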