The problem was the following. Their LDAP is really **bleep**ed! For some users we must do a samAccountname and for the others memberOf.
What I did, with Juniper Support, was to make user attributes.
The problem with this was that I didn't have a user attribute MemberOf.
We made the user attribute and configured custom expressions.
We tested with a lot of users and everything works fine.
Hey Marcel - thanks for the update. Screwy setup! If you get a minute, why don't you flag your post as the "solution" so people who see it can jump to what you wrote and learn from it.
If you are having problems and cannot get the Group Search to show you any groups, sniff the traffic between your SA and your LDAP server. If you clear the Member Attribute field, the reply packets that you receive from the LDAP server will contain a list of the available attributes listed under LDAP->LDAP Message Search->ProtocolOp->searchResEntry->attributes->PartialAttributeList.
In my case there were three returned: objectClass, cn, uniqueMember. I then set the Member Attribute field to 'cn' and now my groups show up in the Group Search window and I can add them.
My other problem is that I don't do this often enough to remember exactly what to do for each different type of LDAP server (the one I'm working with now is CentOS Directory Server).
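The PartialAttributeList lookup described above can also be done offline on the captured bytes. This is an added example, not part of the original posts: it assumes you have the bytes of one complete, unencrypted LDAPMessage, and the function names and the sample entry are constructed for illustration.

```python
SEQUENCE, SET, INTEGER, OCTET_STRING = 0x30, 0x31, 0x02, 0x04
SEARCH_RES_ENTRY = 0x64  # [APPLICATION 4] constructed, RFC 4511

def tlv(tag, body):  # encode one BER element with a definite length
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):  # decode the element at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
        raise ValueError("truncated header or indefinite length")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # (tag, value) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def entry_attributes(message):  # -> (dn, {attribute type: [values]})
    tag, body, _ = read_tlv(message, 0)
    parts = children(body) if tag == SEQUENCE else []
    if len(parts) < 2 or parts[1][0] != SEARCH_RES_ENTRY:
        raise ValueError("not a searchResEntry LDAPMessage")
    (_, dn), (_, attr_list) = children(parts[1][1])[:2]
    attrs = {}
    for _, attr in children(attr_list):  # each item: type + SET OF values
        (_, name), (_, vals) = children(attr)[:2]
        attrs[name.decode()] = [v.decode("utf-8", "replace") for _, v in children(vals)]
    return dn.decode(), attrs

def build_entry(dn, attrs):  # constructed sample message, not a real capture
    octs = lambda s: tlv(OCTET_STRING, s.encode())
    items = b"".join(tlv(SEQUENCE, octs(k) + tlv(SET, b"".join(map(octs, vs))))
                     for k, vs in attrs.items())
    entry = tlv(SEARCH_RES_ENTRY, octs(dn) + tlv(SEQUENCE, items))
    return tlv(SEQUENCE, tlv(INTEGER, b"\x02") + entry)

SAMPLE = build_entry("cn=vpn-users,ou=Groups,dc=example,dc=com", {
    "objectClass": ["top", "groupOfUniqueNames"], "cn": ["vpn-users"],
    "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com",
                     "uid=bob,ou=People,dc=example,dc=com"]})
```

Calling `entry_attributes(SAMPLE)` returns the entry's DN and a dictionary keyed by the attribute names, in the order the server sent them.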