I wanted/needed to pull users via LDAP based on security groups. After using this Advanced Search for each LDAP security group I was able to pull the users into Kace even though running the Test option fails for some reason: (&(samaccountname=KBOX_USER)(memberOf=CN=Security Group,OU=Groups,OU=X,DC=Y,DC=Z))

Now I want to create LDAP labels for each of those groups. I figured I would be able to just copy/paste but every time I use KBOX_USER I get a flag when I go to save saying it's an invalid token with a list of valid tokens. I tried to use KBOX_USER_NAME instead like it suggests but get no results. When I do an LDAP Browse when I use KBOX_USER I see all my users in the results but when I try to use KBOX_USER_NAME like it wants I get no results.

The help documentation that pops up on the top right of the LDAP Labels shows KBOX_USERNAME as the example but that doesn't even seem to be a valid token either. I figured maybe I need to have those variables match. I went back over to Settings > Control Panel > User Authentication and tried to change to KBOX_USER_NAME but that breaks my User Auth pull. Only KBOX_USER works there.

I have no idea what I'm doing wrong. In a perfect world, I want this setup to have User Authentication run nightly, add/remove users appropriately based on if they get added/removed from security groups, have the LDAP Labels see that, and act appropriately.


-------And PS: Why is Advanced Search on the right and Base DN on the left in LDAP Labels but switched in User Authentication? That just kind of irks me to be honest.-------

Comments

  • I believe your ultimate goal here is not possible, this part:
    "I want this setup to have User Authentication run nightly, add/remove users appropriately based on if they get added/removed from security groups, have the LDAP Labels see that, and act appropriately."

    This will not happen, because LDAP labels are evaluated only when the user logs in.

    See this URL:
    https://support.quest.com/kace-systems-management-appliance/kb/131519

    You will need SQL Custom Rules to achieve that.
  • Thanks. I'll look into that.

    I did manage to get the LDAP Label to work using the LDAP Browser. For some reason KBOX_USER is the only thing that works but weirdly enough using LDAP Browser actually Saves and Enables it when you finish and go back even though you can't actually choose "Save" on the main LDAP Label Detail page due to getting:

    "The Advanced Search Field contains invalid tokens. Valid tokens are KBOX_LDAP_UID, KBOX_USER_NAME, KBOX_FULL_NAME, KBOX_EMAIL, KBOX_ADDITIONAL_EMAILS, KBOX_DOMAIN, KBOX_MANAGER_ID, KBOX_LOCATION_ID, KBOX_BUDGET_CODE, KBOX_WORK_PHONE, KBOX_HOME_PHONE, KBOX_MOBILE_PHONE, KBOX_PAGER_PHONE, KBOX_DEVICE_COUNT, KBOX_1, KBOX_2, KBOX_3, KBOX_4."

    But the Label works... I'm literally getting pieces of this working through a slew of errors.
  • I am running into the exact problem, although your workaround is not working for me. I happen to be on v7.2.101.

Answers

The filter “KBOX_USER” is not supported for LDAP labels.

Please use any of the following supported variables: https://support.quest.com/kace-systems-management-appliance/kb/112277/ldap-filters-tips-and-tricks

Once you are using any of the supported LDAP variables for LDAP labels, the Test LDAP Filter... button to review the results might not work. You want to run the Authentication LDAP user instead for those users to get applied to the LDAP label.

Answered 03/02/2018 by: grvenega
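
One way to check a label filter before saving it, as an added example that is not part of the original thread and is not KACE's own code: it flags any KBOX_ token missing from the valid-token list quoted in the error message above, then substitutes a user's value with RFC 4515 escaping. The function names, the sample user values and the login-time substitution model are assumptions.

```python
import re

# Valid LDAP Label tokens, copied from the error message quoted in the thread.
VALID_LABEL_TOKENS = set("""
KBOX_LDAP_UID KBOX_USER_NAME KBOX_FULL_NAME KBOX_EMAIL KBOX_ADDITIONAL_EMAILS
KBOX_DOMAIN KBOX_MANAGER_ID KBOX_LOCATION_ID KBOX_BUDGET_CODE KBOX_WORK_PHONE
KBOX_HOME_PHONE KBOX_MOBILE_PHONE KBOX_PAGER_PHONE KBOX_DEVICE_COUNT
KBOX_1 KBOX_2 KBOX_3 KBOX_4
""".split())

TOKEN_RE = re.compile(r"KBOX_[A-Z0-9_]+")


def invalid_tokens(ldap_filter):
    """Return the KBOX_ tokens in the filter that are not valid for LDAP Labels."""
    found = set(TOKEN_RE.findall(ldap_filter))
    return sorted(found - VALID_LABEL_TOKENS)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_label_filter(ldap_filter, user):
    """Substitute tokens with one user's values (assumed login-time behaviour)."""
    bad = invalid_tokens(ldap_filter)
    if bad:
        raise ValueError("invalid tokens: " + ", ".join(bad))

    def substitute(match):
        token = match.group(0)
        if token not in user:
            raise ValueError("no value for " + token)
        return escape_filter_value(user[token])

    return TOKEN_RE.sub(substitute, ldap_filter)


# Filter from the question, and the same filter with a supported token.
GROUP = "(memberOf=CN=Security Group,OU=Groups,OU=X,DC=Y,DC=Z)"
AUTH_FILTER = "(&(samaccountname=KBOX_USER)" + GROUP + ")"
LABEL_FILTER = "(&(samaccountname=KBOX_USER_NAME)" + GROUP + ")"

if __name__ == "__main__":
    print(invalid_tokens(AUTH_FILTER))
    # "jdoe" is a constructed sample user name.
    print(render_label_filter(LABEL_FILTER, {"KBOX_USER_NAME": "jdoe"}))
```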