/build/static/layout/Breadcrumb_cap_w.png

K1000 LDAP - Importing Multiple Security Groups

Hi all, not sure if I'm barking up the wrong tree or approaching this the wrong way with my kbox, but here's what I'm looking to do

We have around 1200 AD users and probably around 100 Security Groups actively used. We take advantage of these for server folder security mostly. An average AD user can be a member of anywhere between 2-20 security groups, depending on their role.

I'm looking to import all of these security groups as individual LDAP labels in my kbox, so that I can use the User Console to publish software that I only want available to certain users in certain roles. For example, I only want MS Project available to users who are a member of a "Project MGMT" security group. We have 10-12 "Project MGMT" security groups for each agency in my network. 

I'm looking for a way of capturing all of the security groups as individual labels during the User Import, otherwise it will take me forever and a day to create all the labels myself and do many many smaller imports with narrower searches. Currently, if I import my entire "User Groups" OU, and I have a user that is a member of, say, 4 different groups, the label is getting imported like this:

"ldap_Domain Users, Domain Admins, Desktop Lite, Local Admins"

rather than this

"ldap_Domain Users"
"ldap_Domain Admins"
"ldap_Desktop Lite"
"ldap_Local Admins"

Does anyone have experience with something like this? I'm wondering if there is a better way to approach this, or maybe some more intelligent logic I can build into my query.

Thanks!
Asked 10 years ago 3767 views
5 Comments   [ + ] Show comments
  • I really need to get the exact same thing working. I was looking at the LDAP labels and saw a bug / workaround to do some imports, but it's much more of a hack than a good solution. - ddevore 10 years ago
  • First question is, what version of the K1000 are you using? User LDAP labels don't work in 6.0 currently (which I REALLY wish I would have known before upgrading). - Chris.Burgess 10 years ago
    • I'm on 6.0, so I 'spose this is consistent with your findings =\ - dgretch 10 years ago
      • Same here. It's been over 3 months with no patch. I called support and they said it's with engineering... - ddevore 10 years ago
  • Here is the list of major issues with 6.0
    http://www.kace.com/support/resources/kb/solutiondetail?sol=125815 - Chris.Burgess 10 years ago
  • Hotfix was issued which is supposed to resolve this. I am recreating my LDAP labels now to see if I can get it to work or not. - Chris.Burgess 10 years ago
    • Awesome! Can you let us know the hotfix # if it's working so we can request it from support please? - ddevore 10 years ago
  • Unfortunately not... LOL Still getting all users added to all LDAP labels when using the standard method, and also when using the "work around" that is supposed to assign users to manual labels. I have communicated with Kace Support and they were going to escalate my issue to Tier 2 support. Not sure why the hotfix says it addresses this issue when it doesn't..... :-( - Chris.Burgess 10 years ago

Answers (1)

Posted by: Chris.Burgess 10 years ago
Orange Belt
2
So it turns out the instructions were slightly... wrong.  But only SLIGHTLY!  There is a variable in the query which is wrong, and once changed it works fine.  Here is my LDAP label for the "Work around" method.  Note I've blanked out my server address and stuff.


I set my search DN to the base level of my domain because I have many, many levels and I need it to search all of them.  Then I set the filter as shown.  The part that was wrong is this first variable.  It HAS to say KBOX_USER_NAME  If you hit the TEST button, it comes back with 0, but it actually works!!  Just incase you are curious, the UserAccountControl part says to ignore any disabled accounts (we don't delete users, just disable and move them).

Also note, that the KB article says to put something like "LDAP_" as your label prefix.  Well we had already imported our labels and used the prefix "user_" so that is why mine is set that way.

I hope this helps!!
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ