/build/static/layout/Breadcrumb_cap_w.png

LDAP Label Help

Hi Guys,

I'm trying to make a LDAP label. When I enter the below query and test it, I get the correct number of members in the distribution list, but when I enable it every computer gets labeled with it. I want everyone in the "company-remote" distribution list to be labeled as remote.

My search base DN:

DC=us,DC=company,DC=com

My search filter:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com))

Edit: Or if I can get everyone in an certain OU with a remote label that would work as well, as everyone in the compay-remote DL is also in a remote OU.

Any help would be greatly appreciated. As I have been trying to get this to work for weeks!

0 Comments   [ + ] Show comments

Answers (11)

Posted by: GillySpy 14 years ago
7th Degree Black Belt
0
The goal with the filter in practice is to get it to return one result. To do this you will need to use one of the KBOX variables in your filter. like name=KBOX_COMPUTER_NAME

Then the filter will not always be true because it will add the current machine as part of the criteria
Posted by: CrashnBrn 14 years ago
Senior Yellow Belt
0
ORIGINAL: GillySpy

The goal with the filter in practice is to get it to return one result. To do this you will need to use one of the KBOX variables in your filter. like name=KBOX_COMPUTER_NAME

Then the filter will not always be true because it will add the current machine as part of the criteria


Thanks for the reply GillySpy, I'm a little confused by the KBOX variables. Since I want multiple computers to be labeled with a single Label wouldent using name=KBOX_COMPUTER_NAME only find one computer?

Also I'm assuming that we are replacing that with the actual name of the computer :) so in turn it would find the the user in our Active Directory then match the computer with the user?
Posted by: dchristian 14 years ago
Red Belt
0
CrashnBrn,

Are you trying to make a machine label or user label?

If everyone is in the same OU this is simple.

Just make the OU part of your search base DN.
OU=REMOTE_OU,DC=us,DC=company,DC=com

For machines the search filter is
(name=KBOX_COMPUTER_NAME)

For users the search filter is
(samaccountname=KBOX_USER_NAME)
Posted by: GillySpy 14 years ago
7th Degree Black Belt
0
Since you want the machine to be labelled based on the user you want to use KBOX_USERNAME but the filter will be of type "machine"

Some thing like:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(samaccountname=KBOX_USERNAME))
Posted by: CrashnBrn 14 years ago
Senior Yellow Belt
0
ORIGINAL: GillySpy

Since you want the machine to be labelled based on the user you want to use KBOX_USERNAME but the filter will be of type "machine"

Some thing like:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(samaccountname=KBOX_USERNAME))


I am trying to make a label for using the names in a distribution group but for computers. I'm still a little confused about how this works, the above does not return any results. I get " Error,No Entries Found: Errno-7 Bad search filter"

Is LDAP is only supposed to return a single result? Is it possible to include ever user from a distribution group into a single label?

Currently when I use the query I posted in the first post this is what I see:



Again, I would like all 43 people's machines to be labeled as remote when they connect to kbox.

Sorry if I'm not directly answering specific questions, and thanks for all the help thus far :)
Posted by: GillySpy 14 years ago
7th Degree Black Belt
0
KBOX_USERNAME is a variable that is replaced with the username of the user logged into the machine. To test it you need to substitute in KBOX_USERNAME with a specific value or with * (wildcard).
Posted by: CrashnBrn 14 years ago
Senior Yellow Belt
0
ORIGINAL: GillySpy

KBOX_USERNAME is a variable that is replaced with the username of the user logged into the machine. To test it you need to substitute in KBOX_USERNAME with a specific value or with * (wildcard).


if I add sameaccountname=* at the end of my query or even name=* or a users name, I get " Error,No Entries Found: Errno-7 Bad search filter"
Posted by: GillySpy 14 years ago
7th Degree Black Belt
0
I was making an assumption that samaccountname was an attribute in your system. What is the attribute for username?

After adjusting for the correct attribute name if you are still having an issue with your search filter could you paste it here?
Posted by: CrashnBrn 14 years ago
Senior Yellow Belt
0
ORIGINAL: GillySpy

I was making an assumption that samaccountname was an attribute in your system. What is the attribute for username?

After adjusting for the correct attribute name if you are still having an issue with your search filter could you paste it here?



The attribute for account name is: sAMAccountName

So I tried this query:

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=*))

Except it labels every machines that connects are remote instead of just the users in the company-remote distribution list. I don't get what I'm missing. The computers are named differently, but the users who log in match up with the account name for the users in the distribution list.

Thanks.

Edit: This shortened code produces the same results above but still does not work. (labels every machine remote)

(&(sAMAccountName=*)(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com))


I'm totally stumped. The users that are getting labeled remote do not show up if I replace their usernames in the ldap browser when setting up the filter, meaning they should not get labeled. At this point the query looks almost the same as the example one that came on the kbox appliance.
Posted by: GillySpy 14 years ago
7th Degree Black Belt
0
Correct, you need to use the following in the production filter because the variable replacement only happens on a production filter not in test.

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=KBOX_USERNAME))
Posted by: CrashnBrn 14 years ago
Senior Yellow Belt
0
KBOX_USERNAME ORIGINAL: GillySpy

Correct, you need to use the following in the production filter because the variable replacement only happens on a production filter not in test.

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=KBOX_USERNAME))






GillySpy you are a lifesaver! I completely misunderstood that the KBOX_USERNAME was a variable that kbox uses (I don't know how I missed that). Thanks so much! Everything works now.

--Jason
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ