KACE Product Support

Followup  to dead thread https://www.itninja.com/question/ldap-based-labels-for-kace-1k

I hope I don't make anyone's head spin here.

I have a new active directory user that I'm trying to make a Kbox read only admin. This account is in a ServiceAccounts OU. I have existing kbox admins in an OU_Admins OU. I have a group named Kbox_Admins that has the new and old admins as members.That group is in the ServiceAccounts OU.

I have an ldap authentication configuration that is querying the Kbox_Admins group, but it only recognizes the old members. The new member does not show up. If I move the new user into OU_Admins, kbox ldap can find it. When I move it back to ServiceAccounts, ldap can't find it.

There is clearly a setting that is restricting the ldap search to user accounts in OU_Admins, even though my admin ldap config is set to search the group membership. I could move the new account into OU_Admins, but I'd like to keep separated if possible. If been looking through the Kace ldap documention, but haven't found anything yet. I have LDAP labels that I created years ago, but they aren't enabled.

One other related tidbit - if I edit the existing admin ldap auth and then go into the ldap browser, the base DN auto populates with a few choices. If I choose the root of our tree, I can browse the whole tree. I created a new ldap auth using the same ldap server, ldap read account, etc. When I go into the ldap browser from there, the base dn does not auto populate. If I choose custom and type in the same root, it is not browsable.

FWIW I am running 10.1.99, but I've been upgrading since the 5.x days (when I had a physical appliance). I don't know if some settings have become hidden at some point.

HELP ME, OBI-WAN!