Hi all, not sure if I'm barking up the wrong tree or approaching this the wrong way with my kbox, but here's what I'm looking to do:

We have around 1200 AD users and probably around 100 Security Groups actively used. We take advantage of these for server folder security mostly. An average AD user can be a member of anywhere between 2-20 security groups, depending on their role.

I'm looking to import all of these security groups as individual LDAP labels in my kbox, so that I can use the User Console to publish software that I only want available to certain users in certain roles. For example, I only want MS Project available to users who are a member of a "Project MGMT" security group. We have 10-12 "Project MGMT" security groups for each agency in my network. 

I'm looking for a way of capturing all of the security groups as individual labels during the User Import, otherwise it will take me forever and a day to create all the labels myself and do many many smaller imports with narrower searches. Currently, if I import my entire "User Groups" OU, and I have a user that is a member of, say, 4 different groups, the label is getting imported like this:

"ldap_Domain Users, Domain Admins, Desktop Lite, Local Admins"

rather than this

"ldap_Domain Users"
"ldap_Domain Admins"
"ldap_Desktop Lite"
"ldap_Local Admins"

Does anyone have experience with something like this? I'm wondering if there is a better way to approach this, or maybe some more intelligent logic I can build into my query.

Thanks!

Comments

  • I really need to get the exact same thing working. I was looking at the LDAP labels and saw a bug / workaround to do some imports, but it's much more of a hack than a good solution.
  • First question is, what version of the K1000 are you using? User LDAP labels don't work in 6.0 currently (which I REALLY wish I would have known before upgrading).
    • I'm on 6.0, so I 'spose this is consistent with your findings =\
      • Same here. It's been over 3 months with no patch. I called support and they said it's with engineering...
  • Here is the list of major issues with 6.0
    http://www.kace.com/support/resources/kb/solutiondetail?sol=125815
  • Hotfix was issued which is supposed to resolve this. I am recreating my LDAP labels now to see if I can get it to work or not.
    • Awesome! Can you let us know the hotfix # if it's working so we can request it from support please?
  • Unfortunately not... LOL Still getting all users added to all LDAP labels when using the standard method, and also when using the "work around" that is supposed to assign users to manual labels. I have communicated with Kace Support and they were going to escalate my issue to Tier 2 support. Not sure why the hotfix says it addresses this issue when it doesn't..... :-(

Answers

2
So it turns out the instructions were slightly... wrong.  But only SLIGHTLY!  There is a variable in the query which is wrong, and once changed it works fine.  Here is my LDAP label for the "Work around" method.  Note I've blanked out my server address and stuff.


I set my search DN to the base level of my domain because I have many, many levels and I need it to search all of them.  Then I set the filter as shown.  The part that was wrong is this first variable.  It HAS to say KBOX_USER_NAME.  If you hit the TEST button, it comes back with 0, but it actually works!!  Just in case you are curious, the UserAccountControl part says to ignore any disabled accounts (we don't delete users, just disable and move them).

Also note, that the KB article says to put something like "LDAP_" as your label prefix.  Well we had already imported our labels and used the prefix "user_" so that is why mine is set that way.

I hope this helps!!
Answered 09/10/2014 by: Chris.Burgess
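An added example (not from the original post or from KACE) that generates one label name and one LDAP filter per security group, so that each group becomes its own label and disabled accounts never match. The filter layout, the `sAMAccountName` and `memberOf` attributes, the helper names and the sample DNs are assumptions; `KBOX_USER_NAME`, the `user_` prefix and the `userAccountControl` check come from the answer above.

```python
import re

# AD bitwise-AND matching rule; bit value 2 is ACCOUNTDISABLE, so this clause
# rejects disabled accounts (the "UserAccountControl part" the answer mentions).
NOT_DISABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

# RFC 4515 escapes for characters that are special inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def group_cn(group_dn):
    """Return the unescaped CN of a group DN, honouring backslash-escaped commas."""
    first_rdn = re.split(r"(?<!\\),", group_dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN" or not value:
        raise ValueError(f"not a CN-rooted DN: {group_dn!r}")
    return re.sub(r"\\(.)", r"\1", value)

def label_definitions(group_dns, prefix="user_"):
    """Map each group DN to one label name and its LDAP filter (assumed layout)."""
    labels = {}
    for dn in group_dns:
        name = prefix + group_cn(dn)
        if name in labels:
            # Two groups with the same CN in different OUs would silently merge.
            raise ValueError(f"duplicate label name {name!r}")
        labels[name] = (
            "(&(sAMAccountName=KBOX_USER_NAME)"
            f"(memberOf={escape_filter_value(dn)})"
            f"{NOT_DISABLED})"
        )
    return labels

# Constructed sample DNs; replace with an export of your own security groups.
SAMPLE_GROUPS = [
    "CN=Desktop Lite,OU=User Groups,DC=example,DC=com",
    "CN=Project MGMT (Agency A),OU=User Groups,DC=example,DC=com",
    r"CN=Admins\, Local,OU=User Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    for name, ldap_filter in label_definitions(SAMPLE_GROUPS).items():
        print(f"{name}\n    {ldap_filter}")
```

`memberOf` lists only direct membership, so users who reach a group through a nested group will not match these filters.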