Hi Guys,

I'm trying to make an LDAP label. When I enter the below query and test it, I get the correct number of members in the distribution list, but when I enable it every computer gets labeled with it. I want everyone in the "company-remote" distribution list to be labeled as remote.

My search base DN:

DC=us,DC=company,DC=com

My search filter:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com))

Edit: Or if I can get everyone in a certain OU with a remote label that would work as well, as everyone in the company-remote DL is also in a remote OU.

Any help would be greatly appreciated, as I have been trying to get this to work for weeks!

Answers

0
The goal with the filter in practice is to get it to return one result. To do this you will need to use one of the KBOX variables in your filter, like name=KBOX_COMPUTER_NAME.

Then the filter will not always be true because it will add the current machine as part of the criteria.
Answered 12/16/2010 by: GillySpy
Seventh Degree Black Belt

0
ORIGINAL: GillySpy

The goal with the filter in practice is to get it to return one result. To do this you will need to use one of the KBOX variables in your filter, like name=KBOX_COMPUTER_NAME.

Then the filter will not always be true because it will add the current machine as part of the criteria.


Thanks for the reply GillySpy, I'm a little confused by the KBOX variables. Since I want multiple computers to be labeled with a single label, wouldn't using name=KBOX_COMPUTER_NAME only find one computer?

Also I'm assuming that we are replacing that with the actual name of the computer :) so in turn it would find the user in our Active Directory then match the computer with the user?
Answered 12/16/2010 by: CrashnBrn
Senior Yellow Belt

0
CrashnBrn,

Are you trying to make a machine label or user label?

If everyone is in the same OU this is simple.

Just make the OU part of your search base DN.
OU=REMOTE_OU,DC=us,DC=company,DC=com

For machines the search filter is
(name=KBOX_COMPUTER_NAME)

For users the search filter is
(samaccountname=KBOX_USER_NAME)
Answered 12/17/2010 by: dchristian
Red Belt

0
Since you want the machine to be labelled based on the user, you want to use KBOX_USERNAME, but the filter will be of type "machine".

Something like:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(samaccountname=KBOX_USERNAME))
Answered 12/17/2010 by: GillySpy
Seventh Degree Black Belt

0
ORIGINAL: GillySpy

Since you want the machine to be labelled based on the user, you want to use KBOX_USERNAME, but the filter will be of type "machine".

Something like:
(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(samaccountname=KBOX_USERNAME))


I am trying to make a label using the names in a distribution group, but for computers. I'm still a little confused about how this works; the above does not return any results. I get "Error,No Entries Found: Errno-7 Bad search filter"

Is LDAP only supposed to return a single result? Is it possible to include every user from a distribution group into a single label?

Currently when I use the query I posted in the first post this is what I see:



Again, I would like all 43 people's machines to be labeled as remote when they connect to kbox.

Sorry if I'm not directly answering specific questions, and thanks for all the help thus far :)
Answered 12/17/2010 by: CrashnBrn
Senior Yellow Belt

0
KBOX_USERNAME is a variable that is replaced with the username of the user logged into the machine. To test it you need to substitute in KBOX_USERNAME with a specific value or with * (wildcard).
Answered 12/17/2010 by: GillySpy
Seventh Degree Black Belt

0
ORIGINAL: GillySpy

KBOX_USERNAME is a variable that is replaced with the username of the user logged into the machine. To test it you need to substitute in KBOX_USERNAME with a specific value or with * (wildcard).


If I add sameaccountname=* at the end of my query or even name=* or a user's name, I get "Error,No Entries Found: Errno-7 Bad search filter"
Answered 12/17/2010 by: CrashnBrn
Senior Yellow Belt

0
I was making an assumption that samaccountname was an attribute in your system. What is the attribute for username?

After adjusting for the correct attribute name if you are still having an issue with your search filter could you paste it here?
Answered 12/17/2010 by: GillySpy
Seventh Degree Black Belt

0
ORIGINAL: GillySpy

I was making an assumption that samaccountname was an attribute in your system. What is the attribute for username?

After adjusting for the correct attribute name if you are still having an issue with your search filter could you paste it here?



The attribute for account name is: sAMAccountName

So I tried this query:

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=*))

Except it labels every machine that connects as remote instead of just the users in the company-remote distribution list. I don't get what I'm missing. The computers are named differently, but the users who log in match up with the account name for the users in the distribution list.

Thanks.

Edit: This shortened code produces the same results above but still does not work. (labels every machine remote)

(&(sAMAccountName=*)(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com))


I'm totally stumped. The users that are getting labeled remote do not show up if I replace their usernames in the ldap browser when setting up the filter, meaning they should not get labeled. At this point the query looks almost the same as the example one that came on the kbox appliance.
Answered 12/17/2010 by: CrashnBrn
Senior Yellow Belt

0
Correct, you need to use the following in the production filter because the variable replacement only happens on a production filter not in test.

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=KBOX_USERNAME))
Answered 12/19/2010 by: GillySpy
Seventh Degree Black Belt
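
The behaviour described in the answer above, as an added example that is not part of the original thread or the appliance's own code: a small Python model showing why the wildcard filter labels every machine while the KBOX_USERNAME filter labels only machines whose logged-in user is in the distribution list. The directory entries, the `label_applies` helper and the rule "label the machine when the search returns at least one entry" are assumptions drawn from the answers in this thread.

```python
# Constructed sample directory (not from the thread): alice is in the DL, bob is not.
GROUP = "CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com"
PERSON = {"objectcategory": "person", "objectclass": ["top", "person", "user"]}
DIRECTORY = [
    dict(PERSON, samaccountname="alice", memberof=[GROUP]),
    dict(PERSON, samaccountname="bob", memberof=[]),
]

def parse(f, i=0):
    """Parse the filter subset used in the thread: (&...), (|...), (attr=value)."""
    assert f[i] == "(", "filter component must start with '('"
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    have = entry.get(attr, [])
    have = have if isinstance(have, list) else [have]
    if value == "*":                      # presence test: true for any entry with the attribute
        return bool(have)
    return any(v.lower() == value.lower() for v in have)

def label_applies(filter_template, logged_in_user):
    """Assumed appliance behaviour: substitute the variable for this machine's
    logged-in user, run the search, label the machine if any entry comes back."""
    tree, _ = parse(filter_template.replace("KBOX_USERNAME", logged_in_user))
    return any(matches(tree, e) for e in DIRECTORY)

# The two filters from the thread: wildcard (test-only) vs. production variable.
BASE = ("(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))"
        "(memberOf=" + GROUP + ")(sAMAccountName=%s))")
WILDCARD = BASE % "*"
PRODUCTION = BASE % "KBOX_USERNAME"

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, label_applies(WILDCARD, user), label_applies(PRODUCTION, user))
```

With the wildcard filter the search result never depends on the machine, so bob's machine is labeled because alice's entry is returned; with the variable, the search for bob's machine returns nothing.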

0
KBOX_USERNAME ORIGINAL: GillySpy

Correct, you need to use the following in the production filter because the variable replacement only happens on a production filter not in test.

(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=CN=company-remote,OU=Not categorized,DC=us,DC=company,DC=com)(sAMAccountName=KBOX_USERNAME))






GillySpy you are a lifesaver! I completely misunderstood that the KBOX_USERNAME was a variable that kbox uses (I don't know how I missed that). Thanks so much! Everything works now.

--Jason
Answered 12/19/2010 by: CrashnBrn
Senior Yellow Belt
