What I'm going to describe could possibly be very detailed and may require some specific examples. If that is the case then I would be happy to provide what is necessary. What I'm hoping for though is that it is something common and maybe I just missed a checkbox or something like that (fingers crossed).

I've got the AD set up and I have a couple of different OUs defined. I go to create a LDAP machine label to organize these so I can do reports and patching and the such using a label. I have one OU for the test servers. It has two items in it. I create the LDAP label and give it the path in the Search Base DN. When I click Test LDAP Label, it returns two items. Perfect. Then when I list all my labels my LDAP label shows 27 machines. I created another label for the test workstations. It has 18 machines. I gave the path and ran the test and it returns 18 machines. Then I go to Label Management and my test workstations LDAP label shows 27 machines. The same 27 as the first one I created. Another admin created a LDAP for the production servers. He has five in there. We go back to Label Management, 27 machines.

This list of 27 is a mix of our inventory. Some workstations, some servers, some VMs. Some are from the OU definitions, most are not. And now I just discovered something. I have 45 machines in the Inventory with the Agent installed. 27 are connected and 18 are not. So when I create a LDAP label it is returning all the machines that have the Agent installed. I must be missing another filter criteria. Has anyone else come across this in their setup? Thanks for the help!

0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Community Chosen Answer

2

P.S. It would be really helpful if you provided the LDAP label details.  

A machine ldap label is evaluated at inventory time. My guess is that your filter does not contain a KBOX_ variable.  For example:

(&(name=KBOX_COMPUTER_NAME)(memberOf=CN=BuildingA,DC=kace,DC=com))

All LDAP machine labels require at least one KBOX_ variable to be meaningful.  A variable allows it to be true or false depending upon a value that is given at inventory. If you do not use a variable then your LDAP label will either always be true or false.  This is because there is nothing dynamic provided to change the filter's evaluation at run time (inventory time). 

Consider a filter that looks like this:

 

(&(name=*)(memberOf=CN=BuildingA,DC=kace,DC=com))

 

This is likely always true because if you ran this query you'd get at least one result.  Also no matter what machine checks in you're always asking the same question.  This is fine for a test of your filter (e.g. in the LDAP browser) to see what is returned but not suitable for the LDAP label definition.

Now consider this:

 

(&(name=BILLPC-WN7)(memberOf=CN=BuildingA,DC=kace,DC=com))

 

Even this will always be true or false at check-in time. This is a great test to see if BILLPC-WN7 will return but if used as the label definition you will have a problem. Even if MaryPC-WN7 is checking in there is nothing to evluate this in the context of MaryPC-WN7 -- BILLPC-WN7 has been hard-coded.

So make sure that when you save your LDAP label for production that you are using at least one KBOX_ variable

Answered 12/20/2012 by: GillySpy
Seventh Degree Black Belt

  • It sounds like you don't have it also filtering by computer name. You can't simply have a search of the OU. See GillySpy's answer. This exact thing happened to me and it was because I left off the bit name=kbox_computer_name
  • Nice. I feel like I'm close. What I had in there was
    (objectClass=computer)
    so I took that out and used
    (&(name=KBOX_COMPUTER_NAME)(memberOf=OU=Test,OU=Servers,OU=SEARDE,DC=host,DC=hpc,DC=mil))
    When I do the LDAP test now it returns 0 entries.
Please log in to comment

Answers

0

You have to wait for the machine to check in before the label gets applied

Answered 12/19/2012 by: jdornan
Red Belt

  • The label is getting applied. The problem is that it is getting applied to too many machines. In this case, ALL machines that have done an inventory since the label was created :(
  • I misread that G. No more itninja after midnight :)
  • You can do ITNinja after midnight? Oh wow, that it is going to change things. :)
Please log in to comment
Answer this question or Comment on this question for clarity