Ok I am having an issue setting up K1000 for LDAP Authentication. I add the external server. Give it the host name for my Domain Controller and the proper port. My AD tree is "ICT.ad.somename.com". All my users are in one OU so my search base DN looks like this:

OU=employees,DC=ICT,DC=ad,DC=somename,DC=com

I set up a basic user in my domain "KACE". When I put in a search filter like this "(&(ObjectClass=person)(!(ObjectClass=Computer))" and enter the LDAP Login Field "ICT\Kace" then test the settings it gives me the right number of entries found.

However when I go to "apply" the settings it says: "KBOX_USER need to be part of Search Filter" so I change the Search Filter to "(&(samaccountname=KBOX_USER)(ObjectClass=user)(!(ObjectClass=Computer)))" and the test completes but comes up with 0 entries found.

I change the search field to "(&(samaccountname=*)(ObjectClass=person)(!(ObjectClass=Computer)))" and it is successful in finding all the users but still won't apply stating "KBOX_USER need to be part of Search Filter". 

I don't know how to get around this.  Anyone help?

Comments

  • The way the KBOX_USER works is as a filter. The KBOX_USER will be replaced with the samaccountname of whoever is logging in. This is used to make sure that the user who is logging in is authenticated or not. The KBOX_USER is needed in the ldap filter.

    I'm going to link an ldap filter article also.

    Link: https://support.software.dell.com/k1000-systems-management-appliance/kb/112277

    Hopefully that helps you understand. If not
    • TY. I had already run through that and it makes sense; it's just not working like it should.
  • Can you successfully test and login if you create a filter that applies to only one account, e.g. "(&(samaccountname=KBOX_USER)(samaccountname=jsmith))" ?
    • Tried that and it worked. Went back in and put the group in using (&(memberOf=CN=ITADMIN,OU=Employees,DC=ICT,DC=ad,DC=somename,DC=com)(samaccountname=KBOX_USER)) and tests fine but no user log in is allowed.

Answer Chosen by the Author

2
We're putting the users in different groups with different roles. In AD we have a group called GROUP_KACE_ADMIN (e.g., see the distinguished name in code section) and put all admins in this group and another group for default users.

(&(memberOf=CN=GROUP_KACE_ADMIN,OU=SVC_KACE,OU=Services,DC=contoso,DC=com)(samaccountname=KBOX_USER))
Answered 04/26/2016 by: aragorn.2003

  • TY. I tried using the ITADMIN group using that format and it worked. Now on to the hard stuff, MSI building.
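
The KBOX_USER substitution described in the comments above, sketched as an added example that is not part of the original thread and is not KACE's own code. It checks a search filter template for the placeholder and for balanced parentheses, then substitutes a login name with RFC 4515 escaping so the name can only match as a literal value. The function names and the escaping step are assumptions made for illustration; the filters are the ones quoted in this thread and the login names are constructed.

```python
PLACEHOLDER = "KBOX_USER"  # token the appliance requires in the search filter

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it can only ever be a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template):
    """Return a list of problems found in a search filter template."""
    problems = []
    if PLACEHOLDER not in template:
        problems.append("KBOX_USER missing")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def build_login_filter(template, login):
    """Substitute one login name into a checked template (assumed behaviour)."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace(PLACEHOLDER, escape_filter_value(login))


# Filters quoted in the thread above.
FIRST_TRY = "(&(ObjectClass=person)(!(ObjectClass=Computer))"
WILDCARD = "(&(samaccountname=*)(ObjectClass=person)(!(ObjectClass=Computer)))"
GROUP = ("(&(memberOf=CN=ITADMIN,OU=Employees,DC=ICT,DC=ad,DC=somename,DC=com)"
         "(samaccountname=KBOX_USER))")

if __name__ == "__main__":
    for name, tpl in (("first try", FIRST_TRY), ("wildcard", WILDCARD), ("group", GROUP)):
        print(name, "->", check_template(tpl) or "ok")
    print(build_login_filter(GROUP, "jsmith"))      # constructed login name
    print(build_login_filter(GROUP, "j(smith)*"))   # constructed, needs escaping
```

A wildcard filter such as the `samaccountname=*` one finds every user in a test but contains no per-login term, which is why a template without the placeholder is rejected here.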