/build/static/layout/Breadcrumb_cap_w.png

LDAP Auth on K2000

Is anyone successfully using group membership (memberof) in their search filters on the 2000? I've been banging my head against the wall. I know I have the right syntax because the filter I want works on the 1000.

Finally got this to work on the 2000:

 

(&(samaccountname=KBOX_USER)(|(cn=admin1)(cn= admin2)(cn= admin3)(cn= admin4)))

Accomplishes the same thing, but the group membership would be cleaner.

 

Asked 11 years ago 6885 views
1 Comment   [ + ] Show comment
  • All,

    Did anyone find anything on this? I have the same problem with my K2000. It will no longer import users using ldap. It tests successfully but pulls zero users even though there are users in that OU. Any help would be appreciated.

    Service account has access to the OUs



    OK: LDAP Search successful with 0 entries found.
    OK: Secondary bind using [] successful
    OK: LDAP Test Successful. Closing connection. - agahlbeck 7 years ago
    • I just had this same issue. I got it to work by what Corey said below. Do this:

      (&(MemberOf=CN=groupname,OU=ouname,OU=ouname,DC=domainname,DC=com)(samaccountname=KBOX_USER)

      samaccountname is on top on the K1000. It needs to be on the bottom on the K2000. Doing this fixed my issue. - wimberlye 6 years ago

Answers (7)

Posted by: dugullett 11 years ago
Red Belt
2

Are you trying to import them as users or admin users? 

Posted by: cserrins 11 years ago
Red Belt
2

Try this:

(&(MemberOf=CN=groupname,OU=ouname,OU=ouname,DC=domainname,DC=com)(samaccountname=KBOX_USER)

 

Corey
Lead L3 Enterprise Solutions Engineer, K2000
If my response was helpful, please rate it!

Posted by: philologist 11 years ago
Red Belt
2

Hi TPR,

  I do have this specific thing working, though my syntax is slightly different.  It shouldn't make a difference, but may be worth a try:

(&(samaccountname=KBOX_USER)(memberof=CN=Group,OU=Organizational Unit,OU=OU2,DC=FDQNP1,DC=fdqnp2,DC=fdqnp3))

  My OUs and FDQN pieces are all capitalized exactly as they are in AD, and I have the samaccountname search first.  My memberof is all lower case.  Should it matter?  Probably not.

  For my LDAP Login, I specifically call out the full path to a privileged account using

CN=username,CN=Container1,DC=FDQNP1,DC=fdqnp2,DC=fdqnp3

  Again, I also duplicate the case.  Should it matter?  The only thing I can say is that the KACE OS is a *nix variant, so perhaps the LDAP implementation cares, even if Windows AD does not.

  Finally, again watching case, I have the Search Base DSN narrow things down to the main OU rather than the KACE default Base DN.

OU=OU2,DC=FDQNP1,DC=fdqnp2,DC=fdqnp3

  I also use an IP for the Servername rather than a Hostname.

  Past that, is it possible you might have special characters in an OU or group name?  I know I have gotten away with %, but you may or may not get away with some others like &, which I have definitely seen people use for things like OU=Users & Computers or CN=Sales & Marketing.

Comments:
  • Thanks, phil. I have used the FQDN for testing, but no luck. I thought I had a breakthrough when I used the softerra ldap browser and discovered that the memberof attribute was not being read by my ldap user, but I fixed that and still no luck.

    Maybe the group name is a problem because it has a dash, but since I have it working with a filter that uses the samaccount and any of 4 specified CNs (like in my OP), I'll probably just live with it that way. - tpr 11 years ago
  • create a group with a simple name nest the group with the dash in it, ldap query the simple group name, AD should pass the members (users) of the top most group not the nested group name - SMal.tmcc 11 years ago
Posted by: tpr 11 years ago
2nd Degree Black Belt
1

Thanks for the responses. Sorry, I wasn't clear in my original post. I've already tried the (&(MemberOf=CN=groupname,OU=ouname,OU=ouname,DC=domainname,DC=com)(samaccountname=KBOX_USER)) syntax in my search filter. When I run the test in the ldap config page, I get "successful" messages, but 0 results returned, and I can't actually log in. When I set the filter like in my OP, or drop the memberof requirement altogether, I can log in with the admin account. That's why I was asking specifically if anyone is using memberof in their filter. It sort of looks to me as if ldap is working on my kbox, but memberof is not recognized as a legit parameter. Seems farfetched, but no more so than a few other things I've seen.

Posted by: SMal.tmcc 11 years ago
Red Belt
1

If could also be the account you ldap attach to the domain with may not have the proper rights to the group attribute.  Try testing with a superuser that has all rights in the domain.   This will help you know if the kbox end or the domain end is the problem.

Posted by: jagadeish 11 years ago
Red Belt
-2

I hope the below link should help you..

http://download.kace.com/support/kb/pdf.php?cat=55&id=738

Comments:
  • Thanks, but that link opens up a pdf that says:
    LDAP Integration:
    Author:
    Last update: Dec 31 1969, 4:00 pm - tpr 11 years ago
  • I think something went wrong...

    Here it is..

    http://www.ujgq.kbox.com/support/kb/index.php?action=artikel&cat=55&id=738&artlang=en - jagadeish 11 years ago
  • Goes to the same link posted above: http://www.kace.com/support/resources/kb/article/How-to-setup-LDAP-Authentication-Integration#Step_Three_KBOX_Server_setup - SMal.tmcc 11 years ago

Posted by:

tpr 2nd Degree Black Belt
Ninja since: 12 years ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

KACE Product Support Questions
question

Related Questions

Link

Related Links

Post

Related Posts

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ