
LDAP lookups

What I'm going to describe could possibly be very detailed and may require some specific examples. If that is the case then I would be happy to provide what is necessary. What I'm hoping for though is that it is something common and maybe I just missed a checkbox or something like that (fingers crossed).

I've got the AD set up and I have a couple of different OUs defined. I go to create an LDAP machine label to organize these so I can do reports and patching and such using a label. I have one OU for the test servers. It has two items in it. I create the LDAP label and give it the path in the Search Base DN. When I click Test LDAP Label, it returns two items. Perfect. Then when I list all my labels my LDAP label shows 27 machines. I created another label for the test workstations. It has 18 machines. I gave the path and ran the test and it returns 18 machines. Then I go to Label Management and my test workstations LDAP label shows 27 machines. The same 27 as the first one I created. Another admin created an LDAP label for the production servers. He has five in there. We go back to Label Management, 27 machines.

This list of 27 is a mix of our inventory. Some workstations, some servers, some VMs. Some are from the OU definitions, most are not. And now I just discovered something. I have 45 machines in the Inventory with the Agent installed. 27 are connected and 18 are not. So when I create an LDAP label it is returning all the machines that have the Agent installed. I must be missing another filter criterion. Has anyone else come across this in their setup? Thanks for the help!



Answers (2)

Posted by: GillySpy 11 years ago
7th Degree Black Belt
2

P.S. It would be really helpful if you provided the LDAP label details.  

A machine LDAP label is evaluated at inventory time. My guess is that your filter does not contain a KBOX_ variable. For example:

(&(name=KBOX_COMPUTER_NAME)(memberOf=CN=BuildingA,DC=kace,DC=com))

All LDAP machine labels require at least one KBOX_ variable to be meaningful.  A variable allows it to be true or false depending upon a value that is given at inventory. If you do not use a variable then your LDAP label will either always be true or false.  This is because there is nothing dynamic provided to change the filter's evaluation at run time (inventory time). 

Consider a filter that looks like this:

(&(name=*)(memberOf=CN=BuildingA,DC=kace,DC=com))

This is likely always true because if you ran this query you'd get at least one result.  Also no matter what machine checks in you're always asking the same question.  This is fine for a test of your filter (e.g. in the LDAP browser) to see what is returned but not suitable for the LDAP label definition.

Now consider this:

(&(name=BILLPC-WN7)(memberOf=CN=BuildingA,DC=kace,DC=com))

Even this will always be true or false at check-in time. This is a great test to see if BILLPC-WN7 will return but if used as the label definition you will have a problem. Even if MaryPC-WN7 is checking in there is nothing to evaluate this in the context of MaryPC-WN7 -- BILLPC-WN7 has been hard-coded.

So make sure that when you save your LDAP label for production that you are using at least one KBOX_ variable.
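
Added example, not part of the original answer and not KACE's own code: a small Python model of the check-in evaluation described above, showing why the three filters in this answer and the `(objectClass=computer)` filter from the comments label every machine unless `KBOX_COMPUTER_NAME` is present. Assumptions: the directory entries, the `OTHERPC-WN7` machine and all function names are constructed for illustration, the label is applied when the substituted query returns at least one entry, and the substituted name is escaped per RFC 4515 so a name containing `*` or parentheses cannot change the filter.

```python
import re

# Constructed sample directory entries (not from the thread).
DIRECTORY = [
    {"name": "BILLPC-WN7", "objectClass": "computer",
     "memberOf": "CN=BuildingA,DC=kace,DC=com"},
    {"name": "MARYPC-WN7", "objectClass": "computer",
     "memberOf": "CN=BuildingB,DC=kace,DC=com"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters in a value placed into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse(f, i=0):
    """Parse '(attr=value)' or '(&(...)(...))' at f[i]; return (node, next index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, attr, val = node
    if attr not in entry:
        return False
    if val == "*":                        # presence test, e.g. (name=*)
        return True
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return literal.lower() == entry[attr].lower()

def label_applies(template, machine_name):
    """Model of one inventory check-in: substitute, search, apply on any hit."""
    flt = template.replace("KBOX_COMPUTER_NAME", escape_filter_value(machine_name))
    tree, _ = parse(flt)
    return any(matches(tree, entry) for entry in DIRECTORY)

def labelled(template, machines=("BILLPC-WN7", "MARYPC-WN7", "OTHERPC-WN7")):
    """Return the checking-in machines that would receive the label."""
    return [m for m in machines if label_applies(template, m)]
```

Only the template containing `KBOX_COMPUTER_NAME` gives a per-machine answer; the other filters return the same result for every machine that checks in, including one that has no directory entry at all.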


Comments:
  • It sounds like you don't have it also filtering by computer name. You can't simply have a search of the OU. See GillySpy's answer. This exact thing happened to me and it was because I left off the bit name=kbox_computer_name - mixduptransistor 11 years ago
  • Nice. I feel like I'm close. What I had in there was
    (objectClass=computer)
    so I took that out and used
    (&(name=KBOX_COMPUTER_NAME)(memberOf=OU=Test,OU=Servers,OU=SEARDE,DC=host,DC=hpc,DC=mil))
    When I do the LDAP test now it returns 0 entries. - AndrewQ 11 years ago
Posted by: jdornan 11 years ago
Red Belt
0

You have to wait for the machine to check in before the label gets applied


Comments:
  • The label is getting applied. The problem is that it is getting applied to too many machines. In this case, ALL machines that have done an inventory since the label was created :( - GillySpy 11 years ago
  • I misread that G. No more itninja after midnight :) - jdornan 11 years ago
  • You can do ITNinja after midnight? Oh wow, that is going to change things. :) - AndrewQ 11 years ago
