KACE Product Support Question

LDAP Search Filter for Authentication

04/25/2016 4199 views
Ok I am having an issue setting up K1000 for LDAP Authentication.  I add the external server.  Give it the host name for my Domain Controller and the proper port. My AD tree is "ICT.ad.somename.com" All my users are in one OU so my search base DN looks like this:


I set up a basic user in my domain "KACE". When I put in a search filter like this "(&(ObjectClass=person)(!(ObjectClass=Computer))" and enter the LDAP Login Field "ICT\Kace" then test the settings it gives me the right number of entries found.

However when I go to "apply" the settings it says: "KBOX_USER need to be part of Search Filter" so I change the Search Filter to "(&(samaccountname=KBOX_USER)(ObjectClass=user)(!(ObjectClass=Computer)))" and the test completes but comes up with 0 entires found. 

I change the search field to "(&(samaccountname=*)(ObjectClass=person)(!(ObjectClass=Computer)))" and it is successful in finding all the users but still won't apply stating "KBOX_USER need to be part of Search Filter". 

I don't know how to get around this.  Anyone help?
Answer Summary:
2 Comments   [ + ] Show comments


  • The way the KBOX_USER works is as a filter. The KBOX_USER will be replaced with the samaccountname of whoever is logging in. This is used to make sure that the user who is logging in is authenticated or not. The KBOX_USER is needed in the ldap filter.

    I'm going to link an ldap filter article also.

    Link: https://support.software.dell.com/k1000-systems-management-appliance/kb/112277

    Hopefully that helps you understand. If not
    • TY. I had already ran through that and it makes sense its just not working like it should
  • Can you successfully test and login if you create a filter that applies to only one account, e.g. "(&(samaccountname=KBOX_USER)(samaccountname=jsmith))" ?
    • Tried that and it worked. Went back in and put the group in using (&(memberOf=CN=ITADMIN,OU=Employees,DC=ICT,DC=ad,DC=somename,DC=com)(samaccountname=KBOX_USER)) and tests fine but no user log in is allowed.

Answer Chosen by the Author

We´re putting the users in different groups with different roles. In AD we have a group called GROUP_KACE_ADMIN (e.g, see the distinguished name in code section) and put all admins in this group and another group for default users.

Answered 04/26/2016 by: aragorn.2003
Red Belt

  • TY. I tried using the ITADMIN group using that format and it worked. Now on to the hard stuff, MSI building.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ