You can use ticket rules to keep your LDAP filters in sync with new or modified user information. As long as the user information is kept up to date with a scheduled import the rules will keep the user's labels up to date.
The basic way that this works is:
- A scheduled LDAP import runs daily (or more often) on the groups that need to be kept up to date. Typically this means on everyone, but not necessarily.
- When the LDAP runs it will be setup to email the special queue that we created. This email will create a ticket in that queue
- The ticket will trigger a rule that will update any missing label information
- The ticket will trigger a rule that will delete any obsolete label information
The complete conditions for this FAQ to work are:
- You must create a separate queue to handle the processing of this information. This queue will only have one owner and two submitters. The owner can be anyone you designate (e.g. admin). The submitters are not negotiable -- one submitter will be the same as the owner you designated and the other owner will be a special user. Details below. This separate queue will have all its email on events turned off.
- The LDAP membership information (e.g. memberOf for Active Directory) must be imported into the custom_4 field of the users that you want to update
- You must still create an LDAP filter.
- This filter must represent the memberOf information above. The filter doesn't actually have to do any LDAP evaluations but it is recommended that it does.
- The name of each filter must end with an underscore then the name of the LDAP group or simply be the name of the LDAP group. E.g. if the AD group is called "KACE SMA appliance Admins" then the filter can be called "ldap_K1000 appliance Admins" or "K1000 appliance Admins_" or "_K1000 appliance Admins" or "ldap filter_K1000 appliance Admin"
- The name of the LDAP group cannot have any underscores in it. E.g. "K1000 appliance_Admins" is illegal
- The name of the LDAP label associated to the filter cannot have any underscores in the portion of the name that matches the memberOf information. E.g. for an LDAP group called "K1000 appliance Admins" the label cannot be called "ldap_K1000 appliance_Admins" nor "ldap_filter_K1000 appliance_Admins"
Schedule your LDAP user import
Note: an import is also an update automatically so if you are using LDAP you should have a scheduled import. Follow the documentation on this. It is set at Settings | User Authentication | Bell icon
. The key elements that you need for this to work are:
- a schedule on your import (in step 1)
- a recipient (in step 1)E.g.
- import the memberOf attribute and map it to the custom_4 field of your user record. After an import your user record might look like this:
You must create an LDAP filter for your users. See documentation on this. As an example we have the following filter:
Create a label called FilterQueueSubmitters
- Go to Home | Label | Label Management and create a new label called FilterQueueSubmitters
Create the following user in your K1000 appliance:
Go to Settings > Users
and create a new user with this information (note that you will have to give values relevant to your appliance
- user name: reporter@K1000 appliance.questkace.local
- email: reporter@K1000 appliance.questkace.local
- label: FilterQueueSubmitters
Create a Special Queue
- Go to Service Desk | Configuration | Queues and add a new queue called Queue to detect ldap import
- Open the configuration page for this queue and do the following:
- Uncheck all "Email on events" checK1000 appliancees
- Uncheck allow all users as submitters and specify FilterQueueSubmitters
- Uncheck Accept email from unknown users
- Check Allow users with an Administrator role to read and edit tickets in the End User Console
- Optional: specify a label for ticket owners
Create this rule
Create Rule To Add Labels
Create Rule to Delete Labels