It is possible to import LDAP labels during an LDAP import; however, it is unlikely that all imported labels would be used, so the LDAP label list fills up with multiple unused queries. The necessary LDAP labels can instead be created manually, but this is a multi-step process. This article covers creating an LDAP user label and provides an example that uses a security group as the filter.
Search filters are environment specific. For more information, please see: How to setup LDAP Authentication
For more information on this topic, please see the KACE-SMA Course 3 Appliance Fundamentals-Web-based Training.
Creating an LDAP label requires multiple parts, each with its own steps. The two main parts of creating an LDAP label are:
NOTE: The Enabled check box should not be chosen until the label is fully tested and the proper KACE variable has been added. See information about the Advanced Search in step 8 below.
NOTE: Filters are environment specific, but do require the proper KACE variable to apply properly. Please see LDAP Filters Tips and Tricks for more information.
NOTE: Attempting to use Test in an LDAP Label Detail will fail if the KACE variable exists. For testing, use an asterisk (*) where the KACE variable will go, and then once the filter is confirmed, change the asterisk (*) to the proper KACE variable. Failing to change the asterisk to the proper KACE variable before enabling the LDAP label can cause the incorrect users / devices (or all users / devices) to be applied to the label. For more information, please see Testing and Applying LDAP Labels
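A pre-enable check for the mistake described in the note above, as an added example that is not part of the original article or of the KACE product: it flags a filter that still carries the test asterisk or contains no KACE variable. The `KBOX_` variable prefix, the name `KBOX_USER_NAME`, the list of identity attributes and the sample filters are assumptions constructed for illustration.

```python
import re

# Assumption: KACE variables are tokens that start with "KBOX_" (the article does not name them).
KACE_VAR = re.compile(r"\bKBOX_[A-Z0-9_]+\b")
# One simple LDAP assertion such as (attr=value); the value holds no nested parentheses.
ASSERTION = re.compile(r"\(([A-Za-z][\w;.-]*)\s*(?:=|~=|>=|<=)\s*([^()]*)\)")


def balanced(ldap_filter):
    """True when every '(' has a matching ')' in the right order."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def lint_label_filter(ldap_filter, identity_attrs=("samaccountname", "uid", "cn", "mail")):
    """Return a list of findings; an empty list means no blocker was found."""
    findings = []
    if not balanced(ldap_filter):
        findings.append("unbalanced parentheses")
    if not KACE_VAR.search(ldap_filter):
        # Without the variable the filter is not tied to the user being evaluated,
        # so it can match every user or device.
        findings.append("no KACE variable in filter")
    for attr, value in ASSERTION.findall(ldap_filter):
        if attr.lower() in identity_attrs and value.strip() == "*":
            findings.append(f"test wildcard left in place: ({attr}=*)")
    return findings


# Constructed sample filters: the form used with Test, and the form to enable.
TEST_FORM = "(&(sAMAccountName=*)(memberOf=CN=Helpdesk,OU=Groups,DC=example,DC=com))"
FINAL_FORM = "(&(sAMAccountName=KBOX_USER_NAME)(memberOf=CN=Helpdesk,OU=Groups,DC=example,DC=com))"

if __name__ == "__main__":
    for name, flt in (("test form", TEST_FORM), ("final form", FINAL_FORM)):
        result = lint_label_filter(flt)
        print(name, "->", result or "OK to enable")
```
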
NOTE: LDAP user labels DO NOT automatically update. It will be necessary to use a custom rule or create an import on a schedule (typically this will need to be for all users). LDAP user labels are evaluated on user import, but it will be necessary to import every user regularly to keep labels in sync. Users are not removed from the label when they are removed/moved in the directory.