For best results, it is necessary to filter the users first, test the string, and then add the KACE variable.
To create a filter that queries more than one security group and will work in the K1000:
- Go to Home | Label Management
- Click LDAP Browser
- Fill in the Hostname or IP Address of the LDAP server
- Fill in the appropriate port (389 for LDAP or 636 for LDAPS)
- Fill in Login (the credentials of the account the K1000 will use to log in to the LDAP server and read accounts), in one of these formats:
  - username@domain
  - domain\username
  - Full distinguished name (DN) of the user.
    - Example: CN=service_account,CN=Users,DC=company,DC=com
- Enter the Password of the above user
- Click Test
- Click Next
- Choose a Search Base DN from the drop-down list
  - The domain should be sufficient for this example. Example: DC=company,DC=com
- Click on Filter Builder
- Enter the following (information for the first group):
  - Attribute Name: memberof
  - Relational Operator: =
  - Attribute Value: CN=Group1,OU=OrgazationalUnitGroupisIn,DC=company,DC=com (the full Distinguished Name of the first group desired)
- Click Add
- Change the Conjunction Operator of the first line to OR
- Enter the following (information for the second group):
  - Attribute Name: memberof
  - Relational Operator: =
  - Attribute Value: CN=Group2,OU=OrgazationalUnitGroupisIn,DC=company,DC=com (the full Distinguished Name of the second group desired)
- Either click Add again and follow the steps above for more groups or click OK to place the new filter in the test box
- The filter will look similar to this (with environment-specific names):
  - (|(memberof=CN=Group1,OU=OrgazationalUnitGroupisIn,DC=company,DC=com)(memberof=CN=Group2,OU=OrgazationalUnitGroupisIn,DC=company,DC=com))
- Copy the filter and save it in a text document (for example, in Notepad)
- Edit the filter to add the appropriate KACE variable:
  - If for authentication, add the following before the filter created above: (&(samaccountname=KBOX_USER) and add a closing parenthesis after the filter: )
    - The final result would look like this: (&(samaccountname=KBOX_USER)(|(memberof=CN=Group1,OU=OrgazationalUnitGroupisIn,DC=company,DC=com)(memberof=CN=Group2,OU=OrgazationalUnitGroupisIn,DC=company,DC=com)))
  - If for an LDAP label, add the following before the filter created above: (&(samaccountname=KBOX_USER_NAME) and add a closing parenthesis after the filter: )
    - The final result would look like this: (&(samaccountname=KBOX_USER_NAME)(|(memberof=CN=Group1,OU=OrgazationalUnitGroupisIn,DC=company,DC=com)(memberof=CN=Group2,OU=OrgazationalUnitGroupisIn,DC=company,DC=com)))
Note: Please see LDAP Filters Tips and Tricks for more information on LDAP label KACE variables.
- Copy the new filter from the text document, paste it into the Search Filter box in the LDAP Browser, and click Search to test the new filter
Note: If using a KACE variable for a label (KBOX_USER_NAME), it will be necessary to change that variable to an asterisk (*) for testing purposes. See Testing and Applying LDAP Labels for more information.
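The hand-editing steps above can also be done with a script. The following Python code is an added example, not part of the original article or of the K1000 product. It builds the same filter from a list of group DNs and checks that the parentheses balance. It goes beyond the steps above by hex-escaping the characters RFC 4515 reserves in filter values, so that a group name containing parentheses does not break the filter. The function names and the "Helpdesk (Tier 2)" group are hypothetical.

```python
# Added example: builds the K1000 search filter from a list of group DNs.
# Function names and the sample group names are constructed for illustration.

# RFC 4515 characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dns):
    """OR together one memberof test per group DN (the Filter Builder output)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = "".join("(memberof=%s)" % escape_value(dn) for dn in group_dns)
    return "(|%s)" % terms


def kace_filter(group_dns, variable="KBOX_USER"):
    """Wrap the group filter with the KACE variable; "*" is the test form."""
    if variable not in ("KBOX_USER", "KBOX_USER_NAME", "*"):
        raise ValueError("unexpected variable: %r" % variable)
    return "(&(samaccountname=%s)%s)" % (variable, group_filter(group_dns))


def is_balanced(ldap_filter):
    """True if the text is one filter whose parentheses open and close once."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        depth += (ch == "(") - (ch == ")")
        # Reject a stray ")" and anything outside the single outer filter.
        if depth < 0 or (depth == 0 and i < len(ldap_filter) - 1):
            return False
    return depth == 0 and bool(ldap_filter)


if __name__ == "__main__":
    groups = [
        "CN=Group1,OU=OrgazationalUnitGroupisIn,DC=company,DC=com",
        "CN=Helpdesk (Tier 2),OU=OrgazationalUnitGroupisIn,DC=company,DC=com",
    ]
    for var in ("KBOX_USER", "KBOX_USER_NAME", "*"):
        result = kace_filter(groups, var)
        print(is_balanced(result), result)
```

Running is_balanced over a filter edited by hand catches the most common slip in the steps above, a missing final closing parenthesis, before the filter is pasted back into the Search Filter box.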