If you want to search for multiple groups, you can use the examples below as a guide.
You can also use the Filter Builder (see appendix) to help build the query for you.
Search Base DN: DC=dellkace,DC=local
Search Filter (before KACE variable): (|(memberof=CN=Group2,CN=Users,DC=dellkace,DC=local)(memberof=CN=Group1,CN=Users,DC=dellkace,DC=local))
Search Filter (after KACE variable): (&(samaccountname=KBOX_USER)(|(memberof=CN=Group2,CN=Users,DC=dellkace,DC=local)(memberof=CN=Group1,CN=Users,DC=dellkace,DC=local)))
Notice that all we did was add “(&(samaccountname=KBOX_USER)” at the beginning of the search filter and a single closing parenthesis “)” at the end. This is the simplest way to ensure that complex search filters will work correctly. Filter the users first and make sure your string is correct, then add the KACE variable.
Appendix: Using the Filter Builder in LDAP Search Filters
LDAP Search Filters
The ability to write search filters is the backbone of successful usage of LDAP on the KACE appliances. In this appendix we will cover using the LDAP Browser and Filter Builder to form LDAP search filters, along with a little bit of freehand writing that will make this process easier. The process is a little convoluted: you first create the part of the search filter that returns the correct number of search results, then combine that filter with the required KBOX variable to complete it and make it work with the appliance.
On the setup pages for LDAP authentication servers and LDAP labels, and in Step 1 of the User import process, you will see a button labeled LDAP Browser. Click that button to access the browser. You will need to enter your LDAP server details here if they are not already present. Click test to test your connection. Once it shows connected as below, you may click next.
We are now in the LDAP Browser. We will show how to navigate to a group in order to create a search filter for that group. In the LDAP Browser, remove any entry in the search filter box. Your Search Base DN should already be populated. Click Browse and then navigate to the group you wish to create the filter against (in this case, BMWK1000Admins). Select the group and copy the entry next to the distinguishedName attribute. See the graphic below.
Next, we will use the Filter Builder to create the search filter that will search within the specified group. Enter the attribute “memberof” in the Attribute Name field and copy the Distinguished Name into the Attribute Value field. This will make the search filter look for users that are a member of the specified group. It will look like this.
Click OK and now your LDAP browser should look something like this.
Press the search button to display the results. If the number of results shown is correct, we can now complete our search filter with the KBOX_USER variable.
You will add the “(&(samaccountname=KBOX_USER)” at the beginning of the search filter. You will also add a single “)” to the end.
Click next. Confirm that the settings are correct on this page and click next again. Users that are a part of the group specified in the search filter will now be able to log in to the KBOX interface.
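The two-step composition described above (build and verify the group filter, then wrap it with the KACE variable), as an added example that is not KACE code. It generalizes to any number of groups and escapes the characters RFC 4515 reserves in filter values; the function names and the "Ops (EU)" group DN are constructed for illustration.

```python
# Added example: compose the KACE search filter described on this page.
KACE_VARIABLE = "KBOX_USER"  # literal placeholder named on this page


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(group_dns):
    """Step 1: match users who are members of any of the given group DNs."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = ["(memberof=%s)" % escape_filter_value(dn) for dn in group_dns]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)


def is_balanced(flt):
    """True if flt is exactly one parenthesised expression.

    Literal parentheses in values must already be escaped as \\28 / \\29,
    so every raw parenthesis counted here is structural.
    """
    depth = 0
    for i, c in enumerate(flt):
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            # Reject a stray ")" or a first expression that closes early.
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return flt.startswith("(") and depth == 0


def add_kace_variable(flt):
    """Step 2: prepend the samaccountname clause, append one closing paren."""
    if not is_balanced(flt):
        raise ValueError("fix the group filter before wrapping: %r" % flt)
    return "(&(samaccountname=%s)%s)" % (KACE_VARIABLE, flt)


if __name__ == "__main__":
    groups = ["CN=Group2,CN=Users,DC=dellkace,DC=local",
              "CN=Group1,CN=Users,DC=dellkace,DC=local"]
    print(add_kace_variable(group_filter(groups)))
    # Constructed DN whose CN contains parentheses: they must be escaped.
    print(group_filter(["CN=Ops (EU),CN=Users,DC=dellkace,DC=local"]))
```

An unescaped parenthesis or asterisk in a group name changes the structure of the filter, and with it the set of accounts that can authenticate, which is why the value is escaped before the filter is wrapped.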
LDAP Reference Guide
For a full LDAP reference guide, please review the following PDF document.
KACE LDAP Refference Guide.pdf