Extended Attribute LDAP mapping for DistinguishedName in Active Directory

ChrisSVCarter
New Contributor II

I'm trying to get clients to report their Active Directory distinguishedName attribute in their inventory data to allow us to build smart groups based on AD OUs. With help from previous posts on here I found a way to do it via a script Extended Attribute. However, seeing as there's meant to be functionality to do this with an Extended Attribute of type LDAP Attribute Mapping, I'd rather do it that way - problem is I can't get that to work!

My non-working Extended Attribute is configured as follows:

Data Type: String
Inventory Display: General
Input Type: LDAP Attribute Mapping
LDAP Attribute: distinguishedName

I've also ensured that "Collect user and location information from LDAP" is enabled in Computer Inventory Collection.

The attribute appears in the inventory for computers but is empty.

As I say, I can get this with a script, but I'm concerned why this isn't working for us given that we plan to use a few more similar attributes for things like mapping users' workspaces etc.

Anyone have any idea what the problem might be? Could it be object permissions in the AD perhaps?

2 REPLIES

freddie_cox
Contributor III

I do not know that it is capable of grabbing the LDAP attributes of the computer in this manner.

When I set up an Extension Attribute as you have described and the laptop is assigned to an LDAP user, I get the user's distinguishedName from AD rather than the computer's when I do an inventory update.

Maybe someone can correct me on that in case there is something I am doing wrong.

bentoms
Release Candidate Programs Tester

I'm pretty sure that the LDAP mappings are only for user attributes.

Once you've done the mappings & ticked the box to collect the data, you then need a script to submit the username to start the process.

I knocked up a post on how I do it: http://macmule.com/2014/05/04/submit-user-information-from-ad-into-the-jss-at-login-v2/
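The replies above report that LDAP Attribute Mapping returns the assigned user's attributes, which leaves the script-type Extension Attribute from the original post as the route to the computer object's DN. The sketch below is an added example, not code from anyone in this thread. It assumes an AD-bound Mac, that `dsconfigad -show` lists the computer account, and that `dscl /Search` can read `dsAttrTypeNative:distinguishedName` for it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: script Extension Attribute reporting the computer object's OU path.

# Pull the DN out of `dscl -read` output. dscl prints the value on the same
# line as the key, or indented on the next line when the value contains spaces.
extract_dn() {
    sed -e 's/^dsAttrTypeNative:distinguishedName://' \
        | tr -d '\n' \
        | sed -e 's/^ *//' -e 's/ *$//'
}

# Drop the leading RDN (the computer's CN) to get the containing OU path.
# A backslash-escaped comma inside the CN is not treated as a separator.
# Anything that does not look like a DN (e.g. "No such key: ...") yields "".
dn_parent_ou() {
    case "$1" in
        *=*,*=*) printf '%s\n' "$1" | sed -E 's/^([^,\\]|\\.)*,//' ;;
        *)       printf '\n' ;;
    esac
}

# Wrap a value in the <result> tags that a script Extension Attribute reports.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Runs only where the macOS directory tools exist; a no-op elsewhere.
if command -v dscl >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
    # Assumption: the binding shows a line like "Computer Account = mac01$".
    acct=$(dsconfigad -show | awk '/Computer Account/ {print $NF}')
    dn=""
    if [ -n "$acct" ]; then
        # Assumption: the /Search node resolves the AD computer record.
        dn=$(dscl /Search -read "/Computers/$acct" \
                dsAttrTypeNative:distinguishedName 2>/dev/null | extract_dn)
    fi
    # Empty result when the Mac is unbound or the record cannot be read.
    ea_result "$(dn_parent_ou "$dn")"
fi
```

The reported value is the OU path without the computer's own CN, so a smart group can match on it with a "like" criterion for a given OU.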