LDAP Integration
Transcript of LDAP Integration
Dell World User Forum
UFIL510: LDAP Integration
Shawn Carson, Senior Trainer; Jeff Plaza, Senior Trainer
Agenda
• What is LDAP?
• K1000 Roles
• LDAP Authentication & Importing
• K1000 LDAP Labels
• K1000 Single Sign-On
What is LDAP?
Benefits of using LDAP Authentication
• Allows for integrated authentication utilizing a Directory Service such as Active Directory
• Assigns Roles at first import
• One less set of passwords to remember
• Can import users from LDAP for Asset tracking
• Import more information
• Use LDAP info for permissions, software assignment, and more through LDAP labels.
LDAP Process Flow
(Diagram) User Login → LDAP Queried by K1000 → User Authenticated and Imported → Access Granted
*No passwords stored on appliance
LDAP Terminology
• OU = Organizational Unit. A container, not a group: each user object lives in exactly one OU.
• DC = Domain Component. One component of the domain name, so kace.com becomes DC=kace,DC=com.
• DN = Distinguished Name. Every object has one: the complete, unique path naming that object.
• CN = Common Name. Every object has one; it is the leaf name at the front of the object's DN. Some of Active Directory's default containers are CNs rather than OUs (CN=Computers, CN=Users).
• Attributes: data fields holding information about an object, such as a user's telephone number, delivery address, or group membership.
LDAP Overview
(Tree diagram) Top-level domain components DC=net, DC=com, DC=org; DC=KACE beneath one of them; under DC=KACE, OU=Users (holding the account found by samaccountname=KBOX_USER) and OU=Computers.
LDAP Attributes
An attribute is a data field that helps to classify a directory object. Attributes can hold the user's email address, phone number, or the security groups the user is a member of. Commonly used ones:
• memberOf
• objectClass (see http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx)
• objectGUID
• userPrincipalName
• More attributes: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx
K1000 LDAP Label Variables
The K1000 variables can be placed inside the search filter to pass information from the K1000 into LDAP. This is useful for user login and for creating LDAP Labels.
• Machine variables are passed to the filter at machine check-in.
• User variables are passed to the filter at user log-in.
Distinguished Names
• The following domain tree:
– Battlestar.Local
– (OU) Galactica
– (OU) Pilots
– (OU) Viper
• This would be listed as follows:
– OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local
• Most Restrictive ================> Least Restrictive (the leaf OU on the left, the domain on the right)
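The DN ordering above, as an added example (not code from the slides or from the K1000): a small Python helper that builds a DN from the tree notation, splits a DN into its RDNs, and checks whether an object lies at or under a Base DN, which is exactly the scope a recursive search from that Base DN (the Base DN entered in the LDAP authentication settings later in this deck) can return. The pilot account and its name are constructed sample data.

```python
"""DN helpers (added example; not K1000 code).

A DN lists RDNs from the most specific component on the left to the
least specific on the right. Comparing from the right end answers the
Base DN question: does this object sit at or below where the search starts?
"""
import re
from typing import List, Optional, Tuple

# Split on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")
_DN_SPECIAL = ',+"\\<>;'


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first, root last."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def _normalize(dn: str) -> List[Tuple[str, str]]:
    # Attribute types and, for AD's usual string syntaxes, values compare case-insensitively.
    return [(a.lower(), v.lower()) for a, v in parse_dn(dn)]


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies anywhere beneath it: the set
    a recursive (subtree) search from base_dn can return."""
    entry, base = _normalize(entry_dn), _normalize(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def dn_from_path(domain: str, *ous: str, leaf: Optional[str] = None) -> str:
    """Build a DN from the slide's tree notation: DNS domain name, OUs listed
    top-down, and an optional leaf RDN such as 'CN=...'."""
    rdns = [leaf] if leaf else []
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ous)]
    rdns += [f"DC={escape_rdn_value(part)}" for part in domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    # Hypothetical pilot account in the slide's Battlestar.Local tree (constructed sample).
    viper_ou = dn_from_path("Battlestar.Local", "Galactica", "Pilots", "Viper")
    pilot = dn_from_path("Battlestar.Local", "Galactica", "Pilots", "Viper",
                         leaf="CN=" + escape_rdn_value("Thrace, Kara"))
    print(viper_ou)
    print(pilot)
    for base in ("DC=Battlestar,DC=Local",
                 "OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local",
                 "OU=Deck,OU=Galactica,DC=Battlestar,DC=Local"):
        print(f"{base:50} -> {'in scope' if is_under(pilot, base) else 'out of scope'}")
```

The comparison walks the RDN lists from the root end, so a Base DN of OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local includes the Viper OU and the account in it, while a sibling OU such as OU=Deck does not; escaping the comma in the common name keeps the DN parseable.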
Search Filter
• () = Parentheses: the standard delimiter, grouping each condition and fixing the order of evaluation.
• & = Ampersand: all of the enclosed conditions must be true (AND).
• | = Pipe: at least one of the enclosed conditions must be true (OR).
In an LDAP search filter the following basic syntax is used:
• (condition)
• (&(condition1)(condition2))
• (|(condition1)(condition2))
• With real attribute names and a real group DN the filter looks like this:
• (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
Roles
Creating & Understanding Existing Roles
• Dell KACE K1000 has four default Roles:
– Administrator
– Read Only Administrator
– User Console Only
– No Access
• Default Roles cannot be changed or deleted. They can be duplicated.
• Use custom roles for your users.
• Dell KACE K2000 has two Roles:
– Admin
– Login Not Allowed
• Custom Roles are not allowed on the K2000.
LDAP Authentication
Configuring LDAP Authentication
• Configure one query per role*
• Authentication works in cascading order: the queries are tried top to bottom and the first one that finds the user decides the role.
– Admins on top, Users on the bottom, everything else in between
– Remove unnecessary queries: every extra query is another LDAP round trip and another chance for an unintended match.
LDAP Authentication Detail
• Enter Hostname/IP and Port
– LDAP: server name or IP and port 389
– LDAPS: ldaps://server name or IP and port 636
– Prefer LDAPS: over plain LDAP the simple bind sends the K1000's service-account password across the network in clear text.
• Enter Base DN
– Where am I starting my search?
– The search is recursive: it covers the Base DN and every container beneath it.
• Enter Search Filter
– How am I narrowing my search?
– KBOX_USER is a variable replaced with the login name at runtime.
• Provide credentials for the K1000
– Read access to LDAP is all that is needed; use a dedicated read-only service account rather than an administrator's.
LDAP Search Filters
• Base filter: (samaccountname=KBOX_USER)
• Users only: (objectCategory=user)
• Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)
Available operators:
• AND &
• OR |
• NOT !
• Operators are placed in front of their operands (prefix notation), not in between them.
• Combined: (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))
LDAP Example: Multiple Security Groups
(Diagram) Member of Group 1 OR Group 2 OR Group 3: three memberof conditions nested inside a single |.
LDAP Example: Excluding Users
(Diagram) Member of London OR Berlin OR Paris, but NOT a member of Kace_Admins: the | group and a ! condition nested inside one &.
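The two diagrams above and the cascading role queries from the LDAP Authentication slides, as an added, runnable Python example (not the appliance's own code): it parses the prefix filter syntax, evaluates filters against constructed sample entries, and tries an ordered list of role queries where the first match wins. It assumes KBOX_USER is substituted into the filter as plain text and therefore escapes the login name per RFC 4515; the accounts, the groups, and the OU=Sites container are made up for the example.

```python
"""LDAP search-filter evaluator (added example; not K1000 code).

Parses the prefix syntax from the slides, (&...) (|...) (!...) (attr=value),
evaluates it against in-memory entries, and models the cascading role
queries: the first query that finds the user wins.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]   # lowercase attribute name -> values
_HEX = re.compile(r"\\([0-9a-fA-F]{2})")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash * ( ) and NUL become \\xx so they cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render(template: str, safe: bool = True, **variables: str) -> str:
    """Substitute KBOX_* variables into a filter template (assumed textual replacement)."""
    for name, val in variables.items():
        template = template.replace(name, escape_filter_value(val) if safe else val)
    return template

def value_matcher(raw: str):
    """Compile a raw assertion value: an unescaped '*' is a wildcard, \\xx is a literal byte."""
    parts, i = [], 0
    while i < len(raw):
        m = _HEX.match(raw, i)
        if m:
            parts.append(re.escape(chr(int(m.group(1), 16))))
            i = m.end()
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def parse(text: str):
    """Recursive-descent parser; returns ('&'|'|'|'!', kids) or ('=', attr, matcher)."""
    pos = 0

    def take(ch):
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        take("(")
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            take(")")
            if op == "!" and len(kids) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, kids)
        end = text.index(")", pos)   # a literal ')' in a value must be escaped as \29
        attr, sep, raw = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad comparison {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value_matcher(raw))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    return any(tree[2].match(v) for v in entry.get(tree[1], []))

# Constructed sample directory (hypothetical accounts and groups, not real data).
ADMINS = "CN=Kace_Admins,CN=Users,DC=kace,DC=local"
SITES = "OU=Sites,DC=kace,DC=local"
DIRECTORY: List[Entry] = [
    {"samaccountname": ["kstarbuck"], "memberof": [f"CN=London,{SITES}"]},
    {"samaccountname": ["ladama"], "memberof": [f"CN=Paris,{SITES}", ADMINS]},
    {"samaccountname": ["gbaltar"], "memberof": [f"CN=Caprica,{SITES}"]},
]

# Cascading role queries, evaluated top to bottom: Admin first, broad User query last.
ROLE_QUERIES = [
    ("Administrator", f"(&(samaccountname=KBOX_USER)(memberof={ADMINS}))"),
    ("User Console Only", "(&(samaccountname=KBOX_USER)"
     f"(|(memberof=CN=London,{SITES})(memberof=CN=Berlin,{SITES})(memberof=CN=Paris,{SITES}))"
     f"(!(memberof={ADMINS})))"),
]

def resolve_role(login: str, directory: List[Entry], safe: bool = True):
    """Return the role of the first query that finds `login`, or None (no access)."""
    for role, template in ROLE_QUERIES:
        tree = parse(render(template, safe, KBOX_USER=login))
        if any(matches(tree, e) for e in directory):
            return role
    return None
```

With this directory, resolve_role returns User Console Only for kstarbuck (London, not an admin), Administrator for ladama (the Admin query is tried first and wins even though she is also in Paris), and None for gbaltar (Caprica is in none of the queries). resolve_role("*", DIRECTORY) also returns None because the asterisk is escaped to \2a, whereas safe=False lets the wildcard match every account and returns Administrator, which is why the value substituted for KBOX_USER must never reach the filter unescaped.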
LDAP Authentication Examples
LDAP Authentication Examples Pt. 2
Exercise: Enabling External LDAP Authentication
LDAP Import – Step 1
• Refine your attributes list
– Supplement the default list if needed
• Label Attribute
– Typically "memberof"
– Creates blank LDAP Labels
– Change the prefix as desired
– Remove if not used
• Set Max # Rows
• Set Email Recipients
• Set Scheduling
LDAP Import – Step 2
• Map the first four attributes
– LDAP UID = objectguid
– User Name = samaccountname
– Full Name = name, displayname
– Email = mail*
• Map other fields as needed
– Custom attributes come into play
– They must have been identified in step 1
– They must appear in the preview table
• Assign role
• Create user labels as desired
LDAP Import – Step 3
• Review import data
– Look for errors or bad data
• Import when ready!
LDAP Labels
Understanding LDAP Labels
• Similar to Smart Labels, but built from LDAP information
• LDAP User Labels are essential for efficient Service Desk or User Portal usage
• LDAP Machine Labels are a highly useful complement to Smart Labels
LDAP Label Creation
We need a manual label first
• Home > Labels > Label Management > Choose Action > New Manual Label
LDAP Label Creation
• Home > Labels > LDAP Labels > Choose Action > New
Exercise: LDAP Label Creation
Alternative to LDAP Labels – LDAP Smart Labels
• Based upon a Custom Inventory Field:
– RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)
• Lists the complete AD path (distinguished name) of the machine account
Alternative to LDAP Labels – LDAP Smart Labels Pt. 2
• Create Smart Labels targeting the Custom Inventory
Single Sign-On
Single Sign-On
• Top feature request on Kace.uservoice.com, first implemented in v5.5
• Settings > Control Panel > Security Settings
• Single Sign-On allows your users to log into the K1000 appliance without having to enter their user name or password.
• The K1000 can only use one domain for single sign-on.
Exercise: Single Sign-On
Using Single Sign-On
To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address instead takes you to the login page, because the browser negotiates the logon against the appliance's hostname, not its IP.
Supported browsers are:
• Chrome
– Chrome requires no modifications at this time.
• Firefox
– In Firefox, type about:config in the address bar.
– In the search field, type: network.negotiate-auth.trusted-uris
– In the search results, double-click the name of the preference.
– In the string value box, enter the URL of the KACE appliance, then click OK.
Using Single Sign-On Pt. 2
• Internet Explorer
– In IE, click Tools > Internet Options > Security.
– Select the appropriate security zone and add the K1000 to Trusted sites.
– Click Custom level, then scroll to the bottom of the list.
– Select "Automatic logon with current user name and password". If this option is not set, Internet Explorer cannot automatically log into the KACE appliance even if single sign-on is enabled on the appliance.
Thank you.
KACE Support Portal Migrating to Dell Software Support Portal
• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal.
• All service requests will be submitted through the portal or by phone.
• Same great content:
– Knowledge base articles
– Video tutorials
– Product documentation
– JumpStart training
• Check out the Support Portal Getting Started videos.