Dell World User Forum
UFIL510: LDAP Integration
Shawn Carson, Senior Trainer
Jeff Plaza, Senior Trainer
Agenda
• What is LDAP?
• K1000 Roles
• LDAP Authentication & Importing
• K1000 LDAP Labels
• K1000 Single Sign-On
What is LDAP?
Benefits of using LDAP Authentication
• Allows for integrated authentication utilizing a Directory Service such as Active Directory
• Assigns Roles at first import
• One less set of passwords to remember
• Can import users from LDAP for Asset tracking
• Import more information
• Use LDAP info for permissions, software assignment, and more through LDAP labels.
LDAP Process Flow
[Diagram: User Login → LDAP Queried by K1000 → User Authenticated and Imported → Access Granted]
*No passwords stored on appliance
LDAP Terminology
• OU = Organizational Unit. Remember: each user can be in only one of these.
• DC = Domain Component: top-level domain identifiers, such as Kace.com
• DN = Distinguished Name. Everything has one. This is the complete proper name describing an object.
• CN = Common Name. Every object has one. Simplified name of DN for an object. Some default containers are CNs (Computers).
• Attributes: data fields holding information about a CN, such as a user's Telephone Number, Delivery Address, Group Membership
LDAP Overview
LDAP Attributes
An attribute is a data field that helps to classify the domain object. These attributes could contain the user's email address, phone number or a security group they are a part of.
• memberOf
• objectClass - See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx
• objectGUID
• userPrincipalName
• More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx
K1000 LDAP Label Variables
The K1000 variables can be placed inside the search filter to pass information from the K1000
into LDAP. This is useful for user login and creating LDAP Labels.
• Machine Variables are passed to the filter at machine checkin.
• User variables are passed to the filter at User Log in.
Distinguished Names
• The Following Domain Tree:
• Battlestar.Local
– (OU) Galactica
› (OU) Pilots
o (OU) Viper
• This would be listed as Follows:
– OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local
Most Restrictive ================> Least Restrictive
Search Filter
• () = Parentheses - Standard logical delineator for organizing the order of operation or evaluation.
• & = Ampersand - Signifies that both* conditions MUST be true (AND)
• | = Pipe - Signifies that one condition MUST be true (OR)
In an LDAP Search Filter the following basic syntax is used:
• (condition)
• (&(condition1)(condition2))
• (|(condition1)(condition2))
• The way this would look with an actual LDAP filter is as follows:
• (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
Roles
Creating & Understanding Existing Roles
• Dell KACE K1000 has four default Roles
– Administrator
– Read Only Administrator
– User Console Only
– No Access
• Default Roles cannot be changed or deleted. They can be duplicated
• Use custom roles for your users
• Dell KACE K2000 has two Roles
– Admin
– Login Not Allowed
• Custom Roles are not allowed
LDAP Authentication
Configuring LDAP Authentication
• Configure one query per role*
• Authentication works in cascading order
– Admins on top, Users on bottom, everything else in between
– Remove unnecessary queries
LDAP Authentication Detail
• Enter Hostname/IP and Port
– LDAP: server/IP & 389
– LDAPS: ldaps://server/IP & 636
• Enter Base DN
– Where am I starting my search?
– Search is recursive, it will search subdirectories
• Enter Search Filter
– How am I narrowing my search?
– KBOX_USER is a variable replaced at runtime
• Provide credentials for K1000
– Read access to LDAP is needed
LDAP Search Filters
• Base filter: (samaccountname=KBOX_USER)
• Users only: (objectCategory=user)
• Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)
Available operators:
• AND &
• OR |
• NOT !
• Operators are placed in front of operands, not in between!!
• (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))
LDAP Example: Multiple Security Groups
[Screenshot callouts: Group 1 Or Group 2 Or Group 3]
LDAP Example: Excluding Users
[Screenshot callouts: Member of London or Berlin or Paris, But not Member of Kace_Admins]
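The cascading one-query-per-role setup and the "Excluding Users" filter, worked through as an added Python example (not part of the original deck and not K1000 code). It parses the prefix-notation filters, substitutes KBOX_USER, and evaluates them top to bottom against a constructed directory; the London/Berlin/Paris group DNs, the sample accounts, and the RFC 4515 escaping of the login name before substitution are assumptions of this example.

```python
import re

# Constructed sample directory. Only the Kace_Admins DN appears on the slides;
# the other group DNs and all account names are assumptions for illustration.
BASE = "CN=Users,DC=kace,DC=local"
DIRECTORY = [
    {"samaccountname": ["apollo"],
     "memberof": [f"CN=Kace_Admins,{BASE}", f"CN=London,{BASE}"]},
    {"samaccountname": ["starbuck"], "memberof": [f"CN=Berlin,{BASE}"]},
    {"samaccountname": ["boomer"], "memberof": [f"CN=Tokyo,{BASE}"]},
]

# One query per role, evaluated in cascading order (admins on top).
ROLE_QUERIES = [
    ("Administrator",
     f"(&(samaccountname=KBOX_USER)(memberof=CN=Kace_Admins,{BASE}))"),
    ("User Console Only",
     "(&(samaccountname=KBOX_USER)"
     f"(|(memberof=CN=London,{BASE})(memberof=CN=Berlin,{BASE})"
     f"(memberof=CN=Paris,{BASE}))"
     f"(!(memberof=CN=Kace_Admins,{BASE})))"),
]


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name is always matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        # Operator comes first, then one or more parenthesised operands.
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, children)
    else:
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unbalanced parentheses")
        item = text[pos:end]
        attr, sep, value = item.partition("=")
        if not sep or not attr or "(" in item:
            raise ValueError(f"malformed condition {item!r}")
        node, pos = ("=", attr.strip().lower(), value), end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    have = entry.get(attr, [])
    if value == "*":              # raw, unescaped '*' is a presence test
        return bool(have)
    want = _unescape(value).lower()
    return any(v.lower() == want for v in have)


def resolve_role(login, directory=DIRECTORY, queries=ROLE_QUERIES):
    """Return the role of the first query that finds the login, else None."""
    safe = escape_filter_value(login)
    for role, template in queries:
        tree = parse_filter(template.replace("KBOX_USER", safe))
        if any(matches(tree, entry) for entry in directory):
            return role
    return None


if __name__ == "__main__":
    for name in ("apollo", "starbuck", "boomer", "*"):
        print(name, "->", resolve_role(name))
```

Only role resolution is modelled here; the password check against the directory is out of scope.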
LDAP Authentication Examples
LDAP Authentication Examples Pt. 2
Exercise: Enabling External LDAP Authentication
LDAP Import – Step 1
• Refine your attributes list
– Supplement default list if needed
• Label Attribute
– Typically “memberof”
– Creates blank LDAP Labels
– Change Prefix as desired
– Remove if not used
• Set Max # Rows
• Set Email Recipients
• Set Scheduling
LDAP Import – Step 2
• Map the first four attributes
– LDAP UID = objectguid
– User Name = samaccountname
– Full Name = name, displayname
– Email = mail*
• Map other fields as needed
– Custom attributes come into play
– Must have identified them in step 1
– Must be in preview table
• Assign role
• Create user labels as desired
LDAP Import – Step 3
• Review import data
– Look for errors or bad data
• Import when ready!
LDAP Labels
Understanding LDAP Labels
• Similar to Smart Labels, but uses LDAP info
• LDAP User Labels are essential for efficient Service Desk or User Portal usage
• LDAP Machine Labels are highly useful as a complement to Smart Labels
LDAP Label Creation
We need a manual label first
• Home > Labels > Label Management > Choose Action > New Manual Label
LDAP label creation
Home > Labels > LDAP Labels > Choose Action > New
Exercise: LDAP Label Creation
Alternative to LDAP Labels – LDAP Smart Labels
• Based upon Custom Inventory Field
– RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)
• Lists complete AD path to machine account
Alternative to LDAP Labels – LDAP Smart Labels Pt. 2
• Create Smart Labels targeting the Custom Inventory
Single Sign-On
Single Sign-On
• Kace.uservoice.com top feature request, first implemented in v5.5
• Settings > Control Panel > Security Settings
• Single Sign-On allows your users to log into the K1000 Appliance without having to enter their user name or password.
• The K1000 can only use one domain for single sign-on.
Exercise: Single Sign-On
Using Single Sign-On
To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address will direct you to the login page.
Supported browsers are:
• Chrome
– Chrome requires no modifications at this time.
• Firefox
– In Firefox, type about:config in the address bar
– In the search field type the following: network.negotiate-auth.trusted-uris
– In the search results, double-click the name of the preference
– In the string value box, enter the URL of the Kace Appliance then click OK.
Using Single Sign-On Pt. 2
• Internet Explorer
– In IE, click Tools > Internet Options > Security
– Select the appropriate security policy:
– Add K1000 to trusted sites
– Click custom level then scroll to the bottom of the list.
– Select automatic logon with current username and password. If this option is not set, Internet Explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.
Thank you.
KACE Support Portal Migrating to Dell Software Support Portal
• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal
• All service requests will be submitted by the portal or by phone
• Same great content
– Knowledge base articles
– Video tutorials
– Product documentation
– JumpStart training
• Check out the Support Portal Getting Started videos

WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 

LDAP Integration

  • 1. Dell World User Forum. UFIL510: LDAP Integration. Shawn Carson, Senior Trainer; Jeff Plaza, Senior Trainer
  • 2. Agenda • What is LDAP? • K1000 Roles • LDAP Authentication & Importing • K1000 LDAP Labels • K1000 Single Sign-On
  • 3. What is LDAP?
  • 4. Benefits of using LDAP Authentication • Allows for integrated authentication utilizing a Directory Service such as Active Directory • Assigns Roles at first import • One less set of passwords to remember • Can import users from LDAP for Asset tracking • Import more information • Use LDAP info for permissions, software assignment, and more through LDAP labels.
  • 5. LDAP Process Flow: User Login → LDAP Queried by K1000 → User Authenticated and Imported → Access Granted. *No passwords stored on appliance
  • 6. LDAP Terminology • OU = Organizational Unit. Remember: each user can be in only one of these. • DC = Domain Component: top-level domain identifiers, such as Kace.com • DN = Distinguished Name: everything has one. This is the complete proper name describing an object. • CN = Common Name: every object has one. Simplified name of DN for an object. Some default containers are CNs (Computers). • Attributes: data fields holding information about a CN, such as a user's Telephone Number, Delivery Address, Group Membership
  • 7. LDAP Overview
  • 8. LDAP Attributes An Attribute is a data field that helps to classify the Domain Object. These attributes could contain the user’s email address, phone number or a security group they are a part of. • memberOf • objectClass: see more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx • objectGUID • userPrincipalName • More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx
  • 9. K1000 LDAP Label Variables The K1000 variables can be placed inside the search filter to pass information from the K1000 into LDAP. This is useful for user login and creating LDAP Labels. • Machine variables are passed to the filter at machine check-in. • User variables are passed to the filter at user login.
  • 10. Distinguished Names • The following domain tree: Battlestar.Local > (OU) Galactica > (OU) Pilots > (OU) Viper • This would be listed as follows: OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local • Most Restrictive ================> Least Restrictive
  • 11. Search Filter • () = Parentheses - Standard logical delineator for organizing the order of operation or evaluation. • & = Ampersand - Signifies that both* conditions MUST be true (AND) • | = Pipe - Signifies that one condition MUST be true (OR) In an LDAP Search Filter the following basic syntax is used: • (condition) • (&(condition1)(condition2)) • (|(condition1)(condition2)) • The way this would look with an actual LDAP filter is as follows: • (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
  • 12. Roles
  • 13. Creating & Understanding Existing Roles • Dell KACE K1000 has four default Roles – Administrator – Read Only Administrator – User Console Only – No Access • Default Roles cannot be changed or deleted. They can be duplicated • Use custom roles for your users • Dell KACE K2000 has two Roles – Admin – Login Not Allowed • Custom Roles are not allowed
  • 14. LDAP Authentication
  • 15. Configuring LDAP Authentication • Configure one query per role* • Authentication works in cascading order – Admins on top, Users on bottom, everything else in between – Remove unnecessary queries
  • 16. LDAP Authentication Detail • Enter Hostname/IP and Port – LDAP: server/IP & 389 – LDAPS: ldaps://server/IP & 636 • Enter Base DN – Where am I starting my search? – Search is recursive, it will search subdirectories • Enter Search Filter – How am I narrowing my search? – KBOX_USER is a variable replaced at runtime • Provide credentials for K1000 – Read access to LDAP is needed
  • 17. LDAP Search Filters • Base filter: (samaccountname=KBOX_USER) • Users only: (objectCategory=user) • Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local) Available operators: • AND & • OR | • NOT ! • Operators are placed in front of operands, not in between!! • (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))
  • 18. LDAP Example: Multiple Security Groups (Group 1 OR Group 2 OR Group 3)
  • 19. LDAP Example: Excluding Users (member of London or Berlin or Paris, but not member of Kace_Admins)
  • 20. LDAP Authentication Examples
  • 21. LDAP Authentication Examples Pt. 2
  • 22. Exercise: Enabling External LDAP Authentication
  • 23. LDAP Import – Step 1 • Refine your attributes list – Supplement default list if needed • Label Attribute – Typically “memberof” – Creates blank LDAP Labels – Change Prefix as desired – Remove if not used • Set Max # Rows • Set Email Recipients • Set Scheduling
  • 24. LDAP Import – Step 2 • Map the first four attributes – LDAP UID = objectguid – User Name = samaccountname – Full Name = name, displayname – Email = mail* • Map other fields as needed – Custom attributes come into play – Must have identified them in step 1 – Must be in preview table • Assign role • Create user labels as desired
  • 25. LDAP Import – Step 3 • Review import data – Look for errors or bad data • Import when ready!
  • 26. LDAP Labels
  • 27. Understanding LDAP Labels • Similar to Smart Labels, but uses LDAP info • LDAP User Labels are essential for efficient Service Desk or User Portal usage • LDAP Machine Labels are highly useful as a complement to Smart Labels
  • 28. LDAP Label Creation We need a manual label first • Home > Labels > Label Management > Choose Action > New Manual Label
  • 29. LDAP Label Creation Home > Labels > LDAP Labels > Choose Action > New
  • 30. Exercise: LDAP Label Creation
  • 31. Alternative to LDAP Labels – LDAP Smart Labels • Based upon Custom Inventory Field – RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT) • Lists complete AD path to machine account
  • 32. Alternative to LDAP Labels – LDAP Smart Labels Pt. 2 • Create Smart Labels targeting the Custom Inventory
  • 33. Single Sign-On
  • 34. Single Sign-On • Kace.uservoice.com top feature request first implemented in v5.5 • Settings > Control Panel > Security Settings • Single Sign-On allows your users to log into the K1000 Appliance without having to enter their user name or password. • The K1000 can only use one domain for single sign-on.
  • 35. Exercise: Single Sign-On
  • 36. Using Single Sign-On To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address will direct you to the login page. Supported browsers are: • Chrome – Chrome requires no modifications at this time. • Firefox – In Firefox, type about:config in the address bar – In the search field type the following: network.negotiate-auth.trusted-uris – In the search results, double-click the name of the preference – In the string value box, enter the URL of the Kace Appliance then click OK.
  • 37. Using Single Sign-On Pt. 2 • Internet Explorer – In IE, click Tools > Internet Options > Security – Select the appropriate security policy: – Add K1000 to trusted sites – Click custom level then scroll to the bottom of the list. – Select automatic logon with current username and password. If this option is not set, Internet Explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.
  • 38. Thank you.
  • 39. KACE Support Portal Migrating to Dell Software Support Portal • Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal • All service requests will be submitted by the portal or by phone • Same great content – Knowledge base articles – Video tutorials – Product documentation – JumpStart training • Check out the Support Portal Getting Started videos
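
The prefix-notation filters on slides 11, 17 and 19 and the KBOX_USER substitution on slide 16, worked through as an added Python example that is not part of the presentation or of the K1000 itself. The London, Berlin and Paris group DNs and the directory entries are constructed; escaping the login name per RFC 4515 and rejecting stray whitespace are this example's assumptions, not documented appliance behaviour.

```python
import re

# RFC 4515 escapes for characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it is always treated as one literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def substitute(template, login):
    """Replace KBOX_USER at runtime; escaping here is this example's assumption."""
    return template.replace("KBOX_USER", escape_filter_value(login))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse_node(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        # Operator first, then its operands: (&(a)(b)), (|(a)(b)), (!(a))
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for {op}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    attr, sep, value = text[pos:max(end, pos)].partition("=")
    if end == -1 or not sep or not attr or attr != attr.strip() or "(" in value:
        raise ValueError(f"malformed condition at offset {pos}")
    return ("=", attr.lower(), _unescape(value)), end + 1

def parse(text):
    """Parse a search filter into nested tuples, refusing stray whitespace."""
    if text != text.strip() or "\n" in text or "\r" in text:
        raise ValueError("extra spaces or line feeds in the filter")
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after the filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    results = [matches(child, entry) for child in children]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[op](results)

USERS = "CN=Users,DC=kace,DC=local"
# Slide 19's rule: London or Berlin or Paris, but not Kace_Admins.
TEMPLATE = ("(&(samaccountname=KBOX_USER)"
            f"(|(memberof=CN=London,{USERS})(memberof=CN=Berlin,{USERS})"
            f"(memberof=CN=Paris,{USERS}))"
            f"(!(memberof=CN=Kace_Admins,{USERS})))")

DIRECTORY = [  # constructed sample entries, not from the presentation
    {"samaccountname": ["apollo"], "memberof": [f"CN=London,{USERS}"]},
    {"samaccountname": ["starbuck"],
     "memberof": [f"CN=Paris,{USERS}", f"CN=Kace_Admins,{USERS}"]},
    {"samaccountname": ["boomer"], "memberof": [f"CN=Madrid,{USERS}"]},
]

def authenticate(login, template=TEMPLATE, directory=DIRECTORY):
    """Return the account names selected once KBOX_USER is substituted."""
    tree = parse(substitute(template, login))
    return [e["samaccountname"][0] for e in directory if matches(tree, e)]
```

Calling `authenticate("starbuck")` returns an empty list because the NOT clause excludes Kace_Admins members, and a login containing `(`, `)` or `*` is compared as a literal name instead of changing the filter's structure.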

Editor's notes

  1. Base DN: Base Distinguished Name (DN) refers to the BASE LEVEL wherein anyone or anything you want to search for might be kept. For the above, a Base DN to include a user would have to be: OU=Users,DC=KACE,DC=com. If you wanted to authenticate based on a security group, then the group must also be located under the Base DN, meaning I may need to shift my entry point up. *** WHEN AUTHENTICATING ON A GROUP, DO SO OFF OF A SECURITY GROUP, NOT A DISTRIBUTION GROUP. DOING BOTH CAN CAUSE DUPLICATION OF ITEMS INSIDE THE APPLIANCE
  2. memberOf - Specifies which security groups and OUs an object is a member of. You can have many memberOf attributes. objectClass - Provides the class of the object. This could be Person or Computer, or any number of possibilities provided by your directory application. See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx objectGUID - This is a Unique Identifier for the object. It is set by the system when the object is created and cannot be changed. userPrincipalName - This attribute contains the UPN that is shorter than the distinguished name and easier to remember. By convention, this can map to the user email name if your directory service doesn’t have the email address populated.
  3. • Device: Labels applied to device records. This is useful if you want to automatically group devices by name, description, and other LDAP criteria. Each time a device checks in to the appliance, this query runs against the LDAP server. The admin value in the Search Filter field is replaced with the name of the user that is logged in to the device. If a result is returned, the device is assigned the label specified in the Associated Label Name field. During the filter processing, the K1000 replaces all KBOX_ defined variables with their respective runtime values. Supported variables include: KBOX_COMPUTER_NAME, KBOX_COMPUTER_DESCRIPTION, KBOX_COMPUTER_MAC, KBOX_COMPUTER_IP, KBOX_USERNAME, KBOX_USER_DOMAIN, KBOX_DOMAINUSER, KBOX_CUSTOM_INVENTORY_*. The KBOX_CUSTOM_INVENTORY_* field can be used to check a custom inventory value. The * is replaced with the Display Name of the custom inventory rule. Allowed characters are [a-z0-9.-]. Any other characters are replaced with an underscore (_). • User: Labels applied to user records. This is useful if you want to automatically group users by domain, location, budget code, or other LDAP criteria. LDAP Labels are applied to or removed from user records when users are imported to the appliance manually or according to a schedule. Supported variables include: KBOX_USER_NAME, KBOX_FULL_NAME, KBOX_EMAIL, KBOX_DOMAIN, KBOX_BUDGET_CODE, KBOX_LOCATION, KBOX_WORK_PHONE, KBOX_HOME_PHONE, KBOX_MOBILE_PHONE, KBOX_PAGER_PHONE, KBOX_CUSTOM_1, KBOX_CUSTOM_2, KBOX_CUSTOM_3, KBOX_CUSTOM_4, KBOX_ROLE_ID, KBOX_API_ENABLED, KBOX_LOCALE_BROWSER_ID, KBOX_HD_DEFAULT_QUEUE_ID, KBOX_LDAP_UID. NOTE: To test a label, replace KBOX_ variables with real values, then select Test.
  4. Distinguished Names are formed by listing the objects from most restrictive to the least restrictive. Each section should declare what you are calling (e.g. DC=, CN=, etc.) and be separated by a comma.
  5. We can use logical operators in the Search Filter, so all the rules of DNs apply, but we can now add additional filter options. () = Parentheses - Standard mathematical delineator for organizing the order of operation or evaluation. & = Ampersand - Signifies that both* conditions MUST be true (AND) | = Pipe - Signifies that one condition MUST be true (OR) In an LDAP Search Filter the following basic syntax is used: (condition) or (&(condition1)(condition2)) or (|(condition1)(condition2)) (condition) - Only look for entries where this condition is true (&(condition1)(condition2)) - Only look for entries where Condition1 AND Condition2 are true (|(condition1)(condition2)) - Only look for entries where either Condition1 OR Condition2 is true The way this would look with an actual LDAP filter is as follows: (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
  6. Can do one query per domain if desired. This is simpler to set up, but requires manual elevation of users needing permissions beyond the default role. Be certain to discuss the default servers! REMOVE THEM!
  7. For normal LDAP (not LDAPS), if you have a particularly large environment you can try using Port 3268 instead of 389. This calls info from the Global Catalog. It’s a faster query in general and is not limited to a single domain. This can resolve timeout issues if you have a very large directory structure. If the GC service is shut off on the server targeted by the query, this will obviously fail. Base DN: Make sure you have no extra spaces or line feeds in there. It will cause the query to fail. Search Filter: Make sure you have no extra spaces or line feeds in there. It will cause the query to fail. Credentials: Login can be as shown, user principal name (user@domain.com) or Distinguished Name (cn=Bob,OU=Users,DC=domain,DC=com)
  8. Stress that if you're going against an OU, it's far better to use a simple Search Filter and use the OU as your Base DN.
  9. Discuss no extra lines, no extra spaces!
  10. All users of the domain, that are part of the K1 Users group will be authenticated. Note that the DN for the K1 Users group points to a different OU than your user accounts are likely to be. (Security Groups OU) Not the most efficient due to searching the entire AD tree to find a single entry. If all of the K1 Users group are in the same OU, it would be far better to use a more open filter with a more focused Base DN.
  11. Both methods may provide you with the same list of users. Option 2 is significantly more efficient in that it is a much more focused search (Base DN in the correct OU), and has far fewer criteria to compare against (Search Filter).
  12. Mention that the top part of the screen, cut off in the picture, is just the filter that we started the import from. It cannot be edited in this screen.
  13. Discuss mapping options. Make sure to point out the Labels section in the very lower left of the image. If mail is not an attribute that is populated in the directory services, userPrincipalName can be used instead.
  14. Based off LDAP attributes. How often do we change these? While the LDAP label itself is dynamic, it will only change when we change AD. LDAP User Labels are very useful in service desk applications, especially if you have high staff turnover. They automatically update after a change is made in AD, at the next user login or next user import. Only way to automate putting your users into labels. LDAP Machine Labels are very useful as well. They are also updated after changes in AD are made, but they are updated at machine inventory. Remember that machines are mobile. Just because the machine account exists in a particular location’s OU doesn’t mean that it actually IS in that physical location when you deploy software, patches or scripts to it. Good for showing where a machine is assigned; use a Smart Label to show where that machine actually is (by IP, for example).
  15. There are two types of User filters. If the Search Filter contains the name of the label and the user, then if there is any result row, the user must be in the label specified above. In this case you do not need to fill in the Label Attribute. In the second case, the search only specifies the name of the user, which has an attribute like memberOf that lists all the labels that user is in. In this case, we need to know the name of the attribute to retrieve. Fill in the name of the attribute for Label Attribute. If any of these results match a User Filter label then the label will be set on the user. If specified, the Label Prefix will be prepended to the results of the Label Attribute to construct the label name. This would need to match the prefix that was specified during Import User.
  16. Portal: http://www.software.dell.com/support Ticket Entry: https://support.software.dell.com/create-service-request Videos: https://support.software.dell.com/essentials/getting-started