Your LDAP Directory, such as Active Directory, already knows lots of things about your users, computers, groups, and more. By leveraging that information, we can learn how to automate and integrate your KACE Appliances using your existing infrastructure. Learn more: http://dell.to/1GDYpr8
4. Dell World User Forum
Benefits of using LDAP Authentication
• Allows for integrated authentication utilizing a Directory Service such as Active Directory
• Assigns Roles at first import
• One less set of passwords to remember
• Can import users from LDAP for Asset tracking
• Import more information
• Use LDAP info for permissions, software assignment, and more through LDAP labels.
5. Dell World User Forum
LDAP Process Flow
*No passwords stored on appliance
(Diagram) User Login -> LDAP Queried by K1000 -> User Authenticated and Imported -> Access Granted
6. Dell World User Forum
LDAP Terminology
• OU = Organizational Unit. Remember: each user can be in only one of these.
• DC = Domain Component. Top-level domain identifiers, such as Kace.com
• DN = Distinguished Name. Everything has one. This is the complete proper name describing an object.
• CN = Common Name. Every object has one. Simplified name of DN for an object. Some default containers are CNs (Computers).
• Attributes: Data fields holding information about a CN, such as a user's Telephone Number, Delivery Address, Group Membership
8. Dell World User Forum
LDAP Attributes
An Attribute is a data field that helps to classify the Domain Object. These attributes could contain the user's email address, phone number or a security group they are a part of.
• memberOf
• objectClass- See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx
• objectGUID
• userPrincipalName
• More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx
9. Dell World User Forum
K1000 LDAP Label Variables
The K1000 variables can be placed inside the search filter to pass information from the K1000
into LDAP. This is useful for user login and creating LDAP Labels.
• Machine Variables are passed to the filter at machine checkin.
• User variables are passed to the filter at User Log in.
10. Dell World User Forum
Distinguished Names
• The Following Domain Tree:
• Battlestar.Local
– (OU) Galactica
› (OU) Pilots
o (OU) Viper
• This would be listed as follows:
– OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local
Most Restrictive ================> Least Restrictive
11. Dell World User Forum
Search Filter
• () = Parentheses - Standard logical delineator for organizing the order of operation or evaluation.
• & = Ampersand - Signifies that both* conditions MUST be true (AND)
• | = Pipe - Signifies that one condition MUST be true (OR)
In an LDAP Search Filter the following basic syntax is used:
• (condition)
• (&(condition1)(condition2))
• (|(condition1)(condition2))
• The way this would look with an actual LDAP filter is as follows:
• (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
13. Dell World User Forum
Creating & Understanding Existing Roles
• Dell KACE K1000 has four default Roles
– Administrator
– Read Only Administrator
– User Console Only
– No Access
• Default Roles cannot be changed or deleted. They can be duplicated
• Use custom roles for your users
• Dell KACE K2000 has two Roles
– Admin
– Login Not Allowed
• Custom Roles are not allowed
15. Dell World User Forum
Configuring LDAP Authentication
• Configure one query per role*
• Authentication works in cascading order
– Admins on top, Users on bottom, everything else in between
– Remove unnecessary queries
16. Dell World User Forum
LDAP Authentication Detail
• Enter Hostname/IP and Port
– LDAP: server/IP & 389
– LDAPS: ldaps://server/IP & 636
• Enter Base DN
– Where am I starting my search?
– Search is recursive, it will search subdirectories
• Enter Search Filter
– How am I narrowing my search?
– KBOX_USER is a variable replaced at runtime
• Provide credentials for K1000
– Read access to LDAP is needed
17. Dell World User Forum
LDAP Search Filters
• Base filter: (samaccountname=KBOX_USER)
• Users only: (objectCategory=user)
• Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)
Available operators:
• AND &
• OR |
• NOT !
• Operators are placed in front of operands, not in between!!
• (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))
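The following is an added example, not code from the deck or from the K1000 itself. It implements the prefix-operator filter syntax from the "Search Filter" and "LDAP Search Filters" slides as a small parser and evaluator, then runs a filter shaped like the "Excluding Users" example (member of London or Berlin or Paris, but not of Kace_Admins) over a constructed directory. The London, Berlin and Paris group DNs and the user entries are assumptions; only the Kace_Admins DN comes from the slides.

```python
"""Minimal LDAP search-filter parser and evaluator (prefix-operator syntax).

Added example, not code from the deck or from the K1000. It demonstrates the
filter syntax on the "Search Filter" and "LDAP Search Filters" slides:
operators go in front of their operands, (&(a)(b)) is AND, (|(a)(b)) is OR,
(!(a)) is NOT. The directory entries and group DNs below are constructed
sample data; only CN=Kace_Admins,CN=Users,DC=kace,DC=local comes from the deck.
RFC 4515 escape sequences (\\2a etc.) are not decoded in this toy.
"""
import re

_SIMPLE = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)')


def parse_filter(text):
    """Parse a filter string into a tree of tuples:
    ('and', [subs]) | ('or', [subs]) | ('not', sub) | ('eq', attr, value).
    Trailing text (including a stray line feed) is an error, as on the appliance."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('unexpected text after filter at position %d' % pos)
    return tree


def _parse(text, pos):
    if pos >= len(text) or text[pos] != '(':
        raise ValueError("expected '(' at position %d" % pos)
    pos += 1
    op = text[pos:pos + 1]
    if op in ('&', '|'):
        pos += 1
        subs = []
        while pos < len(text) and text[pos] == '(':   # one or more operands
            sub, pos = _parse(text, pos)
            subs.append(sub)
        if not subs:
            raise ValueError('operator %s has no operands' % op)
        node = ('and' if op == '&' else 'or', subs)
    elif op == '!':
        sub, pos = _parse(text, pos + 1)
        node = ('not', sub)
    else:
        m = _SIMPLE.match(text, pos)
        if not m:                      # e.g. a stray space before the attribute
            raise ValueError('bad attribute=value at position %d' % pos)
        node = ('eq', m.group(1), m.group(2))
        pos = m.end()
    if text[pos:pos + 1] != ')':
        raise ValueError("expected ')' at position %d" % pos)
    return node, pos + 1


def is_valid_filter(text):
    """True if the filter parses; the deck's advice about no extra spaces or
    line feeds shows up here as a parse failure."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> list of
    strings). Names and values compare case-insensitively, as AD does for
    most string attributes; a value of '*' is a presence test."""
    kind = node[0]
    if kind == 'and':
        return all(matches(s, entry) for s in node[1])
    if kind == 'or':
        return any(matches(s, entry) for s in node[1])
    if kind == 'not':
        return not matches(node[1], entry)
    attr, want = node[1].lower(), node[2].lower()
    have = [v.lower() for k, vals in entry.items() if k.lower() == attr for v in vals]
    return bool(have) if want == '*' else want in have


# Constructed sample directory: three users and one computer account.
DIRECTORY = [
    {'sAMAccountName': ['starbuck'], 'objectCategory': ['user'],
     'memberOf': ['CN=London,OU=Groups,DC=kace,DC=local']},
    {'sAMAccountName': ['apollo'], 'objectCategory': ['user'],
     'memberOf': ['CN=Paris,OU=Groups,DC=kace,DC=local',
                  'CN=Kace_Admins,CN=Users,DC=kace,DC=local']},
    {'sAMAccountName': ['helo'], 'objectCategory': ['user'],
     'memberOf': ['CN=Berlin,OU=Groups,DC=kace,DC=local']},
    {'sAMAccountName': ['galactica01$'], 'objectCategory': ['computer'],
     'memberOf': ['CN=London,OU=Groups,DC=kace,DC=local']},
]

# Shape of the "Excluding Users" slide: users only, member of London or Berlin
# or Paris, but not a member of Kace_Admins.
EXCLUDING_ADMINS = (
    '(&(objectCategory=user)'
    '(|(memberOf=CN=London,OU=Groups,DC=kace,DC=local)'
    '(memberOf=CN=Berlin,OU=Groups,DC=kace,DC=local)'
    '(memberOf=CN=Paris,OU=Groups,DC=kace,DC=local))'
    '(!(memberOf=CN=Kace_Admins,CN=Users,DC=kace,DC=local)))'
)


def search(filter_text, entries=DIRECTORY):
    """Return the sAMAccountName of every entry the filter matches."""
    tree = parse_filter(filter_text)
    return [e['sAMAccountName'][0] for e in entries if matches(tree, e)]


if __name__ == '__main__':
    print(search(EXCLUDING_ADMINS))                                  # ['starbuck', 'helo']
    print(is_valid_filter('(&(objectClass=Person)( memberOf=x))'))  # False
```

The parser rejects the stray space in `( memberOf=` and any trailing line feed, which is the same failure the speaker notes warn about for the Base DN and Search Filter fields; running a filter through it before pasting it into the appliance is a cheap syntax check.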
18. Dell World User Forum
LDAP Example: Multiple Security Groups
(Diagram) Group 1 OR Group 2 OR Group 3
19. Dell World User Forum
LDAP Example: Excluding Users
(Diagram) Member of London or Berlin or Paris, but not member of Kace_Admins
22. Dell World User Forum
Exercise: Enabling External LDAP Authentication
23. Dell World User Forum
LDAP Import – Step 1
• Refine your attributes list
– Supplement default list if needed
• Label Attribute
– Typically “memberof”
– Creates blank LDAP Labels
– Change Prefix as desired
– Remove if not used
• Set Max # Rows
• Set Email Recipients
• Set Scheduling
24. Dell World User Forum
LDAP Import – Step 2
• Map the first four attributes
– LDAP UID = objectguid
– User Name = samaccountname
– Full Name = name, displayname
– Email = mail*
• Map other fields as needed
– Custom attributes come into play
– Must have identified them in step 1
– Must be in preview table
• Assign role
• Create user labels as desired
25. Dell World User Forum
LDAP Import – Step 3
• Review import data
– Look for errors or bad data
• Import when ready!
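An added example, not the appliance's import code, that carries the three import steps through on constructed data: the attribute list from Step 1, the Step 2 field mapping (LDAP UID = objectguid, User Name = samaccountname, Full Name = name or displayname, Email = mail, falling back to userPrincipalName when mail is not populated) and the Step 3 review for errors or bad data. The people, GUIDs and the mapping of objectGUID from its raw 16-byte form are assumptions; "User Console Only" is one of the default roles named on the roles slide.

```python
"""Map raw LDAP user entries to appliance user records and review them.

Added example, not the K1000's import code. It carries the three import steps
through on constructed entries: the attribute list from Step 1, the Step 2
mapping (LDAP UID = objectguid, User Name = samaccountname, Full Name = name
or displayname, Email = mail with the userPrincipalName fallback the notes
mention) and the Step 3 review for errors or bad data. The role name is one of
the deck's default roles; the people and GUIDs are made up.
"""
import uuid

# Step 1: the attributes the import asks the directory for.
IMPORT_ATTRIBUTES = ['objectGUID', 'sAMAccountName', 'name', 'displayName',
                     'mail', 'userPrincipalName', 'memberOf']


def first_value(entry, *attrs):
    """First non-empty string among the listed attributes, looked up
    case-insensitively as AD does."""
    lowered = {k.lower(): v for k, v in entry.items()}
    for attr in attrs:
        for v in lowered.get(attr.lower(), []):
            if isinstance(v, str) and v.strip():
                return v.strip()
    return None


def guid_text(value):
    """objectGUID comes back as 16 raw bytes; render it as a GUID string.
    An already-rendered string is returned unchanged."""
    if isinstance(value, (bytes, bytearray)):
        return str(uuid.UUID(bytes_le=bytes(value)))
    return str(value).strip()


def map_user(entry, role='User Console Only'):
    """Step 2 field mapping for one directory entry."""
    raw_guid = next((v for k, vals in entry.items()
                     if k.lower() == 'objectguid' for v in vals), None)
    return {
        'ldap_uid': guid_text(raw_guid) if raw_guid is not None else None,
        'user_name': first_value(entry, 'sAMAccountName'),
        'full_name': first_value(entry, 'name', 'displayName'),
        'email': first_value(entry, 'mail', 'userPrincipalName'),
        'role': role,
    }


def review_import(entries):
    """Step 3: map every entry and list what an admin should fix before
    clicking import: missing UID or user name, no email, duplicate names."""
    records, problems, seen = [], [], set()
    for entry in entries:
        rec = map_user(entry)
        who = rec['user_name'] or rec['ldap_uid'] or '<unknown>'
        if not rec['ldap_uid']:
            problems.append('%s: no objectGUID (LDAP UID required)' % who)
        if not rec['user_name']:
            problems.append('%s: no sAMAccountName (User Name required)' % who)
        if not rec['email']:
            problems.append('%s: no mail or userPrincipalName' % who)
        key = (rec['user_name'] or '').lower()
        if key in seen:
            problems.append('%s: duplicate user name' % who)
        elif key:
            seen.add(key)
        records.append(rec)
    return records, problems


# Constructed preview data: one complete user, one without mail, one broken.
SAMPLE_ENTRIES = [
    {'objectGUID': [uuid.UUID('12345678-1234-5678-1234-567812345678').bytes_le],
     'sAMAccountName': ['starbuck'], 'name': ['Kara Thrace'],
     'mail': ['starbuck@battlestar.local']},
    {'objectGUID': ['6f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b'],
     'sAMAccountName': ['apollo'], 'displayName': ['Lee Adama'],
     'userPrincipalName': ['apollo@battlestar.local']},   # no mail attribute
    {'sAMAccountName': ['helo'], 'name': ['Karl Agathon']},  # no GUID, no mail
]


if __name__ == '__main__':
    records, problems = review_import(SAMPLE_ENTRIES)
    for r in records:
        print(r)
    print(problems)
```

The review step is where the deck's "look for errors or bad data" becomes concrete: a record without an objectGUID cannot be tracked across renames, and a duplicate sAMAccountName would collide on the appliance, so both are reported before anything is imported.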
27. Dell World User Forum
Understanding LDAP Labels
• Similar to Smart Labels, but uses LDAP info
• LDAP User Labels are essential for efficient Service Desk or User Portal usage
• LDAP Machine Labels are highly useful as a complement to Smart Labels
28. Dell World User Forum
LDAP Label Creation
We need a manual label first
• Home > Labels > Label Management > Choose Action > New Manual Label
29. Dell World User Forum
LDAP label creation
Home > Labels > LDAP Labels> Choose Action > New
31. Dell World User Forum
Alternative to LDAP Labels – LDAP Smart Labels
• Based upon Custom Inventory Field
– RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)
• Lists complete AD path to machine account
32. Dell World User Forum
Alternative to LDAP Labels – LDAP Smart Labels Pt. 2
• Create Smart Labels targeting the Custom Inventory
34. Dell World User Forum
Single Sign-On
• Kace.uservoice.com top feature request first implemented in v5.5
• Settings > Control Panel > Security Settings
• Single Sign-On allows your users to log into the K1000 Appliance without having to enter their User name or password.
• The K1000 can only use one domain for single sign-on.
36. Dell World User Forum
Using Single Sign-On
To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address will direct you to the login page.
Supported browsers are:
• Chrome
– Chrome requires no modifications at this time.
• Firefox
– In Firefox, type about:config in the address bar
– In the search field type the following: network.negotiate-auth.trusted-uris
– In the search results, double-click the name of the preference
– In the string value box, enter the URL of the Kace Appliance then click OK.
37. Dell World User Forum
Using Single Sign-On Pt. 2
• Internet Explorer
– In IE, click Tools > Internet Options > Security
– Select the appropriate security policy:
– Add K1000 to trusted sites
– Click custom level then scroll to the bottom of the list.
– Select automatic logon with current username and password. If this option is not set, Internet Explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.
39. Dell World User Forum
KACE Support Portal Migrating to Dell Software Support Portal
• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal
• All service requests will be submitted by the portal or by phone
• Same great content
– Knowledge base articles
– Video tutorials
– Product documentation
– JumpStart training
• Check out the Support Portal Getting Started videos
Editor's Notes
Base DN
Base Distinguished Name (DN) refers to the BASE LEVEL wherein anyone or anything you want to search for might be kept.
For the above:
For a Base DN to include a user, it would have to be: OU=Users,DC=KACE,DC=com
If you wanted to authenticate based on a security group, then the group must also be located under the Base DN, meaning I may need to shift my entry point up.
*** WHEN AUTHENTICATING ON A GROUP, DO SO OFF OF A SECURITY GROUP, NOT A DISTRIBUTION GROUP. DOING BOTH CAN CAUSE DUPLICATION OF ITEMS INSIDE THE APPLIANCE
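An added example, not from the deck or the K1000, covering the "Distinguished Names" slide and the Base DN note above: it splits a DN into its components (most restrictive first), builds one from a container path, and checks whether an object a query must reach actually sits under the chosen Base DN, which is the reason the note gives for shifting the entry point up. The Battlestar.Local tree is the deck's own example; the KACE.com user, group and Base DNs are constructed, and the group is placed in a separate Security Groups OU as the later notes describe.

```python
"""Distinguished Name helpers: split a DN into its RDNs, build one from a
container path, and check whether an object sits under a Base DN.

Added example, not from the deck or the K1000. It shows the "Distinguished
Names" slide (most restrictive component first, comma separated) and the
Base DN note: a recursive search only reaches objects whose DN ends with the
Base DN, so a query that has to reach both a user and a group may need its
entry point shifted up. The Battlestar.Local tree is the deck's own example;
the KACE.com user, group and Base DNs below are constructed.
"""


def split_dn(dn):
    """'OU=Viper,OU=Pilots,DC=Battlestar,DC=Local' ->
    [('OU', 'Viper'), ('OU', 'Pilots'), ('DC', 'Battlestar'), ('DC', 'Local')].
    A backslash escapes the next character (RFC 4514), so 'CN=Adama\\, William'
    stays one RDN; whitespace around separators is ignored."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):       # escaped char, taken literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    rdns = []
    for part in parts:
        if '=' not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_from_path(domain, *containers):
    """Build a DN from a dotted domain and the OU path from the top down:
    dn_from_path('Battlestar.Local', 'Galactica', 'Pilots', 'Viper')
    -> 'OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local'."""
    ous = ['OU=%s' % c for c in reversed(containers)]
    dcs = ['DC=%s' % d for d in domain.split('.')]
    return ','.join(ous + dcs)


def is_under_base_dn(object_dn, base_dn):
    """True if object_dn is at or below base_dn, i.e. a recursive search from
    base_dn would reach it. Comparison is case-insensitive, as AD treats
    attribute types and most DN values."""
    obj = [(a, v.lower()) for a, v in split_dn(object_dn)]
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    return len(obj) >= len(base) and obj[-len(base):] == base


def outside_base_dn(base_dn, *needed_dns):
    """The DNs a query depends on that a search from base_dn cannot reach."""
    return [dn for dn in needed_dns if not is_under_base_dn(dn, base_dn)]


# Constructed objects for the Base DN note: users in their own OU and the
# group in a separate Security Groups OU.
USER_DN = 'CN=Bob,OU=Users,DC=KACE,DC=com'
GROUP_DN = 'CN=Kace_Admins,OU=Security Groups,DC=KACE,DC=com'
USERS_BASE = 'OU=Users,DC=KACE,DC=com'
DOMAIN_BASE = 'DC=KACE,DC=com'


if __name__ == '__main__':
    print(dn_from_path('Battlestar.Local', 'Galactica', 'Pilots', 'Viper'))
    print(outside_base_dn(USERS_BASE, USER_DN, GROUP_DN))   # the group is outside
    print(outside_base_dn(DOMAIN_BASE, USER_DN, GROUP_DN))  # []
```

With OU=Users as the Base DN the group object is outside the search scope, so the check reports it; moving the Base DN up to DC=KACE,DC=com reaches both, at the cost of the broader search the later notes warn about.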
memberOf - Specifies which security groups and OUs an object is a member of. You can have many memberOf attributes.
objectClass - Provides the class of the object. This could be Person, Computer, or any number of other possibilities provided by your directory application. See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx
objectGUID - This is a Unique Identifier for the object. It is set by the system when the object is created and cannot be changed.
userPrincipalName - This attribute contains the UPN, which is shorter than the distinguished name and easier to remember. By convention, this can map to the user's email name if your directory service doesn't have the email address populated.
• Device: Labels applied to device records. This is useful if you want to automatically group devices by name, description, and other LDAP criteria. Each time a device checks in to the appliance, this query runs against the LDAP server. The admin value in the Search Filter field is replaced with the name of the user that is logged in to the device. If a result is returned, the device is assigned the label specified in the Associated Label Name field.
During the filter processing, the K1000 replaces all KBOX_ defined variables with their respective runtime values.
Supported variables include:
KBOX_COMPUTER_NAME, KBOX_COMPUTER_DESCRIPTION, KBOX_COMPUTER_MAC, KBOX_COMPUTER_IP, KBOX_USERNAME, KBOX_USER_DOMAIN, KBOX_DOMAINUSER, KBOX_CUSTOM_INVENTORY_*
The KBOX_CUSTOM_INVENTORY_* field can be used to check a custom inventory value. The * is replaced with the Display Name of the custom inventory rule. Allowed characters are [a-z0-9.-]. Any other characters are replaced with an underscore (_).
• User: Labels applied to user records. This is useful if you want to automatically group users by domain, location, budget code, or other LDAP criteria. LDAP Labels are applied to or removed from user records when users are imported to the appliance manually or according to a schedule.
Supported variables include:
KBOX_USER_NAME, KBOX_FULL_NAME, KBOX_EMAIL, KBOX_DOMAIN, KBOX_BUDGET_CODE, KBOX_LOCATION, KBOX_WORK_PHONE, KBOX_HOME_PHONE, KBOX_MOBILE_PHONE, KBOX_PAGER_PHONE, KBOX_CUSTOM_1, KBOX_CUSTOM_2, KBOX_CUSTOM_3, KBOX_CUSTOM_4, KBOX_ROLE_ID, KBOX_API_ENABLED, KBOX_LOCALE_BROWSER_ID, KBOX_HD_DEFAULT_QUEUE_ID, KBOX_LDAP_UID
NOTE: To test a label, replace KBOX_ variables with real values, then select Test.
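An added example of the variable replacement the notes above describe; it is not the K1000's own code, and the deck does not show how the appliance performs the substitution. It applies the two stated rules (every KBOX_ variable is replaced with its runtime value; the custom inventory display name in KBOX_CUSTOM_INVENTORY_* is reduced to [a-z0-9.-] with other characters becoming underscores) and reports any KBOX_ name left unresolved, which is what the "replace with real values, then Test" step would expose as a typo. Two details are assumptions made here: the display name is lowercased before the character check, and runtime values are escaped in RFC 4515 form so that a description containing "(" or "*" is matched literally rather than read as filter syntax. The machine values are constructed.

```python
"""Runtime substitution of KBOX_ variables into an LDAP label search filter.

Added example; it is not the K1000's own code and the deck does not show how
the appliance performs the replacement. It follows the two rules the notes
give: every KBOX_ variable is replaced by its runtime value, and the custom
inventory display name in KBOX_CUSTOM_INVENTORY_* is reduced to [a-z0-9.-]
with other characters becoming '_'. Two details are assumptions made here:
the display name is lowercased before that check, and substituted values are
escaped in RFC 4515 form so that a description containing '(' or '*' is
matched literally instead of being read as filter syntax.
"""
import re

_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def custom_inventory_variable(display_name):
    """Variable name for a custom inventory rule, e.g. 'AD Distinguished Name'
    -> 'KBOX_CUSTOM_INVENTORY_ad_distinguished_name'."""
    return 'KBOX_CUSTOM_INVENTORY_' + re.sub(r'[^a-z0-9.-]', '_', display_name.lower())


def substitute_variables(filter_template, runtime_values):
    """Replace every KBOX_ variable in the template with its (escaped) runtime
    value. Longer names are replaced first so KBOX_USER_DOMAIN is not
    clobbered by KBOX_USER. Returns (filled_filter, unresolved_names); the
    second list is what the notes' 'replace KBOX_ variables with real values,
    then Test' step would reveal as a typo or an unsupported variable."""
    filled = filter_template
    for name in sorted(runtime_values, key=len, reverse=True):
        filled = filled.replace(name, escape_filter_value(runtime_values[name]))
    unresolved = sorted(set(re.findall(r'KBOX_[A-Za-z0-9_.-]+', filled)))
    return filled, unresolved


# Constructed runtime values for one device check-in (no real hosts).
MACHINE_CHECKIN = {
    'KBOX_COMPUTER_NAME': 'GALACTICA01',
    'KBOX_COMPUTER_DESCRIPTION': 'Viper bay (deck 2)',
    'KBOX_USERNAME': 'starbuck',
    custom_inventory_variable('AD Distinguished Name'):
        'CN=GALACTICA01,OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local',
}

# A machine-label filter as an admin would type it into the appliance.
MACHINE_LABEL_FILTER = ('(&(objectClass=computer)(cn=KBOX_COMPUTER_NAME)'
                        '(description=KBOX_COMPUTER_DESCRIPTION))')


if __name__ == '__main__':
    filled, missing = substitute_variables(MACHINE_LABEL_FILTER, MACHINE_CHECKIN)
    print(filled)   # (&(objectClass=computer)(cn=GALACTICA01)(description=Viper bay \28deck 2\29))
    print(missing)  # []
```

Only the runtime values are escaped; a wildcard the admin writes into the template itself, such as `(cn=KBOX_COMPUTER_NAME*)`, is left alone.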
Distinguished Names are formed by listing the objects from most restrictive to least restrictive. Each section should declare what you are calling (e.g. DC=, CN=, etc.) and be separated by a comma.
We can use logical operators in the Search Filter, so all the rules of DNs apply, but we can now add additional filter options.
() = Parentheses - Standard Mathematical delineator for organizing the order of operation or evaluation.
& = Ampersand - Signifies that both* conditions MUST be true (AND)
| = Pipe - Signifies that one condition MUST be true (OR)
In an LDAP Search Filter the following basic syntax is used:
(condition) or (&(condition1)(condition2)) or (|(condition1)(condition2))
(condition) - Only look for entries where this condition is true
(&(condition1)(condition2)) - Only look for entries where Condition1 AND Condition2 are true
(|(condition1)(condition2)) - Only look for entries where either Condition1 OR Condition2 is true
The way this would look with an actual LDAP filter is as follows:
(&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))
Can do one query per domain if desired. This is simpler to set up, but requires manual elevation of users needing permissions beyond the default role.
Be certain to discuss the default servers! REMOVE THEM!
For normal LDAP (Not LDAPS), if you have a particularly large environment you can try using Port 3268 instead of 389. This calls info from the Global Catalog. It’s a faster query in general and is not limited to a single domain. This can resolve timeout issues if you have a very large directory structure. If the GC service is shut off on the server targeted by the query, this will obviously fail.
Base DN: Make sure you have no extra spaces or line feeds in there. It will cause the query to fail.
Search Filter: Make sure you have no extra spaces or line feeds in there. It will cause the query to fail.
Credentials: Login can be as shown, user principal name (user@domain.com) or Distinguished Name (cn=Bob,OU=Users,DC=domain,DC=com)
Stress that if you're going against an OU, it's far better to use a simple Search Filter and use the OU as your Base DN.
Discuss no extra lines, no extra spaces!
All users of the domain that are part of the K1 Users group will be authenticated. Note that the DN for the K1 Users group points to a different OU than your user accounts are likely to be in (Security Groups OU).
Not the most efficient due to searching the entire AD tree to find a single entry. If all of the K1 Users group are in the same OU, it would be far better to use a more open filter with a more focused Base DN.
Both methods may provide you with the same list of users. Option 2 is significantly more efficient in that it is a much more focused search (Base DN in the correct OU), and has far fewer criteria to compare against (Search Filter).
Mention that the top part of the screen, cut off in the picture, is just the filter that we started the import from. It cannot be edited in this screen.
Discuss mapping options. Make sure to point out the Labels section in the very lower left of the image.
If mail is not an attribute that is populated in the directory services, userPrincipalName can be used instead.
Based off LDAP Attributes. How often do we change these? While the LDAP label itself is dynamic, it will only change when we change AD.
LDAP User Labels are very useful in service desk applications
Especially if you have high staff turnover
They automatically update after a change is made in AD, at the next User login or next User Import
Only way to automate putting your users into labels
LDAP Machine Labels are very useful as well
They are also updated after changes in AD are made, but they are updated at machine inventory
Remember that machines are mobile. Just because the machine account exists in a particular location's OU doesn't mean that it actually IS in that physical location when you deploy software, patches or scripts to it. Good for showing where a machine is assigned; use a Smart Label to show where that machine actually is (by IP, for example).
There are two types of User filters. If the Search Filter contains the name of label and the user, then if there is any result row, the user must be in the label specified above. In this case you do not need to fill in the Label Attribute.
In the second case, the search only specifies the name of the user which has an attribute like memberOf that lists all the labels that user is in. In this case, we need to know the name of the attribute to retrieve. Fill in the name of the attribute for Label Attribute. If any of these results match a User Filter label then the label will be set on the user.
If specified, the Label Prefix will be prepended to the results of the Label Attribute to construct the label name. This would need to match the prefix that was specified during Import User.
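An added example, not the appliance's code, of the two kinds of user filter described in the last three notes and of the Label Attribute and Label Prefix settings from the import Step 1 slide. In the first kind the search filter already names the group, so any result row means the user gets the associated label; in the second the search returns the user, the Label Attribute (memberOf) lists the groups, and each leaf name with the prefix in front is applied when an LDAP label of that name exists. The group DNs, the label names and the AD_ prefix are constructed.

```python
"""Derive LDAP user labels from a Label Attribute such as memberOf.

Added example, not the appliance's code. It shows the two kinds of user filter
the notes describe. In the first, the search filter already names the group,
so any result row means the user gets the associated label. In the second,
the search returns the user and the Label Attribute lists the groups; each
value's leaf name, with the Label Prefix in front, is applied when it matches
an existing LDAP label. Group DNs, label names and the prefix are constructed.
"""
import re

_LEAF = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*=((?:\\.|[^,])*)')


def rdn_value(dn):
    """Leaf name of a DN: 'CN=London,OU=Groups,DC=kace,DC=local' -> 'London'.
    A backslash-escaped comma inside the leaf value is kept."""
    m = _LEAF.match(dn)
    if not m:
        raise ValueError('not a DN: %r' % dn)
    return m.group(1).replace('\\,', ',').strip()


def label_from_filter_result(rows, associated_label):
    """First kind of user filter: the filter itself contains the label's group
    and the user, so a non-empty result means the label applies."""
    return [associated_label] if rows else []


def labels_from_attribute(entry, existing_labels, label_attribute='memberOf', prefix=''):
    """Second kind: prefix + leaf name of each value of the label attribute,
    kept only when an LDAP label of that name exists. Returns (apply, unmatched);
    the unmatched names are the groups that have no label yet."""
    lowered = {k.lower(): v for k, v in entry.items()}
    known = {name.lower() for name in existing_labels}
    apply, unmatched = [], []
    for value in lowered.get(label_attribute.lower(), []):
        name = prefix + rdn_value(value)
        (apply if name.lower() in known else unmatched).append(name)
    return sorted(apply), sorted(unmatched)


# Constructed: labels created at import with prefix 'AD_', and one user record.
LDAP_LABELS = ['AD_London', 'AD_Berlin', 'AD_Paris']
STARBUCK = {'sAMAccountName': ['starbuck'],
            'memberOf': ['CN=London,OU=Groups,DC=kace,DC=local',
                         'CN=Domain Users,CN=Users,DC=kace,DC=local']}


if __name__ == '__main__':
    print(labels_from_attribute(STARBUCK, LDAP_LABELS, prefix='AD_'))
    # (['AD_London'], ['AD_Domain Users'])
    print(label_from_filter_result([STARBUCK], 'London Pilots'))   # ['London Pilots']
```

The unmatched list is the useful diagnostic: if the prefix used at label creation differs from the one used at import (the mismatch the last note warns about), every group lands there and no label is applied.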