LDAP Integration

1Dell World User Forum

UFIL510: LDAP Integration

Shawn Carson, Senior TrainerJeff Plaza, Senior Trainer

Dell WorldUser Forum

Agenda

• What is LDAP?

• K1000 Roles

• LDAP Authentication & Importing

• K1000 LDAP Labels

• K1000 Single Sign-On

3 Dell World User Forum

What is LDAP?

Benefits of using LDAP Authentication

• Allows for integrated authentication utilizing a Directory Service such as Active

Directory

• Assigns Roles at first import

• One less set of passwords to remember

• Can import users from LDAP for Asset tracking

• Import more information

• Use LDAP info for permissions, software assignment, and more through LDAP labels.

LDAP Process Flow

*No passwords stored on appliance

User Authenticat

ed and Imported

Access GrantedUser Login

LDAP Queried by

LDAP Terminology

• OU= Organizational Unit. Remember- each user can be in only one of these.

• DC= Domain Component- Top Level Domain identifiers, such as Kace.com

• DN= Distinguished Name – Everything has one. This is the complete proper name describing an object.

• CN= Common Name, Every object has one. Simplified name of DN for an object. Some default containers are CNs (Computers).

• Attributes: Data Fields holding information about a CN, such as a user Telephone Number, Delivery Address, Group Membership

LDAP OverviewDC=ne

t DC=com

DC=KACE

OU=Users

samaccountname=KBOX_USER

OU=Computers

DC=org

LDAP Attributes

An Attribute is a data field that helps to classify the Domain Object. These attributes could contain the user’s email address, phone number or a security group they are a part of.

• memberOf

• objectClass- See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx

• objectGUID

• userPrincipalName

• More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx

K1000 LDAP Label VariablesThe K1000 variables can be placed inside the search filter to pass information from the K1000 into LDAP. This is useful for user login and creating LDAP Labels.

• Machine Variables are passed to the filter at machine checkin.

• User variables are passed to the filter at User Log in.

Distinguished Names

• The Following Domain Tree:

• Battlestar.Local – (OU) Galactica

› (OU) Pilotso (OU) Viper

• This would be listed as Follows:– OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local

Most Restrictive ================> Least Restrictive

Search Filter

• () = Parentheses - Standard logical delineator for organizing the order of operation or evaluation.

• & = Ampersand - Signifies that both* conditions MUST be true (AND)

• | = Pipe - Signifies that one condition MUST be true (OR)

In an LDAP Search Filter the follow basic syntax is used:

• (condition)

• (&(condition1)(condition2))

• (|(condition1)(condition2))

• The way this would look with an actual LDAP filter is as follows:

• (&(objectClass=Person)( memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))

Creating & Understanding Existing Roles

• Dell KACE K1000 has four default Roles– Administrator– Read Only Administrator– User Console Only– No Access

• Default Roles cannot be changed or deleted. They can be duplicated

• Use custom roles for your users

• Dell KACE K2000 has two Roles– Admin– Login Not Allowed

• Custom Roles are not allowed

LDAP Authentication

Configuring LDAP Authentication

• Configure one query per role*

• Authentication works in cascading order– Admins on top, Users on bottom, everything else in between– Remove unnecessary queries

LDAP Authentication Detail

• Enter Hostname/IP and Port– LDAP: server/IP & 389– LDAPS: ldaps://server/IP & 636

• Enter Base DN– Where am I starting my search?– Search is recursive, it will search subdirectories

• Enter Search Filter– How am I narrowing my search?– KBOX_USER is a variable replaced at runtime

• Provide credentials for K1000– Read access to LDAP is needed

LDAP Search Filters

• Base filter: (samaccountname=KBOX_USER)

• Users only: (objectCategory=user)

• Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)

Available operators:

• AND &

• OR |

• NOT !

• Operators are placed in front of operands, not in between!!

• (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))

LDAP Example: Multiple Security Groups

Group 1

Group 2

Group 3

LDAP Example: Excluding Users

But not Member of Kace_Admins

Member of London or Berlin or Paris

LDAP Authentication Examples

LDAP Authentication Examples Pt. 2

Dell World User Forum

Exercise: Enabling External LDAP Authentication

LDAP Import – Step 1

• Refine your attributes list– Supplement default list

if needed

• Label Attribute– Typically “memberof”– Creates blank LDAP Labels– Change Prefix as desired– Remove if not used

• Set Max # Rows

• Set Email Recipients

• Set Scheduling

• Map the first four attributes– LDAP UID = objectguid– User Name = samaccountname– Full Name = name, displayname– Email = mail*

• Map other fields as needed– Custom attributes come into play– Must have identified them in step 1– Must be in preview table

• Assign role

• Create user labels as desired

• Review import data– Look for errors or bad data

• Import when ready!

LDAP Labels

Understanding LDAP Labels

• Similar to Smart Labels, but uses LDAP info

• LDAP User Labels are essential for efficient Service Desk or User Portal usage

• LDAP Machine Labels are highly useful as a compliment to Smart Labels

LDAP Label Creation

We need a manual label first

• Home > Labels > Label Management > Choose Action > New Manual Label

LDAP label creationHome > Labels > LDAP Labels> Choose Action > New

Exercise: LDAP Label Creation

Alternative to LDAP Labels – LDAP Smart Labels

• Based upon Custom Inventory Field– RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\

Machine, Distinguished-Name, TEXT)

• Lists complete AD path to machine account

Alternative to LDAP Labels – LDAP Smart Labels Pt. 2

• Create Smart Labels targeting the Custom Inventory

Single Sign-On

• Kace.uservoice.com top feature request first implemented in v5.5

• Settings > Control Panel > Security Settings

• Single Sign-On allows your users to log into the K1000 Appliance without having to enter their User name or password.

• The K1000 can only use one domain for single sign-on.

Exercise: Single Sign-On

Using Single Sign-On

To use single sign-on, you must enter the hostname of the K1000 appliance in the browser, entering the IP address will direct you to the login page.

Supported browsers are:

• Chrome– Chrome requires no modifications at this time.

• Firefox– In Firefox, type about:config in the address bar– In the search field type the following: network.negotiate-auth.trusted-uris– In the search results, double-click the name of the preference– In the string value box, enter the URL of the Kace Appliance then click OK.

Using Single Sign-On Pt. 2

• Internet Explorer– In IE, click Tools Internet Options Security– Select the appropriate security policy:– Add K1000 to trusted sites– Click custom level then scroll to the bottom of the list.– Select automatic logon with current username and password. If this option is not set, Internet

explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.

Thank you.

KACE Support Portal Migrating to Dell Software Support Portal

• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal

• All service requests will be submitted by the portal or by phone

• Same great content– Knowledge base articles– Video tutorials– Product documentation– JumpStart training

• Check out the Support Portal Getting Started videos

LDAP Integration

Software

Ldap (Arabic)

LDAP Server Howto

LDAP - National Chiao Tung University · 2015-12-24 · What is LDAP Lightweight Directory Access Protocol (LDAP) • LDAP v3: RFC 3377 • RFC 2251-2256, 2829, 2830, 3377 Why LDAP

Ldap admin

Ldap Authentication

Ldap it-slideshares.blogspot.com

Introduce LDAP

Introduction à LDAP

LDAP von Sebastian Streitberger. Inhalt Was ist LDAP? Geschichte und Versionen von LDAP Schema und Verzeichniseinträge LDAP Konzepte und Architektur Praktisches

Ldap sqlnet

Harbor integration with Kubernetes - Huodongjia.com · Key Features • Web Admin GUI • User management & access control – User self-registration and password reset – AD/LDAP

Lightweight Directory Access Protocol Objectives –Install dan menggunakan LDAP Contents –Struktur database LDAP –Scenario –Konfigurasi LDAP server –Konfigurasi

LDAP Presentation

Manual LDAP

SPARCS 10 이대근 (harry). Contents Directory Service What is LDAP? Installation Configuration ldap-utils User authentication with LDAP

Introducción a LDAP

LDAP em VDM++

Yeferson ldap

LDAP Basics

17. LDAP - sparcs.org · Practice •LDAP Authentication –$ apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client Should debconf manage LDAP configuration?