
Transcript
Page 1: LDAP Integration

Dell World User Forum

UFIL510: LDAP Integration

Shawn Carson, Senior Trainer

Jeff Plaza, Senior Trainer


Page 2: LDAP Integration


Agenda

• What is LDAP?

• K1000 Roles

• LDAP Authentication & Importing

• K1000 LDAP Labels

• K1000 Single Sign-On

Page 3: LDAP Integration


What is LDAP?

Page 4: LDAP Integration


Benefits of using LDAP Authentication

• Allows for integrated authentication utilizing a Directory Service such as Active Directory

• Assigns Roles at first import

• One less set of passwords to remember

• Can import users from LDAP for Asset tracking

• Import more information

• Use LDAP info for permissions, software assignment, and more through LDAP labels.

Page 5: LDAP Integration


LDAP Process Flow

LDAP Process Flow (diagram): User Login → LDAP Queried by K1000 → User Authenticated and Imported → Access Granted

*No passwords stored on appliance

Page 6: LDAP Integration


LDAP Terminology

• OU = Organizational Unit. Remember: each user can be in only one of these.

• DC = Domain Component: top-level domain identifiers, such as Kace.com

• DN = Distinguished Name. Everything has one; it is the complete proper name describing an object.

• CN = Common Name. Every object has one; it is the simplified name of an object, as opposed to its full DN. Some default containers are CNs (Computers).

• Attributes: data fields holding information about a CN, such as a user's Telephone Number, Delivery Address, or Group Membership

Page 7: LDAP Integration


LDAP Overview (diagram of a directory tree): top-level domain components such as DC=net, DC=com and DC=org; a domain DC=KACE beneath; within it OU=Users, holding the user object samaccountname=KBOX_USER, and OU=Computers.

Page 8: LDAP Integration


LDAP Attributes

An Attribute is a data field that helps to classify the Domain Object. These attributes could contain the user’s email address, phone number or a security group they are a part of.

• memberOf

• objectClass- See more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx

• objectGUID

• userPrincipalName

• More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx

Page 9: LDAP Integration


K1000 LDAP Label Variables

The K1000 variables can be placed inside the search filter to pass information from the K1000 into LDAP. This is useful for user login and creating LDAP Labels.

• Machine Variables are passed to the filter at machine checkin.

• User variables are passed to the filter at user login.

Page 10: LDAP Integration


Distinguished Names

• The following domain tree: Battlestar.Local → (OU) Galactica → (OU) Pilots → (OU) Viper

• This would be listed as follows: OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local

• Read left to right, the components run from most restrictive (OU=Viper) to least restrictive (DC=Local).

Page 11: LDAP Integration


Search Filter

• () = Parentheses: standard logical delimiter for organizing the order of operation or evaluation.

• & = Ampersand: signifies that both* conditions MUST be true (AND)

• | = Pipe: signifies that one condition MUST be true (OR)

In an LDAP search filter the following basic syntax is used:

• (condition)

• (&(condition1)(condition2))

• (|(condition1)(condition2))

The way this would look with an actual LDAP filter is as follows:

• (&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))

Page 12: LDAP Integration


Roles

Page 13: LDAP Integration


Creating & Understanding Existing Roles

• Dell KACE K1000 has four default Roles:
  – Administrator
  – Read Only Administrator
  – User Console Only
  – No Access

• Default Roles cannot be changed or deleted. They can be duplicated.

• Use custom roles for your users

• Dell KACE K2000 has two Roles:
  – Admin
  – Login Not Allowed

• Custom Roles are not allowed

Page 14: LDAP Integration


LDAP Authentication

Page 15: LDAP Integration


Configuring LDAP Authentication

• Configure one query per role*

• Authentication works in cascading order:
  – Admins on top, Users on bottom, everything else in between
  – Remove unnecessary queries

Page 16: LDAP Integration


LDAP Authentication Detail

• Enter Hostname/IP and Port:
  – LDAP: server/IP & 389
  – LDAPS: ldaps://server/IP & 636

• Enter Base DN:
  – Where am I starting my search?
  – Search is recursive; it will search subdirectories

• Enter Search Filter:
  – How am I narrowing my search?
  – KBOX_USER is a variable replaced at runtime

• Provide credentials for the K1000:
  – Read access to LDAP is needed

Page 17: LDAP Integration


LDAP Search Filters

• Base filter: (samaccountname=KBOX_USER)

• Users only: (objectCategory=user)

• Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)

Available operators:

• AND &

• OR |

• NOT !

• Operators are placed in front of operands, not in between!!

• (&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))

Page 18: LDAP Integration


LDAP Example: Multiple Security Groups

(Diagram) A filter matching users who are a member of Group 1 OR Group 2 OR Group 3.

Page 19: LDAP Integration


LDAP Example: Excluding Users

(Diagram) A filter matching users who are a member of London or Berlin or Paris, but not a member of Kace_Admins.
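As an added example (not from the slides or the K1000 product), the filter pieces from the last few slides assembled in Python: the KBOX_USER value is escaped per RFC 4515 before substitution, a small evaluator for equality, &, | and ! filters runs them against constructed directory entries, and a cascading query list assigns roles with the first match winning, which is why the admin query sits on top. All function names, the jdoe/root entries and the full DNs of the city groups are assumptions; only the Kace_Admins DN and the attribute names come from the slides.

```python
# Added example (not from the slides): build K1000-style search filters with the KBOX_USER
# value escaped per RFC 4515, evaluate them against constructed entries, apply cascading roles.
import re
# Characters that are special inside filter values (RFC 4515) and their escapes
_ESC = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
def escape_value(value):
    # An escaped runtime value can only be matched literally, never parsed as filter syntax
    return ''.join(_ESC.get(ch, ch) for ch in value)
def substitute(template, login):
    # KBOX_USER is replaced at runtime; escape the login before it enters the filter
    return template.replace('KBOX_USER', escape_value(login))

def matches(flt, entry):
    """Evaluate a filter (equality, &, |, ! only) against an entry dict with
    lowercase attribute names and list-of-string values (compared case-insensitively)."""
    flt = flt.strip()
    if not (flt.startswith('(') and flt.endswith(')')):
        raise ValueError('filter must be wrapped in parentheses: ' + flt)
    body = flt[1:-1]
    if body[0] in '&|!':  # prefix operator followed by its sub-filters
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == '(') - (ch == ')')
            if depth == 0 and ch == ')':
                subs.append(body[start:i + 1])
                start = i + 1
        results = [matches(s, entry) for s in subs]
        if body[0] == '!':
            return not results[0]
        return all(results) if body[0] == '&' else any(results)
    attr, _, val = body.partition('=')  # a DN value keeps its own '=' signs
    val = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), val)
    return val.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def cascade_role(queries, login, entry):
    # Queries are tried top to bottom; the first one that matches decides the role
    for template, role in queries:
        if matches(substitute(template, login), entry):
            return role
    return 'No Access'

# Constructed sample data (not real directory content); the city group DNs are assumptions
ADMINS = 'CN=Kace_Admins,CN=Users,DC=kace,DC=local'
CITIES = ['CN=%s,CN=Users,DC=kace,DC=local' % c for c in ('London', 'Berlin', 'Paris')]
ADMIN_QUERY = '(&(samaccountname=KBOX_USER)(objectCategory=user)(memberOf=%s))' % ADMINS
USER_QUERY = '(&(samaccountname=KBOX_USER)(|%s)(!(memberOf=%s)))' % (
    ''.join('(memberOf=%s)' % c for c in CITIES), ADMINS)
QUERIES = [(ADMIN_QUERY, 'Administrator'), (USER_QUERY, 'User Console Only')]
JDOE = {'samaccountname': ['jdoe'], 'objectcategory': ['user'], 'memberof': [CITIES[0]]}
ROOT = {'samaccountname': ['root'], 'objectcategory': ['user'], 'memberof': [ADMINS, CITIES[2]]}
```

Putting a plain user query above the admin query hands an administrator the User Console Only role, which is the misconfiguration the "Admins on top" rule prevents.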

Page 20: LDAP Integration


LDAP Authentication Examples


Page 21: LDAP Integration


LDAP Authentication Examples Pt. 2


Page 22: LDAP Integration


Exercise: Enabling External LDAP Authentication

Page 23: LDAP Integration


LDAP Import – Step 1

• Refine your attributes list
  – Supplement the default list if needed

• Label Attribute
  – Typically "memberof"
  – Creates blank LDAP Labels
  – Change prefix as desired
  – Remove if not used

• Set Max # Rows

• Set Email Recipients

• Set Scheduling

Page 24: LDAP Integration


LDAP Import – Step 2

• Map the first four attributes:
  – LDAP UID = objectguid
  – User Name = samaccountname
  – Full Name = name, displayname
  – Email = mail*

• Map other fields as needed:
  – Custom attributes come into play
  – Must have identified them in step 1
  – Must be in the preview table

• Assign role

• Create user labels as desired

Page 25: LDAP Integration


LDAP Import – Step 3

• Review import data
  – Look for errors or bad data

• Import when ready!

Page 26: LDAP Integration


LDAP Labels

Page 27: LDAP Integration


Understanding LDAP Labels

• Similar to Smart Labels, but uses LDAP info

• LDAP User Labels are essential for efficient Service Desk or User Portal usage

• LDAP Machine Labels are highly useful as a complement to Smart Labels

Page 28: LDAP Integration


LDAP Label Creation

We need a manual label first

• Home > Labels > Label Management > Choose Action > New Manual Label

Page 29: LDAP Integration


LDAP Label Creation

• Home > Labels > LDAP Labels > Choose Action > New

Page 30: LDAP Integration


Exercise: LDAP Label Creation

Page 31: LDAP Integration


Alternative to LDAP Labels – LDAP Smart Labels

• Based upon a Custom Inventory Field:
  – RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)

• Lists complete AD path to machine account

Page 32: LDAP Integration


Alternative to LDAP Labels – LDAP Smart Labels Pt. 2

• Create Smart Labels targeting the Custom Inventory

Page 33: LDAP Integration


Single Sign-On

Page 34: LDAP Integration


Single Sign-On

• Kace.uservoice.com top feature request first implemented in v5.5

• Settings > Control Panel > Security Settings

• Single Sign-On allows your users to log into the K1000 Appliance without having to enter their username or password.

• The K1000 can only use one domain for single sign-on.

Page 35: LDAP Integration


Exercise: Single Sign-On

Page 36: LDAP Integration


Using Single Sign-On

To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address instead will direct you to the login page.

Supported browsers are:

• Chrome
  – Chrome requires no modifications at this time.

• Firefox
  – In Firefox, type about:config in the address bar
  – In the search field, type the following: network.negotiate-auth.trusted-uris
  – In the search results, double-click the name of the preference
  – In the string value box, enter the URL of the Kace Appliance, then click OK.

Page 37: LDAP Integration


Using Single Sign-On Pt. 2

• Internet Explorer
  – In IE, click Tools > Internet Options > Security
  – Select the appropriate security policy
  – Add the K1000 to Trusted sites
  – Click Custom level, then scroll to the bottom of the list
  – Select "Automatic logon with current user name and password". If this option is not set, Internet Explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.

Page 38: LDAP Integration


Thank you.

Page 39: LDAP Integration


KACE Support Portal Migrating to Dell Software Support Portal

• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal

• All service requests will be submitted by the portal or by phone

• Same great content:
  – Knowledge base articles
  – Video tutorials
  – Product documentation
  – JumpStart training

• Check out the Support Portal Getting Started videos

