LDAP Integration


1. Dell World User Forum
UFIL510: LDAP Integration
Shawn Carson, Senior Trainer
Jeff Plaza, Senior Trainer

2. Agenda
- What is LDAP?
- K1000 Roles
- LDAP Authentication & Importing
- K1000 LDAP Labels
- K1000 Single Sign-On

3. What is LDAP?

4. Benefits of using LDAP Authentication
- Allows for integrated authentication utilizing a Directory Service such as Active Directory
- Assigns Roles at first import
- One less set of passwords to remember
- Can import users from LDAP for Asset tracking
- Import more information
- Use LDAP info for permissions, software assignment, and more through LDAP labels

5. LDAP Process Flow
User Login -> LDAP Queried by K1000 -> User Authenticated and Imported -> Access Granted
*No passwords stored on appliance

6. LDAP Terminology
- OU = Organizational Unit. Remember: each user can be in only one of these.
- DC = Domain Component. Top-level domain identifiers, such as Kace.com.
- DN = Distinguished Name. Everything has one. This is the complete proper name describing an object.
- CN = Common Name. Every object has one. Simplified name of DN for an object. Some default containers are CNs (Computers).
- Attributes: data fields holding information about a CN, such as a user's Telephone Number, Delivery Address, Group Membership.

7. LDAP Overview

8. LDAP Attributes
An Attribute is a data field that helps to classify the Domain Object. These attributes could contain the user's email address, phone number or a security group they are a part of.
- memberOf
- objectClass (see more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938%28v=vs.85%29.aspx)
- objectGUID
- userPrincipalName
More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx
9. K1000 LDAP Label Variables
The K1000 variables can be placed inside the search filter to pass information from the K1000 into LDAP. This is useful for user login and creating LDAP Labels.
- Machine variables are passed to the filter at machine check-in.
- User variables are passed to the filter at user login.

10. Distinguished Names
The following domain tree:
- Battlestar.Local
  - (OU) Galactica
    - (OU) Pilots
      - (OU) Viper
would be listed as follows:
OU=Viper,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local
Most Restrictive ================> Least Restrictive

11. Search Filter
- () = Parentheses: standard logical delineator for organizing the order of operation or evaluation.
- & = Ampersand: signifies that both* conditions MUST be true (AND).
- | = Pipe: signifies that one condition MUST be true (OR).
In an LDAP Search Filter the following basic syntax is used:
(condition)
(&(condition1)(condition2))
(|(condition1)(condition2))
The way this would look with an actual LDAP filter is as follows:
(&(objectClass=Person)(memberOf=CN=Security Group,OU=Pilots,OU=Galactica,DC=Battlestar,DC=Local))

12. Roles

13. Creating & Understanding Existing Roles
Dell KACE K1000 has four default Roles:
- Administrator
- Read Only Administrator
- User Console Only
- No Access
Default Roles cannot be changed or deleted. They can be duplicated. Use custom roles for your users.
Dell KACE K2000 has two Roles:
- Admin
- Login Not Allowed
Custom Roles are not allowed.

14. LDAP Authentication

15. Configuring LDAP Authentication
- Configure one query per role*
- Authentication works in cascading order: Admins on top, Users on bottom, everything else in between
- Remove unnecessary queries

16. LDAP Authentication Detail
- Enter Hostname/IP and Port
  - LDAP: server/IP & 389
  - LDAPS: ldaps://server/IP & 636
- Enter Base DN: where am I starting my search?
  - Search is recursive: it will search subdirectories
- Enter Search Filter: how am I narrowing my search?
  - KBOX_USER is a variable replaced at runtime
- Provide credentials for K1000: read access to LDAP is needed

17. LDAP Search Filters
- Base filter: (samaccountname=KBOX_USER)
- Users only: (objectCategory=user)
- Membership: (memberof=CN=Kace_Admins,CN=Users,DC=kace,DC=local)
- Available operators: AND &, OR |, NOT !
- Operators are placed in front of operands, not in between!!
(&(samaccountname=KBOX_USER)(|(This)(Or This))(!(But not this)))

18. LDAP Example: Multiple Security Groups
[Diagram: Group 1 OR Group 2 OR Group 3]

19. LDAP Example: Excluding Users
[Diagram: Member of London or Berlin or Paris, but not Member of Kace_Admins]

20. LDAP Authentication Examples

21. LDAP Authentication Examples Pt. 2

22. Exercise: Enabling External LDAP Authentication

23. LDAP Import Step 1
- Refine your attributes list: supplement the default list if needed
- Label Attribute: typically memberof
  - Creates blank LDAP Labels
  - Change Prefix as desired
  - Remove if not used
- Set Max # Rows
- Set Email Recipients
- Set Scheduling

24. LDAP Import Step 2
- Map the first four attributes:
  - LDAP UID = objectguid
  - User Name = samaccountname
  - Full Name = name, displayname
  - Email = mail*
- Map other fields as needed
  - Custom attributes come into play
  - Must have identified them in step 1
  - Must be in preview table
- Assign role
- Create user labels as desired

25. LDAP Import Step 3
- Review import data
- Look for errors or bad data
- Import when ready!

26. LDAP Labels

27. Understanding LDAP Labels
- Similar to Smart Labels, but uses LDAP info
- LDAP User Labels are essential for efficient Service Desk or User Portal usage
- LDAP Machine Labels are highly useful as a complement to Smart Labels
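As an added example (not the K1000's own code), the prefix-notation filters of slides 11 and 17-19 and the cascading role queries of slide 15 worked through in Python: the KBOX_USER substitution escapes filter metacharacters so a login name is matched literally, and the role list is tried top to bottom, so reversing it hands an admin the user role. The group DN, the role queries and the list of directory entries passed in (dicts of lowercase attribute to values) are constructed stand-ins for the LDAP server.

```python
import re
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def fill_user(filter_text, user):
    """Substitute KBOX_USER, RFC 4515-escaped so ( ) * \\ in a login name stay literal."""
    return filter_text.replace("KBOX_USER", "".join(ESCAPES.get(c, c) for c in user))

def parse(text):
    """(&(a=1)(|(b=2)(c=3))(!(d=4))) -> (op, [children]) or ("=", attr, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("each filter item must be parenthesised")
        pos += 1
        if text[pos] in "&|!":          # operator comes before its operands
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                    # closing ')' of the operator
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), value)
        return ("=", attr.strip().lower(), value)
    return node()

def matches(tree, entry):
    # entry is {lowercase attribute: [values]}; comparisons are case-insensitive
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    return any(v.lower() == tree[2].lower() for v in entry.get(tree[1], []))

# One query per role, tried top to bottom: admins above the broader user query.
ADMINS = "CN=Kace_Admins,CN=Users,DC=kace,DC=local"    # constructed DN
ROLE_QUERIES = [
    ("Administrator", "(&(samaccountname=KBOX_USER)(memberof=%s))" % ADMINS),
    ("User Console Only", "(&(samaccountname=KBOX_USER)(objectCategory=user))"),
]

def resolve_role(user, directory, queries=ROLE_QUERIES):
    for role, query in queries:
        tree = parse(fill_user(query, user))
        if any(matches(tree, entry) for entry in directory):
            return role
    return None
```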
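Added example, not from the deck: parsing a Distinguished Name into the tree drawn on slide 10 and testing subtree membership, which is the check behind a recursive search from a Base DN (slide 16) and behind a Smart Label on the Distinguished-Name custom inventory field (slides 31-32, "Alternative to LDAP Labels"). The DNs are constructed; RDNs are compared whole, so a plain substring match on OU=Viper would also catch a sibling OU whose name merely starts the same way.

```python
def parse_dn(dn):
    """Split a DN into [(type, value)] from most to least specific, treating a
    backslash as an escape so "CN=Adama\\, William,OU=Pilots,..." stays one RDN."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped character
            current, i = current + dn[i + 1], i + 2
        elif dn[i] == ",":                          # RDN boundary
            rdns.append(current)
            current, i = "", i + 1
        else:
            current, i = current + dn[i], i + 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def tree_path(dn):
    """The DN read from the domain downwards, the way the slide-10 tree is drawn."""
    return [value for _, value in reversed(parse_dn(dn))]

def in_subtree(dn, base_dn):
    """True when dn sits at or below base_dn (case-insensitive, whole RDNs)."""
    def norm(d):
        return [(t, v.lower()) for t, v in parse_dn(d)]
    rdns, base = norm(dn), norm(base_dn)
    return len(base) <= len(rdns) and rdns[len(rdns) - len(base):] == base
```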
28. LDAP Label Creation
We need a manual label first: Home > Labels > Label Management > Choose Action > New Manual Label

29. LDAP Label Creation
Home > Labels > LDAP Labels > Choose Action > New

30. Exercise: LDAP Label Creation

31. Alternative to LDAP Labels: LDAP Smart Labels
Based upon a Custom Inventory Field:
RegistryValueReturn(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine, Distinguished-Name, TEXT)
Lists the complete AD path to the machine account.

32. Alternative to LDAP Labels: LDAP Smart Labels Pt. 2
Create Smart Labels targeting the Custom Inventory field.

33. Single Sign-On

34. Single Sign-On
- Kace.uservoice.com top feature request, first implemented in v5.5
- Settings > Control Panel > Security Settings
- Single Sign-On allows your users to log into the K1000 Appliance without having to enter their user name or password.
- The K1000 can only use one domain for single sign-on.

35. Exercise: Single Sign-On

36. Using Single Sign-On
To use single sign-on, you must enter the hostname of the K1000 appliance in the browser; entering the IP address will direct you to the login page.
Supported browsers are:
- Chrome: requires no modifications at this time.
- Firefox:
  - In Firefox, type about:config in the address bar
  - In the search field type the following: network.negotiate-auth.trusted-uris
  - In the search results, double-click the name of the preference
  - In the string value box, enter the URL of the Kace Appliance, then click OK.

37. Using Single Sign-On Pt. 2
- Internet Explorer:
  - In IE, click Tools > Internet Options > Security
  - Select the appropriate security policy: add the K1000 to Trusted Sites
  - Click Custom Level, then scroll to the bottom of the list
  - Select automatic logon with current username and password.
  If this option is not set, Internet Explorer cannot automatically log into the Kace Appliance even if single sign-on is enabled on the Kace Appliance.

38. Thank you.

39. KACE Support Portal: Migrating to Dell Software Support Portal
- Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal
- All service requests will be submitted by the portal or by phone
- Same great content: Knowledge base articles, video tutorials, product documentation, JumpStart training
- Check out the Support Portal Getting Started videos