For more information on this topic, please see the KACE-SMA Course 1 Installing the KACE SMA-Web-based Training.
The KACE SMA allows you to manage user authentication either locally, on the Users tab under Service Desk, or via LDAP. LDAP Authentication is enabled by clicking Settings | User Authentication | External LDAP Server Authentication.
Even when LDAP authentication is enabled, the user named “admin” gets special treatment and is always authenticated locally.
For any other user name, the steps for authentication depend on the server settings.
When local authentication is enabled, the login and password are checked against the entry in the appliance database, and the account's role is set manually by assigning a role to the account.
If LDAP authentication is enabled, the appliance uses the configured directory service (such as LDAP) for user authentication. This allows users to log in to the appliance Administrator Interface or User Portal using their domain username and password.
Multiple authentication servers can be configured. Each server gets its own definition, and user imports can be scheduled per server. Users are authenticated against each server in the order the servers are listed. Every server in the list must have a reachable IP address or host name; otherwise the appliance waits for that connection to time out before moving on, which shows up as login delays when LDAP authentication is used.
After LDAP authentication succeeds, there is one more check against the local database, which can override the read-only admin versus full admin permission determined by LDAP. This is useful if you want to set up a single LDAP query for authenticating admins and manage the read-only versus full admin decision in the local database.
Note that the user's role is assigned the first time the user is created on the appliance and is not updated afterwards. If the user later changes groups and authenticates against a different server (for example, a user who was in a group that authenticates against a server assigned the Admin role is moved to a group assigned the User role), you must change the role on the appliance manually.
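The rules above can be exercised with a small model of the login decision flow. This is an added example, not KACE's own code: the class names, the role strings ('Admin', 'ReadOnly Admin', 'User'), the server names, the user lists and the 30-second timeout are all constructed assumptions made for illustration.

```python
"""Added example (not KACE code): a model of the login decision flow this
page describes, so the rules can be exercised. Class names, role strings,
server names and user lists are assumptions made for illustration.

Rules modelled:
  1. "admin" is always authenticated locally, even with LDAP enabled.
  2. With LDAP enabled, other users are tried against each server in list
     order; an unreachable server costs a full timeout before the next one.
  3. Once LDAP is enabled, local (non-admin) accounts can no longer log in.
  4. The role stored on the appliance is set when the account is first
     created and wins over whatever the LDAP server would grant afterwards,
     so a move between groups/servers needs a manual role change.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LdapServer:
    name: str
    role: str                    # role granted to users matched by this server's query
    users: Dict[str, str]        # constructed directory: username -> password
    reachable: bool = True
    timeout_s: float = 30.0      # assumed time lost per login when the server is down

    def bind(self, user: str, password: str, waited: List[float]) -> bool:
        """Simulated LDAP bind. An unreachable server records its timeout and fails."""
        if not self.reachable:
            waited.append(self.timeout_s)
            return False
        return self.users.get(user) == password


@dataclass
class Appliance:
    local_users: Dict[str, tuple]                 # username -> (password, role)
    ldap_enabled: bool = False
    ldap_servers: List[LdapServer] = field(default_factory=list)
    accounts: Dict[str, str] = field(default_factory=dict)  # username -> role, fixed at creation
    waited: List[float] = field(default_factory=list)       # timeouts incurred by logins

    def login(self, user: str, password: str) -> Optional[str]:
        """Return the effective role on success, None on failure."""
        if user == "admin" or not self.ldap_enabled:
            rec = self.local_users.get(user)            # rule 1 (and plain local mode)
            if rec is None or rec[0] != password:
                return None
            return self.accounts.setdefault(user, rec[1])
        for server in self.ldap_servers:                 # rules 2 and 3
            if server.bind(user, password, self.waited):
                # rule 4: an account that already exists keeps its stored role
                return self.accounts.setdefault(user, server.role)
        return None

    def set_role(self, user: str, role: str) -> None:
        """Manual role change on the appliance (Service Desk > Users)."""
        self.accounts[user] = role


def build_demo() -> Appliance:
    """Constructed setup: an unreachable server first, then admins, then users."""
    return Appliance(
        local_users={"admin": ("adminpw", "Admin"), "bob": ("bobpw", "User")},
        ldap_enabled=True,
        ldap_servers=[
            LdapServer("dc-old", "Admin", {}, reachable=False),
            LdapServer("dc-admins", "Admin", {"alice": "s3cret"}),
            LdapServer("dc-users", "User", {"carol": "c4rol"}),
        ],
    )


if __name__ == "__main__":
    sma = build_demo()
    print("admin ->", sma.login("admin", "adminpw"), "waited", sma.waited)  # local, no LDAP round trip
    print("bob   ->", sma.login("bob", "bobpw"))                             # local user blocked in LDAP mode
    print("alice ->", sma.login("alice", "s3cret"), "waited", sma.waited)   # pays dc-old's timeout first
    sma.set_role("alice", "ReadOnly Admin")                                  # local override of LDAP's Admin
    print("alice ->", sma.login("alice", "s3cret"))
```

Running it shows the two effects an administrator usually trips over: the dead server at the top of the list adds its timeout to every non-admin login, and once alice's account exists on the appliance, moving her to a different group or server changes nothing until her role is edited locally.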
LDAPS configuration should only be attempted after a regular LDAP connection has been established.
By default, LDAPS uses port 636. Make sure any firewalls between the K1000 appliance and your LDAP server allow this connection. LDAPS is configured on the K1000 appliance in much the same way as LDAP; the difference is that you insert 'ldaps://' before the LDAP server host name or IP address in K1000 Settings | User Authentication | External LDAP Server Authentication.
EXAMPLE:
LDAP: '192.168.1.1' or 'MYPDC'
LDAPS: 'ldaps://192.168.1.1' or 'ldaps://MYPDC'
This needs to be done for all 3 user types (Admins, ReadOnly Admins, Users). Change the LDAP Port Number from 389 to 636. All other settings should remain the same.
Once LDAP or LDAPS authentication is activated, no local user other than the login admin can be used any more. This means there is no option to use LDAP users and local users at the same time.
NOTE: You do not need to upload your LDAP server's SSL certificate to the appliance for LDAPS to work, even with a non-standard or self-signed certificate. The SMA's code accepts the connection even when the certificate chain cannot be verified. The practical consequence is that LDAPS on the appliance encrypts the credentials in transit but does not by itself confirm that the server on the other end is your directory server, since any certificate is accepted. Keep the network path between the appliance and the LDAP server trusted, and check the server's certificate with other tools rather than relying on the appliance to reject a bad one.
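Because the appliance will not validate the LDAPS certificate chain, that check has to happen before the switch from port 389 to 636. The following pre-flight script is an added example, not KACE code: it assumes the OpenSSL and OpenLDAP command-line clients are installed on the administrator's workstation and that a file named ca.pem (an assumed name) holds the CA that signed the directory server's certificate.

```shell
#!/bin/sh
# Added example, not KACE code: checks an administrator can run from a
# workstation before switching the appliance from LDAP (389) to LDAPS (636).
# Assumes the OpenSSL and OpenLDAP command-line clients are installed and
# that ca.pem (assumed file name) holds the CA that signed the directory
# server's certificate. The appliance itself will not validate that chain,
# so this is where it gets validated.
set -e

# Turn the value used for plain LDAP ('192.168.1.1' or 'MYPDC') into the
# value the appliance wants for LDAPS ('ldaps://192.168.1.1').
ldaps_url() {
    case "$1" in
        ldaps://*) printf '%s\n' "$1" ;;
        ldap://*)  printf 'ldaps://%s\n' "${1#ldap://}" ;;
        *)         printf 'ldaps://%s\n' "$1" ;;
    esac
}

# Port that matches the scheme: 636 for ldaps://, 389 otherwise.
port_for() {
    case "$1" in
        ldaps://*) echo 636 ;;
        *)         echo 389 ;;
    esac
}

# 1. TLS handshake to host:636 through any firewalls, with the chain
#    validated against the CA; -verify_return_error makes a bad chain fatal.
# 2. Anonymous RootDSE read over LDAPS with certificate checking demanded;
#    libldap also matches the certificate name against the host, which is
#    the validation the appliance skips.
ldaps_preflight() {
    url=$(ldaps_url "$1"); ca="${2:-ca.pem}"
    host="${url#ldaps://}"; port=$(port_for "$url")
    echo "checking $host:$port against $ca"
    openssl s_client -connect "$host:$port" -CAfile "$ca" \
        -verify_return_error </dev/null >/dev/null 2>&1 \
        || { echo "FAIL: no TLS connection, or chain does not validate" >&2; return 1; }
    LDAPTLS_CACERT="$ca" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$url" -x -s base -b '' namingContexts \
        || { echo "FAIL: LDAPS bind/search with certificate validation failed" >&2; return 1; }
    echo "OK: enter $url and port $port on the appliance"
}

# usage: sh ldaps_preflight.sh MYPDC [ca.pem]
if [ $# -ge 1 ]; then ldaps_preflight "$@"; fi
```

If step 1 passes but step 2 fails, the usual cause is a certificate whose subject or subjectAltName does not match the host name you entered; fix that on the directory server (or enter the name the certificate carries) rather than leaving the appliance to silently accept it.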