The account needs read-only access to the subtree under the Search Base DN on the LDAP server. It does not need write access, because the appliance never writes to the LDAP server, so do not grant more than read.
In addition, the account must have a password that never expires. Because the password never expires, make it long and randomly generated and treat it as a service-account credential: it is stored on the appliance and used for every login lookup. If the password is changed on the directory side (in line with your password policy), it must also be updated on the appliance, or LDAP authentication stops working. You can give the account a username such as KACE_Login. Alternatively, you can attempt to connect to the LDAP server using an anonymous bind, but many directories reject anonymous searches (Active Directory does so by default) and an anonymous bind gives you no per-account audit trail, so a dedicated read-only account is the better choice.
You can configure and test connections from the appliance to an external LDAP server.
◦ Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if Show organization menu in admin header is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
◦ Log in to the appliance System Administration Console, https://appliance_hostname/system, or select System from the drop-down list in the top-right corner of the page.
2. On the Control Panel, in the User Authentication section, click Configure Trust with LDAP (Administrator Console only), or Configure Trust with LDAP (System Administration Console only).
◦ Enable local authentication (the default). If local authentication is enabled, the password is authenticated against the existing entries in the local database at Settings > Users.
◦ Enable external user authentication using an LDAP server or Active Directory server. If LDAP Authentication is enabled, the password is authenticated against the external LDAP server. For assistance with authentication, contact Quest Support at https://support.quest.com/contact-support.
Modify the server definition. For information about the fields in this section, see Table 5.
The server definition fields (Table 5):
◦ LDAP Port: The LDAP port number, usually 389 (LDAP) or 636 (secure LDAP). On port 389 the bind credentials and the search results cross the network in clear text unless the session is upgraded with StartTLS, so use 636 (LDAP over TLS) wherever the server supports it.
◦ Search Base DN: The criteria used to search for accounts. For example: OU=end_users,DC=company,DC=com
◦ Search Filter: The search filter. For example: (&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com)). The memberOf clause restricts appliance logins to members of that group; without it, any account under the Search Base DN with a matching name can authenticate.
◦ LDAP Login: The account the appliance uses to log in to the LDAP server. For example: CN=service_account,CN=Users, If a user name and password are not provided, the tree lookup is not performed. Each LDAP Label can connect to a different LDAP or Active Directory server.
◦ LDAP Password: The password of the account the appliance uses to log in to the LDAP server.
8. To test the configuration, in the Advanced Search: box, replace KBOX_USER with the username to test. The syntax is sAMAccountName=username.
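The following is an added example, not Quest KACE code, showing what the search filter above does once the placeholder (written KBOX_USERNAME in the filter example and KBOX_USER in the test step) is replaced by the name the user typed, and why that substitution has to escape the value according to RFC 4515. The directory entries and the small filter evaluator are constructed here so it runs without an LDAP server; a real server's DN matching for memberOf is more elaborate than the case-insensitive string compare used below.

```python
"""Added example (not Quest KACE code): evaluating an authentication filter of the form
(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com))
against constructed sample entries, with and without RFC 4515 escaping of the login name."""
import re

FILTER_TEMPLATE = "(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com))"

# Constructed sample directory (not real data): attribute names lowercased,
# values as lists, the shape an LDAP search result normally has.
DIRECTORY = {
    "CN=alice,OU=end_users,DC=example,DC=com": {
        "samaccountname": ["alice"],
        "memberof": ["CN=financial,DC=example,DC=com"],
    },
    "CN=bob,OU=end_users,DC=example,DC=com": {
        "samaccountname": ["bob"],
        "memberof": ["CN=engineering,DC=example,DC=com"],
    },
    "CN=carol,OU=end_users,DC=example,DC=com": {
        "samaccountname": ["carol"],
        "memberof": ["CN=financial,DC=example,DC=com", "CN=audit,DC=example,DC=com"],
    },
}

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text so the server matches it literally, not as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, escape: bool = True) -> str:
    """Substitute the placeholder. escape=False reproduces the unsafe variant for comparison."""
    value = escape_filter_value(username) if escape else username
    return FILTER_TEMPLATE.replace("KBOX_USERNAME", value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _evaluate(entry: dict, s: str):
    """Recursive-descent evaluation of the filter subset used here: &, |, !, attr=value, attr=*.
    Returns (result, remaining_text)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s = s[0], s[1:]
        results = []
        while s.startswith("("):
            r, s = _evaluate(entry, s)
            results.append(r)
        if not s.startswith(")"):
            raise ValueError("unterminated " + op + " filter")
        return (all(results) if op == "&" else any(results)), s[1:]
    if s[:1] == "!":
        r, s = _evaluate(entry, s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated ! filter")
        return (not r), s[1:]
    end = s.index(")")  # escaped parentheses are \28 / \29, so this is the item's real end
    attr, sep, value = s[:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: " + s[:end])
    values = entry.get(attr.lower(), [])
    if value == "*":
        hit = bool(values)  # presence filter: any value at all
    else:
        wanted = _unescape(value).lower()
        hit = any(v.lower() == wanted for v in values)
    return hit, s[end + 1:]


def matches(entry: dict, ldap_filter: str) -> bool:
    result, rest = _evaluate(entry, ldap_filter)
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return result


def users_matching(username: str, escape: bool = True) -> list:
    """DNs the appliance's lookup would get back for this login name."""
    flt = build_filter(username, escape)
    return sorted(dn for dn, entry in DIRECTORY.items() if matches(entry, flt))


if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        print(f"{name!r:8} escaped   -> {users_matching(name)}")
    print(f"{'*'!r:8} unescaped -> {users_matching('*', escape=False)}")
```

Running it shows the two properties that matter: bob is rejected by the memberOf clause even though his name matches, and a typed `*` returns every finance member when it is dropped into the filter unescaped, but returns nothing once it is escaped to `\2a`. A lookup that can return several entries for one login attempt is exactly the condition you do not want in front of a bind.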
There are two ways to import user information:
1. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
NOTE: Use the LDAP Browser to specify the Search Base DN and Search Filter. See Use the LDAP Browser. |
Specify the LDAP attributes to retrieve. For example:
◦ Enter a label attribute. For example: memberof.
◦ Enter the label prefix. For example: ldap_ The label prefix is a string that is added to the beginning of all the labels.
◦ Enter the binary attributes. For example: objectsid. Binary attributes indicate which attributes should be treated as binary for purposes of storage rather than as text; objectsid and objectguid are raw byte values that are corrupted if stored as strings.
5. In the drop-down list next to each attribute, select the value to use for appliance User attributes during import. Values in the drop-down list are the values specified in the Attributes to retrieve field on the previous page.
◦ The identifier for the user. Recommended value: objectguid. The objectGUID of a directory object never changes and is not reused when an account is deleted and recreated, so, unlike a login name, it cannot be inherited by a different person.
◦ Not used. Recommended value: No Value.
6. Optional: In the Role drop-down list, select the role for the imported users. See Add or edit User Roles.
7. Optional: In the Labels drop-down list, select the label to apply to imported users. See About labels.
8. In the Search Results section below the attribute mapping drop-down lists, verify that the list of users to import is correct and that the information listed for each user is what you expect. To refine your search, click the Back button and revise the search parameters and attributes.
The Users page appears, and the imported users appear on the list. The imported users can access the features of the Administrator Console and User Console that the role assigned to them permits.
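As an added example, not Quest KACE code, the block below decodes the two Active Directory attributes this procedure treats as binary, objectGUID (the recommended user identifier) and objectSid, into their canonical text forms, and shows why they cannot be handled as text. The sample bytes are constructed from known values so it runs without a directory; the attribute names in the sample entry are lowercased as an assumption about how a search result is keyed.

```python
"""Added example (not Quest KACE code): decoding objectGUID and objectSid, the attributes
the import step marks as binary, and mapping an imported entry onto a stable identifier."""
import struct
import uuid


def decode_object_guid(raw: bytes) -> str:
    """objectGUID is 16 bytes in the Windows (mixed-endian) GUID layout, hence bytes_le."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def decode_object_sid(raw: bytes) -> str:
    """objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count little-endian uint32 sub-authorities."""
    if len(raw) < 8:
        raise ValueError("objectSid shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"objectSid length {len(raw)} does not fit {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_rid(sid: str) -> int:
    """The relative identifier (last sub-authority), e.g. 512 for Domain Admins."""
    return int(sid.rsplit("-", 1)[1])


def text_roundtrips(raw: bytes) -> bool:
    """True only if treating the bytes as UTF-8 text would preserve them unchanged."""
    try:
        return raw.decode("utf-8").encode("utf-8") == raw
    except UnicodeDecodeError:
        return False


def map_imported_user(entry: dict) -> dict:
    """Shape an imported entry the way the attribute mapping step does: the stable
    identifier is objectGUID; the login name is kept for display, since a sAMAccountName
    can later be given to a different person while the GUID cannot."""
    return {
        "identifier": decode_object_guid(entry["objectguid"]),
        "sid": decode_object_sid(entry["objectsid"]),
        "login": entry["samaccountname"],
    }


# Constructed sample values (not from a real domain): a SID with five sub-authorities
# ending in the well-known RID 512, and a fixed GUID.
SAMPLE_SID = (struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 512))
SAMPLE_GUID = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301").bytes_le
SAMPLE_ENTRY = {"samaccountname": "alice", "objectguid": SAMPLE_GUID, "objectsid": SAMPLE_SID}

if __name__ == "__main__":
    print(map_imported_user(SAMPLE_ENTRY))
    print("objectSid survives as UTF-8 text?", text_roundtrips(SAMPLE_SID))
    print("objectGUID survives as UTF-8 text?", text_roundtrips(SAMPLE_GUID))
```

Both sample values fail the text round-trip, which is the concrete reason to list objectsid (and objectguid) under binary attributes: stored as a string they would be silently altered and could no longer be matched on the next import.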
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.