Chat now with support
Chat with Support

KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

About the KACE Systems Management Appliance (SMA) Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Provisioning the KACE SMA Agent Manually deploying the KACE SMA Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Dell devices and updates Maintaining device and appliance security
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the KACE SMA
Appendixes Glossary About us Legal notices

Configure and test LDAP user authentication

Configure and test LDAP user authentication

You can configure and test connections from the KACE SMA to an external LDAP server.

1.
Go to the Admin-level Authentication Settings page:
a.
Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
c.
On the Control Panel, click User Authentication.
2.
Select the LDAP Authentication option:

Option

Description

Local Authentication

Enable local authentication (the default). If local authentication is enabled, the password is authenticated against the existing entries in the local database at Settings > Users.

LDAP Authentication

Enable external user authentication using an LDAP server or Active Directory server.

If LDAP Authentication is enabled, the password is authenticated against the external LDAP server.

For assistance with authentication, contact Quest Support at https://support.quest.com/contact-support.

Button

Action

Schedule a user import for the server.

Modify the server definition. For information about the fields in this section, see Table 5.

Remove the server.

Change the order of the server in the list of servers.

4.
Optional: Click New to add an LDAP server. You can have more than one LDAP server configured.

Table 5. Server information

Option

Description

Name

The name you want to use to identify the server.

Host Name or IP Address

The IP address or the hostname of the LDAP server. If the IP address is not valid, the appliance waits to timeout, resulting in login delays during LDAP authentication.

Port

The LDAP port number, which is usually 389 (LDAP) or 636 (secure LDAP).

Base DN

The criteria used to search for accounts.

This criteria specifies a location or container in the LDAP or Active Directory structure, and the criteria should include all the users that you want to authenticate. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example, this path leads to the container with users that you need to authenticate:

OU=end_users,DC=company,DC=com.

NOTE: Domain Users is a special group that is not added to the memberof attribute values. For Domain Users members, use this format: (primaryGroupId=513).

Advanced Search

The search filter. For example:

(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com))

Login

The credentials of the account the KACE SMA uses to log in to the LDAP server to read accounts. For example:

LDAP Login:CN=service_account,CN=Users,

DC=company,DC=com.

If user name and password are not provided, the tree lookup is not performed.

Each LDAP Label can connect to a different LDAP or Active Directory server.

Password

The password of the account the KACE SMA uses to log in to the LDAP server.

Role

(Required) The user’s role:

Administrator: The user can log in to and access all features of the Administrator Console and User Console.
Read Only Administrator: The user can log in, but cannot modify any settings in the Administrator Console or User Console.
User Console Only: The user can log in only to the User Console.
No Access: The user cannot log in to the Administrator Console or User Console. No Access is the default role.
6.
Click Save.
a.
Select the LDAP Authentication.
b.
Click the Edit button next to the server on which the user account you are testing is located .
c.
In the Advanced Search: box, replace KBOX_USER with the username to test. The syntax is sAMAccountName=username.
d.
Enter the user’s password in the Password for test field.
e.
Click Test.

If the test is successful, the authentication setup is complete for this user, and other users in the same LDAP container.

Importing users from an LDAP server

Importing users from an LDAP server

You can import user information from LDAP servers to create user accounts on the KACE SMA. This provides administrators, such as Service Desk staff, with a richer set of data to use when working with users.

There are two ways to import user information:

Import user information manually

Import user information manually

You can import user information manually by specifying criteria to identify the users you want to import.

1.
Go to the Users page:
a.
Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
b.
On the left navigation bar, click Settings, then click Users.
c.
Select Choose Action > Import Users.
NOTE: Use the LDAP Browser to specify the Search Base DN and Search Filter. See Use the LDAP Browser.

Option

Description

Server

The IP address or the hostname of the LDAP server. If the IP address is not valid, the appliance waits to timeout, resulting in login delays during LDAP authentication.

Port

The LDAP port number, which is usually 389 (LDAP) or 636 (secure LDAP).

Base DN

The criteria used to search for accounts.

This criteria specifies a location or container in the LDAP or Active Directory structure, and the criteria should include all the users that you want to authenticate. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example, this path leads to the container with users that you need to authenticate:

OU=end_users,DC=company,DC=com.

Advanced Search

The search filter. For example:

(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com))

Login

The credentials of the account the KACE SMA uses to log in to the LDAP server to read accounts. For example:

LDAP Login:CN=service_account,CN=Users,

DC=company,DC=com.

If user name and password are not provided, the tree lookup is not performed. Each LDAP Label can connect to a different LDAP or Active Directory server.

Password

The password of the account the KACE SMA uses to log in to the LDAP server.

Option

Description

Attributes to retrieve

Specify the LDAP attributes to retrieve. For example:

sAMAccountName, objectguid, mail, memberof, displayname, sn, cn, userPrincipalName, name, description, manager

The LDAP attributes specified in this field can be mapped to KACE SMA User attributes on the next page. If this field is blank, the appliance retrieves all LDAP attributes. Leaving this field blank increases the time required to import attributes and is not recommended.

IMPORTANT: To retrieve the manager object associated with the user, you must add the manager attribute to the list, and to specify this mapping in a later step.

Label Attribute

Enter a label attribute. For example: memberof.

This setting returns a list of groups this user is a member of. The union of all the label attributes forms the list of labels you can import. If the search filter contains both the label names and user names, the label attribute is not required.

Label Prefix

Enter the label prefix. For example: ldap_

The label prefix is a string that is added to the beginning of all the labels.

Binary Attributes

Enter the binary attributes. For example: objectsid.

Binary attributes indicates which attributes should be treated as binary for purposes of storage.

Maximum Number of Rows

Enter the maximum number of rows to retrieve. This limits the result set that is returned in the next step.

Debug Output

Select the check box to view the debug output.

4.
Click Next.
The Define mapping between User attributes and LDAP attributes page appears.

Option

Description

Ldap Uid

The identifier for the user. Recommended value: objectguid.

User Name

The name of the user. Recommended value: name.

Email

The email address for the user. Recommended value: mail.

Manager

The manager of the user. This mapping is mandatory only if you want to retrieve the manager information. Recommended value: manager.

IMPORTANT: To retrieve the manager object associated with the user, you must also add the manager attribute to the Attributes to retrieve box.

Option

Description

Api Enabled

Whether users are enabled to access the KACE SMA using the KACE GO app. Access is enabled if the field contains a numerical value. Access is disabled if the field contains no value. Therefore, to enable access, select an attribute that returns a numerical value. To disable access, select No Value.

Ams Id

Not used in the KACE SMA 6.4 release. Recommended value: No Value.

6.
Optional: In the Role drop-down list, select the role for the imported users. See Add or edit User Roles.
7.
Optional: In the Labels drop-down list, select the label to apply to imported users. See About labels.
8.
In the Search Results section below the attribute mapping drop-down lists, verify that the list of users to import is correct, and the information listed for each user is what you expect. To refine your search, click the Back button and revise the search parameters and attributes.
For example, to change the number of Search Results, change the Maximum Number of Rows on the Choose attributes to import page.
9.
Click Next to display the Import Data into the KACE SMA page.
Only users with values for the required attributes, Ldap Uid, User Name, Email, and Manager are imported. Records that do not have these values are listed in the Users with invalid data section.
11.
Click Import Now to start the import.

The Users page appears, and the imported users appear on the list. The imported users can access the features of the Administrator Console, User Console based on the role to which they are assigned.

Import user information according to a schedule

Import user information according to a schedule

To keep user data current, schedule regular user data imports from your LDAP server.

1.
Go to the Admin-level Authentication Settings page:
a.
Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
c.
On the Control Panel, click User Authentication.
2.
Select LDAP Authentication, then click the Schedule button next to the server name in the list of servers to schedule a user import:
The User Import: Schedule – Choose attributes to import page appears.

The following Read Only Administrator Server Details are displayed:

Option

Description

Server

The IP address or the hostname of the LDAP server. If the IP address is not valid, the appliance waits to timeout, resulting in login delays during LDAP authentication.

Port

The LDAP port number, which is usually 389 (LDAP) or 636 (secure LDAP).

Base DN

The criteria used to search for accounts.

This criteria specifies a location or container in the LDAP or Active Directory structure, and the criteria should include all the users that you want to authenticate. Enter the most specific combination of OUs, DCs, or CNs that match your criteria, ranging from left (most specific) to right (most general). For example, this path leads to the container with users that you need to authenticate:

OU=end_users,DC=company,DC=com.

Advanced Search

The search filter. For example:

(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=financial,DC=example,DC=com))

Login

The credentials of the account the KACE SMA uses to log in to the LDAP server to read accounts. For example:

LDAP Login:CN=service_account,CN=Users,

DC=company,DC=com.

If user name and password are not provided, the tree lookup is not performed. Each LDAP Label can connect to a different LDAP or Active Directory server.

Password

The password of the account the KACE SMA uses to log in to the LDAP server.

Option

Description

Attributes to retrieve

Specify the LDAP attributes to retrieve. For example:

sAMAccountName, objectguid, mail, memberof, displayname, sn, cn, userPrincipalName, name, description, manager

The LDAP attributes specified in this field can be mapped to KACE SMA User attributes on the next page. If this field is blank, the appliance retrieves all LDAP attributes. Leaving this field blank increases the time required to import attributes and is not recommended.

IMPORTANT: To retrieve the manager object associated with the user, you must add the manager attribute to the list, and to specify this mapping in a later step.

Label Attribute

Enter a label attribute. For example: memberof.

This setting returns a list of groups this user is a member of. The union of all the label attributes forms the list of labels you can import. If the search filter contains both the label names and user names, the label attribute is not required.

Label Prefix

Enter the label prefix. For example: ldap_

The label prefix is a string that is added to the beginning of all the labels.

Binary Attributes

Enter the binary attributes. For example: objectsid.

Binary attributes indicates which attributes should be treated as binary for purposes of storage.

Maximum Number of Rows

Enter the maximum number of rows to retrieve. This limits the result set that is returned in the next step.

Debug Output

Select the check box to view the debug output.

4.
In the Email Recipients section, click the Edit button to enter the recipient’s email address .
5.
Select users in the Recipients drop-down list.
6.
In the Schedule section, specify schedule options:

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time. This option is useful if you want to patch servers manually, or perform patch actions that you do not want to run on a schedule.

Every _ hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the nth day every month, (for example, the first or the second) day of every month, or a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled. Click a task to review the task details. For more information, see View task schedules.

7.
Click Next to display the User Import: Schedule - Define mapping between User attributes and LDAP Attributes page.

Option

Description

Ldap Uid

The identifier for the user. Recommended value: objectguid.

User Name

The name of the user. Recommended value: name.

Email

The email address for the user. Recommended value: mail.

Manager

The manager of the user. This mapping is mandatory only if you want to retrieve the manager information. Recommended value: manager.

IMPORTANT: To retrieve the manager object associated with the user, you must also add the manager attribute to the Attributes to retrieve box.

Option

Description

Api Enabled

Whether users are enabled to access the KACE SMA using the KACE GO app. Access is enabled if the field contains a numerical value. Access is disabled if the field contains no value. Therefore, to enable access, select an attribute that returns a numerical value. To disable access, select No Value.

Ams Id

Not used in the KACE SMA 6.4 release. Recommended value: No Value.

9.
Optional: In the Role drop-down list, select the role for the imported users. See Add or edit User Roles.
11.
Optional: In the Labels drop-down list, select the label to apply to imported users. See About labels.
12.
In the Search Results section below the attribute mapping drop-down lists, verify that the list of users to import is correct, and the information listed for each user is what you expect. To refine your search, click the Back button and revise the search parameters and attributes.
For example, to change the number of Search Results, change the Maximum Number of Rows on the Choose attributes to import page.
13.
Click Next to display the Import Data into the KACE SMA page.
Only users with values for the required attributes, Ldap Uid, User Name, Email, and Manager, are imported. Records that do not have these values are listed in the Users with invalid data section.
Click Back to change settings.
Click Import to save the schedule and import user information immediately. The import begins, and the schedule is set to run according to the options selected in Scheduling section.
Click Finish to save the schedule without importing user information. The schedule is set to run according to the options selected in the Scheduling section.
Related Documents