
How to set up LDAP Authentication on both the K1000 and K2000 series appliances

Step One: Collect Information from LDAP Server

  • The following information is needed from the LDAP server in order to set up LDAP authentication on the KACE appliance:
    • Server hostname or IP address of the LDAP server
    • LDAP port number: the default is 389; the LDAPS (secured) port number is 636
    • Search Base DN: the starting location in the LDAP tree
    • An LDAP login and password with permission to query the directory (in Active Directory every user has this privilege by default, so it does not have to be an administrative account; however, we recommend an administrative account for testing)

Step Two: LDAP Browser to Test

  • On the KACE K1000 appliance, run the LDAP Browser with the information above to confirm that it can log in, navigate, and browse the LDAP server tree structure, and that it can see users and their attributes
    • To access the LDAP Browser within the K1000 appliance: Home -> Label -> LDAP Browser

    • Experiment with different Search Bases and Search Filters. If you can return results here, the same settings will work for authentication. If you cannot return results here, they will not work there either

Step Three: KACE Appliance setup

  • On the KACE K1000 appliance:
    1. Log on to the K1000 appliance and go to Settings -> Control Panel -> User Authentication
  • On the KACE K2000 appliance:
    1. Log on to the K2000 appliance and go to Settings and Maintenance -> Control Panel -> User Authentication
    2. Enable Edit Mode and click on "External LDAP Server Authentication"
    3. Click on Add "New Server" and fill out the following fields:
      • Server Friendly Name: LDAP Server profile
      • Server Hostname or IP address
      • Search Base DN - The point in the directory tree where the LDAP search should start
      • Search filter - leave as (samaccountname=KBOX_USER)
      • LDAP login – Format to use: either administrator@kace.com or cn=administrator,dc=kace,dc=com
      • LDAP password
    4. Press the Apply button to save all the settings.

Testing

Go back into edit mode of the same LDAP profile and run a test to see whether it can authenticate successfully:
    • In the Search filter, change the KBOX_USER variable to a specific user, for example: (samaccountname=Gerald)
    • Next to "Test these settings":
      • Enter the LDAP password (matching the user provided in the LDAP Login field) into the Test User Password box
      • Press the Test LDAP Settings button.
It will print a message reporting whether the attempt succeeded or failed.

Once it is successful, please replace the username in the Search filter back to KBOX_USER before saving it. KBOX_USER is a variable that gets replaced when you authenticate.

For Example: (samaccountname=KBOX_USER)
NOTE: Be sure to delete all LDAP authentication sources that are not used, or point any unused source that remains at a valid LDAP server IP address.

Beef it up

Now that you have a working configuration you can refine your settings.
  1. Perhaps you want to authenticate against a specific OU
    e.g.
    Search Base DN: OU=Support,OU=Kace,DC=Corp,DC=Kace,DC=com
    Search Filter: (samaccountname=KBOX_USER)
  2. Or you want to include several groups in one role
    e.g.
    Search Base DN: OU=Users,CN=Kace,CN=com
    Search Filter: (&(memberOf=CN=Miami Office,OU=KACEGroups,DC=Corp,DC=Kace,DC=com)(samaccountname=KBOX_USER))
  3. This example is a filter that excludes inactive accounts in a group called sales
    e.g.
    (&(!(msExchUserAccountControl=2))(&(memberOf=CN=Western,OU=Sales,DC=Corp,DC=Kace,DC=com)(samaccountname=KBOX_USER)))
  4. This includes only active accounts in a group called sales (note that there may be a difference):
    e.g.
    (&(msExchUserAccountControl=0)(&(memberOf=CN=Western,OU=Sales,DC=Corp,DC=Kace,DC=com)(samaccountname=KBOX_USER)))
  5. This is what a filter might look like in a Novell E-directory setup:
    e.g.
    (&(cn=KBOX_USER)(groupMembership=cn=GROUP NAME,ou=IT,o=Acme))
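
The KBOX_USER substitution and the group-restricted filters above, as an added Python example (not KACE's code and not part of the original article). It builds the memberOf template, rejects a template that lacks KBOX_USER, and escapes the login name and group DN per RFC 4515 so that characters such as * ( ) \ are matched literally. The function names are assumptions, and the article does not say how the appliance itself escapes input.

```python
# Added example, not KACE code: expands a search-filter template the way the
# article describes (KBOX_USER replaced at login), with RFC 4515 escaping.
PLACEHOLDER = "KBOX_USER"

# RFC 4515: these characters must be written as a backslash plus two hex
# digits when they appear inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value: str) -> str:
    """Escape a login name or DN so it is matched literally, not as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def balanced(filter_text: str) -> bool:
    """True if every '(' has a matching ')'. Escaped values contain neither."""
    depth = 0
    for ch in filter_text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def group_filter(group_dn: str, user_attr: str = "samaccountname") -> str:
    """Build the '(&(memberOf=...)(attr=KBOX_USER))' template from the article."""
    return f"(&(memberOf={escape_value(group_dn)})({user_attr}={PLACEHOLDER}))"


def expand(template: str, username: str) -> str:
    """Return the filter sent to the directory for one login attempt."""
    if PLACEHOLDER not in template:
        raise ValueError("no KBOX_USER in filter: it matches one fixed account")
    if not username or not balanced(template):
        raise ValueError("empty login name or unbalanced parentheses")
    return template.replace(PLACEHOLDER, escape_value(username))


if __name__ == "__main__":
    # Constructed inputs; the group DN is modelled on the article's example.
    tpl = group_filter("CN=Miami Office,OU=KACEGroups,DC=Corp,DC=Kace,DC=com")
    for name in ("Gerald", "g*", "Smith (contractor)"):
        print(repr(name), "->", expand(tpl, name))
```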

Troubleshooting

  • Multiple users are getting locked out
    • The reference account used in the authentication has failed too many times because the password was mistyped in one of the authentication sources. Fix the password and unlock the account.
  • Only one person in the entire company can log in
    • It is likely that you have a specific user name specified in the search filter (e.g. samaccountname=jdoe). This means that you only get a match when that user logs in.
  • Only a certain group of people can log in
    • You have multiple auth sources and only one of them is correct
    • The reference account ("LDAP Login" field) that you provided only has permissions on certain OUs
  • Only the admin can log in
    • The local KACE appliance admin (user=admin) is a reserved account that bypasses LDAP authentication whether or not it is turned on. You cannot connect it to the LDAP auth source.
  • Logging in is really slow
    • At least one of your authentication sources is failing and waiting to time out before returning an error. Typically this means you have not deleted one of the default OEM authentication sources and it is pointing to a non-existent LDAP server. You should delete any auth source that you have not configured
  • Users promoted to my AD "Admin" group that is assigned to an auth source for the KACE appliance admin role still log in and connect as "Users"
    • Once a role is assigned to an account in the KACE appliance (which happens on first login or import) it will not be changed regardless of auth settings. You must manually change the role for that user to reflect the change on the KACE appliance.
  • Admins that were demoted to my AD "User" group still connect as KACE appliance admins
    • Same as above. They are still able to authenticate via the auth source defined for the User role, but their role does not dynamically change in the KACE appliance
  • My search results during testing are successful but return 0 rows.
    • You are not using the correct Search Base or the correct LDAP Login account. Try an administrator account or a different search base
  • My memberOf information has an asterisk in it so it doesn't work when I search on it E.g. memberOf=CN=Sales,OU=*Distribution Lists,DC=company,DC=com
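
Because a role stored on the appliance does not follow later AD group changes (the two promotion/demotion items above), a periodic comparison of appliance roles against current group membership shows which accounts need a manual role change. This is an added Python example, not KACE code: the role labels "Admin" and "User", the export format, and all account data are assumptions constructed for illustration.

```python
# Added example, not KACE code. Role labels and data shapes are assumptions.
def norm(name: str) -> str:
    """sAMAccountName matching is case-insensitive, so compare lower-cased."""
    return name.strip().lower()


def role_drift(appliance_accounts, admin_group, user_group, reserved=("admin",)):
    """Compare roles stored on the appliance with current directory groups.

    appliance_accounts: {login: role} exported from the appliance
    admin_group / user_group: logins currently in the AD groups that the
    auth sources for the Admin and User roles filter on
    reserved: local accounts that bypass LDAP (the article names 'admin')
    """
    admins = {norm(n) for n in admin_group}
    users = {norm(n) for n in user_group}
    findings = []
    for login, role in sorted(appliance_accounts.items()):
        key = norm(login)
        if key in reserved:
            continue
        in_admin, in_user = key in admins, key in users
        if not (in_admin or in_user):
            # Account still exists on the appliance but matches no auth source.
            findings.append((login, "no_directory_group"))
        elif role == "Admin" and not in_admin:
            # Demoted in AD, still an appliance admin: fix this one first.
            findings.append((login, "stale_admin"))
        elif role != "Admin" and in_admin:
            findings.append((login, "promotion_not_applied"))
    return findings


if __name__ == "__main__":
    # Constructed sample data.
    accounts = {"admin": "Admin", "Gerald": "Admin", "jdoe": "User",
                "asmith": "Admin", "old": "User"}
    for login, finding in role_drift(accounts, ["asmith", "JDOE"], ["gerald"]):
        print(f"{login}: {finding}")
```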

Resources

LDAP Search Filter Syntax http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx
Using Ldp.exe to Find Data in the Active Directory http://support.microsoft.com/kb/224543
LDAP Query Basics http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx
LDAP Exporter http://www.novell.com/coolsolutions/tools/14287.html
