
Directory Configuration

Version: 5.1
Date: 12/28/2010
Copyright Notice
Copyright 2010 by Bradford Networks, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.
Liability Disclaimer
Bradford Networks, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Bradford Networks to inquire if any changes have been made.
The hardware, firmware, or software described in this manual is subject to change without notice.
IN NO EVENT SHALL BRADFORD NETWORKS, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF BRADFORD HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.
Trademark, Service Mark, and Logo Information
Bradford Networks, the Bradford Networks logo, and Bradford Network Sentry are copyrighted by Bradford Networks, Inc. All other trademarks and registered trademarks are the property of their respective owners.
Contact Information
Bradford Networks, Inc., 162 Pembroke Road, Concord, NH 03301 USA
Phone: 603.228.5300
Fax: 603.228.6420
Web site: http://www.bradfordnetworks.com
Information: cm_questions@bradfordnetworks.com
Sales: sales@bradfordnetworks.com
Support: support@bradfordnetworks.com
Document Notes
This document is an excerpt from the larger Administration And Operation document. Links containing page numbers indicate that additional information is provided within this document. For example, see Modify Groups on page 10 for additional information. Links with no page numbers indicate that additional information can be found in the main Administration And Operation document. For example, see Modify Groups for additional information.
Network Sentry Administration And Operation
Contents
Directory 1
Authenticate Using A Domain Name 1
Directory Set Up Requirements 3
Directory Configuration - Add Pingable Device 4
Directory Configuration 5
Create A Keystore For SSL Or TLS Communications To LDAP 8
Attribute Mappings 14
Passive Registration Using The Domain Controller 22
Directory Synchronization 32
Directory
A directory is a database that contains the records of an organization's members. You can organize the members into groups within the directory. If configured in Network Sentry, the Directory can be used to authenticate network users. If you have chosen LDAP authentication in the Portal Configuration window, you must configure a Directory in Network Sentry. See Portal Configuration.
The Directory Plug-in validates the user and populates the user record in the Network Sentry databases with user-specific information before they are allowed access to the network. Commonly used directories are Microsoft's Active Directory (AD) and Novell's eDirectory. Network Sentry uses the LDAP protocol to communicate with an organization's directory.
A user's record is made up of fields that contain information about the user such as first name, last name, and email address. The name of a field in a directory is defined by a schema. For example, the schema specifies that a user's first name is stored in a field with an attribute name of "givenname". This attribute name is used when retrieving a user's first name from the record. Attribute names can vary from directory to directory, so Network Sentry allows you to define your own fields. Users in an OU in the Directory are populated into a group in Network Sentry if the Distinguished Name (DN) attribute is entered in the Directory group attribute mappings view.
Authenticate Using A Domain Name
If you chose to authenticate using a domain name, you must consider the following:
• When a domain name is specified in the Directory Configuration view and the login includes the matching domain, authentication first uses both the user name and the domain name. If this authentication fails, no further authentications are attempted.
• When a domain name is specified in the Directory Configuration view and the login includes a domain that does not match the Directory Configuration view, the authentication immediately fails.
• When no domain is specified in the Directory Configuration view and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.
• Domain names must be an exact match. For example, if the Directory Configuration view specifies the domain as somedomain.com, a login of john.smith@it.somedomain.com is not authenticated because the domain specified is not an exact match.
• Valid formats for login are: user, user@domain.com and domain\user.
Authenticate Using Domain Names And Multiple Directories
If you are using multiple directories to authenticate users, you must consider the following:
• When one directory is in the Topology view and no domain is specified in the Directory Configuration view, authentication is attempted using the one directory.
• When multiple directories are in the Topology view and no domain is specified in the Directory Configuration view, authentication is attempted against all directories that are in the Topology view. The order in which the directories are processed cannot be controlled, and the first directory that yields a successful authentication is used.
• When multiple directories are in the Topology view and domains are specified for each respective Directory Configuration view, authentication is attempted against all directories. The domain specified in the login must exactly match the domain specified in the Directory Configuration view.
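The rules in the two lists above, worked through as an added example (Python written for this page, not Network Sentry's or Bradford's code): given a login in one of the valid formats and the Domain Name setting of each configured directory, it lists the (directory, user, domain) binds that would be tried, in order. The Directory class, its label field and the function names are illustrative assumptions, and the comparison treats "exact match" as case-sensitive, also an assumption. It makes the operational point concrete: a directory with a blank Domain Name accepts any login and is tried in an unpredictable order alongside the others, so a user name that exists in two such directories may be authenticated by either; setting a domain on each directory is what pins a login to one of them.

```python
"""Model of the domain-name authentication rules (added example, not
Network Sentry code). Directory, plan_attempts and the other names are
assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Attempt = Tuple[str, str, Optional[str]]   # (directory label, user, domain or None)


@dataclass(frozen=True)
class Directory:
    label: str                # illustrative label for one Directory Configuration
    domain: Optional[str]     # the Domain Name field; None when left blank


def parse_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a login in one of the three valid formats into (user, domain).

    Supported formats: user, user@domain.com and domain\\user.
    """
    if "\\" in login:                      # domain\user
        domain, _, user = login.partition("\\")
        return user, (domain or None)
    if "@" in login:                       # user@domain.com
        user, _, domain = login.rpartition("@")
        return user, (domain or None)
    return login, None                     # bare user name


def plan_attempts(login: str, directories: List[Directory]) -> List[Attempt]:
    """Return the binds that would be attempted, in order, for this login.

    Rules from the manual:
    - Directory has a domain: the login's domain must match it exactly;
      one attempt with user and domain, no fallback. A mismatch or a
      missing domain fails immediately.
    - Directory has no domain: if the login carries a domain, try user
      and domain first, then user name only; otherwise user name only.
    Directories without a domain are tried in an order the product does
    not guarantee; this model simply keeps list order. The comparison is
    case-sensitive, an assumption about what "exact match" means.
    """
    user, login_domain = parse_login(login)
    if not user:
        return []
    attempts: List[Attempt] = []
    for d in directories:
        if d.domain is not None:
            if login_domain == d.domain:
                attempts.append((d.label, user, d.domain))
            # mismatch or missing domain: this directory fails, no fallback
        else:
            if login_domain is not None:
                attempts.append((d.label, user, login_domain))
            attempts.append((d.label, user, None))
    return attempts


if __name__ == "__main__":
    dirs = [Directory("corp", "somedomain.com"), Directory("lab", None)]
    for login in ("john.smith@somedomain.com", "john.smith@it.somedomain.com",
                  "somedomain.com\\john.smith", "jane"):
        print(login, "->", plan_attempts(login, dirs))
```

Run it as a script to see the attempt list for each sample login; a login whose list is empty is rejected without any bind being made.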
Directory Set Up Requirements
The following steps provide a basic outline of the procedures required to set up the Directory and its communication with Network Sentry.
1. Model the server containing your directory in the Topology View. Be sure to set the device type to Server. This step sets up the connection to the device containing the Directory application. See Add A Pingable Device.
2. Enable ping on the Directory Server itself. This allows Network Sentry to ping the Directory server and prevents the server icon in the Topology view from displaying in red as if it had lost contact when, in fact, it is in contact via LDAP.
3. Set up the connection between the Directory application and Network Sentry. This step provides login information allowing Network Sentry to connect and communicate with the Directory. See Directory Configuration on page 5.
4. Map directory data fields to Network Sentry data fields. This step allows you to import user and group information into your database. See Attribute Mappings on page 14.
5. Data in your directory can change frequently. Users could be added, removed or modified. These changes need to be incorporated into your Network Sentry database. Create a schedule to synchronize the directory with the Network Sentry database. See Directory Configuration - Schedule Tab on page 12.
6. Optionally, use logon/logoff scripts to register the host machine when a user logs on or off a domain. See Passive Registration Using The Domain Controller on page 22.
Note: If you do not have access to an interface that allows you to view your directory, an LDAP browser is available on your Network Sentry appliance. You may need to access your Directory using this browser to acquire login, group and user information. See Directory Synchronization on page 32 for more information.
Directory Configuration - Add Pingable Device
Use the Add Pingable Device option to add hubs, IPS/IDS, printers, servers, wireless access points, Directory servers and other pingable devices to a domain. The Physical Address (MAC) is required when creating pingable devices if the IP to MAC cannot be resolved when the ARP tables are read.
If you have chosen to authenticate network users with an LDAP directory, the server on which that directory resides must be added in the Topology as a pingable device. For additional information on directories, see Directory on page 1.
Figure 1: Add Pingable Device
1. Click Go > Topology.
2. Select the Domain icon.
3. Right-click a domain and select Add Pingable Device.
4. Enter the Device Name, IP Address, and Physical Address. Physical address is required when you have identified a Rogue host as a device and wish to move it from the Host View to the Topology View. Typically the physical address is read from the device.
5. Select the Device Type from the drop-down list.
Device Type Options: Alarm System, Camera, Card Reader, Cash Register, Dial-up Server, Environmental Control, Gaming Device, Generic Monitoring System, Health Care Device, Hub, IP Phone, IPS/IDS, Linux, Mac OS X, Mobile Device, Network, PBX, Pingable, Printer, Server, StealthWatch, Top Layer IPS, UPS, Unix, VPN, Vending Machine, Windows, Wireless Access Point.
6. Select a Deep Packet Device type from the drop-down list.
Deep Packet Device Type Options: Pingable, StoneGate IPS, TippingPoint SMS, Top Layer IPS, Sourcefire IPS.
7. Click Apply.
Directory Configuration
The Directory Configuration window in the Topology View contains the Connection, User Search Branches, Group Search Branches, and Schedule tabs. Each tab has specific information that must be entered to allow Network Sentry to connect with the Directory and import users and groups.
Before configuring the directory you must be sure to add the server on which the directory resides as a pingable device in the Topology View. See Add A Pingable Device for more information.
Directory Configuration - Connection Tab
The Connection tab contains the Parameters, Security and Access, and Object Classes information required for communication with the Directory. Not all fields are required. Be sure to enter information only in those fields that apply to your directory.
Note: Network Sentry only supports Kerberos with an LDAP Authentication Server. Kerberos is not supported as a stand-alone authentication mechanism.
Figure 2: Active Directory Configuration - Connections Tab
Connections Tab Field Definitions

Parameters

Host Name: Name of the server where the directory is hosted.

Domain Name: Users authenticating using this domain name will be authenticated through this directory. Setting a value here requires all users to supply a domain name during login. Network Sentry authenticates the users to the directory that contains this domain name. If the domain field is blank, Network Sentry performs a look up in this directory.

Primary IP: IP Address of the primary directory server. This server must be added as a device in the Topology View before you can reference it here.

Secondary IP: IP Address of the secondary directory server. This server would be accessed in the event that the Primary server was unavailable. This server must be added as a device in the Topology View before you can reference it here.

Version: The directory version.

Port: The communication port used by the directory.

Time Limit: The time in seconds that Network Sentry waits for a response from the directory. The number of seconds may need to be increased in the Directory or in Network Sentry if the exception "Time Limit Exceeded" begins to be noted more often.

Perform Synchronization: Check this box to synchronize the Primary and Secondary Directory servers.

Removed Users: When checked, users that have been removed from the directory will be removed from the Network Sentry database when the scheduled resynchronization takes place.

Security

LDAP Login: The user login name Network Sentry uses to access the LDAP server. Use a dedicated account that has read access to the user and group search branches and nothing more; its password is stored on the appliance.

LDAP Password: The password for the user login.

Kerberos Login: The Kerberos server name.

Kerberos Password: The Kerberos encryption protocol. Enter keys as required.

Realm: The Kerberos domain name.

KDC: The Kerberos Key Distribution Center. Enter information as required.

Security Protocol: The security protocol used when communicating with the server containing your directory. Options are SSL, TLS, and None. With None, a simple LDAP bind sends the LDAP Login and LDAP Password, and all directory data, across the network unencrypted.
Note: If SSL or TLS is chosen you must have a security certificate from a Certificate Authority. The certificate must be stored in the following directory on your appliance: /bsc/campusMgr/ See Create A Keystore For SSL Or TLS Communications To LDAP for instructions on importing and storing certificates.

Key Store File, Secondary Key Store File: These fields have been removed. Certificates must be stored in /bsc/campusMgr/

Password Encryption: Options are based on the standard Java-supported encryption techniques. Select the encryption to be used when communicating with the server.

Object Classes (Active Directory / Novell)

User Object Class: User / Person

Group Object Class: Group
The Administrator must enter the specific connection information for the Directory server used for user authentication. The Security information required varies depending on the type of directory you are using. Be sure to enter only the data required for your directory type.
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Configuration.
5. Click the Connection tab and enter the connection information.
6. Click Apply.
7. Click Test to verify the connection.
8. If Network Sentry is able to connect to the Directory successfully, a Connection Established information box will appear.
9. To ensure that the user data is available to Network Sentry, you must also complete the User Search Branches and Group Search Branches tabs. See Directory Configuration - User Search Branches Tab on page 10 and Directory Configuration - Group Search Branches Tab on page 11.
Create A Keystore For SSL Or TLS Communications To LDAP
If you choose to use the SSL or TLS security protocols for communications with your LDAP directory, you must have a security certificate. Obtain a valid certificate from a Certificate Authority and save it to a specific directory on your Network Sentry appliance. The keytool command below imports it as a trusted certificate, so what the keystore needs is the certificate Network Sentry should trust when it validates the directory server, normally the certificate of the CA that issued the directory server's certificate.
SSL or TLS protocols are selected on the Directory Configuration window when you set up the connection to your LDAP directory. See Directory Configuration - Connection Tab on page 5 for information on configuring the connection to your LDAP directory. Follow the steps below to import your certificate.
Note: You should be logged in as root to follow this procedure.
1. When you have received your certificate from the Certificate Authority, copy the file to the /bsc/campusMgr/ directory on your Network Sentry appliance.
2. From the /bsc/campusMgr/ directory (the -keystore argument is a relative path, so the keystore must end up as /bsc/campusMgr/.keystore), use the keytool command to import the certificate into the keystore file. For example, if your certificate file is named MainCertificate.der, you would type the following:
keytool -import -trustcacerts -alias <alias> -file MainCertificate.der -keystore .keystore
Note: Depending on the file extension of your certificate file, you may need to modify the command shown above. For additional information on using the keytool key and certificate management tool go to the Sun web site java.sun.com.
3. When keytool responds with the Trust this certificate? prompt, check that the fingerprint it prints matches the one published by your Certificate Authority, then type Yes and press Enter.
4. At the prompt for the keystore password, type the following password and press Enter:
^8Bradford%23
Note: This password is fixed and printed in this manual, so it does not protect the keystore. Whoever can write /bsc/campusMgr/.keystore can add a certificate that Network Sentry will trust; keep the file owned by root and not writable by other accounts.
5. To view the certificate, navigate to the /bsc/campusMgr/ directory and type the following:
keytool -list -v -keystore .keystore
6. Type the password used to import the certificate and press Enter.
Note: The keystore is cached on startup. Therefore, it is recommended that you restart Network Sentry after making any changes to the keystore.
Directory Configuration - User Search Branches Tab
The User Search Branches tab is where the Administrator enters the specific User Search Branches information for the Directory server. This tells Network Sentry where the user information is located in the Directory. Use the narrowest branch that contains the accounts Network Sentry needs to see; a branch at the domain root makes every user object beneath it subject to lookup.
Figure 3: Active Directory Configuration - User Search Branches Tab
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Configuration.
5. Click the User Search Branches tab.
6. Click Add to add new search branch information.
7. Click in the Distinguished Name (DN) field, enter the DN, and then click Apply.
8. To remove an entry in the User Search Branches list click Remove, select the entry to be removed, and then click Apply.
9. Continue with Directory Configuration - Group Search Branches Tab on page 11.
Directory Configuration - Group Search Branches Tab
The Group Search Branches tab is where the Administrator enters the specific Group Search Branches information for the Directory server. This tells Network Sentry where the group information is located in the Directory.
Figure 4: Active Directory Configuration - Group Search Branches Tab
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Configuration.
5. Click the Group Search Branches tab.
6. Click Add to add new search branch information.
7. Click in the Distinguished Name (DN) field, enter the DN, and then click Apply.
8. To remove an entry in the Group Search Branches list click Remove, select the entry to be removed, and then click Apply.
9. If this is the initial setup of your Directory, continue with Attribute Mappings on page 14.
Directory Configuration - Schedule Tab
The Schedule tab allows the Administrator to select a date/time and poll interval for the directory synchronization task. The scheduled task may also be paused and run manually later. This process adds the Synchronize Users with Directory task to the Scheduler View.
When the Directory and Network Sentry are synchronized, changes made to users in the Directory are written to the corresponding user records in the database. Users from the Directory are only added to the Network Sentry database when they connect to the network and register. Directory groups are added to Network Sentry each time a synchronization occurs. Groups created in the directory are displayed in Network Sentry on the Groups View. Specific directory groups can be disabled from Attribute Mappings. See Attribute Mappings - Group Tab on page 20.
If you are using a directory for authentication, user data is updated from the directory based on the User ID during synchronization. This is true regardless of how the user was created and whether the user is locally authenticated or authenticated through the directory. If the User ID on the user record matches a User ID in the directory, the Network Sentry database is updated with the directory data. Note that the match is on User ID alone: a locally created user whose ID happens to equal a directory User ID will have its record overwritten with the directory's data at the next synchronization.
Figure 5: Directory Configuration - ScheduIe Tab
Schedule Tab Field Definitions
Schedule Interval: Poll interval for the scheduled task. Options are Minutes, Hours, or Days.
Next Scheduled Time: The next date/time the scheduled synchronization task will run. Entered in the format MM/DD/YY HH:MM AM/PM.
Pause: When selected, the scheduled synchronization task is paused and does not run automatically. To run the paused task go to the Scheduler View and run the task manually. See Scheduler View for more information.
Schedule Directory Resynchronization
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Configuration.
5. Click the Schedule tab.
6. Set a Schedule Interval by entering a number and selecting Minutes, Hours, or Days from the drop-down menu.
7. Click in the Next Scheduled Time field and enter the date/time to run the synchronization task.
8. To pause the scheduled task, click in the Pause box.
Note: If the scheduled task is paused, the Administrator can go to the Scheduler view and run the task manually to synchronize the directory with Network Sentry. See Scheduler View for details.
9. Click Apply.
Attribute Mappings
To add users from an LDAP compliant directory, the customer user database schema must be mapped to the Network Sentry user data. Attributes can be mapped for users and groups by selecting the tabs across the top of the window.
If a user in the directory has multiple attributes with the same attribute ID, Network Sentry uses the first one it finds. For example, if a record looked like the one shown below, Network Sentry would use staff.
eduPersonAffiliation=staff
eduPersonAffiliation=employee
eduPersonAffiliation=alum
eduPersonAffiliation=student
LDAP does not define an order for the values of a multi-valued attribute, so "first" means whichever value the directory server happens to return first. Do not map a field that drives policy, such as Security Attribute, to a multi-valued attribute unless every value would give the same result.
Attribute Mappings - User Tab
The Attribute Mappings for the user are entered on the User Tab. The AD attributes are mapped on this form for User Description, Contact, Hardware, and Security and Access. This allows Network Sentry to retrieve the user information based on the User Search Branches configured on the Directory Configuration window. See Directory Configuration - Connection Tab on page 5.
The LDAP browser may be used to see the attributes from the directory. The LDAP browser is located on the appliance at the following:
http://<Host Name>:8080/runTime/tools/ldapbrowser/applet.html
OR
https://<Host Name>:8443/runTime/tools/ldapbrowser/applet.html
Prefer the https form; the http form exchanges the applet and your browsing session with the appliance in clear text.
Enter User Attribute Mappings
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Attribute Mappings.
5. Click the User tab.
6. Enter the user attribute mappings. See the User Tab - Directory Attributes Table on page 16 for the list of attributes.
Important: The Last Name and Identifier (ID) fields are required entries.
7. Click Apply to save the information.
Figure 6: Active Directory Attribute Mappings - User Tab
User Tab - Directory Attributes Table
User Tab - Directory Attributes Table
Each entry gives the user attribute, the Active Directory attribute and the Novell attribute. Attributes marked * are required.
First Name: givenName / givenName
Last Name *: sn / sn
Identifier (ID) *: sAMAccountName / cn
Title: (none listed)
E-mail: userPrincipalName / (none listed)
Address: streetAddress / mailstop
City: l / city
State: st / S
Zip/Postal Code: postalCode / (none listed)
Phone: telephoneNumber / Telephone Number
Host Name: (none listed)
Host Description: (none listed)
Serial Number: (none listed)
Physical Address: (none listed)
Security Attribute: The Directory Attribute used when determining which security policy the hosts are scanned against. Data contained in this field is copied to the Security and Access value field on the User Properties and the Host Properties record for each user and associated host when the directory synchronizes with the database.
Allowed Host Records: The number of host records each individual user may have in Network Sentry.
Role: Name of the role assigned to the user.
Disabled Attribute: Setting this attribute allows the AD Administrator to disable users in Active Directory and have all instances of the user automatically disabled in Network Sentry when the next scheduled resync occurs. Attribute = userAccountControl
Important: Disabled users are able to access the network until Network Sentry resynchronizes with the Active Directory. To immediately disable all instances of the user in Network Sentry, go to the Scheduler View and run the Synchronize Users with Directory task. See Scheduler View for more information. The schedule interval therefore bounds how long a disabled account keeps network access; choose it with that in mind.
Disabled Value: When the value of the Disabled Attribute for the user equals the Disabled Value, Network Sentry disables all instances of the user when the next scheduled resync with AD occurs. The user must have previously been disabled in AD. The Disabled Value may vary from directory to directory. Check a user that is currently disabled in the directory to see what the disabled value should be. Enter that value in the Disabled Value field.
Note: If you are using Active Directory, it is possible for the Disabled Value to vary from user to user. The value is affected by other account settings selected within the directory, such as Password Never Expires or User Must Change Password At Next Login. You may only be able to set the Disabled Value for users that have identical account settings.
Time To Live: The name of the directory attribute that contains the numerical value for the user age time. If the attribute does not have a value the user age time is not set by the directory. Age time can also be set using the Network Sentry Properties window or on the User Properties window for an individual user. All of these options simply modify the Expiration Date on the User Properties window. See User Properties.
Time to Live Units: The time unit set in the User Properties age time if the Time to Live attribute contains a value. Options: Hours or Days
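Why the Disabled Value can differ between users, shown as an added example (Python written for this page, not Network Sentry's code). Active Directory's userAccountControl is a bit field: ACCOUNTDISABLE is bit 0x0002, and flags such as NORMAL_ACCOUNT (0x0200) and DONT_EXPIRE_PASSWORD (0x10000) change the integer without changing whether the account is disabled, which is why an equality test against a single Disabled Value only matches users with identical settings. The sample accounts are constructed and the function names are assumptions. The ad_disabled_filter() string uses the standard AD bitwise-AND matching rule and can be pasted into the appliance's LDAP browser to list every disabled account together with the userAccountControl values actually in use, which is the quickest way to see how many distinct Disabled Values your directory would need.

```python
"""Why one Disabled Value is fragile for Active Directory (added example,
not Network Sentry code). userAccountControl is a bit field; the
ACCOUNTDISABLE bit is the same for every disabled user, but the whole
integer differs whenever other flags differ. The user records below are
constructed for illustration."""
from typing import Dict, List, Tuple

# Bit names and values from the Active Directory userAccountControl attribute.
UAC_FLAGS: List[Tuple[int, str]] = [
    (0x0002, "ACCOUNTDISABLE"),
    (0x0010, "LOCKOUT"),
    (0x0020, "PASSWD_NOTREQD"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWORD"),
    (0x40000, "SMARTCARD_REQUIRED"),
]
ACCOUNTDISABLE = 0x0002

# Constructed sample records: sAMAccountName -> userAccountControl value.
SAMPLE_USERS: Dict[str, int] = {
    "alice": 512,    # NORMAL_ACCOUNT, enabled
    "bob": 514,      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66050,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "dave": 66048,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
}


def describe(uac: int) -> List[str]:
    """Name the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in UAC_FLAGS if uac & bit]


def disabled_by_value(uac: int, disabled_value: int) -> bool:
    """The equality test the Disabled Attribute / Disabled Value mapping performs."""
    return uac == disabled_value


def disabled_by_flag(uac: int) -> bool:
    """Bit test: true for every disabled account, whatever the other flags are."""
    return bool(uac & ACCOUNTDISABLE)


def compare(users: Dict[str, int], disabled_value: int = 514) -> Tuple[List[str], List[str]]:
    """Return (users matched by the equality test, users that are really disabled)."""
    by_value = sorted(u for u, uac in users.items() if disabled_by_value(uac, disabled_value))
    by_flag = sorted(u for u, uac in users.items() if disabled_by_flag(uac))
    return by_value, by_flag


def ad_disabled_filter() -> str:
    """LDAP filter matching disabled accounts via the AD bitwise-AND matching
    rule (OID 1.2.840.113556.1.4.803); usable in the appliance's LDAP browser
    to list every disabled user and the userAccountControl values in use."""
    return "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=%d))" % ACCOUNTDISABLE


if __name__ == "__main__":
    matched, really_disabled = compare(SAMPLE_USERS)
    missed = sorted(set(really_disabled) - set(matched))
    print("Disabled Value 514 matches:", matched)
    print("Actually disabled:", really_disabled)
    print("Missed by the equality test:", missed)
    for u in missed:
        print(" ", u, SAMPLE_USERS[u], describe(SAMPLE_USERS[u]))
    print("Filter for the LDAP browser:", ad_disabled_filter())
```

With Disabled Value set to 514, carol (66050, disabled with Password Never Expires) is not matched and stays enabled in Network Sentry after the resync; with 66050 it is bob who is missed. Run the filter in the LDAP browser, note each distinct userAccountControl value it returns, and plan for each of them.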
Preview Directory Users
At the bottom of the User tab, click Preview to view the list of users that are found in the directory. User records in the directory are not listed until a parameter is selected and its associated value is entered in the Search field.
Note: The Directory Configuration must be completed before any records can be previewed. See Directory Configuration - Connection Tab on page 5 for additional information.
Figure 7: Directory Attribute Mappings - User Preview
To view user records:
1. Select a parameter from the drop-down list.
2. Enter the value in the text field next to the parameter.
Use asterisks (*) as wild cards in text fields if you know only a portion of a name. The wild card represents any characters. Searches are not case-sensitive.
For example, enter B* in the text field and select the First Name parameter to locate all records where B is the first character in the First Name field.
3. Click Search.
WARNING: Entering just the wild card in the text field returns every record in the directory and may cause time or size limit exceeded errors to occur depending on the total number of records.
Important: This is a view only list and is NOT imported into Network Sentry. The user information is only imported into the Network Sentry database as the user registers. The Sync Directory task in the Scheduler View is used to update user information already in the Network Sentry database with any changes made in the Directory database. See Scheduler View for additional information.
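How the Preview search and its rules translate into an LDAP query, as an added example (Python written for this page, not Network Sentry's code). It maps the Preview parameter to the Active Directory attribute from the User Tab table, escapes the typed value so that parentheses and backslashes cannot alter the filter structure while keeping '*' as the wildcard, refuses a value that is nothing but wildcards (the case the WARNING describes), and applies the case-insensitive wildcard match to a few constructed records. The mapping dictionary, record set and function names are assumptions for illustration; the RFC 4515 escape sequences and the objectClass=user restriction (the Active Directory User Object Class above) are standard LDAP.

```python
"""Building and matching a Preview search (added example, not Network
Sentry code). Shows how the parameter/value pair from the Preview form
turns into an LDAP search filter, why the value must be escaped, and the
wildcard and case rules the manual states. Attribute names follow the
Active Directory column of the User Tab table; records are constructed."""
import re
from typing import Dict, List

# Parameter label on the Preview form -> directory attribute (AD column).
USER_TAB_MAPPING: Dict[str, str] = {
    "First Name": "givenName",
    "Last Name": "sn",
    "Identifier (ID)": "sAMAccountName",
    "E-mail": "userPrincipalName",
}
USER_OBJECT_CLASS = "user"   # the Object Classes field for Active Directory

# Constructed sample directory entries.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith"},
    {"sAMAccountName": "bjones", "givenName": "barbara", "sn": "Jones"},
    {"sAMAccountName": "cdoe", "givenName": "Carol", "sn": "Doe"},
]


def escape_value(value: str) -> str:
    """RFC 4515 escaping for a filter assertion value, keeping '*' as a wildcard.

    Without this, a value such as 'B*)(sAMAccountName=*' would change the
    structure of the filter instead of being searched for literally.
    """
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\5c")
        elif ch == "(":
            out.append("\\28")
        elif ch == ")":
            out.append("\\29")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_preview_filter(parameter: str, value: str) -> str:
    """Turn a Preview parameter and value into a filter restricted to user objects.

    A value that is nothing but wildcards is refused: it would return every
    record and risk the time/size limit exceeded errors the warning describes.
    """
    attribute = USER_TAB_MAPPING[parameter]
    if value.replace("*", "").strip() == "":
        raise ValueError("search value must contain more than a wild card")
    return "(&(objectClass=%s)(%s=%s))" % (USER_OBJECT_CLASS, attribute, escape_value(value))


def matches(pattern: str, attribute_value: str) -> bool:
    """Apply the manual's wildcard semantics: '*' is any characters, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, attribute_value, re.IGNORECASE) is not None


def preview(records: List[Dict[str, str]], parameter: str, value: str) -> List[str]:
    """Return the IDs of the records the Preview would list, in sorted order."""
    build_preview_filter(parameter, value)          # validates the value first
    attribute = USER_TAB_MAPPING[parameter]
    return sorted(r["sAMAccountName"] for r in records
                  if matches(value, r.get(attribute, "")))


if __name__ == "__main__":
    print(build_preview_filter("First Name", "B*"))
    print(build_preview_filter("Last Name", "B*)(sAMAccountName=*"))
    print(preview(SAMPLE_RECORDS, "First Name", "b*"))
```

The second printed filter shows the injection attempt neutralised: the parentheses arrive at the server as \28 and \29 inside the sn value rather than as new filter terms.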
Attribute Mappings - Group Tab
The Attribute Mappings for a group are entered on the Group Tab. The AD attributes are mapped on this form for Group Name, Members, and Distinguished Name. This allows Network Sentry to retrieve the group information based on the Group Search Branch configured on the Directory Configuration window. See Directory Configuration - Group Search Branches Tab on page 11. Groups created in the directory are imported into Network Sentry each time the Directory Synchronization task is run, either manually or by the Scheduler.
Figure 8: Directory Attribute Mappings - Group Tab
1. Click Go > Topology.
2. Click the Network Sentry icon to expand it.
3. Click the Directories icon to expand it.
4. Right-click the Directory icon and select Attribute Mappings.
5. Click the Group tab.
6. Enter the group attribute mappings.
Group Attributes (Active Directory / Novell):
Group Name: name / cn
Group Members: member / member
Distinguished Name (DN): dn / (none listed)
Note: If an attribute for Distinguished Name (DN) is supplied, the users beneath an OU will be treated as a group.
7. Click Apply to save the information.
8. Click Preview to view the directory's list of groups and their member counts. Group/User information can also be imported from this view.
Figure 9: Directory Attribute Mappings - Group Preview
All the groups in the Directory are listed along with the number of member records contained in each group. The total number of groups is displayed at the top of the list.
9. To import groups of user records from the Directory to the Network Sentry database when the Directory Synchronization scheduled task runs:
a. Select the groups to be imported by checking the box(es) next to the group name in the Groups Preview window.
b. Click Apply.
Passive Registration Using The Domain Controller
You can configure Network Sentry to automatically run logon and logoff scripts and register the host machine when a user logs on or off a domain. This process allows users to be tracked as they use various machines on the network. The registration process is not visible to the user. Logon and logoff scripts are provided, but must be customized for your configuration.
To use login or logout scripts, you must be using an LDAP directory for authentication and it must be configured in Network Sentry. See Directory Set Up Requirements on page 3 for an overview of configuring your Directory.
Make sure that Authentication is enabled. See Authentication.
Host Registration vs Device Registration
Login scripts contain variables for registering machines as hosts or as devices. If you register a machine as a host it uses an Access Manager license and is associated with a user. If you register a machine as a device it uses a Shared Access Tracker license and an underlying Device Tracker license. It is not associated with a specific user.
Customize Login And Logout Scripts
Network Sentry allows you to register hosts using login and logout scripts. These scripts are provided for you on the appliance. They contain variables that must be modified to match your environment and requirements. Scripts are located in the following directory:
/bsc/campusMgr/ui/runTime/config/ldap
Scripts that should be modified include sendLogIn.vbs and sendLogOut.vbs. If you are using Guest Manager you may need to modify the gcsLogin.vbs script. It is recommended that you review the comments contained within the scripts. They contain the most up-to-date information about variables that can be used and additional parameters that can be set.
To use the scripts they must be copied to the directory server, such as your Active Directory Server. After they have been copied, use the information in the Variables on page 24 and Trap Parameters on page 26 tables below to modify the necessary parameters. To receive traps from the scripts, you must also copy snmptrap.exe and libsnmp.dll to the directory server, in the same directory that contains the scripts. These two files are located on the Network Sentry server in the same directory as the scripts. Because host registration is driven by these traps, limit the hosts that are allowed to send traps to the appliance to the directory servers that run the scripts.
Registration Types
There are two types of registration that can be done using scripts. A machine can be registered as a host with an associated user or as a device with no identity. When a machine is registered as a device, the host name of the device is used. Machines can also be left as rogues.
If you are registering shared machines, such as computers in a lab, you may want to modify the script to register the computers as devices. These computers use a Shared Access Tracker License for the user logged into the machine and an underlying Device Tracker License for the computer itself. See License Types And Usage for additional information on licenses.
Registration Type / Settings / Licenses Used
Host / User: Register the machine as a host by user name.
Settings: REG_ROGUE = "0", REG_BY_USER = "1"
Licenses used: 1 Access Manager license
Device: Register the machine as a device by host name.
Settings: REG_ROGUE = "0", REG_BY_USER = "0"
Licenses used: 1 Shared Access Tracker License, 1 Device Tracker License
Registration Examples
Figure 10: User View - Registration Type Host/User
Figure 11: Host View - Registration Type Host/User
In the two examples above, the login script was set to register by user. Both the machine and the user are shown, first from the User View and second from the Host View. The machine shows as Type - Registered, indicating that it is registered to a user. The machine is associated with (Registered To) the user, and the combination uses one Access Manager License.
Figure 12: User View - Registration Type Device
Figure 13: Host View - Registration Type Device
In the two examples above, the login script was set to register by device. Both the machine and the user are shown, but there is no association between the machine and the user. The User View example shows Type - Logged On, indicating that the user is logged onto this machine but that the machine is not Registered to a user; the Registered To field is blank. The Host View represents the actual computer. The User View represents the temporary user who logged into the machine. This registration type uses one Device Tracker License and one Shared Access Tracker License. When the user logs out, the Shared Access Tracker License is released. Both the user and the machine remain in the database, but their association is severed.
Variables

Required Variables

ACTION
Indicates whether this script is for logon or logoff.
Type = Integer
Logoff = 0
Logon = 1
Logon Started = 2
Example: ACTION = "1"

REG_ROGUE
When Register is enabled, the machine is registered either by user name or as a device by host name, depending on the REG_BY_USER setting. If Do not register is enabled, the machine remains a rogue.
Type = Integer
Register = 0
Do not register = 1
Example: REG_ROGUE = "0"

WHITELIST
If enabled, adds the machine to the Forced User Authentication Exceptions group. A user logging in on a machine in this group is not forced to authenticate, so enable this only for machines that are meant to bypass that check. Default is disabled.
Type = Integer
Do not add = 0
Add = 1
Example: WHITELIST = "0"

REG_BY_USER
Registers the machine by user name as a host, or by host name as a device.
Type = Integer
Register as device = 0
Register by user name = 1
Example: REG_BY_USER = "0"

DIRECTORY_SERVER
Your Active Directory server. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.
Example: DIRECTORY_SERVER = "192.168.102.2"
Example: DIRECTORY_SERVER = "bradfordnetworks.com"

DIRECTORY_SHARED
The Active Directory server's shared directory where the login/logoff scripts, snmptrap.exe and libsnmp.dll are stored. If you have more than one Active Directory server for failover, it is recommended that you use your domain name instead of the IP address.
Example: DIRECTORY_SHARED = "\\192.168.102.2\sysvol\eng.local\scripts\"
Example: DIRECTORY_SHARED = "\\bradfordnetworks.com\sysvol\eng.local\scripts\"
Novell Specific Variables

USE_ENV_USERNAME
Indicates whether or not the user name should come from another variable. To enable, set this to True. If you are not using Novell, or if the User Name entered at login is sufficient, set this to False.
Example: USE_ENV_USERNAME = False

ENV_USERNAME_VARIABLE
The environment variable containing the User Name. This value is used only if USE_ENV_USERNAME is set to True.
Example: ENV_USERNAME_VARIABLE = "%NWUSERNAME%"
Optional Changes - Sample

Wscript.Sleep 5000
Add this line before the last "End If" statement. It makes the script wait 5 seconds, allowing more time for processes to start or finish:

    REM Wait 5 seconds before the final End If
    Wscript.Sleep 5000
End If
Next
End Function

You may choose to make other modifications to the script to accommodate requirements outside Network Sentry. For example, you may choose to add a timer that waits a few seconds before ending the script.
Trap Parameters
The login and logout scripts send a trap to Network Sentry that contains the values of the variables listed above along with registration parameters for the user. For the login scripts to send traps to Network Sentry, snmptrap.exe and libsnmp.dll must be copied to the directory server in the same location as the login scripts. These two files are on the Network Sentry server in the /bsc/campusMgr/ui/runTime/config/ldap directory.
OID    Description        Definition
1.1    Action             Value of the ACTION variable.
1.2    User Name          User name of the person logging in or out. Type = String
1.3    Machine Name       Hostname of the machine used to log in or out. Type = String
1.4    Machine IP         IP address of the machine used to log in or out. Type = IP Address
1.5    Machine MAC        MAC address of the machine used to log in or out. Type = String
1.8    Operating System   Operating system of the machine used to log in or out. Type = String
1.10   Register Rogue     Value of the REG_ROGUE variable.
1.11   Whitelist          Value of the WHITELIST variable.
1.12   Register by User   Value of the REG_BY_USER variable.
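The trap fields above and the Registration Types table are easiest to check end to end in code. What follows is an added example in Python; it is not code from this document or from Network Sentry. It is a receiver-side decoder that maps the varbinds to named fields, rejects a trap whose values are missing, mistyped or out of range, and then applies the Registration Types table to say what record is created and which licenses it consumes or releases. The enterprise base OID (BASE_OID), the Python field names and the sample traps are this example's own assumptions; the page gives only the relative OIDs 1.1 through 1.12.

```python
"""Decode and validate a Network Sentry registration trap (added example)."""
import ipaddress
import re

# Assumption: a placeholder enterprise base under which the page's relative
# OIDs (1.1 ... 1.12) hang. The real Network Sentry base OID is not on the page.
BASE_OID = "1.3.6.1.4.1.0.1"

# Relative OID -> field, from the Trap Parameters table (1.6, 1.7, 1.9 are not listed).
FIELDS = {
    "1.1": "action", "1.2": "user_name", "1.3": "machine_name",
    "1.4": "machine_ip", "1.5": "machine_mac", "1.8": "operating_system",
    "1.10": "reg_rogue", "1.11": "whitelist", "1.12": "reg_by_user",
}
ACTIONS = {0: "logoff", 1: "logon", 2: "logon_started"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_trap(varbinds, base_oid=BASE_OID):
    """Map (oid, value) pairs to named fields and type-check every value.

    Returns (fields, errors). A trap with errors must be dropped, not defaulted:
    these values decide whether a host is registered, to whom, and whether
    forced user authentication is skipped for it.
    """
    fields, errors = {}, []
    prefix = base_oid + "."
    for oid, value in varbinds:
        if not oid.startswith(prefix):
            continue                      # some other trap's varbind
        name = FIELDS.get(oid[len(prefix):])
        if name is None:
            errors.append(f"unknown OID {oid}")
            continue
        fields[name] = value

    # ACTION is 0/1/2; the three registration flags are 0/1 (Type = Integer).
    for name, allowed in (("action", ACTIONS), ("reg_rogue", (0, 1)),
                          ("whitelist", (0, 1)), ("reg_by_user", (0, 1))):
        raw = fields.get(name)
        try:
            fields[name] = int(raw)
        except (TypeError, ValueError):
            errors.append(f"{name} missing or not an integer: {raw!r}")
            continue
        if fields[name] not in allowed:
            errors.append(f"{name} out of range: {fields[name]}")

    for name in ("user_name", "machine_name"):
        if not fields.get(name):
            errors.append(f"{name} is empty")
    try:
        fields["machine_ip"] = str(ipaddress.ip_address(fields.get("machine_ip") or ""))
    except ValueError:
        errors.append(f"machine_ip is not an IP address: {fields.get('machine_ip')!r}")
    if not MAC_RE.match(fields.get("machine_mac") or ""):
        errors.append(f"machine_mac is malformed: {fields.get('machine_mac')!r}")
    return fields, errors


def registration_outcome(fields):
    """Apply the Registration Types table to a validated trap."""
    outcome = {"action": ACTIONS[fields["action"]],
               "forced_auth_bypass": fields["whitelist"] == 1,
               "consumes": [], "releases": []}
    if fields["reg_rogue"] == 1:
        outcome["type"], licenses = "rogue", []            # stays a rogue
    elif fields["reg_by_user"] == 1:
        outcome["type"], licenses = "host/user", ["Access Manager"]
    else:
        outcome["type"], licenses = "device", ["Shared Access Tracker", "Device Tracker"]
    if fields["action"] == 1:
        outcome["consumes"] = licenses
    elif fields["action"] == 0:
        # Logoff: the page says a device registration releases its Shared Access
        # Tracker license and the Device Tracker license stays with the computer.
        outcome["releases"] = [l for l in licenses if l == "Shared Access Tracker"]
    return outcome


def handle_trap(varbinds):
    """Validate, then decide. Returns (None, errors) for a trap that must be refused."""
    fields, errors = parse_trap(varbinds)
    if errors:
        return None, errors
    return registration_outcome(fields), []


# Constructed sample traps, not captured from a real system.
LAB_LOGON = [(BASE_OID + rel, val) for rel, val in (
    (".1.1", "1"), (".1.2", "jdoe"), (".1.3", "LAB-PC-07"),
    (".1.4", "192.168.102.45"), (".1.5", "00:1A:2B:3C:4D:5E"),
    (".1.8", "Windows 7"), (".1.10", "0"), (".1.11", "0"), (".1.12", "0"))]
BAD_TRAP = [(BASE_OID + rel, val) for rel, val in (
    (".1.1", "7"), (".1.2", ""), (".1.3", "X"), (".1.4", "not-an-ip"),
    (".1.5", "00:1A:2B"), (".1.10", "0"), (".1.11", "1"), (".1.12", "0"))]

if __name__ == "__main__":
    print(handle_trap(LAB_LOGON))
    print(handle_trap(BAD_TRAP))
```

The point of the validation step is that REG_ROGUE, REG_BY_USER and WHITELIST arrive as strings in a trap and are then used to create records and consume licenses; a receiver should refuse a trap with an unexpected value rather than fall back to a default.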
Active Directory Setup For Passive Registration
Passive registration can be set up for one or more groups of users. These instructions cover Guest users and regular Network Sentry users.
1. Using the LDAP Browser on page 32, copy the following files from the runtime area
<Host Name>/ui/runTime/config/ldap
to the AD shared directory, generally located at:
/WINNT/SYSVOL/<domainname>/sysvol/scripts
Files to be copied for Network Sentry users:
sendLogIn.vbs, sendLogOut.vbs, snmptrap.exe, libsnmp.dll
Files to be copied for Guest users:
gcsLogin.vbs, sendLogOut.vbs, snmptrap.exe, libsnmp.dll
Note: Permissions should be set such that all users may read and execute all of the files. Do not grant ordinary users write access: these scripts run at every logon, so anyone able to modify them can run code as every user who logs on.
2. If you have not already done so, customize the scripts so that they take your network setup into account. See Customize Login And Logout Scripts on page 22 for detailed information.
3. Configure AD to use the following scripts:
Network Sentry users: sendLogIn.vbs and sendLogOut.vbs
Guest users: gcsLogin.vbs and sendLogOut.vbs
a. Start the Active Directory Users & Computers application.
b. Click the domain name in the Tree panel to select it.
c. Right-click and select Properties.
d. In the Properties window, click the Group Policy tab.
e. Double-click the policy (Default Domain Policy) that will enable the scripts.
f. In the Group Policy window click the plus sign (+) next to the User Configuration folder, then click the plus sign (+) next to the Windows Settings folder, and click Scripts (Logon/Logoff).
g. In the right panel of the Group Policy view, double-click the logon script to launch the Logon Properties view. Click the Add button, then click the Browse button and navigate to the sysvol folder where the files were copied in step 1.
For Network Sentry users select: sendLogIn.vbs
For Guest users select: gcsLogin.vbs
h. Once the script file has been added, click OK.
i. In the right panel of the Group Policy view, double-click the logoff script to launch the Logoff Properties view. Click the Add button, then click the Browse button and navigate to the sysvol folder where the files were copied in step 1.
For Network Sentry users select: sendLogOut.vbs
For Guest users select: sendLogOut.vbs
j. Once the script file has been added, click OK.
4. In the Group Policy view, click New to add a new policy for each group of users.
For Network Sentry users change the name to CM_Policies.
For Guest users change the name to Guest_Policies.
5. Double-click the new policy. The Group Policy window will appear.
6. In the Group Policy window click the plus sign (+) next to the User Configuration folder, then click the plus sign (+) next to the Windows Settings folder, and click Scripts (Logon/Logoff).
a. In the right panel of the Group Policy view, double-click the logon script to launch the Logon Properties view. Click the Add button, then click the Browse button and navigate to the NETLOGON directory on the domain controller.
For Network Sentry users select: sendLogIn.vbs
For Guest users select: gcsLogin.vbs
b. Once the script file has been added, click OK.
c. In the right panel of the Group Policy view, double-click the logoff script to launch the Logoff Properties view. Click the Add button, then click the Browse button and navigate to the NETLOGON directory on the domain controller.
For Network Sentry users select: sendLogOut.vbs
For Guest users select: sendLogOut.vbs
d. Once the script file has been added, click OK.
7. In the Group Policy window for the policy created in step 4, click the plus sign (+) in front of the User Configuration folder.
8. Click the plus sign (+) in front of the Administrative Templates folder, then click the plus sign (+) in front of the System folder. Click the Logon/Logoff folder.
9. Enable the following policies by double-clicking each one, clicking Enable, and then clicking OK.
For Network Sentry users enable:
Run logon scripts visible
Run logoff scripts visible
Run logon scripts synchronously
For Guest users enable:
Run gcsLogin.vbs script visible
Run logoff scripts visible
Run gcsLogin.vbs scripts synchronously
Note: Visible mode only needs to be enabled for the testing period. Once the Administrator has determined that the logon/logoff scripts are working, running in visible mode can be disabled.
10. Roll the policy changes out to the hosts. AD has built-in delays, so reboot the hosts if the scripts fail to run. The delay can be shortened by setting the "Group Policy refresh interval for users" policy to a shorter time period. This policy is located in the User Configuration folder.
This Microsoft article explains the above in detail:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241
Novell Setup For Passive Registration
This setup can be used for regular Network Sentry users or for Guest users. The following steps are only necessary on a PC platform:
1. Using the LDAP Browser, copy the files listed below from the Network Sentry directory /bsc/campusMgr/ui/runTime/config/ldap to the directory from which the scripts are run.
For Network Sentry users copy:
sendLogIn.vbs, sendLogOut.vbs, snmptrap.exe, libsnmp.dll
For Guest users copy:
gcsLogin.vbs, sendLogOut.vbs, snmptrap.exe, libsnmp.dll
Set the permissions on all copied files to read and execute for all users (read and execute only: the scripts run at every login, so they must not be writable by ordinary users).
2. If you have not already done so, customize the scripts so that they take your network setup into account. See Customize Login And Logout Scripts on page 22 for detailed information.
3. Configure the "Login Script" attribute on all users and groups within the directory to use the following:
For Network Sentry users: sendLogIn.vbs
For Guest users: gcsLogin.vbs
This is done by setting the "Login Script" attribute to either sendLogIn.vbs or gcsLogin.vbs, depending on your users.
See Novell's user guide for detailed instructions:
http://www.novell.com/documentation/edir873/index.html
Directory Synchronization
When synchronizing Network Sentry with a directory there are specific configuration tasks that must be completed. There are two main directory services: Microsoft Active Directory and Novell eDirectory. To see the attributes of a directory, use the LDAP Browser. You may have your own application to view the attributes of your directory; the LDAP browser contained within Network Sentry is provided as a convenience.
LDAP Browser
An LDAP browser is shipped on the appliances. This browser can view any LDAP compliant directory and display attribute names and values for all user records. The browser is located at one of the following:
http://<Host Name_IP>:8080/runTime/tools/ldapbrowser/applet.html
or
https://<Host Name>:8443/runTime/tools/ldapbrowser/applet.html
Configure The LDAP Connection
1. On the LDAP browser menu bar click File, and then click Connect.
Figure 14: LDAP Browser
2. Click New to configure a new session, or select an existing session and click Edit.
Figure 15: LDAP Browser - Create New Session
3. Click the Name tab and enter a session name.
4. Click the Connection tab. Enter the Host IP or name, Base DN, User and Password. Because a directory bind password is entered here, open the browser over the https URL rather than the http one.
Note: On some AD controllers a full DN is not required; enter just the user's account name. For example, cn=cm,cn=Users,dc=company,dc=com could be shortened to cm.
Figure 16: LDAP Browser - Connection Tab
5. Click Save.
6. To test the connection, click the Connect button on the Connect dialog. The status bar in the browser window displays the status of the connection. If the connection fails, review all connection information and make corrections.
Figure 17: LDAP Browser/Editor
User Attribute Selection
Network Sentry needs the object class name. The class name is stored in the objectClass attribute, which holds the class hierarchy. This example has a hierarchy of top, person, organizationalPerson, and user. Any level of the hierarchy can define its own attributes; for example, cn may be defined by the person class.
This is where the Network Sentry Administrator selects the attribute names to be mapped; only attributes with values will be read. See Attribute Mappings on page 14 for information on configuring the Network Sentry Directory plugin.
Examples:
  streetAddress is mapped to the user's address.
  givenName is mapped to the user's first name.
The user search branch specifies where in the hierarchy Network Sentry will start to search for users.
Once the connection is established, the directory can be navigated.
Group Attribute Selection
Network Sentry needs the object class name. The class name is stored in the objectClass attribute, which holds the class hierarchy. This example has a hierarchy of top, person, organizationalPerson and user. Any level of the hierarchy can define its own attributes; for example, cn may be defined by the person class.
This is where the Network Sentry Administrator selects the attribute names. If an attribute is not mapped it is ignored. Only attributes with values are imported when a user is created. See Attribute Mappings on page 14 for information on configuring the Network Sentry Directory plugin.
Active Directory
1. Using the LDAP browser, navigate to the branch where the users are located; this is the Search Base.
Example: cn=Users, dc=Bradford Networks, dc=com
2. Find the Object Class for the users.
Example: User is common for AD.
3. Add a read-only cm account to the directory, and save the name and password.
Example: cn=cm, cn=Users, dc=Bradford Networks, dc=com
To view all the attributes for a user:
1. Click the client in the left pane to select it.
2. Right-click and select View Entry.
Figure 18: LDAP Browser - View Entry
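The three selections above (object class, Search Base, and the attributes to map) come together when the plugin looks a user up and imports the entry. What follows is an added example in Python; it is not code from this document or from the Network Sentry Directory plugin. It builds the LDAP search filter for one login name with RFC 4515 escaping, refuses an entry that does not carry the selected object class, and applies an attribute map of the kind described above, ignoring unmapped attributes and attributes with no value. The login-name attribute (sAMAccountName), the record field names and the sample entries are this example's assumptions, not the plugin's configuration keys.

```python
"""Build the directory user search and apply attribute mappings (added example)."""

# RFC 4515 escaping for values placed inside an LDAP filter. Without it a
# login name such as "*)(objectClass=*" turns a single-user lookup into a
# directory-wide match.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search(search_base, login_name, object_class="user", name_attr="sAMAccountName"):
    """Return (base, filter) for one user under the Search Base chosen in the LDAP browser.

    object_class is the class found in step 2 ("user" for AD, "person" for
    Novell); name_attr is this example's assumption for the login attribute.
    """
    flt = (f"(&(objectClass={escape_filter_value(object_class)})"
           f"({name_attr}={escape_filter_value(login_name)}))")
    return search_base, flt


# Directory attribute -> user field, following the AD Prompt / Attribute table
# on this page. The field names on the right are this example's own.
ATTRIBUTE_MAP = {
    "givenName": "first_name", "sn": "last_name", "mail": "email",
    "streetAddress": "address", "l": "city", "st": "state",
    "postalCode": "postal_code", "telephoneNumber": "phone",
    "department": "department", "userPrincipalName": "logon_name",
}


def is_user_entry(entry, object_class="user"):
    """True if the entry's objectClass hierarchy contains the selected class."""
    return object_class in entry.get("objectClass", [])


def import_user(entry, object_class="user", attribute_map=ATTRIBUTE_MAP):
    """Turn one entry (attribute -> list of values) into a user record.

    An entry that is not of the selected object class is refused; unmapped
    attributes are ignored and mapped attributes without a value are not
    imported, as the page describes.
    """
    if not is_user_entry(entry, object_class):
        raise ValueError(f"not a {object_class!r} entry: {entry.get('objectClass')}")
    record = {}
    for attr, field in attribute_map.items():
        values = [v for v in entry.get(attr, []) if v]
        if values:
            record[field] = values[0]
    return record


# Constructed sample entries, not read from a real directory.
SAMPLE_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Jane Doe"], "givenName": ["Jane"], "sn": ["Doe"],
    "mail": ["jdoe@example.com"], "telephoneNumber": [""],   # no value: not imported
    "streetAddress": ["1 Main St"], "l": ["Concord"], "st": ["NH"],
    "sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@example.com"],
    "objectSid": ["S-1-5-21-0-0-0-1234"],                    # not mapped: ignored
}
SAMPLE_GROUP = {"objectClass": ["top", "group"], "cn": ["Students"]}

if __name__ == "__main__":
    print(user_search("cn=Users,dc=example,dc=com", "jdoe"))
    print(user_search("cn=Users,dc=example,dc=com", "*)(objectClass=*"))
    print(import_user(SAMPLE_USER))
```

The escaping matters because the login name reaches the filter from the user's own logon, so a name crafted to close the filter would otherwise match every entry under the Search Base; the object class check keeps a group or computer entry from being imported as a user.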
AD Prompt To Attribute Mappings
The Active Directory User Creation Wizard asks a series of questions. The following table lists the attribute that corresponds to each AD prompt.

AD Prompt                              Attribute
Street:                                streetAddress
Notes:                                 info
First name, Init., Last name:          cn (this combines 3 fields)
Company:                               company
IQ:                                    c
Department:                            department
Description:                           description
First name, Init., Last name:          displayName (this combines 3 fields)
E-mail:                                mail
Fax:                                   facsimileTelephoneNumber
First name:                            givenName
Init.:                                 initials
City:                                  l
Fax: Others                            otherFacsimileTelephoneNumber
Home:                                  homePhone
Home: Others                           otherHomePhone
IP phone:                              ipPhone
IP phone: Others                       otherIpPhone
Mobile:                                mobile
Mobile: Others                         otherMobile
Phone number: Additions                otherTelephone
Pager:                                 pager
Pager: Other                           otherPager
Office:                                physicalDeliveryOfficeName
P.O. Box:                              postOfficeBox
Zip/Postal Code:                       postalCode
First name, Init., Last name:          name (this combines 3 fields)
State/province:                        st
Last name:                             sn
Telephone number:                      telephoneNumber
Country:                               co
Title:                                 title
User logon name:                       userPrincipalName
Web page:                              wWWHomePage
Web page: Additions                    url
User logon name (pre-Windows 2000):    sAMAccountName

Attributes that AD sets without a wizard prompt:
codePage
countryCode
sAMAccountType
primaryGroupID
distinguishedName
objectCategory
objectClass (top, person, organizationalPerson, user)
objectGUID
objectSid
Novell E-Directory Setup
1. Within the LDAP browser, locate the branches where all the users are; this is the Search Base.
Example: ou=Users, dc=Bradford Networks, dc=com
2. Find the Object Class for the users and select the attributes.
Example: person is common for Novell.
3. Locate the branches where all the groups are; this is the group Search Base.
Example: ou=Students, dc=Bradford Networks, dc=com
4. Find the Object Class for the groups.
Example: Group is common for Novell.
5. Add a read-only account (for example, cm) to the directory, and save the name and password.
Example: cn=cm, ou=Users, dc=Bradford Networks, dc=com
6. Using Novell's tools, set the "Login Script" attribute on all users to use the logon.bat file.
7. See the local AD Administrator for specific attribute names.