Advanced User Management and LDAP Integration
What is LDAP
How to set up LDAP integration with IC
Creating and linking new users to LDAP
Connecting existing users to LDAP
Advantages and disadvantages of LDAP integration
Managing tasks with Task Scheduler in IC
Using IC to create users in other systems
How LDAP can save you time in other systems
LDAP = Lightweight Directory Access Protocol
LDAP creates a standard language that can be read by other services or vendors
LDAP can be used to manage user and computer information (names, usernames, passwords, groups, etc.)
Directory structure: MS Active Directory
Setting up LDAP in IC
Presentation notes: Use the sandbox to test.
Hosts – you can use the computer DNS name or IP address
Bind User – the user only needs rights to browse the directory
○ The user might need to identify the domain: domain\binduser
Search Base – the top location where users could be located
○ OU= folders, dc= domain component (AD)
○ OU= folders, O= organization (NDS)
Username – sAMAccountName (AD), CN (NDS)
Creating New Users
Create the new user in Infinite Campus, then click Link with LDAP
Presentation notes: This is the same process for linking current users to LDAP.
Creating a New User from LDAP
Create a new user from LDAP by using the Create Person/User from LDAP tool
Presentation notes: This creates the person, creates the user account and binds it to LDAP. No password is necessary; passwords are no longer stored in IC.
Linking Existing Accounts Manually
The IC username must match the LDAP username
Click the button Link with LDAP
○ If the text changes, the link was successful
Allow users to link their account with LDAP
Presentation notes: To see the Convert to LDAP Account part you must have LDAP enabled first. You can create an Ad Hoc filter to check for users that did not do this, then do them manually. After linking to LDAP we removed users' access to Account Settings; they don't need to change their password in IC, and it does not work.
Connecting current users to LDAP using Active Directory
Download and install PowerShell and the .NET Framework. Go to Microsoft's site and choose the correct version for your operating system.
Download, then install the QAD snap-ins from this site: http://www.quest.com/activeroles-server/arms.aspx
Register the snap-in (key point):
    add-PSSnapin quest.activeroles.admanagement
Then, on a server that is a member of the domain, logged in as an admin, run the following script from the ActiveRoles Management version of PowerShell:
    Get-QADUser -SizeLimit 5000 -ip sAMAccountName, distinguishedName | Select sAMAccountName, distinguishedName | export-csv c:\ADUsers.csv
Presentation notes: Size limit = the maximum number of results it will return. If you set it too low you will not get all users.
Links: http://support.microsoft.com/kb/968929 and http://www.quest.com/activeroles-server/arms.aspx
This will create a file on the C: drive called ADUsers.csv.
You can then use Excel to clean up the user accounts.
Then have a person use SQL to match the username from AD (sAMAccountName) to Campus and update the LDAPDN field in the UserAccount table with the value from the distinguishedName field in the CSV file.
You might also want to update the users' passwords to reflect that their password is no longer stored in IC.
Presentation notes: (I used Access.) We changed everyone's password to say Unavailable.
Automate LDAP updates
What happens when you move a user in AD, Novell, etc.?
○ A server in the domain runs the script > Campus User account Update.bat
○ The IC server takes the file via DTS and updates the table with any changes to the LDAPDN field
Presentation notes (the script; it is run every 2 hours):
    net use W: \\campusIPaddress\c$ adminpassword /user:administrator
    del w:\report.txt
    cscript //nologo c:\ADUsers.vbs > w:\report.txt
Automate LDAP updates (continued)
○ The IC server takes the file via DTS and updates the table with any changes to the LDAPDN field
Presentation notes (DTS steps):
DELETE FROM ADUsers
Insert New AD Users – adds records into ADUsers
Execute SQL Task:
    UPDATE UserAccount
    SET UserAccount.LDAPDN = ADUsers.DN
    FROM UserAccount, ADUsers
    WHERE UserAccount.username = ADUsers.Username
      AND expiresDate IS NULL
      AND homepage IS NULL
This runs right after the file is created.
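As an added example (not part of the presentation), the username-to-DN matching step from the CSV export above and the filter the DTS update task applies (expiresDate and homepage both NULL) are worked through in Python against a constructed ADUsers.csv and constructed UserAccount rows. The "#TYPE" header skipping and the case-insensitive match on sAMAccountName are my assumptions about the export, not anything the slides state.

```python
import csv
import io

# Constructed sample of the C:\ADUsers.csv export (not real directory data).
# PowerShell's Export-Csv writes a "#TYPE ..." first line unless -NoTypeInformation is used.
AD_USERS_CSV = """#TYPE System.Management.Automation.PSCustomObject
"sAMAccountName","distinguishedName"
"jsmith","CN=John Smith,OU=Staff,DC=district,DC=local"
"mjones","CN=Mary Jones,OU=Teachers,OU=Staff,DC=district,DC=local"
"oldacct","CN=Old Account,OU=Disabled,DC=district,DC=local"
"""

# Constructed rows of the Campus UserAccount table (username, LDAPDN, expiresDate, homepage).
USER_ACCOUNTS = [
    {"username": "JSmith", "LDAPDN": "CN=John Smith,OU=Staff,DC=district,DC=local",
     "expiresDate": None, "homepage": None},
    {"username": "mjones", "LDAPDN": "CN=Mary Jones,OU=Staff,DC=district,DC=local",
     "expiresDate": None, "homepage": None},
    {"username": "oldacct", "LDAPDN": None, "expiresDate": "2011-06-30", "homepage": None},
    {"username": "student1", "LDAPDN": None, "expiresDate": None, "homepage": "portal/main.xsl"},
    {"username": "nobody", "LDAPDN": None, "expiresDate": None, "homepage": None},
]

def load_ad_dns(csv_text):
    """Map sAMAccountName (lower-cased; AD logon names are case-insensitive) to distinguishedName."""
    lines = [ln for ln in csv_text.splitlines() if not ln.startswith("#TYPE")]
    dns = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        key = row["sAMAccountName"].strip().lower()
        if key in dns and dns[key] != row["distinguishedName"]:
            raise ValueError(f"conflicting DNs for {key} in export")
        dns[key] = row["distinguishedName"]
    return dns

def reconcile_ldapdn(csv_text, accounts):
    """Return (updates, unmatched): the LDAPDN changes the DTS task would apply, using the
    task's own filter (expiresDate and homepage both NULL), plus Campus accounts with no
    matching AD logon name (those would never link)."""
    dns = load_ad_dns(csv_text)
    updates, unmatched = [], []
    for acct in accounts:
        if acct["expiresDate"] is not None or acct["homepage"] is not None:
            continue  # expired accounts and portal (student) accounts are left alone
        new_dn = dns.get(acct["username"].lower())
        if new_dn is None:
            unmatched.append(acct["username"])
        elif new_dn != acct["LDAPDN"]:
            updates.append((acct["username"], acct["LDAPDN"], new_dn))
    return updates, unmatched
```

Running it on the sample data reports only the moved user (mjones) as an update and flags "nobody" as having no AD account to link to.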
Advantages of LDAP Integration
Uses one set of usernames and passwords
Disabling a user account in one place disables it everywhere
Allows for stricter password policies
○ Easier for users to remember a more complex password because they use it for more things
Presentation notes: You can still disable the user account in IC only, if you need to, using the expires date or the Disabled checkbox.
Disadvantages of LDAP Integration
Requires extra admin setup
If a password is discovered, all systems using LDAP are vulnerable through that one credential
LDAP Resources
Infinite University – Campus LDAP Authentication
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://docs.moodle.org/en/LDAP_authentication
LDAP utilities
○ http://www.ldapbrowser.com – 30 day free trial
○ http://jxplorer.org/ – Java browser
Managing Tasks in Infinite Campus
Change LDAP users' Campus passwords
Re-enable student accounts that are disabled
Presentation notes: This might be different for you. Campus now sets students' passwords to the first letter of their first name, the first letter of their last name and then their 6-digit birth date.
Automatically create new student accounts
SQL used by the task:
    INSERT INTO dbo.useraccount (personID, username, password, homepage, districtID, hideBanner)
    SELECT dbo.student.personID,
           dbo.student.studentNumber AS username,
           LEFT(firstname, 1) + LEFT(lastname, 1)
             + REPLACE(CONVERT(VARCHAR(10), dbo.student.birthdate, 1), '/', '') AS password,
           'portal/main.xsl' AS homepage,
           216 AS districtID,
           1 AS hideBanner
    FROM dbo.student
         INNER JOIN dbo.SchoolYear ON dbo.student.startYear = dbo.SchoolYear.startYear
         INNER JOIN dbo.School ON dbo.student.schoolID = dbo.School.schoolID
    WHERE (dbo.SchoolYear.active = 1)
      AND (dbo.student.schoolID = 1 OR dbo.student.schoolID = 5)
      AND (NOT (dbo.student.personID IN (SELECT personID FROM useraccount)))
       OR (dbo.SchoolYear.active = 1)
      AND (dbo.student.schoolID = 2 OR dbo.student.schoolID = 3 OR dbo.student.schoolID = 4
           OR dbo.student.schoolID = 7 OR dbo.student.schoolID = 8)
      AND (dbo.student.grade = '04' OR dbo.student.grade = '05')
      AND (NOT (dbo.student.personID IN (SELECT personID FROM useraccount)))
Systems we use LDAP on
Infinite Campus
Moodle
Safari Montage (video streaming)
Copiers (Toshiba and Konica)
Compliance Vault (email archiving)
Barracuda Spam Filter
Cymphonix Web Filter
Macs
Using Infinite Campus to create Active Directory users
Using SRS > NewStudentAccounts.rdl
Using Infinite Campus to create Active Directory users (continued)
The file is exported to c:\newstudentaccount.xls
CreateUsers.vbs is run
The file is moved and renamed to the user's home directory
All students in the Excel file are imported into AD
○ You must go into each student and reapply their home directory for the setting to stick. It appears to deal with rights.
Questions?
By Scott Dyreson