
  • Advanced User Management and LDAP Integration

    What is LDAP
    How to set up LDAP integration with IC
    Creating and linking new users to LDAP
    Connecting existing users to LDAP
    Advantages and disadvantages of LDAP integration
    Managing tasks with Task Scheduler in IC
    Using IC to create users in other systems
    How LDAP can save you time in other systems

  • LDAP = Lightweight Directory Access Protocol

    LDAP creates a standard language that can be read by other services or vendors.
    LDAP can be used to manage user and computer information (names, usernames, passwords, groups, etc.).

  • Directory Structure: MS Active Directory

  • Setting up LDAP in IC

    Hosts – you can use the computer's DNS name or IP address
    Bind User – the user only needs rights to browse the directory; you might need to include the domain: domain\binduser
    Search Base – the top location under which users can be found
    ○ OU= folders, DC= domain component (AD)
    ○ OU= folders, O= organization (NDS)
    Username – sAMAccountName (AD), CN (NDS)

    Presenter notes: use the sandbox to test.

  • Creating New Users

    Create the new user in Infinite Campus, then click Link with LDAP.

    Presenter notes: this is the same process for linking current users to LDAP.

  • Creating a New User from LDAP

    Create a new user from LDAP with the Create Person/User from LDAP tool.

    Presenter notes: this creates the person, creates the user account and binds it to LDAP. No password is necessary; passwords are no longer stored in IC.

  • Linking Existing Accounts Manually

    The IC username must match the LDAP username.
    Click the Link with LDAP button.
    ○ If the button text changes, the link was successful.

  • Allow users to link their account with LDAP

    Presenter notes: to see the Convert to LDAP Account option you must have LDAP enabled first. You can build an ad hoc report to find users that did not do this, then link them manually. After linking to LDAP we removed users' access to Account Settings: they don't need to change their password in IC, and it does not work there.

  • Connecting current users to LDAP using Active Directory

    Download and install PowerShell and the .NET Framework. Go to Microsoft's site (http://support.microsoft.com/kb/968929) and choose the correct version for your operating system.
    Download and install the QAD snap-ins from http://www.quest.com/activeroles-server/arms.aspx
    Register the snap-in (key point):

        Add-PSSnapin quest.activeroles.admanagement

    Then, on a server that is a member of the domain and logged in as an admin, run the following from the ActiveRoles Management version of PowerShell:

        Get-QADUser -SizeLimit 5000 -ip sAMAccountName, distinguishedName | Select sAMAccountName, distinguishedName | Export-Csv c:\ADUsers.csv

    Presenter notes: SizeLimit is the maximum number of results that will be returned. If you set it too low you will not get all users.

  • This will create a file on C:\ called ADUsers.csv

    You can then use Excel to clean up the user accounts.
    Then have someone use SQL to match the AD username (sAMAccountName) to the Campus username and update the LDAPDN field in the UserAccount table with the value from the DistinguishedName field of the CSV file.
    You might also want to update the users' password to reflect that their password is no longer stored in IC.

    Presenter notes: (I used Access.) We changed everyone's password to say "Unavailable".

  • Automate LDAP updates

    What happens when you move a user in AD, Novell, etc.?
    ○ A server in the domain runs the script Campus User account Update.bat
    ○ The IC server takes the file via DTS and updates the table with any changes to the LDAPDN field

    Presenter notes: the batch file is run every 2 hours:

        net use W: \\campusIPaddress\c$ adminpassword /user:administrator
        del w:\report.txt
        cscript //nologo c:\ADUsers.vbs > w:\report.txt

  • Automate LDAP updates

    ○ The IC server takes the file via DTS and updates the table with any changes to the LDAPDN field

    Presenter notes: the DTS package runs right after the file is created.
    ○ DELETE FROM ADUsers
    ○ Insert New AD Users – adds the CSV records into ADUsers
    ○ Execute SQL Task:

        UPDATE UserAccount
        SET UserAccount.LDAPDN = ADUsers.DN
        FROM UserAccount, ADUsers
        WHERE UserAccount.username = ADUsers.Username
          AND expiresDate IS NULL
          AND homepage IS NULL
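As an added example (not code from the presentation or from Infinite Campus), the following Python replays both the manual CSV-to-LDAPDN matching step and the three DTS steps above against an in-memory SQLite copy of the ADUsers and UserAccount tables, using constructed sample rows. The UPDATE is written with a correlated subquery instead of the T-SQL `UPDATE ... FROM` form, which SQLite may not support.

```python
import csv
import io
import sqlite3

# Constructed sample of the Get-QADUser export (sAMAccountName, distinguishedName).
AD_USERS_CSV = """sAMAccountName,distinguishedName
jsmith,"CN=John Smith,OU=Staff,DC=example,DC=local"
mjones,"CN=Mary Jones,OU=Staff,DC=example,DC=local"
rlee,"CN=Robert Lee,OU=Students,DC=example,DC=local"
"""

# Constructed rows standing in for the UserAccount table:
# (username, LDAPDN, expiresDate, homepage); student portal accounts carry a homepage.
USER_ACCOUNTS = [
    ("jsmith", None, None, None),             # active staff account: gets linked
    ("mjones", None, "2010-06-30", None),     # expired account: left alone
    ("rlee", None, None, "portal/main.xsl"),  # student portal account: left alone
    ("tbrown", None, None, None),             # no AD match: stays unlinked
]


def sync_ldapdn(ad_csv, accounts):
    """Replay the three DTS steps against an in-memory SQLite copy of the tables.
    Returns ({username: LDAPDN} for linked accounts, [usernames still unlinked])."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ADUsers (Username TEXT, DN TEXT)")
    con.execute("CREATE TABLE UserAccount "
                "(username TEXT, LDAPDN TEXT, expiresDate TEXT, homepage TEXT)")
    con.executemany("INSERT INTO UserAccount VALUES (?, ?, ?, ?)", accounts)

    con.execute("DELETE FROM ADUsers")  # step 1: clear the staging table
    rows = [(r["sAMAccountName"], r["distinguishedName"])
            for r in csv.DictReader(io.StringIO(ad_csv))]
    con.executemany("INSERT INTO ADUsers VALUES (?, ?)", rows)  # step 2: load the CSV

    # step 3: the Execute SQL Task; the two IS NULL tests mirror the deck's WHERE clause
    con.execute("""UPDATE UserAccount
                   SET LDAPDN = (SELECT DN FROM ADUsers
                                 WHERE ADUsers.Username = UserAccount.username)
                   WHERE username IN (SELECT Username FROM ADUsers)
                     AND expiresDate IS NULL AND homepage IS NULL""")

    linked = dict(con.execute(
        "SELECT username, LDAPDN FROM UserAccount WHERE LDAPDN IS NOT NULL"))
    # the ad hoc check from the slides: who still has no LDAPDN after the sync
    unlinked = [u for (u,) in con.execute(
        "SELECT username FROM UserAccount WHERE LDAPDN IS NULL ORDER BY username")]
    con.close()
    return linked, unlinked
```

Running `sync_ldapdn(AD_USERS_CSV, USER_ACCOUNTS)` links only jsmith and lists mjones, rlee and tbrown as still unlinked, which is the list you would hand back for manual follow-up.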

  • Advantages of LDAP Integration

    Uses one set of usernames and passwords
    Disabling a user account in one place disables it everywhere
    Allows for stricter password policies
    ○ Easier for users to remember a more complex password because they use it for more things

    Presenter notes: you can still disable the user account in IC only, if you need to, using the expires date or the Disabled checkbox.

  • Disadvantages of LDAP Integration

    Requires extra admin setup
    If a password is discovered, all systems using LDAP will be vulnerable

  • LDAP Resources

    Infinite University – Campus LDAP Authentication
    http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
    http://docs.moodle.org/en/LDAP_authentication
    LDAP utilities
    ○ http://www.ldapbrowser.com – 30-day free trial
    ○ http://jxplorer.org/ – Java browser


  • Managing Tasks in Infinite Campus

    Change LDAP users' Campus passwords

  • Managing Tasks in Infinite Campus

    Re-enable student accounts that are disabled

    Presenter notes: this might be different for you. Campus now sets students' passwords to the first letter of their first name, the first letter of their last name and then their 6-digit birth date.

  • Managing Tasks in Infinite Campus

    Automatically create new student accounts


    INSERT INTO dbo.useraccount (personID, username, password, homepage, districtID, hideBanner)
    SELECT dbo.student.personID,
           dbo.student.studentNumber AS username,
           LEFT(firstname, 1) + LEFT(lastname, 1)
             + REPLACE(CONVERT(VARCHAR(10), dbo.student.birthdate, 1), '/', '') AS password,
           'portal/main.xsl' AS homepage,
           216 AS districtID,
           1 AS hideBanner
    FROM dbo.student
         INNER JOIN dbo.SchoolYear ON dbo.student.startYear = dbo.SchoolYear.startYear
         INNER JOIN dbo.School ON dbo.student.schoolID = dbo.School.schoolID
    WHERE (dbo.SchoolYear.active = 1)
          AND (dbo.student.schoolID = 1 OR dbo.student.schoolID = 5)
          AND (NOT (dbo.student.personID IN (SELECT personID FROM useraccount)))
       OR (dbo.SchoolYear.active = 1)
          AND (dbo.student.schoolID = 2 OR dbo.student.schoolID = 3 OR dbo.student.schoolID = 4
               OR dbo.student.schoolID = 7 OR dbo.student.schoolID = 8)
          AND (dbo.student.grade = '04' OR dbo.student.grade = '05')
          AND (NOT (dbo.student.personID IN (SELECT personID FROM useraccount)))

  • Systems we use LDAP on

    Infinite Campus
    Moodle
    Safari Montage (video streaming)
    Copiers (Toshiba and Konica)
    Compliance Vault (email archiving)
    Barracuda Spam Filter
    Cymphonix Web Filter
    Macs

  • Using Infinite Campus to create Active Directory Users

    Using SRS > NewStudentAccounts.rdl

  • Using Infinite Campus to create Active Directory Users

    The file is exported to c:\newstudentaccount.xls
    CreateUsers.vbs is run
    The file is moved and renamed to the user's home directory
    All students in the Excel file are imported into AD
    ○ You must go into each student and reapply their home directory for the setting to stick. It appears to be a rights issue.

  • Questions?

    By Scott Dyreson