Page 1: ldap
Page 2: ldap

Advanced User Management and LDAP Integration

What is LDAP
How to set up LDAP integration with IC
Creating and linking new users to LDAP
Connecting existing users to LDAP
Advantages and disadvantages of LDAP integration
Managing tasks with Task Scheduler in IC
Using IC to create users in other systems
How LDAP can save you time in other systems

Page 3: ldap

LDAP = Lightweight Directory Access Protocol

LDAP creates a standard language that can be read by other services or vendors

LDAP can be used to manage user and computer information (names, usernames, passwords, groups, etc.)

Page 4: ldap

Directory Structure: MS Active Directory


Page 5: ldap

Setting up LDAP in IC

Presenter
Presentation Notes
USE SANDBOX to test
Hosts – you can use the computer's DNS name or IP address
Bind User – the user only needs rights to browse the directory; the user might need to identify the domain: domain\binduser
Search Base – the top location where users could be located; OU= folders, DC= domain component (AD); OU= folders, O= organization (NDS)
Username – sAMAccountName (AD), CN (NDS)
Page 6: ldap

Hosts – you can use the computer's DNS name or IP address

Bind User – the user only needs rights to browse the directory; the user might need to identify the domain: domain\binduser

Search Base – the top location where users could be located; OU= folders, DC= domain component (AD)

Username – sAMAccountName (AD)

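The four settings above (Hosts, Bind User, Search Base, Username attribute) can be tried against the sandbox domain before they are saved in IC. This is an added PowerShell example, not part of the presentation or of Infinite Campus; the host, bind account, OU and sample username are placeholders.

```powershell
# Added example: exercise the IC LDAP settings (Hosts, Bind User, Search Base,
# Username attribute) against a sandbox domain controller before saving them in IC.
# All values below are placeholders, not from the presentation.
Add-Type -AssemblyName System.DirectoryServices

$ldapHost   = 'dc01.example.local'            # Hosts: DNS name or IP address
$bindUser   = 'EXAMPLE\icbind'                # Bind User: domain\binduser, browse rights only
$searchBase = 'OU=Staff,DC=example,DC=local'  # Search Base: OU= folders, DC= domain components
$sample     = 'jdoe'                          # a sAMAccountName expected under the search base

$secure = Read-Host 'Bind password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

# Bind as the IC bind user, not as the person being looked up. A failure here means
# the host or bind credentials are wrong, or the account cannot browse the directory.
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://$ldapHost/$searchBase", $bindUser, $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try   { $null = $root.NativeObject }
catch { throw "Bind to $ldapHost as $bindUser failed: $($_.Exception.Message)" }
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Search the subtree below the search base by the attribute IC uses as the username (AD: sAMAccountName).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sample))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$null = $searcher.PropertiesToLoad.Add('distinguishedName')
$null = $searcher.PropertiesToLoad.Add('userAccountControl')

$hit = $searcher.FindOne()
if (-not $hit) { throw "$sample not found under $searchBase; widen the Search Base or check the username" }

# The DN returned here is what IC stores in UserAccount.LDAPDN once the account is linked;
# an account disabled in AD (ACCOUNTDISABLE bit 0x2) cannot log in to IC through LDAP either.
$dn       = $hit.Properties['distinguishedname'][0]
$disabled = ([int]$hit.Properties['useraccountcontrol'][0] -band 0x2) -ne 0
"Found $sample at $dn (disabled in AD: $disabled)"
```

Run it once with a known staff username and once with a username outside the chosen OU; the second run should fail at the search step, which confirms the Search Base is scoped the way you intend.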

Page 7: ldap

Creating New Users
Create a new user in Infinite Campus, then click Link with LDAP


Presenter
Presentation Notes
This is the same process for linking current users to LDAP.
Page 8: ldap


Creating New User from LDAP
Create a new user from LDAP by using the Create Person/User from LDAP tool

Presenter
Presentation Notes
This creates the person, creates the user account and binds it to LDAP. No password is necessary; passwords are no longer stored in IC.
Page 9: ldap

Linking Existing Accounts Manually
IC username must match the LDAP username
Click the Link with LDAP button
○ If the text changes, the link was successful


Page 10: ldap

Allow users to link account with LDAP

Presenter
Presentation Notes
To see the Convert to LDAP Account part you must have LDAP enabled first. You can create an ad hoc report to check for users that did not do this, then do them manually. After linking to LDAP we removed users' access to Account Settings; they don't need to change their password in IC, and it does not work.
Page 11: ldap

Connecting current users to LDAP using Active Directory
Download and install PowerShell and the .NET Framework.

Go to Microsoft's site and choose the correct version to suit your operating system.

Download, then install the QAD Snap-ins from this site: http://www.quest.com/activeroles-server/arms.aspx

Register the snap-in (key point):
add-PSSnapin quest.activeroles.admanagement

Then, on a server that is a member of the domain and logged in as an admin, run the following script from the ActiveRoles Management version of PowerShell:
Get-QADUser -SizeLimit 5000 -ip sAMAccountName, distinguishedName | Select sAMAccountName, distinguishedName | export-csv c:\ADUsers.csv


Presenter
Presentation Notes
Size limit = the maximum number of results it will return. If you set it too low you will not get all users.
Page 12: ldap

This will create a file on C:\ called adusers.csv

You can then use Excel to clean up the user accounts.

Then have a person use SQL to match the username from AD (sAMAccountName) to Campus and update the LDAPDN field in the UserAccount table with the value from the DistinguishedName field in the CSV file.

You might also want to update the users' passwords to reflect that their password is no longer stored in IC.


Presenter
Presentation Notes
(I used Access.) We changed everyone's password to say Unavailable.
Page 13: ldap

Automate LDAP updates
What happens when you move a user in AD, Novell, etc.?
○ Server in domain runs script > Campus User Account Update.bat
○ IC server takes the file via DTS and updates the table with any changes to the LDAPDN field


Presenter
Presentation Notes
rem Map the Campus server's C$ share as W: (the administrator password is embedded here in clear text)
net use W: \\campusIPaddress\c$ adminpassword /user:administrator
rem Remove the previous run's output, then regenerate the AD user list onto the Campus server
del w:\report.txt
cscript //nologo c:\ADUsers.vbs > w:\report.txt
This is run every 2 hours.
Page 14: ldap

Automate LDAP updates

○ IC server takes the file via DTS and updates the table with any changes to the LDAPDN field

Presenter
Presentation Notes
DELETE FROM ADUsers
Insert New AD Users – adds records into ADUsers
Execute SQL Task:
UPDATE UserAccount
SET UserAccount.LDAPDN = ADUsers.DN
FROM UserAccount, ADUsers
WHERE UserAccount.username = ADUsers.Username
  AND expiresDate IS NULL   -- leave expired (disabled) IC accounts alone
  AND homepage IS NULL      -- only accounts without a portal homepage
This runs right after the file is created.
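Before the update above runs, the ADUsers.csv export can be reconciled against what is already in UserAccount, which also surfaces the page-13 case of a user moved to another OU and the page-11 size limit. This is an added PowerShell example, not part of the presentation; both inputs are constructed sample data (in practice they come from Import-Csv c:\ADUsers.csv and from the UserAccount table).

```powershell
# Added example: reconcile the AD export (sAMAccountName, distinguishedName) against
# the IC UserAccount rows before the DTS update writes LDAPDN. Sample data is constructed.
$adExport = @'
sAMAccountName,distinguishedName
jdoe,"CN=John Doe,OU=Staff,DC=example,DC=local"
asmith,"CN=Ann Smith,OU=HS,OU=Staff,DC=example,DC=local"
asmith,"CN=Ann Smith (old),OU=Disabled,DC=example,DC=local"
bwong,"CN=Bob Wong,OU=Staff,DC=example,DC=local"
'@ | ConvertFrom-Csv

# Constructed stand-in for: SELECT username, LDAPDN FROM UserAccount WHERE expiresDate IS NULL AND homepage IS NULL
$icUsers = @(
    [pscustomobject]@{ username = 'jdoe';   LDAPDN = 'CN=John Doe,OU=Teachers,DC=example,DC=local' }  # moved in AD
    [pscustomobject]@{ username = 'ASMITH'; LDAPDN = $null }
    [pscustomobject]@{ username = 'bwong';  LDAPDN = 'CN=Bob Wong,OU=Staff,DC=example,DC=local' }
    [pscustomobject]@{ username = 'clee';   LDAPDN = $null }                                           # not in AD
)

# Get-QADUser -SizeLimit 5000 silently truncates; a full-size export means users are missing.
if ($adExport.Count -ge 5000) { Write-Warning 'Export hit the Get-QADUser -SizeLimit; rerun with a higher limit' }

# Index the export by username. AD usernames are case-insensitive, so the key is
# lower-cased to mirror the SQL join on username; duplicates are kept so they can be flagged.
$byName = @{}
foreach ($row in $adExport) {
    $key = $row.sAMAccountName.ToLowerInvariant()
    if (-not $byName.ContainsKey($key)) { $byName[$key] = @() }
    $byName[$key] += $row.distinguishedName
}

$report = foreach ($u in $icUsers) {
    $dns = $byName[$u.username.ToLowerInvariant()]
    $status = if (-not $dns)                 { 'NO AD MATCH: account still authenticates with its IC password' }
              elseif ($dns.Count -gt 1)      { 'AMBIGUOUS: duplicate sAMAccountName in AD, clean up before linking' }
              elseif (-not $u.LDAPDN)        { 'NEW LINK' }
              elseif ($u.LDAPDN -ne $dns[0]) { 'DN CHANGED: user was moved in AD, LDAPDN needs the update' }
              else                           { 'OK' }
    [pscustomobject]@{ username = $u.username; currentDN = $u.LDAPDN; adDN = ($dns -join ' | '); status = $status }
}
$report | Format-Table -AutoSize
```

The NO AD MATCH rows are the ones worth reviewing first: after the rest of the district is on LDAP, they are the accounts that a disable in AD will not reach.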
Page 15: ldap

Advantages to LDAP Integration
Uses one set of usernames and passwords
Disabling a user account in one place disables it everywhere
Allows for stricter password policies

○ Easier for users to remember a more complex password because they use it for more things


Presenter
Presentation Notes
You can still disable the user account in IC only, if you need to, using the expires date or the Disabled checkbox.
Page 16: ldap

Disadvantages to LDAP Integration
Requires extra admin setup
If a password is discovered, all systems using LDAP will be vulnerable


Page 17: ldap

LDAP Resources
Infinite University – Campus LDAP Authentication
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://docs.moodle.org/en/LDAP_authentication
LDAP utilities
○ http://www.ldapbrowser.com – 30 day free trial
○ http://jxplorer.org/ – Java browser


Page 18: ldap

Managing Tasks in Infinite Campus

Change LDAP users' Campus passwords


Page 19: ldap

Managing Tasks in Infinite Campus

Re-enable student accounts that are disabled


Presenter
Presentation Notes
This might be different for you. Campus now sets students' passwords to the first letter of their first name, the first letter of their last name and then their 6-digit birth date.
Page 20: ldap

Managing Tasks in Infinite Campus

Automatically Create New Student Accounts


Presenter
Presentation Notes
This might be different for you. Campus now sets students' passwords to the first letter of their first name, the first letter of their last name and then their 6-digit birth date.
INSERT INTO dbo.useraccount (personID, username, password, homepage, districtID, hideBanner)
SELECT dbo.student.personID,
       dbo.student.studentNumber AS username,
       -- first initial + last initial + birth date as mmddyy (CONVERT style 1 = mm/dd/yy, slashes removed)
       LEFT(firstname, 1) + LEFT(lastname, 1)
         + REPLACE(CONVERT(VARCHAR(10), dbo.student.birthdate, 1), '/', '') AS password,
       'portal/main.xsl' AS homepage,
       216 AS districtID,
       1 AS hideBanner
FROM dbo.student
     INNER JOIN dbo.SchoolYear ON dbo.student.startYear = dbo.SchoolYear.startYear
     INNER JOIN dbo.School ON dbo.student.schoolID = dbo.School.schoolID
WHERE (dbo.SchoolYear.active = 1
       AND dbo.student.schoolID IN (1, 5)
       AND dbo.student.personID NOT IN (SELECT personID FROM useraccount))
   OR (dbo.SchoolYear.active = 1
       AND dbo.student.schoolID IN (2, 3, 4, 7, 8)
       AND dbo.student.grade IN ('04', '05')
       AND dbo.student.personID NOT IN (SELECT personID FROM useraccount))
Page 21: ldap

Systems we use LDAP on
Infinite Campus
Moodle
Safari Montage (video streaming)
Copiers (Toshiba and Konica)
Compliance Vault (email archiving)
Barracuda Spam Filter
Cymphonix Web Filter
Macs


Page 22: ldap

Using Infinite Campus to create Active Directory users
Using SRS > NewStudentAccounts.rdl


Page 23: ldap

Using Infinite Campus to create Active Directory users
File is exported to c:\newstudentaccount.xls
CreateUsers.vbs is run
File is moved and renamed to the user's home directory
All students in the Excel file are imported into AD
○ You must go into each student and reapply their home directory for the setting to stick. It appears to deal with rights.


Page 24: ldap

Questions?

By Scott Dyreson
