LDAP/AD integration

This chapter covers setting up Veyon to connect it to LDAP-compatible servers. In the following, the generic term LDAP is used and refers to all LDAP-compatible products and technologies such as OpenLDAP, Samba or Active Directory. The LDAP integration allows you to use the information about users, user groups, computers and locations that already exists in most environments, instead of replicating it manually in the Veyon configuration. Once configured, Veyon Master can retrieve the locations and computers to be displayed directly from the directory service. In addition, LDAP users and user groups can serve as the basis for Computer access control.

The LDAP integration is configured on the LDAP configuration page in the Veyon Configurator. The page is divided into several subpages for Basic settings, Environment settings, Advanced settings and Integration tests.

Basic settings

The basic settings cover all fundamental parameters for accessing the LDAP server. They are mandatory for the LDAP integration to work properly.

General

LDAP server and port

Enter the address of the LDAP server (hostname or IP address) here. If a port other than the default LDAP port 389 is used, the port parameter must be adjusted accordingly.

Anonymous bind / use bind credentials

Depending on the environment and the configuration of the LDAP server, LDAP queries can be performed either as an anonymous user or only with a valid username and password. If a username and password are required to access the server, the option Use bind credentials must be selected and the credentials must be entered in the input fields below. Otherwise the default option Anonymous bind can be used.

Bind DN

The bind DN is the username used to log in to the server in order to perform LDAP operations. The required format, however, depends heavily on the LDAP server and its configuration. Possible formats include User, DOMAIN\User or cn=User,…,dc=example,dc=org.

Bind password

In addition to the bind DN, the corresponding password must be entered.

You can use the Test button to check whether access to the server works with the supplied parameters.

Hint

Veyon only requires read access to the LDAP directory. As an additional security measure, a dedicated user with read-only access to the LDAP directory can be created on the LDAP server, e.g. "Veyon-LDAP-RO". Access to relevant attributes can be further restricted for this user.

Connection security

Veyon can establish encrypted connections to the LDAP server. For this purpose, settings are available in the section Connection security.

Encryption protocol

You can choose between the encryption protocols None, TLS and SSL. The use of the modern TLS protocol is recommended.

Default: None

TLS certificate verification

This setting determines how the security certificate of the LDAP server is to be checked when the encrypted connection is established. With the default setting System defaults, depending on the operating system, an attempt is made to verify the certificate using the root certificates installed system-wide. The Windows certificate store is not taken into account here, so a separate CA certificate file may have to be stored. With the Never setting, the server certificate is not verified at all. This, however, allows man-in-the-middle attacks and should therefore only be used in exceptional cases. The User-defined CA certificate file setting ensures that the certificate check is performed on the basis of a specified CA certificate file.

Default: System defaults

Custom CA certificate file

If you use your own certification authority (CA), it may be necessary to store its certificate in PEM file format so that Veyon can check the certificate of the LDAP server.

Base DN

The base DN defines the address of the root object in the directory. All objects are stored below the base DN. Usually the base DN comes from the DNS or AD domain (see also RFC 2247).

In most cases a fixed base DN is used, so the default option Fixed base DN has to be chosen. The base DN then has to be entered in the corresponding input field or selected from the server by using the Browse button. You can use the Test button to verify whether the settings are correct and entries can be found.

If a generic Veyon configuration is to be used across multiple sites with different base DNs, Veyon can be configured so that the base DN is always queried dynamically using LDAP naming contexts. For this to work, the option Discover base DN by naming context has to be chosen and the naming context attribute must be adapted. You can use the Test button to verify whether a base DN could be determined.

After importing a generic Veyon configuration without a fixed base DN, it is also possible to determine the base DN through the Command line interface and write it to the local configuration.

Environment settings

After the basic settings have been configured and tested, the environment-specific settings can now be made. These settings determine which trees contain objects of certain types as well as the names of certain object attributes. With these parameters Veyon can retrieve all required information from the LDAP directory.

Object trees

Object trees are organizational or structural units in which certain types of objects (users, groups, computers) are stored. The respective CNs (Common Names) or OUs (Organizational Units) must be entered without the base DN part in the respective input field. Next to each input field there are buttons for opening browse dialogs and for testing the individual setting.

User tree

The LDAP tree (without base DN) in which the user objects are located must be entered here, e.g. OU=Users or CN=Users.

Group tree

The LDAP tree (without base DN) in which the group objects are located must be entered here, e.g. OU=Groups or CN=Groups.

Computer tree

The LDAP tree (without base DN) in which the computer objects are located must be entered here, e.g. OU=Computers or CN=Computers.

Computer group tree

If the computer groups are located in a different tree than the regular user groups or in a subtree, the corresponding LDAP tree can be specified here. Otherwise the group tree is used to query computer groups and to filter them with a specific object filter if necessary.

Perform recursive search operations in object trees

This option can be used to control whether objects should be queried recursively. The search then takes place not only in the specified tree but also in any existing subtrees.

Default: disabled

Hint

If objects of one type are stored in different object trees (e.g. users in both CN=Teachers and CN=Students), the parameter for the corresponding object tree can be left empty and the option Perform recursive search operations in object trees can be activated. A recursive search is then performed in the entire LDAP directory starting from the base DN. In this case, however, it is strongly recommended to set the object filters for the respective object type.

Object attributes

For Veyon to be able to retrieve the required information from the queried objects, the names of some object attributes have to be configured, as these differ substantially depending on the environment and LDAP server. Next to each input field there are buttons for browsing the attributes of an existing object and for testing the respective attribute name.

User login name attribute

This attribute must hold the login name of a user. The attribute is used to determine the LDAP user object associated with a particular username. In an OpenLDAP environment often the attribute name uid is used while the name sAMAccountName is common in Active Directories.

Group member attribute

Members of a group are listed in group objects through this attribute. The attribute is used to determine the groups a particular user is a member of. Depending on the configuration, the attribute is also used to map computers to locations. In an OpenLDAP environment often the attribute name member is used while the name memberUid is common in Active Directories.

Computer display name attribute

The content of this optional attribute is used to determine the name of a computer displayed in Veyon Master. If left blank the common name (cn) is used instead.

Default: cn

Computer hostname attribute

This attribute must hold the DNS name of the computer. It is used to determine the LDAP computer object associated with a particular computer hostname. In an OpenLDAP environment often the attribute name name is used while the name dNSHostName is common in Active Directories.

Hostnames stored as fully qualified domain names (FQDN, e.g. myhost.example.org)

This option specifies whether to use the fully qualified domain name (FQDN) for mapping computer names to LDAP computer objects. If the computer names are stored without the domain part in the LDAP directory, this option has to be left disabled, otherwise it must be enabled.

Default: disabled

Computer MAC address attribute

In addition to the computer name the MAC addresses of computers are stored in the LDAP directory in some environments, for example if the DHCP server also accesses the LDAP directory. If the Veyon feature is to be used to switch on computers via Wake-on-LAN, the corresponding attribute name must be entered here, since the MAC address is required for this functionality. Typical attribute names are hwAddress or dhcpAddress.

Hint

In a standard Active Directory there is no attribute which stores MAC addresses. You must therefore populate MAC addresses manually in an existing unused attribute such as wwwHomepage, or extend the AD schema. Additionally you can grant the computers group write access to SELF and use a PowerShell script to make each computer automatically store the MAC address of its first physical LAN adapter when booting.

Computer location attribute

If the LDAP schema for computer objects provides a special attribute for the mapping to a location, this attribute name can be entered here. The Test button can be used to verify whether the computers at a location can be queried correctly using the configured attribute. In the advanced settings, you can then specify in section Computer locations that the computer location attribute is used.

Location name attribute

When identifying computer locations via computer groups or computer containers, the value of a certain attribute can be displayed as the location name instead of the Common Names of these groups or objects. If, for example, computer groups have an attribute called name or description, a meaningful location name can be stored in this attribute and the attribute name can be entered here.

Advanced settings

With the advanced settings the LDAP integration and the use of the information from the LDAP directory can be customized to individual needs.

Optional object filters

With LDAP filters, the LDAP objects used by Veyon can be narrowed down if, for example, computer objects such as printers are not to be displayed in the Veyon Master. Next to each input field there is a button for checking the respective object filter.

As of Veyon 4.1 the optional filters follow the well-known scheme for LDAP filters (see for example RFC 2254 or Active Directory: LDAP Syntax Filters) such as (objectClass=XYZ).

Filter for users

You can define an LDAP filter for users here, e.g. (objectClass=person) or (&(objectClass=person)(objectClass=veyonUser)).

Filter for user groups

You can define an LDAP filter for user groups here, e.g. (objectClass=group) or (|(cn=teachers)(cn=students)(cn=admins)).

Filter for computers

You can define an LDAP filter for computers here, e.g. (objectClass=computer) or (&(!(cn=printer*))(!(cn=scanner*))).

Filter for computer groups

You can define an LDAP filter for computer groups here, e.g. (objectClass=room) or (cn=Room*). If computer groups are used as locations, you can filter the displayed locations this way.

Filter for computer containers

You can define an LDAP filter for computer containers here, e.g. (objectClass=container) or (objectClass=organizationalUnit). If containers/OUs are used as locations, you can filter the displayed locations this way.
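As an added example that is not part of the Veyon documentation or code base, the following Python evaluator applies filters written in the scheme above to a few constructed entries, so you can check what a filter such as (&(!(cn=printer*))(!(cn=scanner*))) keeps before entering it in the Configurator. It handles the &, | and ! operators, equality and * wildcards; LDAP escape sequences are deliberately left out.

```python
import re
SAMPLE_ENTRIES = [  # constructed entries from a computer tree, not real directory data
    {"cn": "pc01", "objectClass": ["top", "computer"]},
    {"cn": "printer01", "objectClass": ["top", "computer"]},
    {"cn": "scanner01", "objectClass": ["top", "computer"]},
    {"cn": "Room101", "objectClass": ["top", "room"]},
]
def parse_filter(text):
    """RFC 2254 filter -> ('&'|'|', [nodes]), ('!', node) or ('=', attr, value)."""
    pos = 0
    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":                      # AND / OR over the enclosed filters
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(parse())
            node = (op, items)
        elif op == "!":                     # NOT of exactly one enclosed filter
            pos += 1
            node = ("!", parse())
        else:                               # simple item attr=value; \XX escapes not handled
            end = text.index(")", pos)
            attr, value = text[pos:end].split("=", 1)
            node, pos = ("=", attr.strip(), value), end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node
    tree = parse()
    if pos != len(text):
        raise ValueError("unexpected text after the filter")
    return tree

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node                   # attribute names are case-insensitive in LDAP
    raw = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    values = raw if isinstance(raw, list) else [raw]
    # '*' in the value is a substring wildcard, so (cn=*) becomes a presence test
    pattern = "^" + ".*".join(re.escape(part) for part in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)  # like most servers

def apply_filter(filter_text, entries):
    tree = parse_filter(filter_text)        # parse once, then keep the matching entries' cn
    return [e["cn"] for e in entries if matches(tree, e)]
```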

Query options

Query nested user groups (supported by AD only)

If you have nested user groups (currently supported by Active Directory only), you can enable this option to make Veyon query all (even indirect) groups of a user. When enabled, you could for example create a group Veyon Users with the existing user groups Teachers and IT Staff as members. The Veyon Users group can then be used for access control purposes.

Group member identification

The content of the group membership attributes varies across different LDAP implementations. While in Active Directory the distinguished name (DN) of an object is stored in the member attribute, OpenLDAP usually stores the user login name (uid or similar) or the computer name. In order for Veyon to use the correct value for querying groups of a user or computer, the appropriate setting must be chosen here.

Distinguished name (Samba / AD)

This option has to be chosen if the distinguished name (DN) of an object is stored in a member attribute of the group. Samba and AD servers usually use this scheme.

Configured attribute for user login name or computer hostname (OpenLDAP)

This option has to be chosen if the login name of a user (username) or the hostname of a computer is stored in the member attributes of a group. OpenLDAP servers usually use this scheme.
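To make the difference between the two identification schemes (and the nested-groups option above) concrete, here is an added Python example, not Veyon's own code, that resolves a user's groups from constructed sample group objects under either scheme. Picking the wrong scheme yields no groups at all, which is what you would see in the Configurator's attribute tests.

```python
def normalize_dn(dn):
    """DNs compare case-insensitively; spaces around commas are insignificant."""
    return ",".join(part.strip().lower() for part in dn.split(","))

SAMPLE_USER = {"dn": "CN=Alice,OU=Users,DC=example,DC=org",   # constructed user object
               "sAMAccountName": "alice", "uid": "alice"}

AD_GROUPS = [  # constructed; Samba / AD scheme: the member attribute holds DNs
    {"dn": "CN=Teachers,OU=Groups,DC=example,DC=org", "cn": "Teachers",
     "member": ["cn=alice,ou=users,dc=example,dc=org"]},
    {"dn": "CN=IT Staff,OU=Groups,DC=example,DC=org", "cn": "IT Staff", "member": []},
    {"dn": "CN=Veyon Users,OU=Groups,DC=example,DC=org", "cn": "Veyon Users",
     "member": ["CN=Teachers,OU=Groups,DC=example,DC=org",
                "CN=IT Staff,OU=Groups,DC=example,DC=org"]},
]

OPENLDAP_GROUPS = [  # constructed; OpenLDAP scheme: the member attribute holds login names
    {"dn": "cn=teachers,ou=Groups,dc=example,dc=org", "cn": "teachers",
     "memberUid": ["alice", "bob"]},
    {"dn": "cn=students,ou=Groups,dc=example,dc=org", "cn": "students",
     "memberUid": ["carol"]},
]

def direct_groups(groups, member_attr, key, identify_by_dn):
    """Groups whose member attribute lists `key` (a DN or a login name)."""
    same = normalize_dn if identify_by_dn else str.lower
    return [g for g in groups
            if any(same(m) == same(key) for m in g.get(member_attr, []))]

def groups_of_user(user, groups, member_attr, login_attr, identify_by_dn, nested=False):
    """cn of every group the user belongs to. nested=True follows group-in-group
    membership transitively; that only works with DN-based identification (AD)."""
    key = user["dn"] if identify_by_dn else user[login_attr]
    queue = direct_groups(groups, member_attr, key, identify_by_dn)
    seen, names = set(), []
    while queue:
        g = queue.pop(0)
        if g["dn"] in seen:                 # guards against membership cycles
            continue
        seen.add(g["dn"])
        names.append(g["cn"])
        if nested and identify_by_dn:
            queue.extend(direct_groups(groups, member_attr, g["dn"], True))
    return names
```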

Computer locations

Veyon offers several methods to represent computer locations in an LDAP directory. In the simple case there is one computer group for every location (e.g. room). All computers at a specific location are members of the corresponding group. If computers instead are organized in containers or organizational units (OUs), these parent objects can be used as locations. Both procedures do not require any adaptation of the LDAP schema. As a third possibility, the location name can also be stored as a special attribute in each computer object.

Computer groups

This option specifies that computer locations are identified through computer groups. All computer groups are then displayed as locations in the Veyon Master. For each location all computers that are members of the corresponding group are displayed. If not all LDAP groups are to be displayed as locations, either a dedicated computer group tree must be configured or the computer groups must be restricted using a computer group filter.

Default: enabled

Computer containers or OUs

This option specifies that the containers/OUs containing computer objects are used as computer locations. Containers are objects that are parents to computer objects in the LDAP tree. If not all containers are to be displayed as locations, a corresponding computer container filter can be set up.

Default: disabled

Location attribute in computer objects

If the LDAP schema for computer objects provides a special attribute for mapping computer objects to locations, this option can be enabled and the attribute name can be entered. The Test button can be used to check whether the members of a computer location can be queried correctly using the configured attribute.

Default: disabled
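The three location methods described above, shown on constructed sample objects as an added Python example that is not Veyon's own code. Falling back to a group's cn when the configured location name attribute is empty is an assumption of this example, as is the sample room attribute used for the third method.

```python
def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def rdn_value(dn, index=0):
    """Value of the index-th RDN: rdn_value('CN=pc01,OU=Room101,...', 1) -> 'Room101'.
    Escaped commas inside RDN values are not handled."""
    return dn.split(",")[index].split("=", 1)[1]

SAMPLE_COMPUTERS = [  # constructed computer objects, not real directory data
    {"dn": "CN=pc01,OU=Room101,OU=Computers,DC=example,DC=org", "cn": "pc01", "room": "R101"},
    {"dn": "CN=pc02,OU=Room101,OU=Computers,DC=example,DC=org", "cn": "pc02", "room": "R101"},
    {"dn": "CN=pc03,OU=Room102,OU=Computers,DC=example,DC=org", "cn": "pc03", "room": "R102"},
    {"dn": "CN=laptop01,OU=Computers,DC=example,DC=org", "cn": "laptop01"},  # no location data
]
SAMPLE_GROUPS = [  # constructed computer groups; members are stored as DNs (AD scheme)
    {"dn": "CN=Room101,OU=Groups,DC=example,DC=org", "cn": "Room101", "description": "Physics lab",
     "member": ["cn=pc01,ou=room101,ou=computers,dc=example,dc=org",
                "CN=pc02,OU=Room101,OU=Computers,DC=example,DC=org"]},
    {"dn": "CN=Room102,OU=Groups,DC=example,DC=org", "cn": "Room102", "description": "Chemistry lab",
     "member": ["CN=pc03,OU=Room102,OU=Computers,DC=example,DC=org"]},
]

def locations_by_group(computers, groups, member_attr="member", name_attr=None):
    """Method 1: every computer group is a location; its members are that location's computers."""
    by_dn = {normalize_dn(c["dn"]): c["cn"] for c in computers}
    result = {}
    for g in groups:
        name = (name_attr and g.get(name_attr)) or g["cn"]   # location name attribute, else cn
        result[name] = [by_dn[normalize_dn(m)] for m in g.get(member_attr, [])
                        if normalize_dn(m) in by_dn]
    return result

def locations_by_container(computers):
    """Method 2: the parent container/OU of each computer object is its location.
    Note that OU=Computers itself shows up unless a computer container filter excludes it."""
    result = {}
    for c in computers:
        result.setdefault(rdn_value(c["dn"], 1), []).append(c["cn"])
    return result

def locations_by_attribute(computers, location_attr):
    """Method 3: a dedicated attribute of each computer object names its location."""
    result = {}
    for c in computers:
        if c.get(location_attr):
            result.setdefault(c[location_attr], []).append(c["cn"])
    return result
```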

Integration tests

The integration tests can be used to check the LDAP integration as a whole. The buttons allow various tests to be performed. All tests should be successful and provide valid results before the LDAP connection is used in production.

Using the LDAP backend

Once the LDAP integration has been configured and tested successfully, the LDAP backends can be activated. For this, the network object directory and the user groups backend for the computer access control must be adapted. Only after switching the network object directory to LDAP is the location and computer information from the LDAP directory used in the Veyon Master.

Attention

After changing the backend for the computer access control, all previously configured access rules should under all circumstances be checked, since the group and location information changes and in most cases existing access rules will no longer be valid or will no longer be processed correctly.

Command line interface

The command line interface of Veyon allows some LDAP-specific operations. All operations are available via the ldap module. A list of all supported commands is displayed via veyon-cli ldap help, while command-specific help texts can be displayed via veyon-cli ldap help <command>.

autoconfigurebasedn

This command can be used to automatically determine the used base DN and permanently write it to the configuration. An LDAP server URL and optionally a naming context attribute have to be supplied as parameters:

veyon-cli ldap autoconfigurebasedn ldap://192.168.1.2/ namingContexts
veyon-cli ldap autoconfigurebasedn ldap://Administrator:MYPASSWORD@192.168.1.2:389/

Hint

Special characters such as @ or :, especially in the password, can be specified by using URL percent-encoding.
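An added Python example (not part of Veyon) that builds the LDAP URL for autoconfigurebasedn with percent-encoded bind credentials and parses it back with Python's own URL parser to confirm that @ and : in the password survive the encoding. The host, user and password values are constructed.

```python
from urllib.parse import quote, unquote, urlsplit

def build_ldap_url(host, port=389, bind_user=None, password=None):
    """ldap://[user[:password]@]host:port/ with the credentials percent-encoded."""
    userinfo = ""
    if bind_user is not None:
        # safe="" leaves no reserved character unencoded, so '@', ':', '/' and
        # '\\' (as in DOMAIN\\User) cannot be mistaken for URL delimiters
        userinfo = quote(bind_user, safe="")
        if password is not None:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    return "ldap://%s%s:%d/" % (userinfo, host, port)

def credentials_from_url(url):
    """Parse a URL back into (user, password, host, port) to check the round trip."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname, parts.port
```

The encoded URL is what you pass on the veyon-cli command line; quote it for your shell as well, since % and @ have no special meaning there but spaces and some other characters do.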

query

This command allows querying LDAP objects (locations, computers, groups, users) and is mainly used for testing. The function can also be used to develop scripts for system integration tasks.

veyon-cli ldap query users
veyon-cli ldap query computers