LDAP/AD integration
This chapter covers setting up Veyon to connect to LDAP-compatible servers. In the following, the generic term LDAP is used and refers to all LDAP-compatible products and technologies such as OpenLDAP, Samba or Active Directory. The LDAP integration allows you to use information about users, user groups, computers and locations that already exists in most environments, instead of replicating it manually in the Veyon configuration. Once configured, Veyon Master can retrieve the locations and computers to be displayed directly from the directory service. In addition, LDAP users and user groups can serve as the basis for computer access control.
The LDAP integration is configured on the LDAP configuration page in the Veyon Configurator. The page is divided into several subpages for Basic settings, Environment settings, Advanced settings and Integration tests.
Basic settings
The basic settings affect all fundamental parameters for accessing the LDAP server. They are mandatory for the LDAP integration to work correctly.
General
- LDAP server and port
Enter the address of the LDAP server here (hostname or IP address). If a port other than the default LDAP port 389 is used, the port parameter has to be adjusted accordingly.
- Anonymous bind / use bind credentials
Depending on the environment and the configuration of the LDAP server, LDAP queries can be performed either as an anonymous user or only with valid usernames and passwords. If a username and password are required to access the server, the option Use bind credentials must be selected and the credentials must be entered in the input fields below. Otherwise the default option Anonymous bind can be used.
- Bind DN
The bind DN is the username used to log in to the server in order to perform LDAP operations. However, the required format depends heavily on the LDAP server and its configuration. Possible formats include User, DOMAIN\User or cn=User,…,dc=example,dc=org.
- Bind password
In addition to the bind DN, the corresponding password has to be entered.
You can use the Test button to check whether access to the server works with the supplied parameters.
Hint
Veyon only requires read access to the LDAP directory. As an additional security measure, a dedicated user with read-only access to the LDAP directory can be created on the LDAP server, e.g. "Veyon-LDAP-RO". Access to relevant attributes can be further restricted for this user.
Connection security
Veyon can establish encrypted connections to the LDAP server. For this purpose, settings are available in the section Connection security.
- Encryption protocol
You can choose between the encryption protocols None, TLS and SSL. The use of the modern TLS protocol is recommended.
Default: None
- TLS certificate verification
This setting determines how the security certificate of the LDAP server is checked when the encrypted connection is established. With the default setting System defaults, depending on the operating system, an attempt is made to verify the certificate using the root certificates installed system-wide. The Windows certificate store is not taken into account here, so a separate CA certificate file may have to be stored. With the Never setting, the server certificate is not verified at all. This makes man-in-the-middle attacks possible and should therefore only be used in exceptional cases. The User-defined CA certificate file setting ensures that the certificate check is performed on the basis of a specified CA certificate file.
Default: System defaults
- Custom CA certificate file
If you use your own certification authority (CA), it may be necessary to store its certificate in PEM file format so that Veyon can check the certificate of the LDAP server.
Base DN
The base DN defines the address of the root object in the directory. All objects are stored below the base DN. Usually the base DN comes from the DNS or AD domain (see also RFC 2247).
In most cases a fixed base DN is used, so the default option Fixed base DN has to be chosen. The base DN then has to be entered in the corresponding input field or selected from the server by using the Browse button. You can use the Test button to verify whether the settings are correct and entries can be found.
If a generic Veyon configuration is to be used across multiple sites with different base DNs, Veyon can be configured so that the base DN is always queried dynamically using LDAP naming contexts. For this to work, the option Discover base DN by naming context has to be chosen and the naming context attribute must be adapted. You can use the Test button to verify whether a base DN could be determined.
After importing a generic Veyon configuration without a fixed base DN, it is also possible to determine the base DN through the command line interface and write it to the local configuration.
Environment settings
After the basic settings have been configured and tested, the environment-specific settings can now be made. These settings determine which trees contain objects of certain types as well as the names of certain object attributes. With these parameters Veyon can retrieve all required information from the LDAP directory.
Object trees
Object trees are organizational or structural units in which certain types of objects (users, groups, computers) are stored. The respective CNs (Common Names) or OUs (Organizational Units) must be entered without the base DN part in the respective input field. Next to each input field there are buttons for opening browse dialogs and for testing the individual setting.
- User tree
The LDAP tree (without base DN) in which the user objects are located must be entered here, e.g. OU=Users or CN=Users.
- Group tree
The LDAP tree (without base DN) in which the group objects are located must be entered here, e.g. OU=Groups or CN=Groups.
- Computer tree
The LDAP tree (without base DN) in which the computer objects are located must be entered here, e.g. OU=Computers or CN=Computers.
- Computer group tree
If the computer groups are located in a different tree than the regular user groups or in a subtree, the corresponding LDAP tree can be specified here. Otherwise the group tree is used to query computer groups and to filter them with a specific object filter if necessary.
- Perform recursive search operations in object trees
This option can be used to control whether objects should be queried recursively. The search then takes place not only in the specified tree but also in any existing subtrees.
Default: disabled
Hint
If objects of one type are stored in different object trees (e.g. users in both CN=Teachers and CN=Students), the parameter for the corresponding object tree can be left empty and the option Perform recursive search operations in object trees can be activated. A recursive search is then performed in the entire LDAP directory starting from the base DN. In this case, however, it is strongly recommended to set the object filters for the respective object type.
Object attributes
For Veyon to be able to retrieve the required information from the queried objects, the names of some object attributes have to be configured, as these differ substantially depending on the environment and LDAP server. Next to each input field buttons for browsing the attribute of an existing object and testing the respective attribute name are available.
- User login name attribute
This attribute must hold the login name of a user. The attribute is used to determine the LDAP user object associated with a particular username. In an OpenLDAP environment often the attribute name uid is used, while the name sAMAccountName is common in Active Directories.
- Group member attribute
Members of a group are listed in group objects through this attribute. The attribute is used to determine the groups a particular user is a member of. Depending on the configuration, the attribute is also used to map computers to locations. In an OpenLDAP environment often the attribute name member is used, while the name memberUid is common in Active Directories.
- Computer display name attribute
The content of this optional attribute is used to determine the name of a computer displayed in Veyon Master. If left blank, the common name (cn) is used instead.
Default: cn
- Computer hostname attribute
This attribute must hold the DNS name of the computer. It is used to determine the LDAP computer object associated with a particular computer hostname. In an OpenLDAP environment often the attribute name name is used, while the name dNSHostName is common in Active Directories.
- Hostnames stored as fully qualified domain names (FQDN, e.g. myhost.example.org)
This option specifies whether to use the fully qualified domain name (FQDN) for mapping computer names to LDAP computer objects. If the computer names are stored without the domain part in the LDAP directory, this option has to be left disabled, otherwise it must be enabled.
Default: disabled
- Computer MAC address attribute
In addition to the computer name, the MAC addresses of computers are stored in the LDAP directory in some environments, for example if the DHCP server also accesses the LDAP directory. If the Veyon feature to switch on computers via Wake-on-LAN is to be used, the corresponding attribute name must be entered here, since the MAC address is required for this functionality. Typical attribute names are hwAddress or dhcpAddress.
Hint
In a standard Active Directory there is no attribute which stores MAC addresses. You must therefore populate MAC addresses manually in an existing unused attribute such as wwwHomepage, or extend the AD schema. Additionally you can grant computers group write access to SELF and use a PowerShell script to make each computer automatically store the MAC address of its first physical LAN adapter when booting.
- Computer location attribute
If the LDAP schema for computer objects provides a special attribute for the mapping to a location, this attribute name can be entered here. The Test button can be used to verify whether the computers at a location can be queried correctly using the configured attribute. In the advanced settings, you can then specify in the section Computer locations that the computer location attribute is used.
- Location name attribute
When identifying computer locations via computer groups or computer containers, the value of a certain attribute can be displayed as the location name instead of the common names of these groups or objects. If, for example, computer groups have an attribute called name or description, a meaningful location name can be stored in this attribute and the attribute name can be entered here.
Advanced settings
With the advanced settings the LDAP integration and the use of the information from the LDAP directory can be customized to individual needs.
Optional object filters
With LDAP filters, the LDAP objects used by Veyon can be narrowed down if, for example, computer objects such as printers are not to be displayed in the Veyon Master. Next to each input field there is a button for checking the respective object filter.
As of Veyon 4.1 the optional filters follow the well-known scheme for LDAP filters (see for example RFC 2254 or Active Directory: LDAP Syntax Filters) such as (objectClass=XYZ).
- User filter
You can define an LDAP filter for users here, e.g. (objectClass=person) or (&(objectClass=person)(objectClass=veyonUser)).
- User group filter
You can define an LDAP filter for user groups here, e.g. (objectClass=group) or (|(cn=teachers)(cn=students)(cn=admins)).
- Computer filter
You can define an LDAP filter for computers here, e.g. (objectClass=computer) or (&(!(cn=printer*))(!(cn=scanner*))).
- Computer group filter
You can define an LDAP filter for computer groups here, e.g. (objectClass=room) or (cn=Room*). If computer groups are used as locations, you can filter the displayed locations this way.
- Computer container filter
You can define an LDAP filter for computer containers here, e.g. (objectClass=container) or (objectClass=organizationalUnit). If containers/OUs are used as locations, you can filter the displayed locations this way.
Query options
- Query nested user groups (supported by AD only)
If you have nested user groups (currently supported by Active Directory only), you can enable this option to make Veyon query all (even indirect) groups of a user. When enabled, you could for example create a group Veyon Users with the existing user groups Teachers and IT Staff as members. The Veyon Users group can then be used for access control purposes.
Group member identification
The content of the group membership attributes varies across different LDAP implementations. While in Active Directory the distinguished name (DN) of an object is stored in the member attribute, OpenLDAP usually stores the user login name (uid or similar) or the computer name. In order for Veyon to use the correct value for querying the groups of a user or computer, the appropriate setting must be chosen here.
- Distinguished name (Samba / AD)
This option has to be chosen if the distinguished name (DN) of an object is stored in a member attribute of the group. Samba and AD servers usually use this scheme.
- Configured attribute for user login name or computer hostname (OpenLDAP)
This option has to be chosen if the login name of a user (username) or the hostname of a computer is stored in the member attributes of a group. OpenLDAP servers usually use this scheme.
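The optional object filters and the group member identification setting together determine the query that lists a user's groups. The following added example (not Veyon's own code; the settings keys are this example's own naming of the options above) composes that filter for both identification modes and escapes the user-supplied value per RFC 4515, which is what keeps a crafted login name from altering the query; the nested-group variant uses Active Directory's matching rule OID, and whether Veyon uses exactly that operator is an assumption here.

```python
# RFC 4515 escaping: characters with structural meaning inside a filter are
# replaced by a backslash and two hex digits.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value before embedding it in a filter, so that a
    login name such as 'x)(objectClass=*' cannot rewrite the query."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_object_filter(flt: str) -> str:
    """Optional object filters must be complete parenthesised filters such as
    (objectClass=group); anything else is rejected before it is used."""
    flt = flt.strip()
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"object filter must be parenthesised: {flt!r}")
    return flt


# Matching rule OID Active Directory uses for transitive (nested) membership.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def groups_of_user_filter(settings: dict, login: str, dn: str,
                          nested: bool = False) -> str:
    """Build the filter listing the groups a user is a member of.

    settings keys (this example's names, mirroring the Veyon options):
      group_member_attribute  e.g. "member" or "memberUid"
      member_identification   "dn" (Samba/AD) or "login" (OpenLDAP)
      user_group_filter       optional, e.g. "(objectClass=group)"
    """
    mode = settings["member_identification"]
    if mode == "dn":
        value = dn
    elif mode == "login":
        value = login
    else:
        raise ValueError(f"unknown member identification mode: {mode!r}")
    attr = settings["group_member_attribute"]
    if nested:
        if mode != "dn":
            raise ValueError("nested group lookup needs DN-based membership (AD)")
        attr = f"{attr}:{AD_IN_CHAIN}:"  # member:1.2.840.113556.1.4.1941:=<dn>
    membership = f"({attr}={escape_filter_value(value)})"
    extra = validate_object_filter(settings.get("user_group_filter", ""))
    return f"(&{extra}{membership})" if extra else membership
```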
Computer locations
Veyon offers several methods to represent computer locations in an LDAP directory. In the simple case there is one computer group for every location (e.g. room). All computers at a specific location are members of the corresponding group. If computers instead are organized in containers or organizational units (OUs), these parent objects can be used as locations. Both procedures do not require any adaptation of the LDAP schema. As a third possibility, the location name can also be stored as a special attribute in each computer object.
- Computer groups
This option specifies that computer locations are identified through computer groups. All computer groups are then displayed as locations in the Veyon Master. For each location all computers that are members of the corresponding group are displayed. If not all LDAP groups are to be displayed as locations, either a dedicated computer group tree must be configured or the computer groups must be restricted using a computer group filter.
Default: enabled
- Computer containers or OUs
This option specifies that the containers/OUs containing computer objects are used as computer locations. Containers are objects that are parents to computer objects in the LDAP tree. If not all containers are to be displayed as locations, a corresponding computer container filter can be set up.
Default: disabled
- Location attribute in computer objects
If the LDAP schema for computer objects provides a special attribute for mapping computer objects to locations, this option can be enabled and the attribute name can be entered. The Test button can be used to check whether the members of a computer location can be queried correctly using the configured attribute.
Default: disabled
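The three location mappings above, applied to a small constructed directory, as an added example that is not part of Veyon (the entries, the room object class and the attribute names description and location are assumptions made for illustration):

```python
from collections import defaultdict

ENTRIES = [  # sample objects below dc=example,dc=org, constructed for this example
    {"dn": "cn=pc-101a,ou=Room 101,ou=Computers,dc=example,dc=org", "objectClass": ["computer"],
     "cn": "pc-101a", "dNSHostName": "pc-101a.example.org", "location": "Room 101"},
    {"dn": "cn=pc-101b,ou=Room 101,ou=Computers,dc=example,dc=org", "objectClass": ["computer"],
     "cn": "pc-101b", "dNSHostName": "pc-101b.example.org", "location": "Room 101"},
    {"dn": "cn=pc-102a,ou=Room 102,ou=Computers,dc=example,dc=org", "objectClass": ["computer"],
     "cn": "pc-102a", "dNSHostName": "pc-102a.example.org", "location": "Room 102"},
    {"dn": "cn=Room101,ou=Groups,dc=example,dc=org", "objectClass": ["room"], "cn": "Room101",
     "description": "Room 101",  # location name attribute set
     "member": ["cn=pc-101a,ou=Room 101,ou=Computers,dc=example,dc=org",
                "cn=pc-101b,ou=Room 101,ou=Computers,dc=example,dc=org"]},
    {"dn": "cn=Room102,ou=Groups,dc=example,dc=org", "objectClass": ["room"], "cn": "Room102",
     "member": ["cn=pc-102a,ou=Room 102,ou=Computers,dc=example,dc=org"]},  # no description
]

def split_dn(dn):  # split into RDNs, honouring backslash-escaped commas in values
    rdns, buf, esc = [], "", False
    for ch in dn:
        if esc or ch == "\\":
            buf, esc = buf + ch, not esc
        elif ch == ",":
            rdns, buf = rdns + [buf], ""
        else:
            buf += ch
    return rdns + [buf]

def location_name(entry, name_attr="description"):
    """Location name attribute if set, otherwise the common name (cn)."""
    return entry.get(name_attr) or entry["cn"]

def by_computer_groups(entries, member_attr="member", identify_by_dn=True, host_attr="dNSHostName"):
    """Method 1: each computer group is a location; members matched by DN (Samba/AD) or hostname (OpenLDAP)."""
    key = (lambda c: c["dn"]) if identify_by_dn else (lambda c: c[host_attr])
    index = {key(c).lower(): c["cn"] for c in entries if "computer" in c["objectClass"]}
    out = defaultdict(list)
    for g in (e for e in entries if "room" in e["objectClass"]):
        out[location_name(g)].extend(index[m.lower()] for m in g.get(member_attr, []) if m.lower() in index)
    return dict(out)

def by_containers(entries):
    """Method 2: the parent container/OU of each computer object is its location."""
    out = defaultdict(list)
    for c in (e for e in entries if "computer" in e["objectClass"]):
        out[split_dn(c["dn"])[1].split("=", 1)[1]].append(c["cn"])
    return dict(out)

def by_location_attribute(entries, attr="location"):
    """Method 3: a dedicated attribute in each computer object names its location."""
    out = defaultdict(list)
    for c in (e for e in entries if "computer" in e["objectClass"] and e.get(attr)):
        out[c[attr]].append(c["cn"])
    return dict(out)
```

Calling by_computer_groups with identify_by_dn=False against these DN-valued member attributes returns every location empty, which is the symptom of a group member identification setting that does not match the directory.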
Integration tests
The integration tests can be used to check the LDAP integration as a whole. The buttons allow various tests to be performed. All tests should be successful and provide valid results before the LDAP connection is used in production.
Using the LDAP backends
Once the LDAP integration has been configured and tested successfully, the LDAP backends can be activated. For this, the network object directory and the user groups backend for the computer access control must be adapted. Only after switching the network object directory to LDAP is the location and computer information from the LDAP directory used in the Veyon Master.
Attention
After changing the backend for the computer access control, all previously configured access rules should under all circumstances be checked, since group and location information change and in most cases access rules will no longer be valid or not be processed correctly.
Command line interface
The command line interface of Veyon allows some LDAP-specific operations. All operations are available using the ldap module. A list of all supported commands is displayed via veyon-cli ldap help, while command-specific help texts can be displayed via veyon-cli ldap help <command>.
- autoconfigurebasedn
This command can be used to automatically determine the base DN in use and permanently write it to the configuration. An LDAP server URL and optionally a naming context attribute have to be supplied as parameters:
veyon-cli ldap autoconfigurebasedn ldap://192.168.1.2/ namingContexts
veyon-cli ldap autoconfigurebasedn ldap://Administrator:MYPASSWORD@192.168.1.2:389/
Hint
Special characters such as @ or : (especially in the password) can be specified by using URL percent-encoding.
- query
This command allows querying LDAP objects (locations, computers, groups, users) and is mainly used for testing. The function can also be used to develop scripts for system integration tasks.
veyon-cli ldap query users
veyon-cli ldap query computers
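The server URL handed to autoconfigurebasedn, with bind credentials percent-encoded as the hint above recommends, together with the RFC 2247 mapping from a DNS domain to a fixed base DN described in the Base DN section, as an added example that is not part of Veyon (the function names are this example's own):

```python
from urllib.parse import quote, unquote, urlsplit


def build_ldap_url(host, user=None, password=None, port=389, scheme="ldap"):
    """Assemble the server URL for 'veyon-cli ldap autoconfigurebasedn'.
    Credentials are percent-encoded so '@', ':' or '/' inside a password
    cannot be mistaken for URL structure."""
    netloc = f"{host}:{port}"
    if user is not None:
        cred = quote(user, safe="")
        if password is not None:
            cred += ":" + quote(password, safe="")
        netloc = f"{cred}@{netloc}"
    return f"{scheme}://{netloc}/"


def parse_ldap_url(url):
    """Split an LDAP URL into its parts, decoding the credentials again."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    return {"host": p.hostname, "port": p.port or 389,
            "user": unquote(p.username) if p.username else None,
            "password": unquote(p.password) if p.password else None}


def base_dn_from_domain(domain):
    """Derive the base DN from a DNS/AD domain as RFC 2247 describes
    (example.org -> dc=example,dc=org). Discovering it from the server's
    naming contexts, as autoconfigurebasedn does, is not attempted here."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


if __name__ == "__main__":
    url = build_ldap_url("192.168.1.2", "Administrator", "p@ss:w/rd")
    print(url)  # ldap://Administrator:p%40ss%3Aw%2Frd@192.168.1.2:389/
    print(parse_ldap_url(url))
    print(base_dn_from_domain("example.org"))  # dc=example,dc=org
```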