January 11th, 2012 10:00
LDAP and AD integration with the VDI Assessment tool
We have currently installed the VDI assessment tool for a customer. I have a few queries and a current issue with regards to integrating with AD.
(1) Is it best to use AD or LDAP for the integration?
(2) What are the benefits of AD and LDAP integration? For example, do all users and groups get imported and how would VDI know what computer and user to assign to each group?
(3) I notice that when you create the directory, it appears as a directory option when logging onto the VDI assessment tool via Internet Explorer. When users and groups have been imported from AD, would you need to use that as the directory when logging on, or do you log on using the local directory (default) of the VDI tool?
(4) This is the issue we have and is the key reason for this post. We have tried using the AD and LDAP options and ensuring the username is set appropriately each time. I have changed entries to make it anonymous. Also, the LDAP paths were obtained from ADSI edit for the AD objects.
We create the directory as follows.
Directory Type: LDAP
Fully Qualified Name: DC= Client,DC=Domain,DC=local
Use Default port
We don't use secure connection but have tried with this ticked and unticked
Administrator name: Have tried: LDAP: cn=JSmith, OU=Admin, O=Client.Domain.local and just cn=JSmith, OU=Admin, O=Client.Domain.local and even tried the AD logon name. Put the administrator password in and has been verified as logging on
Base DN: This is the LDAP path to the OU that contains the Groups and users, which are also contained in sub-OUs. OU=OU that contains the users and groups,DC= Client,DC=Domain,DC=local
No default advanced parameters have been changed. Do they need to be?
The error received when trying to import from the directory is as follows.
Error. Import for domain (name of the directory import job created) failed: Import failed for all domain controllers.; nested exception is org.springframework.dao.DataAccessResourceFailureException: Error searching LDAP server; nested exception is javax.naming.CommunicationException: DC=Client,DC=Domain,DC=local:389 [Root exception is java.net.UnknownHostException: DC=Client,Domain,DC=local
mlevine1
14 Posts
0
January 20th, 2012 13:00
Hi James,
I'm sorry it's taken so long to reply. Hopefully I can answer your questions and sort out your issue.
(1) As you use AD, choose the AD type.
(2) The main benefit is SSO. Your users can log into the Hub using their Windows credentials.
The users and groups imported depend on how you configure the Directory. You can use the "Advanced Parameters" to change the "User Search Base" and "Group Search Base". If you leave the default, ALL users and groups are imported.
User Groups are useful for policy and report filters. They are manually created in the Local Directory or imported (from your AD). If you import the Users and Groups (from your AD), the assignment is also imported. Therefore if you want to change a user's group it must be done in your AD then re-imported.
Machine groups are ONLY manually created and have nothing to do with User Groups. They are also used as filters.
(3) The dropdown is asking you from which directory you would like to authenticate the entered credentials. Therefore if you enter your AD (windows) credentials you must select the correct directory in the dropdown. The local directory is selected for any (ootb) credentials, such as ssadmin, or credentials you've added manually to the local directory.
(4) As I said above use AD as the type. In fact the "Fully Qualified Name" should be your AD server fqdn, for example, myADServerName.mycompany.com. Basically if it's pingable you should be OK. The default port is 389. So leave default if your AD uses this port. The administrator name should be a domain admin logon, for example, myadmin@mycompany.com. The "Base DN" should go to the root of your tree, for example, DC=mycompany, DC=com. This default configuration will import all users and groups in the directory. If you want to import a specific "ou" then it must be added to the advanced parameters user/group search base. For example mycompany.com has the following structure:
ou=London
----ou=Sales
-------CN=Sales1
-------CN=Sales2
-------CN=Sales3
-------CN=Sales Group
ou=New York
----ou=IT
-------CN=IT1
-------CN=IT2
-------CN=IT3
-------CN=IT Group
If you only want the IT users and their group to be imported change the base search for both users and group to ou=New York, ou=IT
The final config for the example is as follows:
Name: My Company
Fully Qualified Name: myADServerName.mycompany.com
Port: Use Default
Administrator: myadmin@mycompany.com
Base DN: DC=mycompany, DC=com
User Search Base: ou=New York, ou=IT
Group Search Base: ou=New York, ou=IT
Regards,
Mark.
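The import error in the question comes from a distinguished name being entered where a host name is expected. The following check is an added example, not part of the thread and not code from the VDI Assessment tool; the dictionary keys (`fully_qualified_name`, `base_dn`, `port`, `secure`) are hypothetical names for the form fields, and the cleartext warning assumes the tool performs an LDAP simple bind.

```python
import re

# Host name label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a DN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_to_dns_domain(dn):
    """Join the DC components of a DN into the DNS domain name they spell."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

def is_hostname(name):
    return bool(name) and len(name) <= 253 and all(_LABEL.match(l) for l in name.split("."))

def check_directory_config(cfg):
    """Return a list of (severity, message) findings for one directory entry."""
    findings = []
    host = cfg["fully_qualified_name"]
    if "=" in host:  # a DN here is what produces UnknownHostException on import
        findings.append(("error", "Fully Qualified Name holds a DN, not a host; "
                         f"the DN spells DNS domain {dn_to_dns_domain(host)!r}"))
    elif not is_hostname(host):
        findings.append(("error", f"{host!r} is not a valid DNS host name"))
    try:
        if not dn_to_dns_domain(cfg["base_dn"]):
            findings.append(("error", "Base DN has no DC components"))
    except ValueError as exc:
        findings.append(("error", f"Base DN does not parse: {exc}"))
    if cfg.get("port", 389) == 389 and not cfg.get("secure", False):
        findings.append(("warning", "port 389 without a secure connection: a simple "
                         "bind sends the administrator password unencrypted"))
    return findings

# Constructed sample entries mirroring the two configurations in the thread.
FAILING = {"fully_qualified_name": "DC= Client,DC=Domain,DC=local",
           "base_dn": "OU=Users and Groups,DC= Client,DC=Domain,DC=local"}
WORKING = {"fully_qualified_name": "myADServerName.mycompany.com",
           "base_dn": "DC=mycompany, DC=com", "port": 389, "secure": False}
```

Run against the two samples, the first entry yields an error naming the DNS domain hidden in the DN, while the second passes the host and Base DN checks and leaves only the unencrypted-bind warning to act on.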
Virtual11
3 Posts
0
January 20th, 2012 13:00
Thanks very much. Just about to hit the road so will give a proper review later.
Regards
James
--- original message ---
From: "Mark Levine"
Subject: - Re: LDAP and AD integration with the VDI Assessment tool
Date: 20th January 2012
Time: 3:48:31 pm
Quest Communities
Thread: Re: LDAP and AD integration with the VDI Assessment tool
created by Mark Levine in Quest VDI Assessment at 8:51 AM on Jan 20, 2012
Virtual11
3 Posts
0
January 25th, 2012 11:00
Thanks for the response.
So once the AD groups and users have been imported, they can be used as filters?
(1) What would the policy be that you can set against the user and group? Is it permissions for the VDI tool? I take it that if you assign a group the policy, all of its members in AD will get that policy? If the users are members of more than one policy, do they get all of the settings defined in the policies?
(2) With regards to report filters, is that a way that we can filter by group and user for reports? I.e. Does the VDI assessment tool import devices and state the users logging on to the machine as well to help in the report creation?
(3) If they reach the device limit for the tool, can I provision a second and use the same license key as the first?
mlevine1
14 Posts
0
January 27th, 2012 13:00
Hi James,
Yes, filters are used in real time dashboards and generated reports.
(1) Only users and groups are imported. Any Authorization defined in AD is NOT. AD users are only imported for Authentication (and filters), AD groups can be used as filters - once a user is imported you can change his/her VDI assessment role using the VDI Assessment Administrator product, e.g. to Administrator.
(2) Yes, you can filter reports by users and groups imported from AD. The VDI Assessment agent analyses the activity of the machine (desktop) on which it is installed. The VDI Assessment Hub (server) will map applications and resource usage of the desktop to users it knows about.
(3) Yes, but you will have two VDI Assessment Hubs, hence two databases. The information cannot be merged to get a holistic view.
Regards,
Mark.