2.1 Adding User Sources

After you define a user source, the ZENworks Agent automatically prompts device users to log in to the ZENworks Management Zone. If you do not want users to receive this prompt, you can uninstall or disable the User Management module at the ZENworks Agent level. For more information, see Configuring ZENworks Agent Settings after Deployment in the ZENworks Agent Reference.

  1. In ZENworks Control Center, click the Configuration tab.

    Configuration Page
  2. In the User Sources panel, click New to launch the Create New User Source Wizard.

    Create New User Source page_11 SP2
  3. Follow the prompts to create the connection to the user source.

    For information about each of the wizard pages, click the Help button or refer to the following table:

    Wizard Page


    Connection Information page

    Specify the information required to create a connection to the LDAP directory:

    • Connection Name: Specify a descriptive name for the connection to the LDAP directory.

    • Address: Specify the IP address or DNS hostname of the server where the LDAP directory resides.

    • Use SSL: This option is applicable for a user source and is displayed only if you are creating a new user source. However, this option is not displayed if you are adding a new connection for an existing user source. By default, this option is enabled. Disable the option if the LDAP server is not using the SSL (Secure Socket Layer) protocol.

      NOTE:If the Active Directory servers have the LDAP channel bind fixes from Microsoft, then ZENworks user authentication will break for all the LDAP Servers for which SSL is not enabled. For more information, see Troubleshooting User Authentication

    • Port: This field defaults to the standard SSL port (636) or non-SSL port (389) depending on whether the Use SSL option is enabled or disabled. If your LDAP server is listening on a different port, select that port number.

    • Root LDAP Context: Displays the root context for the LDAP directory. This option is available only when you are creating a new user source. The root context establishes the point in the directory where you can begin to browse for user containers. Specifying a root context can enable you to browse less of the directory, but it is optional. If you don’t specify a root context, the directory’s root container becomes the entry point.

    • Ignore Dynamic Groups in eDirectory: This option allows you to select whether or not to display the dynamic groups in a Users page. If you choose to select Ignore Dynamic Groups in eDirectory, then users cannot assign a policy or a bundle to a dynamic user group and the dynamic group membership will not be computed while calculating the effective assignments for any user.

    Certificate Page

    (Conditional) If you selected Use SSL on the previous Wizard page (Connection Information), the Certificate page displays as the next. step in the Wizard. Ensure that the Certificate is correct.

    Credentials page

    Specify a username and password for accessing the directory:

    • Username: Specify the username for a user that has read-only access to the directory. The user can have more than read-only access, but read-only access is all that is required and recommended.

      For Novell eDirectory access, use standard LDAP notation. For example:


      For Microsoft Active Directory, use standard domain notation. For example:


      For DSfW, use standard LDAP notation. For example:

      cn=admin_read_only,ou=users,dc=mycompany, dc=com

    • Password: Specify the password for the user you specified in the Username field.

    NOTE:Ensure that the password does not contain the special characters ~ and \.

    Authentication Mechanisms page

    Select the mechanism used to authenticate users to the ZENworks Management Zone. The available mechanisms depend on whether you are configuring a Novell eDirectory or a Microsoft Active Directory user source.

    • Kerberos: Active Directory or Domain Services for Windows (DSfW). Enables Kerberos authentication in which the Active Directory server generates a Kerberos ticket that Novell Common Authentication Services Adapter (CASA) uses to authenticate the user, instead of using a username and password. Kerberos authentication is often used with smart cards.

    • Username/Password: eDirectory, Active Directory, or Domain Services for Windows (DSfW). Enables simple authentication using a username and password.

    • Shared Secret: eDirectory only. Enables a user to automatically log in to ZENworks when a smart card is used to log in to eDirectory. This option is enabled only if the schema of the eDirectory specified in the Connection Information page is extended using the microfocus-zenworks-configure tool.If Shared Secret is not selected as an authentication mechanism, a ZENworks login dialog box is displayed when the user on the managed device attempts to log in to eDirectory using a smart card. After the user specifies the eDirectory username and password, that password is stored in Novell SecretStore. The next time the user uses a smart card to log in to eDirectory, the password is retrieved from SecretStore and the user is logged in to the ZENworks without having to specify the password.

    If you select both available mechanisms (Kerberos and Username/Password for Active Directory or Username/Password and Shared Secret for eDirectory), ZENworks Configuration Management attempts to use the first mechanism for authentication. If authentication fails, the next mechanism is used. For example, if you select Kerberos and Username/Password for Active Directory, ZENworks Configuration Management first attempts to use Kerberos authentication. If Kerberos authentication fails, simple Username/Password authentication is used.

    User Containers page

    After you connect to an LDAP directory as a user source, you can define the containers within the directory that you want exposed. The number of user containers you define is determined by how much of the directory you want to expose. Consider the following example:

    Assume that you want to enable all users in the Accounting and Sales containers to receive ZENworks content. In addition, you want to be able to access the user groups located in the Accounting, Sales, and Groups containers in order to distribute content based on those groups. To gain access to the users and groups, you have two options:

    • You can add MyCompany/EMEA as a user container, so all containers located below EMEA are visible in ZENworks Control Center, including the Servers and Services containers. Only users and user groups located in the EMEA containers are visible (servers and services are not), but the structure is still exposed.

    • You can add MyCompany/EMEA/Accounting as one user container, MyCompany/EMEA/Sales as a second container, and MyCompany/EMEA/Groups as a third container. Only these containers become visible as folders beneath the MyCompany directory reference in ZENworks Control Center.

    To add the containers where users reside:

    1. Click Add to display the Add User Container dialog box.

    2. In the Context field, click Browse icon to browse for and select the desired container.

    3. In the Display Name field, specify the name you want used for the user container when it is displayed in ZENworks Control Center.

    4. Click OK to add the container to the list.