2.2 Managing User Sources

2.2.1 Adding User Sources

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, click New to launch the Create New User Source Wizard.

  3. Follow the prompts to create the connection to the user source.

    For information about each of the wizard pages, click the Help button or refer to the following table:

    Wizard Page

    Details

    Connection Information page

    Specify the information required to create a connection to the LDAP directory:

    • Connection Name: Specify a descriptive name for the connection to the LDAP directory.

    • Address: Specify the IP address or DNS hostname of the server where the LDAP directory resides.

    • Use SSL: This option is applicable for a user source and is displayed only if you are creating a new user source. However, this option is not displayed if you are adding a new connection for an existing user source. By default, this option is enabled. Disable the option if the LDAP server is not using the SSL (Secure Socket Layer) protocol.

    • Port: This field defaults to the standard SSL port (636) or non-SSL port (389) depending on whether the Use SSL option is enabled or disabled. If your LDAP server is listening on a different port, select that port number.

    • Root LDAP Context: Displays the root context for the LDAP directory. This option is available only when you are creating a new user source. The root context establishes the point in the directory where you can begin to browse for user containers. Specifying a root context can enable you to browse less of the directory, but it is optional. If you don’t specify a root context, the directory’s root container becomes the entry point.

    Certificate Page

    (Conditional) If you selected Use SSL on the previous wizard page (Connection Information), the Certificate page is displayed as the next step in the wizard. Ensure that the certificate is correct.

    Credentials page

    Specify a username and password for accessing the directory:

    • Username: Specify the username for a user that has read-only access to the directory. The user can have more than read-only access, but read-only access is all that is required and recommended.

      For Novell eDirectory access, use standard LDAP notation. For example:

      cn=admin_read_only,ou=users,o=mycompany

      For Microsoft Active Directory, use standard domain notation. For example:

      AdminReadOnly@mycompany.com

      For DSfW, use standard LDAP notation. For example:

      cn=admin_read_only,ou=users,dc=mycompany, dc=com

    • Password: Specify the password for the user you specified in the Username field.

    Authentication Mechanisms page

    Select the mechanism used to authenticate users to the ZENworks Management Zone. The available mechanisms depend on whether you are configuring a Novell eDirectory or a Microsoft Active Directory user source.

    • Kerberos: Active Directory or Domain Services for Windows (DSfW). Enables Kerberos authentication in which the Active Directory server generates a Kerberos ticket that Novell Common Authentication Services Adapter (CASA) uses to authenticate the user, instead of using a username and password. Kerberos authentication is often used with smart cards.

    • Username/Password: eDirectory, Active Directory, or Domain Services for Windows (DSfW). Enables simple authentication using a username and password.

    • Shared Secret: eDirectory only. Enables a user to automatically log in to ZENworks when a smart card is used to log in to eDirectory. This option is enabled only if the schema of the eDirectory specified in the Connection Information page is extended using the novell-zenworks-configure tool. If Shared Secret is not selected as an authentication mechanism, a ZENworks login dialog box is displayed when the user on the managed device attempts to log in to eDirectory using a smart card. After the user specifies the eDirectory username and password, that password is stored in Novell SecretStore. The next time the user uses a smart card to log in to eDirectory, the password is retrieved from SecretStore and the user is logged in to ZENworks without having to specify the password.

    If you select both available mechanisms (Kerberos and Username/Password for Active Directory or Username/Password and Shared Secret for eDirectory), ZENworks Configuration Management attempts to use the first mechanism for authentication. If authentication fails, the next mechanism is used. For example, if you select Kerberos and Username/Password for Active Directory, ZENworks Configuration Management first attempts to use Kerberos authentication. If Kerberos authentication fails, simple Username/Password authentication is used.

    User Containers page

    After you connect to an LDAP directory as a user source, you can define the containers within the directory that you want exposed. The number of user containers you define is determined by how much of the directory you want to expose. Consider the following example:

    Assume that you want to enable all users in the Accounting and Sales containers to receive ZENworks content. In addition, you want to be able to access the user groups located in the Accounting, Sales, and Groups containers in order to distribute content based on those groups. To gain access to the users and groups, you have two options:

    • You can add MyCompany/EMEA as a user container, so all containers located below EMEA are visible in ZENworks Control Center, including the Servers and Services containers. Only users and user groups located in the EMEA containers are visible (servers and services are not), but the structure is still exposed.

    • You can add MyCompany/EMEA/Accounting as one user container, MyCompany/EMEA/Sales as a second container, and MyCompany/EMEA/Groups as a third container. Only these containers become visible as folders beneath the MyCompany directory reference in ZENworks Control Center.

    To add the containers where users reside:

    1. Click Add to display the Add User Container dialog box.

    2. In the Context field, click the Browse icon to browse for and select the desired container.

    3. In the Display Name field, specify the name you want used for the user container when it is displayed in ZENworks Control Center.

    4. Click OK to add the container to the list.
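
The wizard's rules for the Connection Information, Credentials, and Authentication Mechanisms pages can be checked against a planned configuration before it is entered. The following is an added example, not part of the ZENworks documentation or product; the dictionary layout, the directory keys (edirectory, active_directory, dsfw), and the function name are assumptions made for illustration.

```python
import re

# Mechanisms offered per directory type (from the Authentication Mechanisms page).
MECHANISMS = {
    "edirectory": {"Username/Password", "Shared Secret"},
    "active_directory": {"Kerberos", "Username/Password"},
    "dsfw": {"Kerberos", "Username/Password"},
}
# LDAP notation (cn=...,ou=...,o=...) and domain notation (user@domain).
LDAP_DN = re.compile(r"^[A-Za-z]+=[^,=]+(?:,\s*[A-Za-z]+=[^,=]+)+$")
DOMAIN = re.compile(r"^[^@\s,=]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def review_user_source(src):
    """Return findings for one planned user source (hypothetical dict layout)."""
    findings = []
    if not src["use_ssl"]:
        findings.append("Use SSL is disabled: the LDAP connection is not encrypted")
    # 636 and 389 are the wizard defaults for SSL and non-SSL respectively.
    if (src["use_ssl"], src["port"]) in {(True, 389), (False, 636)}:
        findings.append(f"port {src['port']} is the default for the opposite Use SSL setting")
    wants_dn = src["directory"] in ("edirectory", "dsfw")
    if not (LDAP_DN if wants_dn else DOMAIN).match(src["username"]):
        notation = "LDAP" if wants_dn else "domain"
        findings.append(f"username is not in standard {notation} notation")
    for mech in sorted(set(src["mechanisms"]) - MECHANISMS[src["directory"]]):
        findings.append(f"{mech} is not available for {src['directory']}")
    if len(set(src["mechanisms"])) > 1:
        findings.append("two mechanisms selected: a failure of the first falls back to the next")
    return findings


# Constructed sample inputs, not taken from a real zone.
GOOD = {"directory": "edirectory", "use_ssl": True, "port": 636,
        "username": "cn=admin_read_only,ou=users,o=mycompany",
        "mechanisms": ["Username/Password"]}
BAD = {"directory": "active_directory", "use_ssl": False, "port": 636,
       "username": "cn=admin_read_only,ou=users,o=mycompany",
       "mechanisms": ["Kerberos", "Shared Secret"]}

if __name__ == "__main__":
    for name, src in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, review_user_source(src) or "no findings")
```

The check covers notation and option consistency only; whether the account really has read-only rights must still be confirmed in the directory itself.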

2.2.2 Deleting User Sources

When you delete a source, all assignments and messages for the source’s users are removed. You cannot undo a source deletion.

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, select the check box next to the user source, then click Delete.

  3. Click OK to confirm the deletion.

2.2.3 Editing User Sources

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, click the underlined link for a user source.

  3. You can edit the following settings:

    Username and Password: Click Edit, edit the fields, then click OK.

    The ZENworks system uses the username to access the LDAP directory. The username must provide read-only access to the directory. You can specify a username that provides more than read-only access, but read-only access is all that is required and recommended.

    For Novell eDirectory access, use standard LDAP notation when specifying the username. For example:

    cn=admin_read_only,ou=users,o=mycompany

    For Microsoft Active Directory, use standard domain notation. For example:

    AdminReadOnly@mycompany.com

    Authentication Mechanisms: Click Edit, select the desired mechanisms, then click OK.

    For more information, see Section 2.7.1, Authentication Mechanisms.

    Use SSL: By default, this option is enabled. Click No to disable the option if the LDAP server is not using the SSL (Secure Socket Layer) protocol.

    If you edit this option, you must do the following for every connection that is listed in the connections panel:

    NOTE: If you edit the user source either to enable or disable the Use SSL option, you must restart the ZENworks services on the server or the authentication to the user source fails.

    Root LDAP Context: Displays the root context for the LDAP directory. This option is available only when you are creating a new user source. The root context establishes the point in the directory where you can begin to browse for user containers. Specifying a root context can enable you to browse less of the directory, but it is completely optional. If you don’t specify a root context, the directory’s root container becomes the entry point. Click Edit to modify the root context.

    Description: Click Edit to modify the optional information about the user source, then click OK.

    User Containers: For more information, see Section 2.2.4, Adding a Container from a User Source. You can also remove or rename a user container.

    Connections: For more information, see Section 2.3.2, Editing User Source Connections.

    Authentication Servers: For more information, see Section 2.5, Managing Authentication Server Connections for User Sources.

2.2.4 Adding a Container from a User Source

After you’ve defined a user source in your Management Zone, you can add containers from that source at any time.

  1. In ZENworks Control Center, click the Configuration tab.

  2. In the User Sources panel, click the user source.

  3. In the User Containers panel, click Add to display the Add User Container dialog box, then fill in the following fields:

    Context: Click the Browse icon to browse for and select the container you want to add.

    Display Name: Specify the name you want used for the user container when it is displayed in ZENworks Control Center. The name cannot be the same as the name of any other user containers.

  4. Click OK to add the user container.

    The container, and its users and user groups, is now available on the Users page.
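
The choice of user containers decides how much of the directory structure becomes visible, as the MyCompany/EMEA example in Section 2.2.1 describes. The following added example (not part of the ZENworks documentation or product) computes that exposure for a constructed tree modelled on that example; the tree contents and function names are assumptions.

```python
# Constructed tree: container path -> kinds of objects held directly in it.
TREE = {
    "MyCompany": set(),
    "MyCompany/EMEA": set(),
    "MyCompany/EMEA/Accounting": {"user", "group"},
    "MyCompany/EMEA/Sales": {"user", "group"},
    "MyCompany/EMEA/Groups": {"group"},
    "MyCompany/EMEA/Servers": {"server"},
    "MyCompany/EMEA/Services": {"service"},
}


def _under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root + "/")


def visible_containers(tree, user_containers):
    """Each configured user container plus every container below it."""
    return sorted(p for p in tree if any(_under(p, uc) for uc in user_containers))


def structure_only(tree, user_containers):
    """Visible containers whose subtree holds no users or groups.

    These expose directory structure without contributing anything that
    ZENworks content could be assigned to.
    """
    flagged = []
    for c in visible_containers(tree, user_containers):
        kinds = set().union(*(k for p, k in tree.items() if _under(p, c)))
        if not kinds & {"user", "group"}:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    broad = ["MyCompany/EMEA"]
    narrow = ["MyCompany/EMEA/Accounting", "MyCompany/EMEA/Sales",
              "MyCompany/EMEA/Groups"]
    for label, choice in (("broad", broad), ("narrow", narrow)):
        print(label, visible_containers(TREE, choice), structure_only(TREE, choice))
```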