B.3 The ZENworks Tree in an eDirectory Environment

If you have an eDirectory corporate tree, you can authenticate to a separate ZENworks Tree (with User objects synchronized with the corporate tree) whether you choose to use the Novell Client or the ZENworks Management Agent in combination with the ZENworks Middle Tier Server.

B.3.1 Using the Novell Client

When users log in using the Novell Client, its login gathers user credentials and authenticates to the corporate tree and to the designated ZENworks tree.

The following illustration shows a simplified process of using the Novell Client to authenticate to a ZENworks tree while simultaneously authenticating to the corporate tree.

Figure B-2 Using the Novell Client to Authenticate to a ZENworks Tree

Table B-2 Steps in the Process of Using the Novell Client to Authenticate to a ZENworks Tree

Step

Explanation

The user authenticates to the corporate tree.

The user authenticates to the ZENworks tree.

B.3.2 Using the Desktop Management Agent

If only the ZENworks Desktop Management Agent is installed on workstations, depending on whether pass through is set up, the credentials supplied at the local login dialog box (or at the Agent login if pass through fails) are captured by the ZENworks login and are used to authenticate to both the corporate tree and to the ZENworks tree.

Authenticating to Primary and Secondary Domains

If you set up a ZENworks tree and you plan to use the Desktop Management Agent and the Middle Tier Server to authenticate, you can designate the ZENworks tree as the first authentication site or “primary authentication domain” and the corporate eDirectory tree as a subsequent authentication site, or “secondary authentication domain.” For more information about setting up authentication domains, see Authentication Domains (Xtier 2.6.2 installation).

If an eDirectory object exists in the primary domain and is successfully authenticated, the ZENworks Middle Tier Server looks for the same object in the secondary domain. If the object exists in the secondary domain, authentication to the secondary domain succeeds. If the object does not exist in the secondary domain, eDirectory fails the authentication to that domain only.

IMPORTANT: The context structure of the primary domain and the secondary domain must be identical (including leaf objects that might be authenticated, such as users or workstations) in order for the authentication to complete successfully.
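The following is an added example, not part of the Novell documentation: one way to check the identical-context requirement before deployment by comparing name exports from the two trees. The tree, container and object names are constructed, and each export is assumed to be a plain list of typeful names.

```python
# Added example: audit directory exports against the "identical context
# structure" requirement. All tree and object names below are constructed.

def normalize(dn):
    """Return a case-folded tuple of (type, value) RDNs, leaf first.

    Accepts LDAP form (cn=a,ou=b,o=c) or typeful dotted form (.CN=a.OU=b.O=c).
    Assumption: values contain no escaped separator characters.
    """
    dn = dn.strip()
    sep = "," if "," in dn else "."
    rdns = []
    for part in dn.strip(".").split(sep):
        typ, eq, val = part.strip().partition("=")
        if not (typ and eq and val):
            raise ValueError(f"expected typeful name, got {part!r} in {dn!r}")
        rdns.append((typ.strip().casefold(), val.strip().casefold()))
    return tuple(rdns)

def contexts(names):
    """Every container implied by a set of normalized names (parents only)."""
    return {n[i:] for n in names for i in range(1, len(n))}

def audit(primary_dns, secondary_dns):
    """Compare two exports; report what breaks secondary-domain authentication."""
    pri = {normalize(d): d for d in primary_dns}
    sec = {normalize(d): d for d in secondary_dns}
    return {
        # In the primary domain but absent from the secondary: authentication
        # to the secondary domain fails for these objects.
        "missing_in_secondary": sorted(pri[k] for k in pri.keys() - sec.keys()),
        # Present only in the secondary domain.
        "only_in_secondary": sorted(sec[k] for k in sec.keys() - pri.keys()),
        # Containers that exist on one side only (context structure differs).
        "context_mismatch": sorted(
            ",".join(f"{t}={v}" for t, v in c)
            for c in contexts(pri) ^ contexts(sec)
        ),
    }

# Constructed sample exports: ZENworks tree (primary), corporate tree (secondary).
ZEN_TREE = ["cn=jsmith,ou=sales,o=acme", "cn=WS-0042,ou=workstations,o=acme",
            ".CN=mlee.OU=Eng.O=Acme"]
CORP_TREE = ["CN=JSmith,OU=Sales,O=Acme", "cn=mlee,ou=engineering,o=acme"]

if __name__ == "__main__":
    for key, values in audit(ZEN_TREE, CORP_TREE).items():
        print(key, values)
```

In the sample data, the user under the differently named container (Eng versus engineering) is reported alongside the workstation object that exists only in the ZENworks tree.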

The following illustration shows a simplified process of using the Desktop Management Agent to authenticate to a primary domain.

Figure B-3 Using the Desktop Management Agent to Authenticate to a Primary Domain

Table B-3 Steps in the Process of Using the Desktop Management Agent to Authenticate to a Primary Domain

Step

Explanation

The workstation attempts authentication.

The ZENworks Middle Tier Server passes credentials to the primary domain (the ZENworks tree).

The Middle Tier Server passes credentials to the secondary domain (the corporate tree).

The workstation authenticates to the ZENworks tree through the Middle Tier Server.

The workstation fails to authenticate through the Middle Tier Server.

The primary/secondary domain setup is particularly useful if, for example, all of your ZENworks objects, including workstations, are in the ZENworks tree, while other critical eDirectory objects (GroupWise objects, for example) are in the corporate tree. In this scenario, the primary authentication would be to the ZENworks tree, where workstations exist, then to the corporate tree, where workstations do not exist. Many ZENworks applications and policies (Workstation Inventory policies, in particular) are associated to workstations only. If none of your policies or applications are associated with workstations, it is not necessary to designate the ZENworks tree as the primary authentication domain.