The Engine provides an out the box integration with Active Directory to retrieve the following information via the Lightweight Directory Access Protocol (LDAP):
User: Distinguished Name, Full name, Department, Job title.
Device: Distinguished Name.
The Engine retrieves as well the following information through DNS resolution (DNS namespaces mirrors the AD domains used by an organization):
Printer: Host name.
This article discusses data integration from Active Directory and should not be confused with Active Directory Authentication.
LDAPv3 and Active Directory
Reference document: Active Directory LDAP Conformance provided by Microsoft.
Windows Server 2000
The Windows 2000 implementation of Active Directory is an LDAP-compliant directory supporting the core LDAPv3 RFCs available.
Windows Server 2003
Building on the foundation established in Windows 2000 Server, the Active Directory service in Windows Server 2003 is offering new LDAPv3 capabilities:
Transport Layer Security (TLS) - Connections to Active Directory over LDAP can now be protected using the TLS security protocol.
Digest Authentication Mechanism - Connections to Active Directory over LDAP can now be authenticated using the DIGEST-MD5 Simple Authentication and Security Layer (SASL) authentication mechanism. The Windows Digest Security Support Provider (SSP) provides an interface for using Digest Authentication as an SASL mechanism.
Windows Server 2008 and 2012
Both Windows Server 2008 and Windows Server 2012 support LDAPv3.
Although Nexthink officially supports Active Directory based on Windows Servers only, other LDAPv3 compliant implementations (such as OpenLDAP) should work as long as the schema in use is the same as in Active Directory.
Setting Up Active Directory Authentication
LDAP servers require an authenticated connection before they will allow queries (searches). This authenticated connection is called a bind. Most LDAPs allow an anonymous bind─where no username or password is submitted; however, others restrict searches to its members and require an authenticated username and password. An Active Directory server requires authenticated access for read-only searches, and you need to have a bind DN and the corresponding bind password. The syntax for the bind DN depends on the LDAP server itself:
NetBIOS logon name<domain name>\<username>Active Directory User Principal Name (UPN)email@example.comDistinguished NameCN=username, OU=users, DC=domain, DC=name
The Engine supports the authenticated method using the Distinguished Name syntax only.
Configuring the Engine through the Web Console
Log in to the Web Console that is hosting the Engine from your web browser:
Click the Engine tab at the top of the window.
Select Active Directories from the left-hand side menu.
Click the button ADD ACTIVE DIRECTORY to add a new AD server.
Fill out the form Add Active Directory as follows:
Server address: Enter here the IP address of your Active Directory server (we currently do not support the DNS or Netbios name) and the TCP server port (usually 389).
Bind DN: The Distinguished Name. Example: CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local.
Bind Password: Enter the password corresponding to the Bind DN account.
Base DN: The Base DN to be used as a starting point for directory searches. Base DN is usually the Organizational Unit where users are located. Example: “OU=Users, DC=company, DC=local”.
Scope: The SCOPE setting is the starting point of an LDAP search and the depth from the base DN to which the search should occur. There are three options (values) that can be assigned to the scope parameter (we strongly recommend the subtree scope option):
base: This value is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!).
onelevel: This value is used to indicate searching all entries one level under the base DN - but not including the base DN and not including any entries under that one level under the base DN.
subtree: This value is used to indicate searching of all entries at all levels under and including the specified base DN.
Optional: Click TEST LDAP PARAMETERS to check the connection with the AD server.
Click on OK to add the server. The Engine restarts.
Due to the technology used to query Active Directory, the Engine retrieves information from those objects belonging to the domain specified in the configuration only (see LDAP Base DN above). It does not follow referrals nor retrieve any information from objects in other domains, even when these other domains share a trust relationship with the configured domain.
Add as many Active Directory servers to the configuration as needed to retrieve objects from several domains.
Querying Active Directory to obtain a User's Distinguished Name
For testing purposes, we advise you to use a powerful tool from Microsoft called Active Directory Explorer. Download it from here.
Here is an example on how you can retrieve a user's DN using this tool :
Connect to your AD using your windows username.
Click on Search > "class = User -- user" > "Attribute = sAMAccountname" > "relation = is" > "value = YOUR Windows username", then click on Add.
Click on Search to retrieve the corresponding user's DN.
Active Directory data retrieval
The Engine queries its configured LDAP servers each time that it discovers a new user or a new device.
Engines do not automatically refresh LDAP information once they have retrieved it for a particular user or device. It is however possible to force a manual update via the Finder:
Log in to the Finder as a user with system configuration permissions.
Click the sprocket icon in the top right corner of the Finder window.
Select the option Synchronize with Active Directory....
The Finder schedules a synchronization with Active Directory data.
The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.
If you need help or assistance, please contact your Nexthink Certified Partner.