Advanced User Management and LDAP Integration

What is LDAP
How to set up LDAP integration with IC
Creating and linking new users to LDAP
Connecting existing users to LDAP
Advantages and Disadvantages to LDAP integration
Managing Tasks with Task Scheduler in IC
Using IC to create users in other systems
How LDAP can save you time in other systems

LDAP = Lightweight Directory Access Protocol
LDAP creates a standard language that can be read by other services or vendors
LDAP can be used to manage user and computer information (names, usernames, passwords, groups, etc.)

Directory Structure
MS Active Directory

Setting up LDAP in IC

Hosts: you can use the computer's DNS name or IP address
Bind User: user only needs rights to browse the directory
  User might need to identify the domain: domain\binduser
Search Base: the top location where users could be located
  OU = folders, DC = domain component (AD)
Username: sAMAccountName (AD)

Creating New Users


Create new user in Infinite Campus, then click Link with LDAP

Creating New User from LDAP


Create new user from LDAP by using the Create Person/User from LDAP tool

Linking Existing Accounts Manually


IC username must match LDAP username
Click the button Link with LDAP
If the text changes, the link was successful

Allow users to link account with LDAP

Connecting current users to LDAP using Active Directory


Download and install PowerShell and .NET Framework.
  Go to Microsoft's site and choose the correct version to suit your operating system.
Download, then install the QAD Snap-ins from this site: http://www.quest.com/activeroles-server/arms.aspx
Register the snap-in. (Key point)
  Add-PSSnapin Quest.ActiveRoles.ADManagement
Then, on a server that is a member of the domain, logged in as an admin, run the following script from the ActiveRoles management version of PowerShell.
  Get-QADUser -SizeLimit 5000 -ip sAMAccountName, distinguishedName | Select sAMAccountName, distinguishedName | Export-Csv c:\ADUsers.csv

This will create a file on c:\ called ADUsers.csv.
You can then use Excel to clean up the user accounts.
Then have a person use SQL to match the username from AD (sAMAccountName) to Campus and update the field LDAPDN in the UserAccount table with the value from the distinguishedName field in the CSV file.
You might also want to update the user's password to reflect that their password is no longer stored in IC.

Automate LDAP updates


What happens when you move a user in AD, Novell, etc.?
Server in domain runs script > Campus User account Update.bat
IC server takes the file via DTS and updates the table with any changes to the LDAPDN field
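
The SQL matching step from "Connecting current users" and the recurring LDAPDN refresh described here, as an added example that is not part of the original slides. It assumes SQL Server; the temp tables and the username column name are stand-ins, and the sample rows are constructed.

```sql
-- Added example, not from the original slides. T-SQL; SQL Server is assumed.
-- #UserAccount stands in for the Campus UserAccount table. Its username column
-- name is an assumption; LDAPDN is the field named on the slide.
CREATE TABLE #UserAccount (username NVARCHAR(256), LDAPDN NVARCHAR(1024) NULL);
CREATE TABLE #ADUsers (sAMAccountName NVARCHAR(256), distinguishedName NVARCHAR(1024));

-- Constructed sample rows. In practice #ADUsers is loaded from c:\ADUsers.csv.
INSERT INTO #UserAccount VALUES
  (N'jdoe',   NULL),                                           -- never linked
  (N'asmith', N'CN=Ann Smith,OU=Staff,DC=example,DC=org'),     -- moved in AD
  (N'bjones', N'CN=Bob Jones,OU=Staff,DC=example,DC=org'),
  (N'local1', NULL);                                           -- no AD account
INSERT INTO #ADUsers VALUES
  (N'jdoe',   N'CN=John Doe,OU=Students,DC=example,DC=org'),
  (N'asmith', N'CN=Ann Smith,OU=Teachers,DC=example,DC=org'),
  (N'bjones', N'CN=Bob Jones,OU=Staff,DC=example,DC=org'),
  (N'bjones', N'CN=Bob Jones,OU=Former,DC=example,DC=org');    -- duplicate name

-- A username that appears more than once in the export is ambiguous: linking it
-- could bind a Campus account to the wrong directory entry, and that entry's
-- password would then open the Campus account. Hold these for manual review.
SELECT sAMAccountName, COUNT(*) AS copies INTO #Ambiguous
FROM #ADUsers GROUP BY sAMAccountName HAVING COUNT(*) > 1;
SELECT sAMAccountName, copies FROM #Ambiguous;

-- Preview: only rows whose LDAPDN is missing or has changed, so a scheduled
-- run touches nothing when the directory has not moved anyone.
SELECT ua.username, ua.LDAPDN AS currentDN, ad.distinguishedName AS newDN
FROM #UserAccount ua
JOIN #ADUsers ad ON ad.sAMAccountName = ua.username
WHERE (ua.LDAPDN IS NULL OR ua.LDAPDN <> ad.distinguishedName)
  AND NOT EXISTS (SELECT 1 FROM #Ambiguous x WHERE x.sAMAccountName = ad.sAMAccountName);

-- Apply the same set inside a transaction. Accounts with no AD match are untouched.
BEGIN TRANSACTION;
UPDATE ua SET ua.LDAPDN = ad.distinguishedName
FROM #UserAccount ua
JOIN #ADUsers ad ON ad.sAMAccountName = ua.username
WHERE (ua.LDAPDN IS NULL OR ua.LDAPDN <> ad.distinguishedName)
  AND NOT EXISTS (SELECT 1 FROM #Ambiguous x WHERE x.sAMAccountName = ad.sAMAccountName);
-- Check this count against the preview before committing; use
-- ROLLBACK TRANSACTION instead if it differs.
SELECT @@ROWCOUNT AS rowsUpdated;
COMMIT TRANSACTION;
```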

Advantages to LDAP Integration


Uses one set of usernames and passwords
Disabling a user account in one place disables it everywhere
Allows for stricter password policies
  Easier for users to remember a more complex password because they use it for more things

Disadvantages to LDAP Integration


Requires extra admin setup
If a password is discovered, all systems using LDAP will be vulnerable

LDAP Resources
Infinite University Campus LDAP Authentication
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
http://docs.moodle.org/en/LDAP_authentication
LDAP utilities
  http://www.ldapbrowser.com - 30 day free trial
  http://jxplorer.org/ - Java browser

Managing Tasks in Infinite Campus

Change LDAP Users campus passwords

Managing Tasks in Infinite Campus

Re-enable Student accounts that are disabled

Managing Tasks in Infinite Campus

Automatically Create New Student Accounts

Systems we use LDAP on


Infinite Campus
Moodle
Safari Montage (Video Streaming)
Copiers (Toshiba and Konica)
Compliance Vault (Email Archiving)
Barracuda Spam Filter
Cymphonix Web Filter
Macs

Using Infinite Campus to create Active Directory Users


Using SRS > NewStudentAccounts.rdl

File is exported to c:\newstudentaccount.xls
CreateUsers.vbs is run
File is moved and renamed to the user's home directory
All students in the Excel file are imported into AD
You must go into each student and reapply their home directory for the setting to stick. It appears to deal with rights.

Questions?

By Scott Dyreson
