LDAP Authentication (NTC)

Contents

General information

NoTouch Center is a tool for system administrators to manage their endpoints. It not only maintains a list of local user accounts, but it also supports user authentication via LDAP using either Microsoft Active Directory or Novell eDirectory. So, if you want to allow several sysadmins to access NoTouch Center without having to create accounts for them in NoTouch Center, this is what you need.

Note: This feature is intended for enterprise usage. If you have just a few persons working with NoTouch Center, you are probably better off using local accounts as LDAP creates another dependency, to the LDAP server.

Even when using LDAP authentication, local accounts such as the "admin" user will still work so you can still log in to NoTouch Center in case the LDAP server fails. However it means that you should choose a good password for local accounts, especially the admin user. Do not use something like "admin", "test", "notouch" or so that is easy to guess.

Parameters

You find the LDAP configuration parameters in NoTouch Center under "Configuration" (the yellow icon top-right corner) and "Authentication": NoTouch Center Settings

Server: Enter your LDAP server
Base: Base for searching users (e.g. dc=myCompany,dc=com)
Username: Your valid username for the LDAP server (if no username is defined, your NoTouch Center logon is used instead). This refers to an account that has the privileges to query the LDAP server. Please use UPN format (username@domain).
Password: Your valid password for the user specified above (if no password is defined, your NoTouch Center logon password is used instead)
Adminfilter: LDAP filter for NoTouch Center admin users.

All AD accounts that this filter contains will be logged in as 'admins'. e.g.: (&(memberOf=CN=ADMINGROUP,OU=user,DC=myCompany,DC=com)(userPrincipalname=%user%))

Helpdeskfilter: LDAP filter for NoTouch Center helpdesk user.

All AD accounts that this filter contains will be logged in as 'helpdesk'. e.g. (&(memberOf=CN=HELPDESKGROUP,OU=test,OU=user,DC=myCompany,DC=com)(userPrincipalname=%user%))

Rolefilter:

All AD accounts that this filter contains will be logged in with the corresponding rights of the defined role. LDAP filter for a NoTouch Center user role. A user role is part of the Permissions management feature

Note: If you use 'userPrincipalname' in your filter, the users must use the full domain username to log on (for example 'testuser@mycompany.com'). If you want to use the username only (in this case: 'testuser'), please use 'sAMAccountName' instead!

Rolefilter Idea/Infos

You add a group (e.g. OmahaAdmin) in your active directory and assign users to that group. Create an identical role in your NoTouch Center and define your rights for this role as next step. Each user of your active directory group (e.g. OmahaAdmin) can now logon with the right's assigned to your identical NoTouch Center role Note: After saving / changing your LDAP configuration with the "save" button, you have to restart your NoTouch Center!

Tool for testing your LDAP string

A handy tool for testing your LDAP filters may be found here: http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm Also, there is a great article on Microsoft's technet which describes how to build and test LDAP queries: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx

Special eDirectory settings

If you are using Novell eDirectory, the root certificate of the directory server has to be imported into the local certstore on the NoTouch Center server like this: keytool -import -trustcacerts -alias t1 -file ca.crt -keystore /etc/truststore -storepass liscon –noprompt The rest of the configuration is the same as the ActiveDirectory configuration above.

Troubleshooting

If you would like to test your query strings please use the above-mentioned LDAP tool. If your queries work in the query tool but not in NoTouch Center, try giving the NoTouch Center LDAP user local administrator rights on the NoTouch Center machine.