advanced/Active Directory

1. Introduction

The NEXThink driver can retrieve the security identifier (SID) of the logged-on user from the Windows operating system (see http://support.microsoft.com/kb/243330 ). If the account is a domain user account, the corresponding username can be obtained by resolving the SID with a search on the objectSid attribute of the directory server. The NEXThink Engine can communicate with any LDAPv3-compliant server; since Active Directory is an LDAPv3-compliant directory server, the NEXThink Engine can therefore query any Microsoft Active Directory server.
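What "resolving the SID" involves, as an added example that is not part of the original page and not Nexthink code: a Windows SID is a binary structure (revision byte, sub-authority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), Active Directory stores it in the objectSid attribute, and an LDAP filter on that attribute carries the raw bytes escaped as \XX pairs (Active Directory also accepts the textual S-1-... form in a filter; the escaped form is the one every LDAP client understands). The SID values below are the well-known Administrators group from the Microsoft article and a constructed domain SID; neither comes from a real directory.

```python
import struct


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary SID (the objectSid attribute value) into S-1-... text.

    Layout (MS-DTYP 2.4.2.2): revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    32-bit little-endian integer.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid: encode S-1-... text as the binary objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_filter(sid: str) -> str:
    """LDAP search filter that finds the directory object owning this SID.

    objectSid is a binary attribute, so the filter value is the raw bytes,
    each written as a backslash-escaped hex pair as RFC 4515 requires.
    """
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_to_bytes(sid))


def belongs_to_domain(sid: str, domain_sid: str) -> bool:
    """True if sid is an account of the domain identified by domain_sid, i.e.
    domain_sid followed by exactly one relative identifier (RID).

    Local machine accounts and well-known SIDs such as S-1-5-32-544 fail this
    test and cannot be resolved by searching the domain.
    """
    prefix = domain_sid + "-"
    return sid.startswith(prefix) and sid[len(prefix):].isdigit()


if __name__ == "__main__":
    # Constructed sample values: the well-known Administrators group SID and a
    # made-up domain SID.
    admins = bytes.fromhex("01020000000000052000000020020000")
    domain_sid = "S-1-5-21-3623811015-3361044348-30300820"
    user_sid = domain_sid + "-1013"
    print(bytes_to_sid(admins))  # S-1-5-32-544
    print(belongs_to_domain(user_sid, domain_sid), belongs_to_domain("S-1-5-32-544", domain_sid))
    # A real client sends this filter with the Base DN and scope configured in section 2.1.
    print(objectsid_filter(user_sid))
```

A client only needs the domain SID once (it is the objectSid of the domain root, the Base DN entry) to decide up front whether a SID reported by the driver can be resolved at all, which avoids sending a search for every local or well-known SID.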

To integrate NEXThink V4 with your Active Directory server(s), we recommend the following four-step procedure:

  1. create a dedicated domain user account on your AD (the Engine only performs read-only searches, so do not reuse an administrative account)
  2. retrieve the Distinguished Name of that user
  3. create a new Active Directory entry using the Engine web-console
  4. change the preferences in the Finder to display the usernames

1.1. LDAPv3 and Active Directory

Reference document : “Active Directory LDAP Compliance” provided by Microsoft : http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx

  • Windows 2000 Server

The Windows 2000 implementation of Active Directory is an LDAP-compliant directory that supports the core LDAPv3 RFCs.

  • Windows Server 2003

Building on the foundation established in Windows 2000 Server, the Active Directory service in Windows Server 2003 adds the following LDAPv3 capabilities:

  • Transport Layer Security (TLS) - Connections to Active Directory over LDAP can be protected using the TLS security protocol.

  • Digest Authentication Mechanism - Connections to Active Directory over LDAP can be authenticated using the DIGEST-MD5 Simple Authentication and Security Layer (SASL) mechanism. The Windows Digest Security Support Provider (SSP) provides the interface for using Digest Authentication as a SASL mechanism. (DIGEST-MD5 has since been declared obsolete by RFC 6331; it is in any case not the mechanism the Engine uses, see section 2.)

2. Setting Up Active Directory Authentication

LDAP servers require a connection to be authenticated before they accept queries (searches). This authenticated connection is called a bind. Many LDAP servers allow an anonymous bind, where no username or password is submitted; others restrict searches to their members and require a username and password. An Active Directory server requires authenticated access even for read-only searches, so you need a bind DN and the corresponding bind password. The syntax accepted for the bind DN depends on the LDAP server:

  • <domain name>\<username> (NetBIOS logon name, e.g. nexthink\reflex)

  • username@domain.name (Active Directory User Principal Name, UPN)

  • CN=username,OU=users,DC=domain,DC=name (Distinguished Name)

IMPORTANT: the NEXThink Engine only supports authentication with the Distinguished Name form. This is a simple bind: the bind password is sent to the domain controller in clear text unless the connection itself is protected by TLS (section 1.1 lists TLS support on the server side; check whether your Engine version can use it). Give the bind account read-only rights, nothing more, and keep the network path between the Engine and the domain controller trusted.

2.1. Using the Engine web-console

  1. Use a browser and connect to the Engine web-console (by default https://192.168.0.99:99)

  2. On the left menu go to Engine > Active Directory

    AD_Engine_Settings.png

  3. Click on ScreenShot021.gif on the right to add a new Active Directory server

    AD_Engine_Settings_Edit.png

  4. Complete the LDAP Server Connection fields as follows:
    • LDAP server name : the generic name for your LDAP server, used as the suffix of the displayed usernames.

      Example : if you write "nexthink.ch", the usernames in the Finder will be shown as user@nexthink.ch

    • LDAP Server : the IP address of your Active Directory server (DNS and NetBIOS names are currently not supported) and the TCP port (usually 389, the plain LDAP port)

    • LDAP Bind DN : the Distinguished Name of the dedicated account

      Example : CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local

    • LDAP Bind Password : the password of the LDAP Bind DN account.

    • LDAP Base DN : the starting point of directory searches. It is usually derived from the Bind DN by dropping the leading components (the account's own CN and the containers holding it) and keeping the part of the tree under which the users to be resolved are located.

      Example : if Distinguished Name = “CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local” , you can choose the Base DN as “DC=company, DC=local”

    • LDAP Scope : the scope defines how far below the Base DN a search descends. Three values can be assigned to the LDAP SCOPE parameter (we strongly recommend the SUBTREE option):

      • BASE: search only the entry at the Base DN, so at most that one entry is returned (and only if it meets the search filter).
      • ONELEVEL: search the entries exactly one level under the Base DN, excluding the Base DN itself and anything deeper.
      • SUBTREE: search all entries at all levels under the Base DN, including the Base DN itself.
        theThreeScopeOptions.gif

  5. Click on "Save". Note that the Engine will reboot (the Finder will be disconnected).

  6. Using the Active Directory menu you can :
    • add a new Active Directory server by clicking on ScreenShot021.gif

    • delete an Active Directory server by clicking on ScreenShot020.gif

    • edit the configuration of an Active Directory server by clicking on ScreenShot019.gif
      AD_Engine_Settings_Properties.png

2.2. Multiple Active Directory servers

  • you can add as many Active Directory servers as you want; each one is resolved with its own Bind DN, Base DN and scope.
    AD_Engine_Multiple.png

3. How to query Active Directory to obtain a user's Distinguished Name

We advise you to use Active Directory Explorer (AD Explorer), a free tool from Microsoft Sysinternals.
You can download it here : http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
On a domain-joined machine where the Active Directory PowerShell module is installed, Get-ADUser -Identity <sAMAccountName> returns the same distinguishedName without a graphical tool.

Here is an example on how you can retrieve a user's DN using this tool :

  1. Connect to your AD using your Windows username

    ScreenShot007.gif

  2. Click on "Search" > "class = User -- user" > "Attribute = sAMAccountName" > "relation = is" > "value = YOUR Windows username"

    • click on "Add"

      ScreenShot009.gif

  3. Click on "Search". The result row shows the user's DN (the distinguishedName attribute), which is what the Engine's LDAP Bind DN field expects.

    ScreenShot010.gif
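The Base DN and scope settings of section 2.1 and the sAMAccountName search of this section, as an added example that is neither Nexthink code nor part of the original page. It derives the Base DN from the Bind DN of the web-console example, shows which entries each scope value covers, and builds the search filter with RFC 4515 escaping so that a username taken from an untrusted source cannot change the meaning of the filter. The directory entries and usernames are constructed for the example, and the search is emulated in memory; a real client would send user_filter() together with the Base DN and scope to the domain controller.

```python
SCOPES = ("BASE", "ONELEVEL", "SUBTREE")

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_rdns(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas, trimming the
    spaces that the web-console examples put after each comma."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def domain_base_dn(bind_dn: str) -> str:
    """Derive a Base DN from the Bind DN by keeping only its DC= components:
    the domain root, which with SUBTREE scope covers every user of the domain."""
    dcs = [r for r in split_rdns(bind_dn) if r[:3].upper() == "DC="]
    if not dcs:
        raise ValueError("bind DN carries no DC components: %r" % bind_dn)
    return ",".join(dcs)


def in_scope(base_dn: str, entry_dn: str, scope: str) -> bool:
    """Does a search rooted at base_dn with this scope visit entry_dn?
    Comparison is case-insensitive, as DN matching is in Active Directory."""
    base = [r.casefold() for r in split_rdns(base_dn)]
    entry = [r.casefold() for r in split_rdns(entry_dn)]
    if scope == "BASE":        # only the base entry itself
        return entry == base
    if scope == "ONELEVEL":    # direct children only, base excluded
        return entry[1:] == base
    if scope == "SUBTREE":     # base and everything beneath it
        return len(entry) >= len(base) and entry[len(entry) - len(base):] == base
    raise ValueError("unknown scope %r" % scope)


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """The filter behind 'class = user, sAMAccountName is <username>'.
    Escaping keeps a value such as '*)(objectClass=*' from widening the search."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def find_user(entries, base_dn: str, scope: str, username: str) -> list:
    """Emulate the search locally over in-memory entries; returns matching DNs.
    sAMAccountName matching is case-insensitive, as on a domain controller."""
    wanted = username.casefold()
    return [e["dn"] for e in entries
            if in_scope(base_dn, e["dn"], scope)
            and "user" in e.get("objectClass", ())
            and e.get("sAMAccountName", "").casefold() == wanted]


# Constructed sample directory built around the web-console example DNs.
DIRECTORY = [
    {"dn": "DC=company,DC=local", "objectClass": ["domain"]},
    {"dn": "OU=servers,DC=company,DC=local", "objectClass": ["organizationalUnit"]},
    {"dn": "CN=applications,OU=servers,DC=company,DC=local", "objectClass": ["container"]},
    {"dn": "CN=reflexengine,CN=applications,OU=servers,DC=company,DC=local",
     "objectClass": ["user"], "sAMAccountName": "reflexengine"},
    {"dn": "CN=Users,DC=company,DC=local", "objectClass": ["container"]},
    {"dn": "CN=Alice Example,CN=Users,DC=company,DC=local",
     "objectClass": ["user"], "sAMAccountName": "alice"},
]

if __name__ == "__main__":
    bind_dn = "CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local"
    base = domain_base_dn(bind_dn)
    print("Base DN:", base)
    for scope in SCOPES:   # only SUBTREE reaches a user two levels down
        print("%-8s -> %s" % (scope, find_user(DIRECTORY, base, scope, "alice")))
    print(user_filter("alice"))
    print(user_filter("*)(objectClass=*"))
```

The scope loop is the reason the web-console recommends SUBTREE: with the domain root as Base DN, BASE returns nothing and ONELEVEL only sees the containers directly under the root, never the users inside them.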



ScreenShot008.gif

4. Displaying the Usernames with the Finder

Ad_Finder.png

Ad_Finder_Synchronize.png

Ad_Finder_Synchronize_Alert.png

Ad_Finder_Synchronize_Scheduled.png

5. Troubleshooting