LDAP Authentication - Tips and Tricks - ScreenConnect Remote Support Software User Forum

Welcome Guest

Search | Active Topics | Log In | Register

ScreenConnect Remote Support Software User Forum » Default » Tips and Tricks » LDAP Authentication

Untag as favorite

LDAP Authentication

Options

Previous Topic Next Topic

Jake Morgan		#1 Posted : Monday, August 29, 2011 5:59:54 PM
Rank: Administration Joined: 4/9/2010 Posts: 871		We've implemented simple LDAP membership and role providers. They're read-only, so your users and their role membership are configured elsewhere. It works as kind of a hybrid between our Windows and Forms providers. Only roles can be edited like our Windows auth, but users login through a Form like our forms auth. Only works in 2.3.1885+ Here is how to configure it: Code: <membership defaultProvider="Default"> <providers> <clear /> <add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider" server="ldap.elsitech.local:636" useSsl="true" serviceUser="CN=ServiceUser,OU=Users,DC=elsitech,DC=local" servicePassword="myPassword" userRootDN="OU=Users,DC=elsitech,DC=local" userNameAttribute="cn" roleRootDN="OU=Groups,DC=elsitech,DC=local" roleNameAttribute="cn" roleUserDNAttribute="member" /> <add name="OldDefault" type="Elsinore.ScreenConnect.XmlMembershipProvider" virtualFilePath="~/App_Data/User.xml" /> </providers> </membership> <roleManager enabled="true" defaultProvider="Forms"> <providers> <clear /> <add name="Forms" type="Elsinore.ScreenConnect.LdapRoleProvider" /> <add name="OldForms" type="Elsinore.ScreenConnect.XmlRoleProvider" /> <add name="Windows" type="Elsinore.ScreenConnect.WindowsRoleProvider" /> </providers> </roleManager> Attributes: Code: server: fully qualified server name optionally including port. 389 is default port. 636 is standard SSL port, but must be specified even if useSsl is set to true. useSsl: true or false depending on whether you want to use SSL. Authentication is basic, so it's passed in clear text unless you use SSL. serviceUser: DN of user account used to search the directory tree servicePassword: password of user account used to search the directory tree userRootDN: DN of root of where users are located. this can be used to narrow the search scope for users userNameAttribute: name of attribute that specifies the user name. "cn" is Common Name and is usually what they consider their "user name". sAMAccountName can be used for Active Directory if you want them to use what they use to login to windows. userRoleNameAttribute: (optional, mutually exclusive with roleUserDNAttribute) name of multi-valued attribute on user entry that specifies role names for the user. If these are DNs, your roles in ScreenConnect need to be full DNs also. roleRootDN: (optional, mutually exclusive with userRoleNameAttribute) DN of root of where roles/groups are located. this can be used to narrow the search scope for groups roleNameAttribute: (optional, mutually exclusive with userRoleNameAttribute) name of attribute that specifies the name of the role. Usually "cn". roleUserDNAttribute: (optional, mutually exclusive with userRoleNameAttribute) name of multi-valued attribute on role/group that lists membership in the form of user DNs. Typically "member". Validation process using above settings with username "billy" password "testpass": - We bind to ldap.elsitech.local:636 (server) with SSL with account "CN=ServiceUser,DC=elsitech,DC=local" (serviceUser) and password "myPassword" (servicePassword) - We search the tree at root "OU=Users,DC=elsitech,DC=local" (userRootDN) for user entry with "cn" (userNameAttribute) equal to "billy" - We find an entry at "cn=Billy,OU=Users,DC=elsitech,DC=local" - We create a new connection and try to bind as "cn=Billy,OU=Users.DC=elsitech,DC=local" with password "testpass" - We succeed or fail based on whether the bind was successful Role lookup process using above settings with username "billy": - We bind to ldap.elsitech.local:636 (server) with SSL with account "CN=ServiceUser,DC=elsitech,DC=local" (serviceUser) and password "myPassword" (servicePassword) - We search the tree at root "OU=Users,DC=elsitech,DC=local" (userRootDN) for user entry with attribute "cn" (userNameAttribute) equal to "billy" - We find an entry at "cn=Billy,OU=Users,DC=elsitech,DC=local" - We search the tree at root "OU=Roles,DC=elsitech,DC=local" (roleRootDN) for group entry with attribute "member" (roleUserDNAttribute) equal to "cn=Billy,OU=Users,DC=elsitech,DC=local" - We return the value of the "cn" (roleNameAttribute) attribute for each role we find You define your roles in ScreenConnect the same way you do now. I suppose you should probably define the roles first before you apply these changes, or you'll be locked out. Please reply on the forum with any issues you encounter. Our support department cannot support the usage of this authentication.
Back to top		Report? \| Edit by user

User Profile

Nimda_11		#2 Posted : Tuesday, May 15, 2012 11:46:27 PM
Rank: Newbie Joined: 5/15/2012 Posts: 2 Location: Napa		I am trialing SC and had a few questions regarding LDAP/Windows Auth. 1. Are Windows Auth and LDAP Auth 2 separate things in screen connect? 2. If using Windows Auth, can I assume that in order to work properly that the screenconnect server needs to be a domain member? 3. Can you post an example web.config file so that I can copy and past the LDAP portions of the config? I'm lazy and prone to typo's :) So far SC is great! Thanks, - Sam
Back to top		WWW Report?

User Profile

Jake Morgan		#3 Posted : Thursday, May 17, 2012 8:11:45 PM
Rank: Administration Joined: 4/9/2010 Posts: 871		Yes, they are two different things. Windows and Forms auth are the two main auth modes. LDAP is configured as a provider for forms auth. Yes, the SC server needs to be a domain member.
Back to top		Report?

User Profile

Nimda_11		#4 Posted : Saturday, May 19, 2012 11:06:48 AM
Rank: Newbie Joined: 5/15/2012 Posts: 2 Location: Napa		Ahhhh, as soon as I pulled my head out of my butt and realized your example was txt and not a screenshot (for whatever reason it looked like a screenshot to me), I was able to get it running no problemo. Using it against Active Directory (2008 R2 Schema), seems to be working great. A few comments/questions (based on my own testing). 1. To use LDAP, the machine does NOT have to be in a domain, or can even be a member of a different domain than it is querying. If using windows auth, then it needs to be a member of the domain. 2. Is there any risk leaving the user.xml file in place? can/should it be deleted/moved once LDAP is up and running? 3. If I wanted to use SSL, will screen connect deal with certificate errors? (name mismatch) In any case, thank you for the example, and the response. - Sam
Back to top		WWW Report?

User Profile

Users browsing this topic
Guest

Untag as favorite

ScreenConnect Remote Support Software User Forum » Default » Tips and Tricks » LDAP Authentication

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Watch this topic
Email this topic
Print this topic
RSS Feed

Normal
Threaded