LDAP Authentication in NoTouch Center

Allow administrators to log in to NoTouch Center using LDAP with Active Directory and Azure AD

General information


NoTouch Center is a tool for system administrators to manage their endpoints. It not only maintains a list of local user accounts, but it also supports user authentication via the Lightweight Directory Access Protocol (LDAP) using either Microsoft's Active Directory or Novell's eDirectory. So, if you want to allow several sysadmins to access NoTouch Center without having to create accounts for them in NoTouch Center, this is what you need.

  • As of NoTouch Center 4.5+ you can also add MFA (Multifactor Authentication)

Note: This feature is intended for enterprise usage. If you have just a few persons working with NoTouch Center, you are probably better off using local accounts, as LDAP creates another dependency on the LDAP server.

Even when using LDAP authentication, local accounts such as the "admin" user will still work, so you can still log in to NoTouch Center in case the LDAP server fails. However, this means that you should choose a good password for local accounts, especially the admin user. Do not use something like "admin", "test", "notouch" or anything else that is easy to guess.

Parameters


**When making changes to the LDAP configuration, it is important that you restart the NoTouch Center service. Any changes to the LDAP configuration will NOT apply without restarting the service. The service can easily be restarted from the Virtual Appliance Administration page.**

You will find the LDAP configuration parameters in NoTouch Center under "Configuration" (the yellow Global Settings icon in the top-right corner) and "Authentication".

Once you click on this icon, the window presented shows the "Module" selection, which you set to "LDAP".

Server: Enter your LDAP server (note: for secure LDAP, add the prefix ldaps://)
Base: Base for searching users (e.g. dc=myCompany,dc=com)
Username: Your valid username for the LDAP server (if no username is defined, your NoTouch Center logon is used instead). This refers to an account that has the privileges to query the LDAP server. Please use UPN format (username@domain).
Password: Your valid password for the user specified above (if no password is defined, your NoTouch Center logon password is used instead)
Adminfilter: LDAP filter for NoTouch Center admin users.

All AD accounts that this filter contains will be logged in as 'admins'. e.g.: (&(memberOf=CN=ADMINGROUP,OU=user,DC=myCompany,DC=com)(userPrincipalname=%user%))

Depending on your LDAP configuration, you may need to use a filter similar to this (note: without the brackets):

CN=ADMINGROUP,OU=user,DC=myCompany,DC=com

Helpdeskfilter: LDAP filter for NoTouch Center helpdesk users.

All AD accounts that this filter contains will be logged in as 'helpdesk'. e.g. (&(memberOf=CN=HELPDESKGROUP,OU=test,OU=user,DC=myCompany,DC=com)(userPrincipalname=%user%))

Rolefilter: LDAP filter for a NoTouch Center user role.

All AD accounts that this filter contains will be logged in with the rights of the corresponding role. A user role is part of the Permissions management feature.

Note: If you use 'userPrincipalname' in your filter, the users must use the full domain username to log on (for example 'testuser@mycompany.com'). If you want to use the username only (in this case: 'testuser'), please use 'sAMAccountName' instead!
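The filter templates above work by substituting the %user% placeholder with the name the administrator types at login. The following added example (not NoTouch Center code) expands such a template the way a test tool would, escapes the login name per RFC 4515 so it stays a plain value inside the filter, checks that the parentheses still balance, and applies the note above about userPrincipalName versus sAMAccountName login formats. The group DN and attribute names are the page's own examples.

```python
import re

# RFC 4515: these characters must be escaped inside a filter value, so that
# whatever is typed as a login name stays a plain value in the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Adminfilter template as quoted on this page.
ADMINFILTER = "(&(memberOf=CN=ADMINGROUP,OU=user,DC=myCompany,DC=com)(userPrincipalname=%user%))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, login_name: str) -> str:
    """Replace the %user% placeholder with the escaped login name."""
    return template.replace("%user%", escape_filter_value(login_name))


def balanced(filter_str: str) -> bool:
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def login_matches_attribute(template: str, login_name: str) -> bool:
    """Apply the note above: a userPrincipalName filter needs 'user@domain',
    a sAMAccountName filter needs the bare user name."""
    attrs = {a.lower() for a in re.findall(r"\(([\w-]+)=%user%\)", template)}
    if "userprincipalname" in attrs:
        return "@" in login_name
    if "samaccountname" in attrs:
        return "@" not in login_name
    return True  # no %user% attribute found; nothing to check


if __name__ == "__main__":
    for name in ("testuser@mycompany.com", "testuser"):
        f = expand_filter(ADMINFILTER, name)
        print(name, "->", f, "| balanced:", balanced(f),
              "| login format ok:", login_matches_attribute(ADMINFILTER, name))
```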

Role filter idea/info


You add a group (e.g. OmahaAdmin) in your Active Directory and assign users to that group. As the next step, create an identical role in your NoTouch Center and define the rights for this role. Each user of your Active Directory group (e.g. OmahaAdmin) can now log on with the rights assigned to the identical NoTouch Center role.

Note: After saving or changing your LDAP configuration with the "Save" button, you have to restart your NoTouch Center!

Tool for testing your LDAP string


Tools for your LDAP filters may be found here. Also, here are some additional tools that may assist.

Azure AD / LDAP support


To integrate NoTouch Center with Azure AD, you will need to use Azure AD Domain Services.

Special eDirectory settings


If you are using Novell eDirectory, the root certificate of the directory server has to be imported into the local certstore on the NoTouch Center server like this:

keytool -import -trustcacerts -alias t1 -file ca.crt -keystore /etc/truststore -storepass liscon -noprompt

The rest of the configuration is the same as the Active Directory configuration above.

Troubleshooting


If you would like to test your query strings please use the above-mentioned LDAP tool. If your queries work in the query tool but not in NoTouch Center, try giving the NoTouch Center LDAP user local administrator rights on the NoTouch Center machine.