Reference Guide
Device Inventory
Active Directory Device Discovery
LDAP or Active Directory devices can be integrated with Kron PAM. Some properties must be added from the System Configuration Manager for the discovery configuration:

1. Navigate to Administration > System Configuration Manager.
2. Click the +Add button and then Add New System Parameter.
3. Enter the related configuration parameter and its value as shown below.
4. Save.
5. Repeat the above steps for each parameter separately.

The N values at the end of the parameter names must be consecutive integers starting from 0.

| Parameter name | Description | Value |
|---|---|---|
| SC_DEVICE_INTEGRATION_LDAP_URL (mandatory) | The LDAP or AD server URL; can be an IP address or a DNS name. Multiple URLs can be separated by `#`, which helps ensure high availability. | ldap://10.20.30.40:389#ldap://10.20.30.41:389 |
| SC_DEVICE_INTEGRATION_LDAP_BASEDN_N (mandatory) | Base Distinguished Name (DN) from where LDAP discovery starts. All devices and groups will be nested under this base. Multiple base DNs can be given, separated by the designated separator character. | ou=myorganizationalunit,dc=krontech new,dc=internal |
| SC_INTEGRATION_LDAP_EID_N (mandatory) | The LDAP/AD username used to bind and perform searches. This account must have read access to LDAP/AD. | svc discovery user |
| SC_DEVICE_INTEGRATION_LDAP_PASSWORD_N (mandatory) | Password for the LDAP/AD bind user defined in EID_N. Secure this field, as it contains sensitive information. | yoursecurepassword123! |
| SC_DEVICE_INTEGRATION_LDAP_SOURCE_NAME_N (mandatory) | A user-defined label representing this discovery source in Kron PAM; helpful when managing multiple discovery integrations. | corpaddiscovery |
| SC_DEVICE_INTEGRATION_LDAP_ROOT_DEVICE_GROUP_N (mandatory) | Root device group name in Kron PAM. All discovered devices/groups will be placed under it, which helps organize and segment devices. Must be defined whenever SC_DEVICE_INTEGRATION_LDAP_USER_MEMBERSHIP_N is configured. | AD Discovered Devices |
| SC_DEVICE_INTEGRATION_LDAP_USER_MEMBERSHIP_N (optional) | Enables the group discovery strategy based on the memberOf attribute. Use true for memberOf-based recursion, false to use distinguishedName path logic. If this parameter is configured, SC_DEVICE_INTEGRATION_LDAP_ROOT_DEVICE_GROUP_N must also be defined. | true/false |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_GROUP_SEARCH_PHRASE_N (mandatory) | LDAP search filter for device groups. Required if user membership is enabled. | (\|(objectClass=group)(objectClass=organizationalUnit)) |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_SEARCH_PHRASE_N (mandatory) | LDAP search filter for discovering devices. Should match device object types such as computer or device. | (objectClass=computer) |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_IP_ATTRIBUTE_N (mandatory) | The LDAP attribute that holds the device IP information. Must be set for devices to be accessed via Kron PAM. | dNSHostName |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_HOSTNAME_ATTRIBUTE_N (optional) | LDAP attribute for the device hostname; used in the Kron PAM UI for display purposes. | cn |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_ACCESS_PROTOCOL_ATTRIBUTE_N (optional) | Attribute storing which access protocol (e.g., SSH, RDP) each device uses; helps auto-assign access methods. | accessProtocol |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_DEFAULT_ACCESS_PROTOCOL_N (mandatory) | Default protocol to use if the access protocol attribute isn't provided or returns empty. | rdp |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_ELEMENT_TYPE_ID_ATTRIBUTE_N (optional) | LDAP attribute indicating the element type (e.g., OS or device type); used for detailed classification. | osType |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_DEFAULT_ELEMENT_TYPE_ID_N (mandatory) | The default element type, used if the LDAP attribute is missing or not resolvable. | windows |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_PORT_ATTRIBUTE_N (optional) | LDAP attribute containing the device access port; used if specific devices use non-default ports. | portNumber |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_DEFAULT_PORT_N (optional) | The default port value to use when no LDAP attribute is defined or returned. Falls back to standard protocol defaults (e.g., 22 for SSH). | 3389 |
| SC_DEVICE_INTEGRATION_LDAP_ALLOW_DEVICE_IN_MULTIPLE_GROUPS_N (optional) | Adds devices to multiple device groups according to their membership relations in the LDAP server. | true/false |
| SC_DEVICE_INTEGRATION_LDAP_DEVICE_GROUP_COLLECT_TREE_N (optional) | Enables the import of device groups in a tree (hierarchical) structure using the memberOf attribute from LDAP. When set to true, Kron PAM builds the parent-child relationships between device groups based on memberOf and organizes them accordingly. If set to false, the groups are imported in a flat structure without hierarchy. The default value is true, which is typically recommended for AD environments where group relationships are defined via memberOf. | true/false |
| SC_DEVICE_INTEGRATION_LDAP_IMPORT_OU_AS_GROUP_N (optional) | Defines how devices are assigned to device groups during LDAP discovery. When set to true, Kron PAM uses the organizational unit (OU) path in the device's distinguishedName (DN) to determine the group structure instead of relying on the memberOf attribute; each OU in the DN (excluding the base DN) is treated as a device group and structured hierarchically. When set to false (default), device group assignment is based on memberOf relationships, assuming user membership is enabled. | true/false |

After defining the above parameters, apply the steps outlined in the related integration sections to complete the LDAP/AD device integration.

If the device tree structure has both devices and device groups under a parent device group, the device group is duplicated and an underscore ("_") is appended to the end of the duplicated group's name. Example: the devicelist 01 device group contains both devices and device groups, so the devicelist 01 group is duplicated.

Multiple LDAP device integrations can be performed by duplicating the parameters that end in _N. The N suffixes must be sequential, starting from 0 (zero) for each LDAP source, e.g. SC_DEVICE_INTEGRATION_LDAP_BASEDN_0, SC_DEVICE_INTEGRATION_LDAP_BASEDN_1, SC_DEVICE_INTEGRATION_LDAP_BASEDN_2.

SC_DEVICE_INTEGRATION_LDAP_USER_MEMBERSHIP_N

In Active Directory, the device group hierarchy can be built using two different approaches: the memberOf attribute, or the organizational unit (OU) structure defined in the device's distinguished name (DN).

The memberOf attribute is an explicit reference within an object (e.g., a device or group) that points to one or more groups it belongs to. When using this method, group relationships are discovered by following these memberOf links recursively, allowing Kron PAM to construct a hierarchical tree of nested groups based on actual group memberships.

The OU structure, on the other hand, is based on the directory path in which an object is located. This path is represented in the object's DN and reflects the administrative or organizational placement within Active Directory. When this method is used, Kron PAM parses the DN and converts each OU in the path into a device group, building a hierarchy that mirrors the AD structure regardless of memberOf relationships.

Choosing between memberOf-based and OU-based discovery depends on how group relationships are managed in your AD environment.

This parameter defines how Kron PAM discovers and organizes device groups from LDAP:

- When set to true, Kron PAM uses the memberOf attribute to build the device group hierarchy recursively. It follows each device's or group's memberOf references to determine parent-child relationships, allowing a nested (tree-like) structure to be imported from LDAP.
- When set to false, Kron PAM does not rely on memberOf. Instead, it analyzes the device's distinguishedName (DN) and converts each OU in the DN path into a corresponding device group, creating a group hierarchy based on the OU structure in Active Directory.

If this parameter is set (either true or false), you must also define SC_DEVICE_INTEGRATION_LDAP_ROOT_DEVICE_GROUP_N to specify the root group under which all discovered groups and devices will be placed.
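The two group-hierarchy strategies described above (memberOf recursion versus OU-path parsing), together with the attribute-and-default resolution from the parameter table, worked through as an added Python example. This is illustration code, not Kron PAM's own implementation: the directory entries, DNs, hostnames, group names and configuration values are constructed, and only the attribute names (dNSHostName, cn, accessProtocol, portNumber, osType) follow the sample values in the table.

```python
"""Added worked example (not Kron PAM code): memberOf-based versus OU-based
device group discovery on a small constructed directory, plus resolution of
per-device attributes with their configured defaults."""
from typing import Dict, List

# Constructed discovery settings, keyed by the tail of the parameter name.
CONFIG = {
    "basedn": "ou=servers,dc=example,dc=internal",
    "root_device_group": "AD Discovered Devices",
    "device_ip_attribute": "dNSHostName",
    "device_hostname_attribute": "cn",
    "device_access_protocol_attribute": "accessProtocol",
    "device_default_access_protocol": "rdp",
    "device_port_attribute": "portNumber",
    "device_default_port": "3389",
    "device_element_type_id_attribute": "osType",
    "device_default_element_type_id": "windows",
}

# Constructed entries keyed by DN, shaped like LDAP search results
# (every attribute is multi-valued, hence the lists).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Infra,ou=groups,dc=example,dc=internal": {
        "objectClass": ["group"], "memberOf": []},
    "cn=DB-Servers,ou=groups,dc=example,dc=internal": {
        "objectClass": ["group"],
        "memberOf": ["cn=Infra,ou=groups,dc=example,dc=internal"]},
    "cn=db01,ou=linux,ou=prod,ou=servers,dc=example,dc=internal": {
        "objectClass": ["computer"], "cn": ["db01"],
        "memberOf": ["cn=DB-Servers,ou=groups,dc=example,dc=internal"],
        "dNSHostName": ["db01.example.internal"],
        "accessProtocol": ["ssh"], "portNumber": ["2222"], "osType": ["linux"]},
    "cn=app01,ou=windows,ou=prod,ou=servers,dc=example,dc=internal": {
        "objectClass": ["computer"], "cn": ["app01"], "memberOf": [],
        "dNSHostName": ["app01.example.internal"]},
}


def split_urls(value: str) -> List[str]:
    """Split the '#'-separated LDAP_URL value into individual server URLs."""
    return [u for u in value.split("#") if u]


def rdn_value(dn: str) -> str:
    """Value of the leftmost RDN, e.g. 'db01' for 'cn=db01,ou=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def first(entry: Dict[str, List[str]], attr: str) -> str:
    """First value of a multi-valued attribute, or '' when absent or empty."""
    values = entry.get(attr) or []
    return values[0] if values else ""


def groups_from_ou(dn: str, base_dn: str) -> List[str]:
    """OU strategy (USER_MEMBERSHIP=false): every OU between the object and
    the base DN becomes a group. Returned root-first, base DN excluded."""
    suffix = "," + base_dn
    if not dn.lower().endswith(suffix.lower()):
        raise ValueError(f"{dn} is outside base DN {base_dn}")
    rdns = dn[: -len(suffix)].split(",")
    ous = [rdn_value(r) for r in rdns if r.lower().startswith("ou=")]
    return list(reversed(ous))  # a DN lists the leaf first; we want root first


def group_chains(dn: str, directory: Dict[str, Dict[str, List[str]]],
                 seen: frozenset = frozenset()) -> List[List[str]]:
    """memberOf strategy (USER_MEMBERSHIP=true): follow memberOf links upward
    recursively and return every root-first chain of group names the object
    belongs to. `seen` breaks membership cycles, which AD permits."""
    chains: List[List[str]] = []
    for parent in directory.get(dn, {}).get("memberOf", []):
        if parent in seen:
            continue
        for chain in group_chains(parent, directory, seen | {dn}):
            chains.append(chain + [rdn_value(parent)])
    return chains or [[]]  # no memberOf: object sits directly under the root


def discover(directory: Dict[str, Dict[str, List[str]]], cfg: dict,
             use_memberof: bool) -> Dict[str, dict]:
    """Apply the device filter (objectClass=computer), resolve per-device
    attributes with their defaults, and attach group path(s) under the root."""
    root = cfg["root_device_group"]
    devices: Dict[str, dict] = {}
    for dn, entry in directory.items():
        if "computer" not in entry.get("objectClass", []):
            continue  # same effect as the sample filter (objectClass=computer)
        ip = first(entry, cfg["device_ip_attribute"])
        if not ip:  # the IP attribute is mandatory for access via PAM
            raise ValueError(f"{dn}: IP attribute missing, device not accessible")
        chains = (group_chains(dn, directory) if use_memberof
                  else [groups_from_ou(dn, cfg["basedn"])])
        devices[first(entry, cfg["device_hostname_attribute"])] = {
            "ip": ip,
            "protocol": first(entry, cfg["device_access_protocol_attribute"])
            or cfg["device_default_access_protocol"],
            "port": int(first(entry, cfg["device_port_attribute"])
                        or cfg["device_default_port"]),
            "element_type": first(entry, cfg["device_element_type_id_attribute"])
            or cfg["device_default_element_type_id"],
            "groups": [[root] + chain for chain in chains],
        }
    return devices


if __name__ == "__main__":
    for strategy in (True, False):
        print("memberOf" if strategy else "OU path", discover(DIRECTORY, CONFIG, strategy))
```

Running it shows the same two computers landing in different trees: with memberOf recursion db01 sits under AD Discovered Devices > Infra > DB-Servers while app01, which has no memberOf, falls directly under the root; with OU parsing both follow their DN path (prod > linux and prod > windows) and the group objects outside the base DN are ignored entirely. A device with more than one memberOf value yields several chains, which is the situation ALLOW_DEVICE_IN_MULTIPLE_GROUPS_N governs, and an entry lacking the IP attribute is rejected rather than imported unreachable.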