Targeting LDAP users and groups from Novell eDirectory requires the following patch:
SWD-2356188.2-2
There are two folders in the extracted patch directory. The SWD-2356188.2-2 patch must be run on the core. The SWD-2356188.2-2-client folder contains the client-side patch. Running the client-side patch updates the files on the client and installs the following registry key:
HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableNDSLdapUsage = 1
The setting of "1" means that the functionality is disabled, and will not be used.
After the patch is installed on the core and any existing clients, the following registry keys must be set to a value of "0". This will enable the eDirectory location and group scanning functionality.
HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableNDSLdapUsage = 0
HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration = 0
To make this configuration a permanent part of the default Agent configuration, do the following.
Browse to the LDLOGON share on the core server. Open the ntstacfg.in# file with notepad.exe. Search for ldap, which should take you to this section:
; LDAP groups can be enumerated on the client, this provides more information in the inventory
; database and faster targeting of LDAP groups. This also generates network traffic between the
; client and the LDAP server, the following registry value can be used to disable this option
REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration, 0, , REG_DWORD
The default value for LDAP enumeration is 1, which is Disabled. Change this to 0, and save the file.
Add this line:
REG555=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableNDSLdapUsage, 0, , REG_DWORD
This will enable the eDirectory LDAP reporting.
On the LANDesk Core server, go to Configure | Services | Inventory and restart the Inventory Service. This will kick off stamper.exe, which builds the ntstacfg.ini file from the ntstacfg.in# file.
Next, in the LANDesk Console, go to Tools | Configuration | Agent Configuration and click the "Rebuild All" button. This will rebuild the Agent_Name.ini file from the ntstacfg.in# file.
After doing this, all of the LANDesk Windows Agents will have Novell eDirectory LDAP enumeration enabled when the agent is installed.
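Before restarting the Inventory Service, the edited template can be checked for the two values this procedure depends on. The following is an added example, not LANDesk code: the function name audit_template and the sample text are constructed, and it assumes every REG line has the shape shown above and that each REG number should appear only once.

```python
import re

# Directive shape as shown on this page (assumed to hold for every REG line):
#   REG<n>=<hive>, <key>\<value name>, <data>, , <type>
REG_LINE = re.compile(
    r'^\s*(REG\d+)\s*=\s*([^,]+),\s*([^,]+),\s*([^,]*),\s*([^,]*),\s*(\S+)\s*$')
WINCLIENT = r'SOFTWARE\LANDesk\ManagementSuite\WinClient'.lower()
REQUIRED = ('DisableLdapGroupEnumeration', 'DisableNDSLdapUsage')

def audit_template(text):
    """Return (settings, problems) for the two LDAP values in template text."""
    settings, seen, problems = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REG_LINE.match(line)
        if line.lstrip().startswith(';') or not m:
            continue                      # comment or non-REG line
        tag, hive, path, data, _, rtype = (g.strip() for g in m.groups())
        if tag in seen:                   # assumption: REG numbers are unique
            problems.append(f'line {lineno}: {tag} already used on line {seen[tag]}')
        seen[tag] = lineno
        key, _, name = path.rpartition('\\')
        if hive.upper() == 'HKEY_LOCAL_MACHINE' and key.lower() == WINCLIENT:
            for wanted in REQUIRED:       # registry names are case-insensitive
                if name.lower() == wanted.lower():
                    settings[wanted] = (data, rtype)
    for name in REQUIRED:
        if name not in settings:
            problems.append(f'{name}: no REG line found')
        elif settings[name] != ('0', 'REG_DWORD'):
            problems.append(f'{name}: expected 0 / REG_DWORD, found {settings[name]}')
    return settings, problems

# Constructed sample, not a real ntstacfg.in#: enumeration still at 1,
# and the added line reuses REG54 instead of a free number.
SAMPLE = r"""
; LDAP groups can be enumerated on the client
REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableLdapGroupEnumeration, 1, , REG_DWORD
REG54=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\ManagementSuite\WinClient\DisableNDSLdapUsage, 0, , REG_DWORD
"""

if __name__ == '__main__':
    found, issues = audit_template(SAMPLE)
    for issue in issues:
        print('PROBLEM:', issue)
    print('OK' if not issues else f'{len(issues)} problem(s)')
```

To check a real template, pass the contents of a copy of ntstacfg.in# to audit_template instead of SAMPLE.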
These settings will tell ldapwhoami.exe to gather LDAP information from Novell eDirectory and to put that information into inventory.
See the following screenshot for an example of eDirectory information pulled by ldapwhoami.exe with eDirectory LDAP usage enabled (DisableNDSLdapUsage set to 0 in the registry) and LDAP group enumeration enabled (DisableLdapGroupEnumeration set to 0 in the registry).
The following groups are listed under the User:
- LANDESK TEST GROUP in the masterOU container
- LANDesk Software Dist Group in the masterOU container
These groups and the Novell eDirectory user "admin" can now be targeted through a LANDesk Software Distribution job using Directory Manager.
When the DisableNDSLdapUsage registry value is set to the default value of 1 (Disabled), ldapwhoami.exe will show the following LDAP output from Active Directory.
The difference can be seen in the output. The machine is now configured to report the Active Directory LDAP information.
NOTE: There are some limitations to using this functionality.
1. Please note that only one LDAP source can be used for targeting machines. This means that you can target LDAP users and groups through Active Directory OR Novell eDirectory. You cannot pull information from both sources.
2. In a large environment, the traffic added by the machines getting LDAP information and sending it can be considerable. Please test this setup carefully and know your environment before making a system-wide change to enable these settings.