3.0 Discovering Devices in LDAP Directories

You can search an LDAP directory for devices to add to your ZENworks database. The directory can be one that is already defined as a user source in your Management Zone, or it can be a new directory.

You can recursively search for device in all the directories from the root context. Or, you can limit the search by specifying one or more contexts to search. Device objects that are found are queried for well-known attributes (dnsHostName, OperatingSystem, wmNameDNS, wmNameOS, and so forth) to attempt to determine the OS version and DNS name of the device.

Before performing an LDAP discovery, make sure the following prerequisites are satisfied:

  • An LDAP search requires the ZENworks Server to provide credentials that give read access to the contexts being searched. When accessing Novell eDirectory, the account also requires read rights to the WM:NAME DNS attributes on the workstation and server objects.

  • An LDAP search of Active Directory requires the ZENworks Server to use a DNS server to resolve the device’s DNS name (as recorded on the object’s DNS name attribute in Active Directory) to its IP address. Otherwise, the device is not added as a discovered device.

You use the Create New Discovery Task Wizard to create and schedule an LDAP discovery task:

  1. In ZENworks Control Center, click the Deployment tab.

    Deployment page
  2. In the Discovery Task panel, click New to launch the New Discovery Task Wizard.

  3. Complete the wizard by using information from the following table to fill in the fields.

    Wizard Page

    Details

    Select Discovery Type page

    Select LDAP Discovery Task.

    Specify a name for the task. The name cannot include any of the following invalid characters: / \ * ? : " ' < > | ` % ~

    Enter LDAP Settings page > Search pre-configured LDAP source field

    The Enter LDAP Settings page lets you identify the LDAP directory and contexts where you want to perform the discovery task.

    A preconfigured LDAP source is one that has already been defined as a user source in your Management Zone. If you want to select a new source, see Enter LDAP Settings page > Specify an LDAP Source field.

    To use a preconfigured source:

    1. Select Search pre-configured LDAP source, then select the desired source.

    2. If you don’t want to search the entire LDAP directory, you can identify specific search contexts/groups. To do so:

      1. In the LDAP Search Contexts/Groups panel, click Add to display the Enter Context or Group Information dialog box.

      2. Fill in the following fields:

        Context/Group DN: Click Browse to locate and select the context/group you want to search.

        Recursive Search: Select this option to search all subcontexts/subgroups.

      3. Click OK to save the search context/group.

    3. If necessary, modify the LDAP search filter.

      By default, the filter searches for the computer objectClass or server objectClass. When modifying the filter, you can use the standard filter syntax for your LDAP directory.

    Enter LDAP Settings page > Specify an LDAP Source field

    You can create a new connection to a LDAP directory in order to discover devices in the directory. If you want to use an existing connection, see Enter LDAP Settings page > Search pre-configured LDAP source field above.

    To create a new connection to an LDAP directory:

    1. Select Specify an LDAP source, then fill in the following fields:

      LDAP Server: Specify the IP address or DNS hostname of the server where the LDAP directory resides.

      LDAP Port/Use SSL: The default is standard SSL port (636) or non-SSL port (389), depending on whether the Use SSL option is enabled or disabled. If your LDAP server is listening on a different port, select that port number.

      Root Context: Establishes the entry point in the directory; nothing located above the entry point is available for searching. Specifying a root context is optional. If you don’t specify a root context, the directory’s root container becomes the entry point.

      Save Credentials to Datastore: Unless you save the credentials (defined in the Credentials list), they are stored only in memory. Saved credentials are encrypted in the database for increased security. Credentials are cleared from memory when the ZENworks Server is restarted. If you want to permanently retain the credentials, you should save them.

      Credentials: Click Add to specify a username and password that provides read-only access to the directory. The user can have more than read-only access, but read-only access is all that is required and recommended. When accessing Novell eDirectory, the user account also requires read rights to the WM:NAME DNS attributes on the workstation and server objects.

      For Novell eDirectory access, use standard LDAP notation. For example, cn=admin_read_only,ou=users,o=mycompany

      For Microsoft Active Directory, use standard domain notation. For example, AdminReadOnly@mycompany.com

    2. If you don’t want to search the entire LDAP directory, you can identify specific search contexts/groups. To do so:

      1. In the LDAP Search Contexts/Groups panel, click Add to display the Enter Context or Group Information dialog box.

      2. Fill in the following fields:

        Context/Group DN: Click Browse to locate and select the context/group you want to search.

        Recursive Search: Select this option to search all subcontexts/subgroups.

      3. Click OK to save the search context/group.

    3. If necessary, modify the LDAP search filter. By default, the filter searches for the computer objectClass or server objectClass.

    Discovery Settings page

    LDAP discovery retrieves the hostname, operating system type and version, and IP address of a discovered device from the LDAP source. Based on the selected discovery technologies, you can obtain the following additional information on a device:

    • ZENworks Management Status

    • Operating System Suites

    • MAC Address

    • Network Adapters

    • CPU

    • Memory and Disk Space

    To obtain additional information on a device:

    1. Select the Use the IP discovery technologies to gather more information option.

    2. Select Override Zone Discovery Settings, then select the discovery technologies.

    3. In the Credentials panel, add the credential information.

      For more information on how to add the credential information, click the Help button.

    Set the Discovery Schedule page

    Choose whether you want the task to run as soon as it is created (the Now option) or if you want to schedule the task to run at a future date and time. If you select Scheduled, choose one of the following schedules:

    No Schedule: Indicates that no schedule has been set. The task does not run until a schedule is set or it is manually launched. This is useful if you want to create the task and come back to it later to establish the schedule or run it manually.

    Date Specific: Specifies one or more dates on which to run the task.

    Recurring: Identifies specific days each week, month, or a fixed interval on which to run the task.

    For more information about the schedules, click the Help button.

    Select Primary Server page

    Select the ZENworks Server that you want to perform the deployment task.

    Select or Edit a Proxy Device page

    The Select or Edit a Proxy Device page lets you choose whether you want to use a proxy device to perform the discovery task.

    Select or Edit a Proxy Device page > Windows Proxy

    If you want to use a Windows Proxy instead of the Primary Server to perform the discovery tasks on Windows devices, click the Windows Proxy option and configure the settings in the Select Windows Proxy dialog box.

    A Windows Proxy is used to perform the following actions:

    • Enable Linux Primary Servers to perform discovery tasks that use Windows-specific discovery technologies (such as WMI, WinAPI, and SNMP).

    • Discover Windows devices that are in a different subnet than the Primary Server.

    • Discover Windows devices in a network enabled for NAT.

    Discovery through WMI, WinAPI and SNMP requires certain ports to be reachable on the target devices, so the Primary Server can send Remote Registry, WMI, or SNMP requests to the target devices. Ports are opened by adding them as an exception in the Windows Firewall configuration settings. By default, the scope of the exception applies only to the local subnet. If the target device is in a different subnet than the Primary Server from which the discovery is run, you need to add the IP address of the Primary Server as an exception. However, if you use a Windows Proxy in the same subnet as a target device, you do not need to change the scope of the Windows Firewall exception.

    The connection between the ZENworks Server and Windows Proxy is secured through SSL.

    Override Zone Window Proxy Settings: Select this option if you want to override the Windows Proxy settings configured at the Management Zone and configure new settings for the task.

    Windows Proxy: Select a Windows managed device (server or workstation) to be used as a Windows Proxy for performing the discovery tasks instead of a ZENworks Server. The Windows Proxy must reside in the same network as the target devices.

    Windows Proxy Timeout: Specify the number of seconds you want the ZENworks Server to wait for a response from the Windows Proxy.

    Select or Edit a Proxy Device page > Linux Proxy

    If you want to use a Linux Proxy instead of the Primary Server to perform the discovery tasks on Linux devices, click the Linux Proxy option and configure the settings in the Select Linux Proxy dialog box.

    A Linux Proxy is used to perform the following actions:

    • Enable Primary Servers that cannot perform discovery tasks that use Linux-specific discovery technologies like SSH.

    • Discover Linux devices in a different subnet than the Primary Server.

    • Discover Linux devices in a network enabled for NAT.

    The SSH discovery requires port 22 to be reachable in order to enable the Primary Server to connect to the target device. If the SSH port is blocked in the Network Firewall, you use a Linux managed device in the same subnet as the target device.

    The connection between the ZENworks Server and Linux Proxy is secured through SSL.

    For more information on how to open port 22, see Prerequisites for Deploying to Linux Devices.

    Override Zone Linux Proxy Settings: Select this option if you want to override the Linux Proxy settings configured at the Management Zone and configure new settings for the task.

    Linux Proxy: Select a Linux managed device (server or workstation) to be used as a Linux Proxy for performing the discovery tasks instead of a ZENworks Server. The Linux Proxy must reside in the same network as the target devices.

    Linux Proxy Timeout: Specify the number of seconds you want the ZENworks Server to wait for a response from the Linux Proxy.

    When you finish the wizard, the discovery task is added to the list in the Discovery Tasks panel. You can use the panel to monitor the status of the task. As devices are discovered, they are listed in the Deployable Devices panel.