
[Afaria 7] User group, LDAP

Former Member
0 Kudos

Hello!

I have problems understanding when Afaria is able to ask for domain user credentials. I've found that it's possible to prompt for them during enrollment (it happens when you enable "windows authentication" during enrollment service installation). But this login and password aren't saved anywhere and my device doesn't become a member of a user group that is defined on the server.

I want to know how I can add my device to a specified user group (not static or dynamic, but exactly user group).

Also I'd like to know how LDAP from configuration policy is used. You can enter any login and password, but it is never checked.

We configured LDAP during installation of Afaria server (I'm adding this to avoid possible future questions).

Thanks in advance!

Accepted Solutions (1)


Former Member
0 Kudos

Hi Olga,

Have you solved the problem?

regards,

Patricio

Former Member
0 Kudos

Users provided credentials and were added to the user groups, but these relations (between users and user groups) couldn't be seen through Afaria Administrator - so they existed and worked, but we weren't able to see and check them.

LDAP (AD) credentials are saved and seen in the information about the user after upgrading to Afaria SP1, but not in the fields "user" or "client" like in Android - but in the field "Assignments user name". If an iOS user is prompted for the username with the enrollment policy, he can enter anything there and the administrator won't be able to change it later, so we just don't ask the client for it - only for AD credentials.

Answers (1)


Former Member
0 Kudos

Hi Olga,

I may be misunderstanding your question as it seems to hold several key elements. I will attempt to digest it with the limited understanding I have:

1.) LDAP authentication using the credentials on your directory server. If it is using Windows it is likely to be MS AD, and in this case I have found that you need to configure IIS a little further to get things going. What we did in our proof of concept (POC) environment was to enable digest authentication. This uses the native Windows authentication and will prompt you for the logon credentials as per those maintained in your domain.

Additionally you may need to adjust the authentication stack (by default forms authentication is used if I remember correctly) in both the IIS and Afaria app server for the hosted app, depending on if your deployment was distributed or not, as the self service portal and the admin portal as an example can be installed on different hosts.

2.) As for group assignments, and in this case I am assuming you are referring to the LDAP groups I suspect. Once your user ID has been assigned to an LDAP group it needs to have a logical bind to the Afaria component you are using. To do this one needs to configure a tenant, then assign an LDAP group to that tenant - this will propagate users to the tenant. Groups however are defined differently to LDAP groups as far as I can determine. The LDAP group is a logical grouping of organisational entities whereas in Afaria it is a logical grouping of users and/or devices. Policies are related to applications and security and are thus bound to groups - you will see this when you have created a policy and then click on groups and adjust the settings. The group will then present to you the policies available you can bind to. You then push the group policy to the group of devices or users you have defined.

I hope this helps.

Douglas Volkwyn.