Inventory beacon collecting active directory data without any LDAP integration

Hi Team, We have recently deployed FNMS and integrated it with SCCM and vCenter. Now, when we try to create accounts for different users in FNMS and search for a user ID on the create account page, we see that all the Active Directory users are available for selection, and we can log in to FNMS using AD credentials. We didn't integrate any domain controller with the beacon server, so how is Active Directory data coming into FNMS?

Also, we can see that by default an Active Directory scheduled import is running on the beacon server, where the domain controller is shown as the current domain with no user ID/password. The account which we used for beacon configuration shouldn't have access to the domain controller.


Thanks

Suman

(1) Solution

Hi Suman,

The AD queries that the beacon makes don't require privileged credentials to execute. Any domain user can normally run the same queries to "read" the same level of info the beacon collects. So, by default, a standard install of the beacon will be primed to collect AD data from the domain it is connected to. If you don't want the beacon to collect AD data, it would be best to remove the task, or make sure there is no active schedule for it.

-Murray


(5) Replies

Hi Murray, Thanks for your quick response. As you mentioned, a domain user can make normal queries in AD without any specific credential; along with that, port 389 was already open from the beacon to the AD server, and that's why the beacon started collecting data. In other products we had to explicitly configure these details to fetch AD info. That's why I was wondering how Active Directory data is getting synced automatically.

Thanks

Suman

Hi Suman,

After installation, there is a default Active Directory connection configured in the Beacon UI. However, there are a number of prerequisites for any Beacon to collect data from Active Directory:

  • The default AD connection on the Beacon is configured for "Current domain", which is an invalid Windows domain name. It needs to be updated manually for a valid domain name.
  • There is no user account configured for the default AD connection. This means the Beacon will use the Windows user account that the "Beacon Engine" Windows service is running under. In case you did not change this account manually, the Beacon service will be running using the local Windows SYSTEM user account. This account has no access to any Windows domain by default.
  • The default AD connection is not running on a schedule. You have to trigger it manually by selecting it and using the "Execute Now" button, or manually reconfigure it to run on a schedule.


Since you apparently did import data from SCCM successfully, could it potentially be that users have been imported from SCCM?

Hi Elindeman,

Thanks for your response.

We have not configured any valid domain name and it's running with "Current domain". The connection is even running on a schedule and importing Active Directory data. Please refer to the attached screenshot.

Regarding SCCM import, I believe only asset users can be imported through this integration. Here I am able to log in to FNMS using these AD credentials, which is not possible if it's not connected to AD.


Thanks

Suman

A couple of clarifications to @statler's comments:

  • The "Current domain" details do not need to be updated explicitly if the domain the beacon is a member of is the domain you want to import data from. You only need to update these details if you want to configure the connection to import data from a different domain (including if the beacon is not a member of a domain).
  • The Windows SYSTEM (computer) account will normally have read access to publicly visible Active Directory objects, as long as the beacon is a member of a domain. Credentials are only likely to need to be explicitly configured if you are configuring a connection to import data from a domain that is not trusted by the beacon's domain, or access rights in the domain are locked down in an unusual fashion.
(Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
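The two points made in this thread (Murray's answer that any domain principal can run the same read-only LDAP queries without explicit credentials, and the later clarification that the beacon's SYSTEM context maps to the computer account and so inherits that read access when the host is domain-joined) can be checked on the beacon host itself. The following PowerShell is an added example written for this page; it is not Flexera's code and does not use any FNMS API. It assumes a domain-joined Windows host, that the beacon service's display name is "Beacon Engine" as named in the thread, and that LDAP is on TCP 389 as Suman observed. Running it under an ordinary domain user account, and then again under SYSTEM (for instance via a scheduled task), shows the same user objects being returned in both cases, which is why no credentials had to be entered on the default "Current domain" connection.

```powershell
# Added example for this thread, not Flexera code. Assumptions (labelled): the beacon
# service display name "Beacon Engine" and LDAP on TCP 389 come from the posts above.

# 1. Which Windows identity does the beacon service run under? When the AD connection
#    has no user/password configured, this is the identity the LDAP queries use.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = 'Beacon Engine'"  # assumed display name
if ($svc) {
    "Service '{0}' runs as: {1}" -f $svc.Name, $svc.StartName   # e.g. LocalSystem
} else {
    "No service with display name 'Beacon Engine' found on this host."
}

# 2. Is this host domain-joined? "Current domain" only resolves to something if it is;
#    under LocalSystem the network identity is then the computer account (DOMAIN\HOST$).
$cs = Get-CimInstance Win32_ComputerSystem
"Domain-joined: {0}; Domain: {1}" -f $cs.PartOfDomain, $cs.Domain
"Current identity: {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 3. Can this host reach LDAP on a domain controller? Resolving the domain's DNS name
#    returns DC addresses, so testing the domain name tests a DC.
if ($cs.PartOfDomain) {
    $ldapReachable = Test-NetConnection -ComputerName $cs.Domain -Port 389 -InformationLevel Quiet
    "TCP 389 to a DC of {0} reachable: {1}" -f $cs.Domain, $ldapReachable
}

# 4. The kind of read-only query an inventory tool makes against the current domain with
#    NO explicit credentials: DirectorySearcher binds with the caller's own token (Kerberos/
#    NTLM), and by default every authenticated principal, computer accounts included, may
#    read these attributes on user objects.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500                    # paged results; otherwise the server caps at 1000
foreach ($attr in 'sAMAccountName', 'userPrincipalName', 'memberOf') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}
try {
    $users = $searcher.FindAll()
    "User objects readable with the current identity: {0}" -f $users.Count
    $users | Select-Object -First 5 | ForEach-Object {
        "  {0}" -f $_.Properties['samaccountname'][0]
    }
    $users.Dispose()
} catch {
    # Expected only when the host is not domain-joined, there is no trust to the target
    # domain, or read access on the domain has been locked down (see the thread).
    "LDAP read failed: {0}" -f $_.Exception.Message
}
```

Step 1 confirms the service identity; if it reports LocalSystem on a domain-joined host, step 4 run under that same identity will succeed for the reasons given in the thread. If you want the beacon not to collect AD data, the fix is still the one Murray gave (remove the task or clear its schedule in the Beacon UI); restricting the computer account's read access in AD would be the "unusual" lockdown mentioned in the last reply and would affect other tooling that relies on default read rights.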