How to discover directory services with vScope


By adding your directory services to vScope’s discovery scope you can build reports about user accounts, domains, groups and other information held in your directory service.

The short story – Adding directory service to Discovery Manager

Adding your directory service to the discovery scope is easy.

  1. Open the Discovery Manager
  2. Click on the Credentials tab
  3. Click “+ Credential”
  4. Select Directory Services
  5. Enter Username, Password and Base DN (optional)
  6. Add Target=hostname/IP of your domain controller
  7. Click Create Credential
  8. Finished!

If you ran into an “invalid credential” error, or are looking for more advanced information about directory service discovery, please see below:

More information – Directory Services Credential

The directory services credential is used by vScope to discover your LDAP and Active Directory Domain Controllers. We will refer to these as DS (Directory Service).

Basic Setup

From the Discovery Manager -> Credentials -> +CREDENTIAL -> Directory Services

Username

Required. The username used to log into your DS.

Valid formats

  • Active Directory: DOMAIN\Administrator
  • OpenLDAP: Often a Dn specifying the admin user. Example: cn=admin,dc=isl,dc=local

Password

Required. The password used in conjunction with your username to log into your DS. Should not be left empty.

Service Type

Required. The type of the DS. Currently one of two options:

  • AD – Active Directory
  • LDAP – Generic LDAP (OpenLDAP)

vScope will attempt to identify the server type when connecting and might override the setting if it detects a better match.

Connection Type

Required. The type of protocol used when connecting to the DS.

  • Plain – Plain unencrypted connection; the bind password and all directory data cross the network in clear text. Default port 389.
  • LDAPS (recommended) – Encrypted connection. Default port 636.
  • StartTLS – Encrypted connection that starts out as an unencrypted connection on which encryption is then negotiated. Default port is 389 and will switch over to the encrypted port (default 636) when negotiation is completed.

Base Dn

Optional. The root when binding to the DS. This specifies the starting point for all searches in the DS. It is recommended that this is always set to the root of the domain.

Limiting the scope of the searches can be done by using the advanced option Search Base Dn.

The Base Dn should always be entered as a Dn (Distinguished Name).
Example. Your domain is company.com. The base Dn should be entered as:
dc=company,dc=com

The Base Dn field can be left empty, in which case vScope will attempt to find the Base Dn automatically. However, if there are multiple root Dns then vScope will not be able to determine which one to use. It is recommended that you always enter the Base Dn.

Advanced Setup

Expanding the Advanced-section allows you to specify even more information.

Custom Port

Optional. If specified, vScope will use this port when connecting to the DS regardless of the Connection Type (Plain, LDAPS, StartTLS) being used.

If not specified, vScope will automatically use the default port for the Connection Type being used. It is recommended that this field is left empty to use default settings.

Search Base Dn

Optional. The Search Base Dns are used to limit the scope of the searches performed by vScope.

One example: You have a root domain named company.com. Within that domain you have three countries:

ou=sweden,dc=company,dc=com
ou=finland,dc=company,dc=com
ou=norway,dc=company,dc=com

Configuring only the Base Dn to the root of company.com (dc=company,dc=com) and not using Search Base Dn will make vScope search the entire DS tree from that root. This includes all three countries.

If you are only interested in data contained in ou=sweden you can specify the following as Search Base Dn:
ou=sweden,dc=company,dc=com

If you are interested in both ou=sweden and ou=norway you specify the following setting:
ou=sweden,dc=company,dc=com;ou=norway,dc=company,dc=com

Multiple entries are separated by a semicolon (;). If a semicolon exists within a Dn then it must be escaped, otherwise vScope will treat it as a separator between entries. Example:
ou=malmo\; sweden,dc=company,dc=com;ou=norway,dc=company,dc=com

vScope parses this into the two entries:
ou=malmo\; sweden,dc=company,dc=com
ou=norway,dc=company,dc=com

NOTICE: Be careful when using the Search Base Dn setting. If configured incorrectly, you might miss user group memberships.

Consider the following scenario:
User swedishuser exists in the ou=users,ou=sweden,dc=company,dc=com OU.
It is a member of the group cn=nordicgroup,ou=nordic,dc=company,dc=com.

The credential settings used are:
Base Dn: dc=company,dc=com
Search Base Dn: ou=sweden,dc=company,dc=com

When vScope performs searches it will search for all objects existing within ou=sweden,dc=company,dc=com.

However, the group nordicgroup exists in ou=nordic,dc=company,dc=com, which is not included in the Search Base Dns. This group is never found in the searches performed by vScope, so the group membership is not found either.
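The following is an added example (not vScope’s own code) that implements the two rules described above: splitting a Search Base Dn setting on unescaped semicolons, and checking whether an object’s Dn lies under any of the configured search bases, which is what decides whether nordicgroup is visible in the scenario. The RDN value cn=swedishuser is assumed; the page names only the OU the user lives in.

```python
# Added example, not vScope's code. Parses a vScope-style Search Base Dn setting
# (entries separated by ';', a literal semicolon escaped as '\;') and checks
# whether a Dn falls inside the resulting search scope. Dn normalisation here is
# simplified (case-folding and unescaped-comma splitting only).

def split_unescaped(text: str, sep: str) -> list[str]:
    """Split text on sep, ignoring any separator preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch + text[i + 1])  # keep escape pair intact, e.g. '\;'
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]

def parse_search_base_dns(setting: str) -> list[str]:
    """Search Base Dn entries are separated by ';' unless the ';' is escaped."""
    return split_unescaped(setting, ";")

def is_within(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (suffix match on RDNs)."""
    rdns = lambda s: [r.lower() for r in split_unescaped(s, ",")]
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def in_search_scope(dn: str, search_bases: list[str]) -> bool:
    """An object is found only if it sits under at least one Search Base Dn."""
    return any(is_within(dn, b) for b in search_bases)

if __name__ == "__main__":
    # Constructed values taken from the scenario in the text.
    bases = parse_search_base_dns("ou=sweden,dc=company,dc=com")
    user = "cn=swedishuser,ou=users,ou=sweden,dc=company,dc=com"  # assumed RDN
    group = "cn=nordicgroup,ou=nordic,dc=company,dc=com"
    print("user found:", in_search_scope(user, bases))    # True
    print("group found:", in_search_scope(group, bases))  # False: membership lost
    print(parse_search_base_dns(r"ou=malmo\; sweden,dc=company,dc=com;ou=norway,dc=company,dc=com"))
```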

Ignore Clients

Optional. If enabled, vScope will not report found client computers as potential new targets to scan. If disabled, client computers are reported as new targets and are scanned by credentials that match those targets.

An example: vScope finds the client computer ClientA during a scan of the DS. It is reported back as a new target and vScope resolves the IP of ClientA to 192.168.100.1.

In credential manager there is a WMI credential which is attached to the target range 192.168.100.0/24. This credential matches the IP of ClientA and ClientA is scanned using WMI.

Ignore Servers

Optional. If enabled, vScope will not report found server computers as potential new targets to scan. If disabled, server computers are reported as new targets and are scanned by credentials that match those targets.

Ignore Disabled Users

Optional. If enabled, vScope will not scan disabled user accounts. This means that these accounts will not be visible anywhere in the data presented by vScope.

Ignore Disabled Computers

Optional. If enabled, vScope will not scan disabled computers. Data from the DS about disabled computers will not be visible in the data presented by vScope.

2018-10-02T12:46:03+00:00