How Do You Make the Organization Setting Work to Apply Scopes Through the Management Gateway

Version 6

    IMPORTANT NOTE: This is an untested, unsupported configuration. It has not been tested with the 4.3 appliance.

     

    Description: The Management Gateway has an "Organization" setting that allows scopes to be applied on the Management Gateway. This setting applies to remote control sessions and restricts which clients a user can see: a client is visible only to users with the default "*" organization or with the same Organization as the client.

     

    Issue: This setting was made read-only on the 4.2 version of the Management Gateway Appliance. The reason for this was a change to the authentication method used for users on the Gateway that now includes encrypted pairs.

     

    IMPORTANT NOTE: This procedure and the Organization setting are not supported on the 4.2 appliance; however, this workaround should make the option available. The 4.0 build of the appliance does not need steps 1 through 3 below. All versions of the Management Gateway need steps 4 and 5 to set up organization settings.

     

    Note: Applying patches to the Management Gateway may reverse the settings below.

     

     

    Resolution:

     

    1- Make a backup copy of the /usr/LANDesk/broker/webroot/gsb/users.php file.

    2- Edit the users.php file and search for the ORGANIZATION form fields. There should be several of them, each defined as "readonly". Change the type of each field to "text" and remove the READONLY attribute from the tag. For example, a field looks something like this before the change:

     

    <td><input type=readonly READONLY name=ORGANIZATION...etc.

     

    After the change:

     

    <td><input type=text name=ORGANIZATION...etc.

     

    3- Manually create the organization unit names you need using the gateway database tool "dbtool":

     

    sudo /subin/dbtool -o "organization"

     

    Notes: Substitute whatever organization name you will be using in the statement above. Also, this command must not be run as an elevated user. In other words, if you used "sudo sh" to elevate rights, you will need to exit that shell before running this command. Run the command once for each organization you intend to use.

     

    4- Create users in the administrators console, and be sure to choose the appropriate organization name for each user. A user can only be part of one organization. Users with an "*" as their organization will still be able to see devices in any organization.

     

    5- Configure each client for the desired organization. Create a broker.conf.xml file by running brokerconfig.exe, selecting the second tab, changing the settings (change them right back if you wish) and clicking the "Update" button. This should create a standard broker.conf.xml file in the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder. Edit the file and add an <organization>testorg</organization> tag. An example file is below:

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><broker><proxyCredentials>Og==</proxyCredentials><organization>testorg</organization><ipaddress>66.60.98.146</ipaddress><proxy/><order>0</order></broker>

     

    After the remote control service on the client is restarted, the client should be visible to all users with * as an organization and to users with the specified organization.
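
    Steps 1 and 2 as a repeatable shell edit, with a check that can be re-run after patching the gateway to see whether the fields have reverted to read-only. This is an added example, not LANDesk code: the function names and the .orig/.tmp file names are hypothetical, and it assumes one <input> per line with the attribute casing shown in the article.

```shell
#!/bin/sh
# Added example (not vendor code): steps 1-2 as a repeatable, checkable edit.
# Assumes one <input> per line and the attribute casing shown in the article.

Q="[\"']\{0,1\}"                        # optional quote around an attribute value
SEL="<input[^>]*name=${Q}ORGANIZATION"  # lines that hold an ORGANIZATION input

# Print how many ORGANIZATION inputs are still read-only. Also the check to
# repeat after patching the gateway, since a patch may reverse the change.
count_readonly_org() {
    grep -e "$SEL" -- "$1" | grep -c -e "type=${Q}readonly" -e " READONLY" || true
}

# Step 1: back up the file. Step 2: make the ORGANIZATION inputs editable.
unlock_org_fields() {
    src=$1
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    before=$(count_readonly_org "$src")
    if [ "$before" -eq 0 ]; then
        echo "no read-only ORGANIZATION fields in $src; nothing changed"
        return 0                        # a second run leaves the backup intact
    fi
    cp -p "$src" "$src.orig" || return 1
    sed -e "/$SEL/s/type=\(${Q}\)readonly\1/type=\1text\1/" \
        -e "/$SEL/s/ READONLY//" "$src.orig" > "$src.tmp" || return 1
    if [ "$(count_readonly_org "$src.tmp")" -ne 0 ]; then
        rm -f "$src.tmp"
        echo "unexpected markup in $src; file left untouched" >&2
        return 1
    fi
    cat "$src.tmp" > "$src" && rm -f "$src.tmp"   # keeps owner and mode of $src
    echo "unlocked $before ORGANIZATION field(s); original saved as $src.orig"
}

# Constructed sample markup for a dry run; not copied from a real users.php.
make_sample() {
    cat > "$1" <<'EOF'
<td><input type=text name=USERNAME value="alice"></td>
<td><input type=readonly READONLY name=ORGANIZATION value="*"></td>
<td><input type="readonly" READONLY name="ORGANIZATION" value="testorg"></td>
<td><input type=readonly READONLY name=ID value="7"></td>
EOF
}

# Dry run: sh unlock_org.sh --demo   (gateway: unlock_org_fields <path to users.php>)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && make_sample "$f" && unlock_org_fields "$f" && cat "$f"
fi
```

    Only lines containing an ORGANIZATION input are rewritten, so other read-only fields in the page keep their protection.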