How to use LobbyGuard's Directory feature
The Directory tab in FrontDesk provides the interface for configuring your LobbyGuard employee directory service. The first step is to create a Directory group and the next step is to add employees to that group. You must then associate this group with a LobbyGuard Station in order for the group to appear in the sign-in process.
This feature uses port 389, and the kiosk must be able to communicate bi-directionally with your Active Directory. The customer must place the LobbyGuard kiosk on the same network and behind the same firewall as their Active Directory server, as the software will no longer have the ability to communicate with a customer's Active Directory servers that exist outside of the same network as the kiosks.
The first step is to create a new directory on the "Directory" tab in your FrontDesk account.
After creating a Directory group for employees, you need to add employees/entries to this group. To perform an LDAP Active Directory import, choose the "Import from Microsoft Active Directory" option. There are three options currently available:
- Add Manually
- Import from Excel Spreadsheet
- Import from Microsoft Active Directory
You will then be presented with a few fields that must be filled out, including:
- Server Path - the full LDAP path for the "OU" that you would like to import
- User Name - an administrative login username for your server
- Password - the password for that account
- Filter - an optional field by which you can filter per object class, etc.
Fill out all required fields and click on the "SAVE" button to begin the process.
Now access the workflow section and make sure "Request the name of the person to be visited" is selected.
Next, access the KIOSKS page and select the LobbyGuard product to which you want this feature added.
The Active Directory listing is not actually imported; rather, the kiosk is granted a live stream to the server. If you encounter any kind of error or warning message, please verify that the server path is correct and complete, that your firewall port is open to receive this request, and that the username and password are correct. An entire Active Directory group cannot be imported if it contains a significantly large number of employees. If a large number of employees exist, only that building's employees (or a specific OU of employees) should be used, as there are limitations to the total employees allowed. Additional prerequisites and guidelines are below.
Important Notes:
- LDAP port 389 must be open on the firewall
- The server path must begin with a capital “LDAP” prefix. Using a lower case “ldap” is not allowed.
- The distinguished name path, after the server address, must start with the lowest-level OU on the tree, followed by the parent OUs, and end with the highest-level DCs.
- If a port other than 389 is preferred, it must be specified in the server path using a “:” at the end of the server address.
- The server can either be specified by friendly name or by its IP Address
- The credentials (username/password) used must be administrator-level
- The username credential must have rights and privileges to the OUs that are being called upon
- Active Directory “Users” can be imported but “Computers” and “Groups” are ignored
- An entire Active Directory group cannot be imported if it contains a significantly large number of employees. Only that building's employees (or specific OUs of employees) should be used if a large number of employees exist.
- The “Active Directory Explorer” application should be used as a third-party utility, by the client, if FrontDesk cannot communicate with the client's LDAP server.
- Popular "filters" include:
  - ((objectClass=group)(objectClass=person))
  - objectClass=User
Example:
Server Path: LDAP://72.159.132.000:389/ou=staff,ou=hpes,ou=es1,ou=idv,dc=acsd5,dc=local
Username: ########
Password: ########
Filter: objectClass=User
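A pre-flight check of a Server Path against the formatting rules in the notes above, as an added example (not LobbyGuard code). The function name check_server_path and the sample host names are assumptions made for illustration; it enforces the notes as written, so a path that starts with anything other than an OU is flagged.

```python
import re

# Layout from the notes: LDAP://<server>[:<port>]/<distinguished name>
_PATH = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?/(?P<dn>.+)$"
)

def check_server_path(path):
    """Return (parsed, problems) for a Server Path; problems is empty if it passes."""
    m = _PATH.match(path.strip())
    if not m:
        return None, ["not of the form LDAP://server[:port]/distinguished-name"]
    problems = []
    if m["scheme"] != "LDAP":
        problems.append('prefix must be capital "LDAP"')
    port = int(m["port"]) if m["port"] else 389  # 389 is the default per the notes
    if not 1 <= port <= 65535:
        problems.append("port out of range")
    # Split the DN on unescaped commas into (attribute, value) pairs.
    parts = []
    for rdn in re.split(r"(?<!\\),", m["dn"]):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            problems.append(f"malformed DN component: {rdn!r}")
            continue
        parts.append((attr.strip().lower(), value.strip()))
    kinds = [a for a, _ in parts]
    # The notes require the lowest-level OU first and the DCs last.
    if kinds and kinds[0] != "ou":
        problems.append("DN must begin with the lowest-level OU")
    if kinds and kinds[-1] != "dc":
        problems.append("DN must end with DC components")
    if "dc" in kinds and any(k != "dc" for k in kinds[kinds.index("dc"):]):
        problems.append("no OU may follow a DC component")
    return {"host": m["host"], "port": port, "dn": parts}, problems

if __name__ == "__main__":
    # Constructed sample paths (hypothetical host and OU names).
    for sample in (
        "LDAP://dc01.example.local:389/ou=staff,ou=hq,dc=example,dc=local",
        "ldap://dc01.example.local/ou=staff,dc=example,dc=local",
        "LDAP://dc01.example.local/dc=example,dc=local,ou=staff",
    ):
        print(sample, "->", check_server_path(sample)[1] or "OK")
```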