How do we integrate Service Desk with an Active Directory LDAP directory?

Document ID : KB000053476
Last Modified Date : 14/02/2018

Description:

This article describes the procedure for integrating Service Desk with an Active Directory LDAP directory.

Solution:

  1. Log in to the Service Desk web interface.

  2. Click Administration -> Options Manager -> LDAP (see Figure 1).

    Figure 1: Administration -> Options Manager -> LDAP (screenshot)

  3. The right-hand pane lists 12 LDAP options.

    The following options must be installed; the remaining ones are optional and depend on your requirements.

    Mandatory options:

    ldap_dn
    ldap_enable
    ldap_host
    ldap_port
    ldap_pwd
    ldap_search_base
    ldap_service_type

ldap_dn is the distinguished name of an account in the LDAP directory that has at least read access to the directory. Use a dedicated, read-only service account for this rather than an administrator, since its password is stored in ldap_pwd.
An LDAP query against the domain controller returns the distinguished name of a user. A query example is shown in the screenshot below (see Figure 2):

Figure 2: LDAP query returning the user's distinguished name (screenshot)

Another way to get the ldap_dn is adsiedit.msc, which is available when the Windows Support Tools (on newer servers, the AD DS administration tools) are installed. Launch adsiedit.msc from a command prompt, navigate to the user you want to use as ldap_dn and read its distinguishedName attribute (see Figure 3).

Figure 3: adsiedit.msc showing the user's distinguishedName attribute (screenshot)
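As an added example (not part of the original article), the same lookup can be done from PowerShell with the .NET DirectorySearcher, which needs neither the Support Tools nor adsiedit.msc. The logon name svc_usd and the domain root DC=example,DC=com are placeholder assumptions; substitute your own.

```powershell
# Added example, not from the original article. Placeholders: the account's
# sAMAccountName (svc_usd) and the domain root (DC=example,DC=com).
$sam         = "svc_usd"
$domain_root = "DC=example,DC=com"

# DirectorySearcher binds with the credentials of the user running the script,
# so run it as a domain account on a domain-joined machine. A serverless
# LDAP:// path lets the locator pick any domain controller.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domain_root"
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$hit = $searcher.FindOne()
if ($null -eq $hit) { throw "No user with sAMAccountName '$sam' under $domain_root" }

# This is the value to enter as ldap_dn in Options Manager.
$ldap_dn = [string]$hit.Properties["distinguishedname"][0]
"ldap_dn = $ldap_dn"
```

The filter deliberately pins the sAMAccountName so that exactly one entry comes back; if the script throws, the account does not exist under that root or the caller cannot read it, which is worth knowing before the same DN is typed into ldap_dn. Where the AD DS tools are installed, `dsquery user -samid svc_usd` prints the same distinguished name.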

ldap_enable switches on the LDAP integration; install it to activate the other LDAP options.

ldap_host is the hostname of a domain controller. With multiple domain controllers, the hostname of any domain controller in the domain will do, but note that naming a single controller makes the integration depend on that one controller being up.

ldap_port: the default is 389, the standard port for LDAP over TCP. Unless TLS is negotiated on the connection, a simple bind on port 389 sends ldap_pwd to the domain controller in cleartext, so the Service Desk server and the domain controller should sit on a trusted network.
The global catalog port, 3268, may be used instead. A global catalog server holds a replica of every object in the forest, which is useful when users are spread over several domains, but only a subset of each object's attributes (the partial attribute set), so any attribute Service Desk needs must be part of that set.

ldap_pwd is the password of the account named in ldap_dn.

ldap_search_base is the search base, i.e. the OU in which all Service Desk users are placed. If the Service Desk users are spread over several OUs, use the distinguished name of the domain as the search base, for example DC=microsoft,dc=com.

ldap_service_type is the kind of LDAP server in use: for a Windows domain controller it is Active Directory, otherwise Unix.

The other options available in Options Manager are:

ldap_enable_auto
ldap_enable_groups
ldap_group_object_class
ldap_sync_on_null
ldap_user_object_class

ldap_enable_auto creates contacts automatically when users log in to Service Desk:
if a user does not exist in the Service Desk database but does exist on the LDAP server, the contact is created at that user's first login.

ldap_enable_groups derives a user's access type from the user's group membership.
Once this option is installed, an "LDAP Access Group" link appears under Web Authentication for each access type.

ldap_sync_on_null makes contacts synchronise even when some fields have null attributes on the LDAP server.

ldap_user_object_class and ldap_group_object_class name the LDAP object classes that Service Desk treats as user and group entries.

These five options have default values and may be left as they are.

Once all the values have been determined and all the options are installed, the USD service MUST be recycled (restarted) for the settings to take effect.

To check that the integration works, open a command prompt on the Service Desk server and run ldap_test.

This program takes its input from the values of the LDAP options and prints its output to the command prompt, as shown below (see Figure 4).

Figure 4: ldap_test output (screenshot)

Running ldap_test does not fetch contacts from the LDAP server into the USD database.
Its output is read-only; if it looks like the screenshot above, the LDAP integration is working.
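Because ldap_test only reports a result once the options are installed and the service has been recycled, it is worth confirming the mandatory values (ldap_host, ldap_port, ldap_dn, ldap_pwd and ldap_search_base, as described above) outside Service Desk first. The following PowerShell script is an added example and is not part of the original article or of the Service Desk product; it performs the same simple bind and subtree search that those option values describe, using the .NET System.DirectoryServices.Protocols classes. The hostname, DNs and account name are placeholder assumptions.

```powershell
# Added example, not from the original article or the Service Desk product.
# Every value below is a placeholder assumption; replace it with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldap_host        = "dc01.example.com"
$ldap_port        = 389          # 3268 to test the global catalog instead
$ldap_dn          = "CN=svc_usd,OU=Service Accounts,DC=example,DC=com"
$ldap_search_base = "DC=example,DC=com"
$ldap_pwd         = Read-Host -AsSecureString -Prompt "ldap_pwd for $ldap_dn"

# 1. Is ldap_host reachable on ldap_port at all? (Test-NetConnection needs
#    Windows 8 / Server 2012 or later.)
$tcp = Test-NetConnection -ComputerName $ldap_host -Port $ldap_port
if (-not $tcp.TcpTestSucceeded) { throw "No TCP connection to ${ldap_host}:${ldap_port}" }

# 2. Does a simple bind as ldap_dn with ldap_pwd succeed? Bind() throws an
#    LdapException (e.g. error 49 for invalid credentials) if it does not.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldap_host, $ldap_port)
$cred = New-Object System.Net.NetworkCredential($ldap_dn, $ldap_pwd)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as a DN + password implies
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()
"Bind as $ldap_dn succeeded"

# 3. Can that account read user objects under ldap_search_base?
$filter = "(&(objectCategory=person)(objectClass=user))"
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $ldap_search_base, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@("sAMAccountName", "distinguishedName"))
$req.SizeLimit = 5   # a handful of hits is enough to prove the search base is right

try {
    $resp = $conn.SendRequest($req)
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # With more than 5 matching users the server answers sizeLimitExceeded; the
    # partial result set is still attached to the exception and is what we want.
    if ($_.Exception.Response.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::SizeLimitExceeded) { throw }
    $resp = $_.Exception.Response
}

"Users found under ${ldap_search_base} (first $($resp.Entries.Count)):"
foreach ($e in $resp.Entries) { "  " + $e.DistinguishedName }
if ($resp.Entries.Count -eq 0) {
    Write-Warning "Search base is reachable but contains no user objects; check ldap_search_base"
}
$conn.Dispose()
```

Each of the three steps isolates one option: a failure in step 1 points at ldap_host or ldap_port (or a firewall), in step 2 at ldap_dn or ldap_pwd, and an empty result in step 3 at ldap_search_base. Run the script from the Service Desk server itself, since that is the host whose network path and name resolution the integration will use, and keep in mind that the simple bind in step 2 sends the password in cleartext over port 389.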

If web authentication is set to "Use Operating System Authentication", users are authenticated by the operating system, and the LDAP integration handles the authorization (which contact and access type the user receives).