This document provides a sample setup of using CA Directory to integrate CA Service Desk with multiple Active Directory Domains.
Multiple Active Directories in Service Desk
Problem: Trying to load contacts into Service Desk from multiple Active Directories.
Reasons: Companies often find that they have multiple Active Directories. The reasons can include:
- Acquisition of new companies.
- Geographical diverse organizations.
- Regions that were self sufficient.
There is a large amount of effort involved in getting different directories back into one directory.
Solution: Modify EIAM to link multiple Active Directories.
See Figure 1:
Description of Solution
The Service Desk is configured to run the LDAP extraction/merge from the EIAM directory.
A new service needs to be created within EIAM to link to the multiple Active Directories. Do not worry about the existing EIAM service.
For the technically minded, we need to set up a new dxserver which contains links to the Active Directories. For the rest of people, we need to add five files to the EIAM folders on the Service Desk server and make a few changes to these files.
Copy the file HT.dxi (from server.zip attached) in the directory "...\eTrust Directory\dxserver\config\servers"
This file should not be modified. The entry on line 19 is the only entry that has been added to the standard file. There is no special meaning attached to the names of the files; we configured the set-up for Department of Health Technology and hence "HT" in all the file names.
Copy the four files( from server.zip attached)
in the directory "...\eTrust Directory\dxserver\config\knowledge"
Do not modify HTAD.dxg. This file contains a list of the other three files.
The file HT.dxc contains the name of the Service Desk/EIAM server and the port number that Service Desk will use to connect. In the sample, the server name is CAUSD01 and the port is 30389. Change the server name in line 12 to suit your environment.
The file HTAD1.dxc contains a number of entries relating to the first Active Directory server. There are number of lines that will need to be modified as described below.
Line 10 contains the start of the directory tree that contains the user details in the Active Directory. In this sample, the Domain Name is CAHTAD01.ca.com. If the new Domain Name is Acme1.com, then change the fields
From: "<com><dc CA><dc CAHTAD01>"
To: "<dc com><dc Acme1>"
Line 11 contains the start of the directory tree If the new Domain Name is Acme1.com then change this line as follows:
From: <dc com><dc CA><dc CAHTAD01>
To: <dc com><dc Acme1>
Line 13 contains the name of the user who has read access to all the user names in this Active Directory. If the new Domain is Acme1 and the new user is called "ReadOnlyUser", change the fields
From: <dc com><dc CA><dc CAHTAD01><cn Users><cn Administrator>
To: <dc com><dc Acme1><cn Users><cn ReadOnlyUser>.
Line 14 contains the password for the above user (ReadOnlyUser). (this password is in cleartext! However, this user need only have very limited access)
Line 15 contains the name of the Active Directory server. Change the field CAAD1 to whatever the name of the active directory server. The port 389 is the normal port used by Active Directory.
The file HTAD2.dxc contains similar entries to HTAD1.dxc. Change the lines to suit the name etc for the second Active Directory server.
From a DOS command, run "dxserver status". The following should display.
iTechPoz-CAUSD01 started Then run the command "dxserver start HT".
There is no need to stop or start any other services.
Check under the "Control Panel/Administrative Tools/Services" to ensure that HT is set for automatic start. It will be called eTrust Directory - HT
Then you should be able configure Service Desk to extract the LDAP contacts in the "normal" manner.
The entries should be similar as below.
LDAP Logon Distinguish Name or "Ldap_dn". This is the name of a user in one of the Active Directories. The entry for this option should look like this for a "ReadOnlyUser": cn=ReadOnlyUser,o=AD1,c=au.
This is the same user as described in line 13 of the file HTAD1.dxc. The fields o=AD1,c=au replaces the <dc com><dc Acme1><cn Users>
LDAP Logon Distinguish Name logon password or "Ldap_pwd". This is the same as in line 14 of the file HTAD1.dxc
LDAP Server Host Name or "ldap_host". This would be the name of the EIAM server/Service Desk server
LDAP Server Port number or "ldap_port". This would be 30389 unless the entry in HT.dxc was changed.
LDAP Server Search Base or "ldap_search_base". This should be set to c=au. This is where the users from both Active Directories have been listed.
Please do not change this unless you understand how eTrust Directory works as it has to do with line 9 of HTAD1.dxc and HTAD2.dxc.
LDAP Service Type or "ldap_service_type" This should be set to eTrust.
LDAP Server User Object Class or "ldap_user_object_class". This should be set to "person" as in normal Active Directories.
Additional Active Directories
If there are more than two Active Directories, then it is a simple exercise of adding additional entries.
- Copy HTAD1.dxc and rename as HTAD3.dxc. This should be stored in the directory: "...\eTrust Directory\dxserver\config\knowledge"
- Modify entries as described in step 5 above.
- Add an entry of source "HTAD3.dxc" to the HTAD.dxg file.
- From a DOS command, run "dxserver status". If the HT is "started", then run "dxserver stop HT", followed by "dxserver start HT".