You can configure CA Service Desk Manager to create a contact automatically from a corresponding LDAP user record whenever a new user logs in to Service Desk. To enable this feature, the ldap_enable_auto option must be installed in addition to the required LDAP options.
With the feature in effect, when the contact is created in Service Desk automatically for the new user, the access type is also assigned automatically. However, in some situations the access type is not assigned.
The access type is not assigned when the LDAP user is not a member of the Domain Users group.
For example, suppose you want Service Desk to create new contacts with the Analyst access type for LDAP users in the Domain Admins group (see Figure 1):
If the LDAP user is a member of the Domain Admins group only, the Service Desk contact is created automatically, but the access type is set to NULL on the contact detail (see Figure 2):
To resolve the problem, the LDAP user must be a member of both the Domain Admins group and the Domain Users group.
Also consider that if the contact belongs to multiple groups in LDAP, and those groups are mapped to Access Types in Service Desk, Service Desk is unable to determine which access type to attach to the contact.
A contact in LDAP can belong to multiple groups ("memberOf" attribute in LDAP). The r11.2, r12.1, and r12.5 releases of Service Desk do not provide support for multiple group mappings. If there are Access Types in Service Desk mapped to groups in LDAP, and a user belongs to more than one of those same LDAP groups, Service Desk is unable to determine which one to use. It chooses the first LDAP group it finds for the Access Type or it does not populate the contact's Access Type at all.
In the case of the Access Type not being populated on the contact, the user receives the access and permissions of the Access Type in Service Desk marked as the "Default".
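
The following added example (not CA code, and not part of the original article) models the outcomes described above so that LDAP accounts can be reviewed before their first login silently leaves them on the "Default" access type. The group-to-access-type mapping, the "SD Customers" group, the sample users and all function names are assumptions made for illustration.

```python
import re

# Constructed mapping of LDAP group CN to Service Desk access type (assumption).
ACCESS_TYPE_BY_GROUP = {"domain admins": "Analyst", "sd customers": "Customer"}
REQUIRED_GROUP = "domain users"  # membership this page says is required
_CN = re.compile(r"^\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)

def group_names(member_of):
    """Return the case-folded CN of every memberOf DN, with escapes removed."""
    names = set()
    for dn in member_of:
        m = _CN.match(dn)
        if m:
            names.add(re.sub(r"\\(.)", r"\1", m.group(1)).strip().casefold())
    return names

def predict_access_type(member_of):
    """Return (access_type, reason); None means unpopulated or undetermined."""
    groups = group_names(member_of)
    mapped = sorted(g for g in groups if g in ACCESS_TYPE_BY_GROUP)
    if REQUIRED_GROUP not in groups:
        return None, "not in Domain Users: access type set to NULL"
    if not mapped:
        return None, "no mapped group: nothing to assign"
    if len(mapped) > 1:
        return None, "multiple mapped groups: " + ", ".join(mapped)
    return ACCESS_TYPE_BY_GROUP[mapped[0]], "single mapped group"

# Constructed sample records. Pass each user's full group list: Active
# Directory, for one, does not list the primary group in memberOf.
SAMPLE_USERS = {
    "alice": ["CN=Domain Admins,CN=Users,DC=example,DC=com",
              "CN=Domain Users,CN=Users,DC=example,DC=com"],
    "bob": ["CN=Domain Admins,CN=Users,DC=example,DC=com"],
    "carol": ["CN=Domain Admins,CN=Users,DC=example,DC=com",
              "CN=SD Customers,OU=Groups,DC=example,DC=com",
              "cn=domain users,CN=Users,DC=example,DC=com"],
}

def audit(users):
    """Return {user: reason} for every user whose access type needs review."""
    return {u: reason for u, dns in users.items()
            for at, reason in [predict_access_type(dns)] if at is None}

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_USERS).items():
        print(f"{user}: {reason}")
```

Users reported by `audit` are the ones to check against the "Default" access type, since that is the access they receive when the contact's access type is not populated.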