The LDAP interface of HotH will extract data from one or more directory service providers (e.g. Active Directory) using the LDAP application protocol. It uses the data to create HotH Customers, Contacts, and if required, WebGuest logins. It is only available from the Windows UI at present.
The maintenance screen for the LDAP interface can be reached from the Explorer menu on the left-hand side, where the option is termed “Scripts”. On selecting this, the summary panel shows one line for each LDAP script that has been created. “New” allows creation of a new script. In both cases, the user is presented with a screen as shown below.
To make a connection and extract data from an AD system, various options have to be populated in the above screen. Clicking on the button “Query LDAP Server” will initiate the extract but will not load the data into HotH, so it can be used whilst testing. To load the data into HotH, the button “Load above data into SupportDesk” has to be clicked.
Once a connection has been made to the AD database, it is the other settings on the screen that control what data is extracted and how it is loaded into HotH.
The settings to connect with the AD system are listed below:
This must be the AD server (name or IP Address).
A username that can connect to that Server and has rights to query AD.
A valid password for the given user.
Should be the Domain of the AD.
The point from where HotH will start searching for users in your AD structure. It is your full domain with each component of the domain name preceded with “DC=” (for example, the Base DN for myCompany.com would be DC=myCompany,DC=com). The Base DN field can be extended to provide some filtering of data from AD. For example, you may wish to only load users from an OU called Users. In this case, your Base DN might be: “OU=Users,DC=MyCompany,DC=com”.
There are three options for the Scope. The most common option is Whole Tree. Unless advised otherwise by one of the House-on-the-Hill consultants, choose this setting.
Filter
Allows filtering of the data extracted from AD. There are built-in options available from the Filter drop-down and, unless advised otherwise, use the one highlighted here. This filter will exclude all users marked as Disabled in AD.
As can be seen in the filter, use can be made of wildcards (cn=*) to return all users. This can be modified for testing purposes or if your AD contains more than 1000 users, when it can also be used to split the extracted users between multiple scripts. There is a limit on the number of results AD will return from an LDAP query (default is around 1000). If you need to load more than 1000 users from AD, the example filters below would be applied to identical scripts and would have the effect of extracting the data selectively based on the first letter of the user name. So filter 1 would pull out users beginning with “a”, filter 2 would include those beginning with “b” through to “h”, and filter 3 “i” through to “o”. More filters can be added to cover all users.
(&(objectClass=User)(objectCategory=User)(|(cn=b*)(cn=c*)(cn=d*)(cn=e*)(cn=f*)(cn=g*)(cn=h*))(!userAccountControl:1.2.840.113556.1.4.803:=2))
(&(objectClass=User)(objectCategory=User)(|(cn=i*)(cn=j*)(cn=k*)(cn=l*)(cn=m*)(cn=n*)(cn=o*))(!userAccountControl:1.2.840.113556.1.4.803:=2))
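An added example, not part of the HotH documentation or product: a Python sketch that generates the per-script filters described above and simulates the split over constructed sample accounts, showing which enabled users no script would load. The function names, the letter group after “o” and the sample data are assumptions made for illustration.

```python
# Bit-wise AND matching rule; with value 2 it tests the "account disabled" flag.
BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2


def build_filter(letters):
    """Return the enabled-user filter for CNs starting with any of `letters`."""
    prefixes = "".join(f"(cn={c}*)" for c in letters)
    return ("(&(objectClass=User)(objectCategory=User)"
            f"(|{prefixes})(!userAccountControl:{BIT_AND}:=2))")


def partition(groups):
    """Build one filter per letter group; reject overlaps and filter metacharacters."""
    seen = set()
    for g in groups:
        if not g.isalnum():
            raise ValueError(f"group {g!r} needs RFC 4515 escaping, refusing")
        dup = seen & set(g.lower())
        if dup:
            raise ValueError(f"letters in more than one script: {sorted(dup)}")
        seen |= set(g.lower())
    return [build_filter(g.lower()) for g in groups]


def assign(users, groups):
    """Simulate the split over (cn, userAccountControl) pairs.

    Returns (loaded, missed): CNs per group, and enabled users no group matches.
    """
    loaded = {g: [] for g in groups}
    missed = []
    for cn, uac in users:
        if uac & ACCOUNTDISABLE:
            continue  # dropped by the (!userAccountControl...) clause
        first = cn[:1].lower()  # AD matches cn case-insensitively
        hit = next((g for g in groups if first in set(g.lower())), None)
        (loaded[hit] if hit else missed).append(cn)
    return loaded, missed


# Constructed sample data, not taken from any real directory.
GROUPS = ["a", "bcdefgh", "ijklmno", "pqrstuvwxyz"]
SAMPLE = [("Alice Ames", 512), ("bob.hall", 512), ("Carol Dee", 514),
          ("Ian Obi", 66048), ("3rd-line-support", 512), ("Zoe Quinn", 512)]

if __name__ == "__main__":
    for f in partition(GROUPS):
        print(f)
    print(assign(SAMPLE, GROUPS))
```

In the sample, the disabled account is skipped and the account whose name starts with a digit falls outside every letter group, so a letter-only split needs an extra script for such names.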
LDAP Authentication is not normally ticked. When you have LDAP Authentication switched on, HotH passes the login and password combination to the LDAP server for authentication. Careful consideration should be taken before ticking this option as you may find yourself locked out of the software if the LDAP setup is incorrect.
The final settings at the bottom of the screen control how and where the data is loaded into HotH.
Loading Mode
Determines how the data will be loaded into HotH. The most common loading mode is “Users as SupportDesk Customers & Computers as Inventory”. Unless advised otherwise by a House-on-the-Hill consultant, choose this setting. Changing the Loading Mode can make big changes to your setup and it should not be changed without careful consideration.
- Load OUs as Ticket Folders – Not usually set. If set, the load will create multiple Ticket folders in line with the names of your OUs.
- Load OUs from Highest Level – Not usually set. This controls where HotH will read the OUs from per user before writing the information to House-on-the-Hill.
When HotH imports your Customers from Active Directory, if a customer is in an Organisational Unit, HotH will record the OU in the Customer OU field, just underneath the Title field in the Customer screen. However, you can have OUs within OUs in Active Directory. HotH can record up to two levels of OUs on the Customer screen. The first OU goes into the OU field mentioned above, and the next level goes into the Department field (unless a Department has been set in AD, in which case that value is added).
- Add Customers as WebGuests – If the option is ticked HotH will create a WebServer Account for each user as well as a Customer record as part of the load process. A Customer Lock-In will be applied to all WebGuest Accounts. This will lock them into seeing ONLY their own Tickets when they log into the WebServer – these rights can be modified using the Login maintenance screen.
- Sync – This option works in conjunction with the Workflow Engine, also known as the Escalator. If the Sync option is ticked and the equivalent option “Sync LDAP” is ticked on the Escalator configuration screen, then the script will be run automatically once a day by the Escalator. By default, the LDAP Sync will be run at the first scan of the Escalator after midnight unless specific offsets have been set in the database.