Layton ServiceDesk - Utilities - LDAP Import End User

From Layton Support

Revision as of 03:58, 1 August 2018


Overview

The LDAP End User import function allows you to connect to an Active Directory server or multiple servers and pull back user information. The import may be processed manually and it can also be configured to allow Layton ServiceDesk to automatically create and update (but not remove) end users from information captured from Active Directory. Field mappings (Map Fields button) may be specified to ensure that all required data is captured and filters (Filter Users button) provide the ability to select which OUs or Users are imported.

The import process checks AD against the existing End Users. Any new ones are added. Existing ones are not reimported.

Multiple Configurations

Note that it is possible to create multiple server connections. This is useful for targeting specific OUs: a BaseDN specific to an OU reduces the number of items displayed in the Filter dialog and also improves performance.

Setting up the LDAP (Active Directory) Connection

LDAP List

To set up an LDAP connection, go to Administration > Utilities > LDAP (AD) Import End User to load the End User LDAP List:


[Screenshot: Ldap import end user panel.png]


Add LDAP Server

Any existing LDAP connections will be displayed in the table. To create a new connection, click the Add button and a dialog will appear:


[Screenshot: Ldap import end user add server.png]

Setting Descriptions

Server Name

This is simply a name used to identify this LDAP connection. It is not mandatory and any value can be entered.

LDAP Server Type

Selects the type of LDAP server, currently limited to Active Directory.

Server

Enter the LDAP Server address in the following format: LDAP://servername (LDAP must be capitalized)

User

Enter a user account with access to the LDAP server.

Password

Enter the password for the user account specified above.

Filter End Users With Empty Email

Turn this On to import only users with an email address in their LDAP account.

Auto Import

Periodically run the user import based on the selected interval. Daily imports will start the next day. If you only intend to run manual imports, you should specify Never. The automatic import is run by the Layton ServiceDesk background process and does not require any Analyst intervention or an Analyst to be logged in to the system.

Imported AD End User Default Password

This allows you to specify a default Layton ServiceDesk password for all End Users. This password is only used for access to Layton ServiceDesk when logging in manually and is not the same as the Active Directory password. This setting is useful for new End Users so that the same password can be given out and then changed by the End User, if allowed.

Company

Available only if Company Level has been turned on, this sets the Company for the imported end users. You will need to have created the Companies first in Administration > Users & Groups > Manage Company.

BaseDN

Enter a specific OU to load. The filter may be used to do the same thing. Syntax: ou=users,dc=server,dc=com.

Once the LDAP connection has been saved, it will be displayed in the list of LDAP connections along with options to Map fields, Filter Users & Groups, view the log file, and manually run the import.

Map Fields

Selecting the Map Fields button will allow you to enter Active Directory attributes and map them to fields in Layton ServiceDesk. There are four fields provided in the default configuration to import the username, email address, first name, and last name:


[Screenshot: Ldap import end user map fields.png]


These values will be transferred from Active Directory into the mapped ServiceDesk field during the import. If the sys_eusername field is removed, it will be mapped by default to the login name of the directory user. The Active Directory attribute is a free-type field, as versions of Active Directory are extensible and can have custom attributes attached to them. A list of standard Active Directory attributes for 2000/2003 domains is shown below:


2000 Server Domain   2003 Server Domain   Fields to Map
------------------   ------------------   -------------------------
mail                 mail                 sys_email
name                 samaccountname       sys_eusername
givenname            givenname            sys_forename
sn                   sn                   sys_surname
department           department           sys_eclient_id
DisplayName          DisplayName          Map to user-defined field

To obtain a complete list of LDAP attribute names, see Retrieving Additional Active Directory Attributes below.

OU Name

While not part of a default set of field mappings, the End User table field sys_ouname must be mapped to the applicable field on the LDAP server in order to use it in Business Rules.

Retrieving Additional Active Directory Attributes

Above are the most common settings for most domains; however, these may not work in every environment. The most effective way to obtain the LDAP mappings for your domain is to run the LDP tool.

  1. Log into the LDAP server as a domain admin.
  2. Run LDP.exe.
  3. From the Connection menu, click Connect. In the Connect pop-up, ensure the Domain controller's machine name appears, leave the rest as default, then click OK. You should now see some information about the Active Directory schema.
  4. From the Connection menu, click Bind. A Bind window will pop up asking for your user name and password. Enter these credentials, ensure the correct domain name appears in the Domain box, then click OK.
  5. Click the View menu and select Tree. A Tree view pop-up will appear, asking for a BaseDN. Leave it blank and click OK.
  6. In the left-hand pane, you should now see a tree structure of the different OUs that have been created in Active Directory.
  7. Expand an OU. You should now see a list of users identified as an LDAP string. Double-click one of the user strings in the left-hand pane. In the right-hand pane, you should now see the user within the pane. All LDAP attribute names are now clearly identified showing something like this:
Expanding base 'CN=Glenn Parker,CN=Users,DC=domain,DC=local'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Glenn Parker,CN=Users,DC=domain,DC=local
1> memberOf: CN=users,CN=Builtin,DC=domain,DC=local;
1> accountExpires: 9223374567854775807;
1> adminCount: 0;
1> badPasswordTime: 14658789812203906250;
1> badPwdCount: 1;
1> codePage: 0;
1> cn: Glenn Parker;
1> countryCode: 0;
1> department: Accounting;
1> displayName: Glenn Parker;
1> mail: [email protected];
1> givenName: Glenn Parker;
1> instanceType: 4;
1> lastLogoff: 0;
1> lastLogon: 127590245253906250;
1> logonCount: 2;
1> distinguishedName: CN=Glenn Parker,CN=Users,DC=domain,DC=local;
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local;
4> objectClass: top; person; organizationalPerson; user;
1> objectGUID: 5a3456cb-9723-4r123-8172-06231223b048;
1> objectSid: S-15-B2768d30-1E9285F2-8Fc3EE1G-414;
1> primaryGroupID: 513;
1> pwdLastSet: 127590244556093750;
1> name: Glenn Parker;
1> sAMAccountName: Gparker;
1> sAMAccountType: 8023016168;
1> userAccountControl: 64546;
1> userPrincipalName: [email protected];
1> uSNChanged: 52347;
1> uSNCreated: 6719;
1> whenChanged: 4/26/2005 17:27:35 Eastern Standard Time `Eastern Standard Time;
1> whenCreated: 8/23/2004 8:52:4 Eastern Standard Time Eastern Standard Time;

Note: Any fields to be imported from Active Directory that are not already identified in Layton ServiceDesk (e.g. Address, State, Zip, etc.) will need to be added to the user table in Administration > Data Design > End User Data. Once you have added your custom fields, go to Form Design > End User to add the new user-defined fields. When the import runs, it will allow you to populate these fields.
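To make those attribute names easier to collect, here is an added Python example (not part of Layton ServiceDesk or the LDP tool) that parses LDP's attribute listing into a dictionary and looks attributes up case-insensitively; the LDP text it reads is a constructed sample with placeholder names and values.

```python
"""Parser for the attribute listing LDP.exe prints when you double-click a
user, as in step 7 above.  Added example, not part of Layton ServiceDesk.
The sample below is constructed in the same "N> attribute: value;" format."""
import re

# Constructed LDP output: placeholder user, domain and values.
LDP_SAMPLE = """\
Expanding base 'CN=Example User,CN=Users,DC=example,DC=local'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Example User,CN=Users,DC=example,DC=local
1> memberOf: CN=users,CN=Builtin,DC=example,DC=local;
1> department: Accounting;
1> displayName: Example User;
1> mail: example.user@example.local;
1> givenName: Example;
1> sn: User;
4> objectClass: top; person; organizationalPerson; user;
1> sAMAccountName: euser;
1> userAccountControl: 514;
"""

# "<count>> <attribute>: <values>;" where count is the number of values.
_ATTR_LINE = re.compile(r"^(\d+)>\s*([^:]+):\s*(.*?);?\s*$")
_DN_LINE = re.compile(r"^>>\s*Dn:\s*(.+?)\s*$")


def parse_ldp_entry(text):
    """Return (dn, attributes) for one entry of LDP output.

    Single-valued attributes are strings; multi-valued ones (count > 1)
    become lists split on ';'.  Header lines such as "Result <0>" are skipped.
    """
    dn, attrs = None, {}
    for line in text.splitlines():
        m = _DN_LINE.match(line)
        if m:
            dn = m.group(1)
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        count, name, raw = int(m.group(1)), m.group(2).strip(), m.group(3).strip()
        if count > 1:
            attrs[name] = [v.strip() for v in raw.split(";") if v.strip()]
        else:
            attrs[name] = raw
    return dn, attrs


def get_attribute(attrs, name):
    """Case-insensitive lookup: LDAP attribute names are not case-sensitive,
    so 'samaccountname' in the mapping table and 'sAMAccountName' in LDP
    output refer to the same attribute."""
    wanted = name.lower()
    for key, value in attrs.items():
        if key.lower() == wanted:
            return value
    return None
```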

Filter

The filter loads the entire OU into a tree structure allowing you to select the users and groups to be included in the import. Navigate the directory structure and select the desired objects, then click save to include them in the import.


[Screenshot: Ldap import end user filter.png]


View Log

Every manual and automatic LDAP import action will record a log file. The log files are listed in this table, where they may be downloaded, viewed, and deleted.


[Screenshot: Ldap import end user logs.png]


Import

The LDAP Active Directory import will run automatically according to the setting specified in the Auto Import section of the LDAP Server settings. If this field was set to Never, the import may be run manually by clicking the Import Users button. This runs the Import in three steps and outputs the results to a log file.

  1. The import checks for all End Users in Layton ServiceDesk that are not in Active Directory. These users are written to the Log file. They can be dealt with by the Layton ServiceDesk Administrator at a later time.
  2. The import checks for all End Users in Layton ServiceDesk that are present in Active Directory. If they are included in the Filter, then these users are updated with data from Active Directory and written to the Log file.
  3. The import checks for all users in Active Directory that are not listed as End Users in Layton ServiceDesk. If they are selected in the filter, then Layton ServiceDesk will create these End Users from Active Directory. These users are also written to the Log file.

For example, this is the result of importing 8 new end users:

[Screenshot: Ldap import end user import.png]

Disabling End Users Automatically on Import

If an End User account is disabled in Active Directory, then either when the schedule runs or a manual import is run, the End User account in Layton ServiceDesk will be disabled.
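As an added example (not Layton ServiceDesk's own code), the following Python models the three import steps above, the Filter End Users With Empty Email option, the default Map Fields mapping and the disable-on-import rule, run over constructed AD entries and End Users. It assumes the filter is a set of sAMAccountNames, that End Users are keyed by sys_eusername, and that a disabled AD account is one with the ACCOUNTDISABLE bit (0x2) set in userAccountControl.

```python
# Added example, not Layton ServiceDesk code: the three import steps and the
# disable-on-import rule applied to constructed data.  Assumes the filter is
# a set of sAMAccountNames and End Users are keyed by sys_eusername.
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account

# ServiceDesk field -> AD attribute, the default Map Fields configuration.
DEFAULT_MAP = {
    "sys_email": "mail",
    "sys_eusername": "sAMAccountName",
    "sys_forename": "givenName",
    "sys_surname": "sn",
    "sys_eclient_id": "department",
}

# Constructed AD entries (userAccountControl 514 = normal account + disabled).
AD_USERS = [
    {"sAMAccountName": "aperez", "mail": "a.perez@example.local", "givenName": "Ana",
     "sn": "Perez", "department": "Accounting", "userAccountControl": "512"},
    {"sAMAccountName": "bkhan", "mail": "", "givenName": "Bilal",
     "sn": "Khan", "department": "IT", "userAccountControl": "512"},
    {"sAMAccountName": "cliu", "mail": "c.liu@example.local", "givenName": "Chen",
     "sn": "Liu", "department": "Sales", "userAccountControl": "514"},
]
# Constructed existing End Users: cliu is in AD, dold has left the directory.
END_USERS = {
    "cliu": {"sys_eusername": "cliu", "sys_email": "old@example.local", "sys_forename": "Chen",
             "sys_surname": "Liu", "sys_eclient_id": "Sales", "disabled": False},
    "dold": {"sys_eusername": "dold", "sys_email": "d.old@example.local", "sys_forename": "Dan",
             "sys_surname": "Old", "sys_eclient_id": "IT", "disabled": False},
}


def map_fields(entry, mapping=DEFAULT_MAP):
    """Copy mapped AD attributes into an End User row; sys_eusername falls
    back to the directory login name when it is not mapped."""
    row = {field: entry.get(attr, "") for field, attr in mapping.items()}
    row.setdefault("sys_eusername", entry.get("sAMAccountName", ""))
    return row


def import_end_users(ad_users, end_users, selected, filter_empty_email=False,
                     mapping=DEFAULT_MAP):
    """Run the import and return (new End User table, log lines).
    end_users is copied, not modified; logins compare case-insensitively."""
    log = []
    users = {k.lower(): dict(v) for k, v in end_users.items()}
    ad_by_login = {u["sAMAccountName"].lower(): u for u in ad_users}
    chosen = {s.lower() for s in selected}

    def importable(login):
        # Ticked in the Filter dialog and, with the email filter on, has a mail.
        if login not in chosen:
            return False
        if filter_empty_email and not ad_by_login[login].get("mail"):
            log.append(f"skipped, no email address in AD: {login}")
            return False
        return True

    # Step 1: End Users no longer in AD are only logged, never removed.
    for login in users:
        if login not in ad_by_login:
            log.append(f"not in AD, left for the administrator: {login}")
    # Step 2: End Users present in AD are refreshed when the filter includes them.
    for login in users:
        if login in ad_by_login and importable(login):
            users[login].update(map_fields(ad_by_login[login], mapping))
            log.append(f"updated from AD: {login}")
    # Step 3: AD users that are not End Users yet are created when selected.
    for login, entry in ad_by_login.items():
        if login not in users and importable(login):
            users[login] = map_fields(entry, mapping)
            users[login]["disabled"] = False
            log.append(f"created from AD: {login}")
    # An account disabled in AD is disabled in ServiceDesk on every run.
    for login, row in users.items():
        entry = ad_by_login.get(login)
        if entry and int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            row["disabled"] = True
            log.append(f"disabled in AD, End User disabled: {login}")
    return users, log
```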

Delete

This option is used to remove LDAP connections that are no longer needed.

Editing an LDAP Server Connection

You can edit a connection by clicking its Name or Server Path in the Manage End User Import LDAP (Active Directory) List. Make any required changes, then click the Save button.

Important: You must restart the LaytonServiceDesk Windows service in the Windows Services console or the old server details will still be in effect.
