Preferences

Integration

LDAP Integration

Introduction to SysAid LDAP integration

This page allows you to integrate SysAid with your LDAP (Lightweight Directory Access Protocol). Integration with your LDAP gives you several benefits:

• Import all users and user groups into SysAid automatically to save time and prevent mistakes that could occur from having to duplicate all of your data.
• When users log into SysAid, authenticatication is through your LDAP. This means that your users have the same password for SysAid as they do for their computers, and all login attempts are recorded centrally in your LDAP.
• When using Active Directory as your LDAP, enable Single sign on so that your users are automatically logged into SysAid the moment they log into their computers.
• When using Active Directory as your LDAP, enable the Password Services module to reset LDAP passwords and unlock LDAP accounts using SysAid.

There are two ways to configure your LDAP settings:

1. Using the LDAP configuration wizard (Active Directory only)
2. By inputting your individual LDAP settings manually

LDAP Configuration Wizard

Click the LDAP configuration wizard button to open the LDAP configuration wizard and then fill out the following fields:

Server type

This should be left as Active Directory, unless you're using an old Exchange 5.5 server for LDAP.

LDAP host name

This is the name of the computer that's hosting your LDAP.

LDAP port number

If you are using an unsecured connection, this is typically 389. If you are using an SSL connection, this is typically 636. Unless you've changed the ports for your LDAP, you shouldn't need to change this.

User Name

This is a user who has at least read privileges to your entire LDAP structure.

Password

The password for the LDAP user.

Domain

This is the domain you will be importing from LDAP. For non-simple Authentication Type, please enter the full domain.

Authentication Type

Leave this as Simple unless you specifically know that you need to use another authentication type.

LDAP over SSL

Check this to use SSL for the connection between your SysAid Server and your LDAP. Note that changing this will automatically update the port number.

Important: If you plan on using the Password Services module, you must a) enable an SSL connection to your LDAP and b) use an LDAP user with administrator privileges.

 Using the LDAP configuration wizard

Click Check Settings to verify that you've correctly entered your LDAP settings. If the LDAP connection is successful, you will receive a confirmation at the bottom of the wizard screen (see image above). If you are unsuccessful, please recheck your LDAP host name, user name, password, and domain, and then try again.

Click Save when you are done. Your LDAP structure should be automatically imported into SysAid, and you may then fine-tune your LDAP settings as you like. Below is an explanation of the various fields availabe for integrating with your LDAP. When you are done, see the section Completing LDAP Integration, below.

LDAP Configuration Settings

URL to LDAP server

Points SysAid to the LDAP server using standard LDAP URL. For example, ldap://10.0.0.10:389.

User Name

You may fill in any username that has read privileges in your LDAP. If you intend to use the Password Services module, you must enter a username that has administrator privileges.

Password

The password of the username you entered in the field above.

Domain

This applies primarily for Active Directory. In most other cases, you do not need to specify the domain, so enter "none".

Authentication Type

Choose your desired authentication type from the list. If you are not sure what type to choose, select Simple.

Login DN(s)

Fill in here the full DN that is used. You can use {0} to represent the domain name or {1} to represent the username. Note that you can set more than one login DN if needed.

Include sub-OUs

If this is checked, SysAid will import users and groups from nested OUs when integrating with LDAP.

User root(s)

Specify here which OU(s) and sub-OU(s) to import users from. You can add as many lines as you need.

Group root(s)

Specify which OU(s) and sub-OU(s) to import groups from. You can add as many lines as you need.

User class filter

Define a condition for the importing of users. It is generally recommended to set a condition that only suits user objects. For example, (objectClass=inetOrgPerson).

User filter

Set which attribute will be used as the username in SysAid. For example, (uid={0}).

Group class filter

Define a condition for the group import. It is generally recommended to set a condition that suits group objects only. For example, (objectClass=group).

Import groups

Check this box if you would like to import groups from LDAP.

CN attribute

Fill in the attribute for object CN. Example: cn.

DN attribute

Fill in the attribute for object DN. Example: distinguishedName.

Name attribute

Set which attribute will be used as the username in SysAid. For example, uid.

LDAP Attribute Mapping 

Define which SysAid fields get populated by which LDAP fields. SysAid can accept the following fields from LDAP: firstName, lastName, displayName, email, phone, cellphone, notes, sms, location, building, floor, cubic, carNumber, custText1, custText2, custNotes, custInt1, custInt2, department, company, userManagerName, enableLoginToEup, and secondaryEmail.

Schedule

You may schedule an LDAP refresh to automatically import changes in LDAP into SysAid (e.g. new users). Enter a start time, and choose how often the refresh will repeat. The refresh will always happen at the time of day listed in the start time, so make sure you choose a time where all applicable servers are available and where there is minimum traffic to your SysAid server.

After refresh, disable SysAid users who were not imported from LDAP

This is checked by default. However, there might be cases where you do not import all LDAP users every time you refresh from LDAP. In these cases, make sure to uncheck this option to avoid disabling users who might still be active.

Example: You have 50,000 users in your LDAP, and a full import takes several hours. Therefore, after the initial import, you update your SysAid LDAP settings to only import users that have changed since the last import. In a case like this, you would not want to disable users not imported from LDAP, otherwise most of your users would be disabled in SysAid each time you refresh from LDAP.

Viewing Your LDAP Structure for Manual LDAP Integration

To verify that your LDAP attributes fit the integration, you can connect to your LDAP directory with any LDAP browser. We recommend the LDAP browser, which is available at http://www.sysaid.com/down/ldapbrowser.zip.

1. Login to your LDAP with this tool by entering the LDAP hostname / IP and port.
2. Click Fetch Dns.
3. From the dropdown list, choose the appropriate Dns.
4. Uncheck the Anonymous Bind checkbox.
5. Enter your LDAP username and password. You may need to fill in the username in its distinguished name form.
6. Connect to the LDAP.
7. Verify that the OUs you are looking for are displayed.
8. If the OUs are not there, go back to the DN selection and choose a different DN from the list. Repeat this until you find the DN that shows the correct OUs.
9. After you have successfully logged into your LDAP, you will need to manually copy the LDAP structure into the LDAP integration form.

Completing LDAP Integration

Check the box "Enable LDAP integration" at the top of the page, and click Save.

After completing the LDAP integration settings, go to User Management --> End Users and click .

Once the LDAP import is completed, refresh the list to verify that the users were successfully imported.

By enabling Single Sign-On, users are automatically signed into SysAid when they sign into their computers. You can enable Single Sign-On after configuring LDAP integration if you are using Microsoft Active Directory. Please view our SSO Guide for instructions for configuring Single Sign-On.

Important changes once LDAP is enabled

• For users imported from LDAP, you will need to make any password changes directly in your LDAP.
• SysAid will authenticate all login attempts against your LDAP. All records of these attempts will be stored in your LDAP logs.
• Any time you want to make changes to user details, it's recommended to make the changes in LDAP and then refresh your users in SysAid from your LDAP. You can do this from User Management --> Administrators/End Users using the Refresh from LDAP button. Alternatively, you can schedule an LDAP refresh which will pull the information into SysAid automatically.
• Any users that you delete in SysAid but not in your LDAP will automatically be recreated when you refresh from LDAP. To avoid the recreation of users you no longer need, disable these users in SysAid rather than deleting them.

LDAP integration and licensing

SysAid will allow you to import all of your LDAP users into SysAid even if this puts you over your license limit for end users. However, if you go over the limit, SysAid will automatically disable as many users as necessary to put you under your limit. These users are disabled at random. For this reason, it's generally preferable to only import as many users as you have licenses.