
Introduction to SysAid LDAP integration

 

This page allows you to integrate SysAid with your LDAP (Lightweight Directory Access Protocol). Integration with your LDAP gives you several benefits:

 

Note: To set up LDAP integration, your LDAP server (e.g. Domain Controller) needs to be accessible to SysAid through the relevant port (e.g. 389 or 636).

 

Note: If you are using SysAid version 17.2.50 or higher, please see the LDAP Integration list or form pages for updated interface information.

There are two ways to configure your LDAP settings:

  1. Using the LDAP configuration wizard (Active Directory only)
  2. By inputting your individual LDAP settings manually

 

LDAP Configuration wizard

 

Click the LDAP configuration wizard button to open the LDAP configuration wizard and then fill out the following fields:

 

RDS Name
This is the RDS that you will use to communicate with the LDAP server. This can be the SysAid Server.
Server type
This should be left as Active Directory, unless you're using an old Exchange 5.5 server for LDAP.
LDAP host name
This is the name of the computer that's hosting your LDAP.
LDAP port number
If you are using an unsecured connection, this is typically 389. If you are using an SSL connection, this is typically 636. Unless you've changed the ports for your LDAP, you shouldn't need to change this.
User Name
This is a user who has at least read privileges to your entire LDAP structure. If you intend to use the Password Services module, you must enter a username that has domain administrator privileges.
Password
The password for the LDAP user.
Domain
This is the domain you will be importing from LDAP. For any Authentication Type other than Simple, enter the full domain.
Authentication Type
Leave this as Simple unless you specifically know that you need to use another authentication type.
LDAP over SSL
Check this to use SSL for the connection between your SysAid Server and your LDAP. Note that changing this will automatically update the port number.

Important: If you plan on using the Password Services module, you must a) enable an SSL connection to your LDAP and b) use an LDAP user with administrator privileges.

Allow password caching to accelerate authentication
If this is checked, SysAid will store the LDAP user passwords in the SysAid database (encrypted) to accelerate authentication.

Figure: Using the LDAP configuration wizard

 

Click Check Settings to verify that you've correctly entered your LDAP settings. If the LDAP connection is successful, you will receive a confirmation at the bottom of the wizard screen (see image above). If you are unsuccessful, please recheck your LDAP host name, user name, password, and domain, and then try again.

 

Click Save when you are done. Your LDAP structure should be automatically imported into SysAid, and you may then fine-tune your LDAP settings as you like. Below is an explanation of the various fields available for integrating with your LDAP. When you are done, see the section Completing LDAP Integration, below.

 

LDAP configuration settings

 

RDS Name

This is the RDS that you will use to communicate with the LDAP server. This can be the SysAid Server.

 

Allow password caching to accelerate authentication

If this is checked, SysAid will store the LDAP user passwords in the SysAid database (encrypted) to accelerate authentication.

 

Note: Depending on certain Active Directory policy settings, old passwords can still be used to log in to SysAid after a password change has occurred. By default, both the old and the new passwords continue to work for approximately one hour after the password change. After one hour, the old password stops working. Please refer to Microsoft® KB article 906305 for information on what occurs and for instructions on disabling the behavior if necessary. http://support.microsoft.com/?id=906305

 

URL to LDAP server

Points SysAid to the LDAP server using a standard LDAP URL. For example, ldap://10.0.0.10:389.

 

User Name

You may fill in any username that has read privileges in your LDAP. If you intend to use the Password Services module, you must enter a username that has domain administrator privileges.

 

Password

The password of the username you entered in the field above.

 

Domain

This applies primarily for Active Directory. In most other cases, you do not need to specify the domain, so enter "none".

 

Authentication Type

Choose your desired authentication type from the list. If you are not sure what type to choose, select Simple.

 

Login DN(s)

Enter the full DN that SysAid uses to bind. You can use {0} to represent the domain name and {1} to represent the username. You can set more than one login DN if needed.

 

Include sub-OUs

If this is checked, SysAid will import users and groups from nested OUs when integrating with LDAP.

 

User root(s)

Specify here which OU(s) and sub-OU(s) to import users from. You can add as many lines as you need.

 

Group root(s)

Specify which OU(s) and sub-OU(s) to import groups from. You can add as many lines as you need.

 

User class filter

Define a condition for the importing of users. It is generally recommended to set a condition that only suits user objects. For example, (objectClass=inetOrgPerson).

 

User filter

Set which attribute will be used as the username in SysAid. For example, (uid={0}).
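The wizard's Check Settings step and the manual fields above both come down to the same checks. This added example (not SysAid's own code) validates the URL to LDAP server against the LDAP over SSL setting, expands a Login DN template, and combines the User class filter with the User filter; it also escapes the username per RFC 4514 and RFC 4515 so that a value typed at the login prompt cannot change the structure of the DN or filter. Host names, DNs and user names are constructed samples.

```python
from urllib.parse import urlsplit

# RFC 4515 escapes for values placed inside a search filter, so that a login name
# typed at the SysAid login prompt cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def check_ldap_url(url: str, ldap_over_ssl: bool) -> list:
    """Problems with the 'URL to LDAP server' setting, using the page's rule of
    thumb: port 389 for plain LDAP, port 636 for LDAP over SSL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"unexpected scheme {parts.scheme!r}; expected ldap:// or ldaps://"]
    if not parts.hostname:
        return ["URL has no host name"]
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    problems = []
    if ldap_over_ssl and port == 389:
        problems.append("LDAP over SSL is enabled but the URL uses port 389")
    if not ldap_over_ssl and port == 636:
        problems.append("port 636 is normally LDAP over SSL, but SSL is not enabled")
    return problems


def login_dn(template: str, domain: str, username: str) -> str:
    """Expand a 'Login DN' template: {0} is the domain, {1} is the username."""
    return template.format(domain, escape_dn_value(username))


def user_search_filter(class_filter: str, user_filter: str, username: str) -> str:
    """AND the 'User class filter' with the 'User filter', substituting {0}."""
    return f"(&{class_filter}{user_filter.format(escape_filter_value(username))})"
```

For example, `user_search_filter("(objectClass=inetOrgPerson)", "(uid={0})", "j.doe")` yields `(&(objectClass=inetOrgPerson)(uid=j.doe))`, the query SysAid would need to resolve that login name.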

 

Group class filter

Define a condition for the group import. It is generally recommended to set a condition that suits group objects only. For example, (objectClass=group).

 

Import groups

Check this box if you would like to import groups from LDAP.

 

CN attribute

Fill in the attribute for object CN. Example: cn.

 

DN attribute

Fill in the attribute for object DN. Example: distinguishedName.

 

Name attribute

Set which attribute will be used as the username in SysAid. For example, uid.

 

LDAP Attribute Mapping 

Define which SysAid fields get populated by which LDAP fields. SysAid can accept the following fields from LDAP: firstName, lastName, displayName, email, phone, cellphone, notes, sms, location, building, floor, cubic, carNumber, custText1, custText2, custNotes, custInt1, custInt2, department, company, userManagerName, enableLoginToEup, and secondaryEmail.

 

Perform full scan of the active directory

When LDAP integration pulls data from the active directory into SysAid it generally only pulls in data from users that have been modified since the previous LDAP sync.

 

To perform a full scan of the active directory the next time the data is synced and pull in all of the user data, whether it has been modified or not, select this check box.

 

After the full sync is complete, SysAid automatically clears the check box again.

 

Schedule

You may schedule an LDAP refresh to automatically import changes in LDAP into SysAid (e.g. new users). Enter a start time, and choose how often the refresh will repeat. The refresh always happens at the time of day listed in the start time, so choose a time when all applicable servers are available and traffic to your SysAid server is minimal.

 

Disable SysAid users who were not imported from LDAP

This is checked by default. However, there might be cases where you do not import all LDAP users every time you refresh from LDAP. In these cases, make sure to uncheck this option to avoid disabling users who might still be active.

 

Whenever a user is disabled, an entry is added to the Event log.

 

Example: You have 50,000 users in your LDAP, and a full import takes several hours. Therefore, after the initial import, you update your SysAid LDAP settings to only import users that have changed since the last import. In a case like this, you would not want to disable users not imported from LDAP, otherwise most of your users would be disabled in SysAid each time you refresh from LDAP.

 

Disable SysAid admins who were not imported from LDAP

This is unchecked by default. If you want to automatically disable admins who are no longer available in the LDAP, select this check box.

 

Whenever an admin is disabled, an entry is added to the Event log.

 

View your LDAP structure for manual LDAP integration

 

To verify that your LDAP attributes fit the integration, you can connect to your LDAP directory with any LDAP browser. We recommend the LDAP browser, which is available at http://www.sysaid.com/down/ldapbrowser.zip.

 

  1. Log in to your LDAP with this tool by entering the LDAP hostname / IP and port.
  2. Click Fetch Dns.
  3. From the drop down list, choose the appropriate Dns.
  4. Uncheck the Anonymous Bind check box.
  5. Enter your LDAP username and password. You may need to fill in the username in its distinguished name form.
  6. Connect to the LDAP.
  7. Verify that the OUs you are looking for are displayed.
  8. If the OUs are not there, go back to the DN selection and choose a different DN from the list. Repeat this until you find the DN that shows the correct OUs.
  9. After you have successfully logged into your LDAP, you will need to manually copy the LDAP structure into the LDAP integration form.

 

Complete LDAP integration

 

Check the box Enable LDAP integration at the top of the page, and click Save.

 

After completing the LDAP integration settings, go to Tools > User Management > End Users and click Refresh from LDAP.

Once the LDAP import is completed, refresh the list to verify that the users were successfully imported.

 

Single Sign-On

 

By enabling Single Sign-On, users are automatically signed into SysAid when they sign into their computers. You can enable Single Sign-On after configuring LDAP integration if you are using Microsoft Active Directory. Please view our SSO Guide for instructions for configuring Single Sign-On.

 

Important changes once LDAP is enabled

LDAP integration and licensing

 

SysAid will allow you to import all of your LDAP users into SysAid even if this puts you over your license limit for end users. However, if you go over the limit, SysAid will automatically disable as many users as necessary to put you under your limit. These users are disabled at random. For this reason, it's generally preferable to only import as many users as you have licenses.
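The two post-refresh behaviours this page describes, the "Disable SysAid users who were not imported from LDAP" option after a full versus an incremental refresh (the 50,000-user example above scaled down to 50 constructed users) and the disabling of users over the end-user license limit, as one added simulation that is not SysAid's own code. The random choice is seeded only so the run is repeatable; the page describes SysAid's actual selection as random.

```python
import random


def reconcile_after_refresh(sysaid_users, imported, disable_not_imported,
                            license_limit, seed=None):
    """Simulate SysAid's handling of end users after an LDAP refresh.

    sysaid_users: names of end users currently enabled in SysAid.
    imported: names returned by this refresh (an incremental refresh returns only
              users changed since the previous sync).
    Returns (enabled, disabled, event_log)."""
    enabled = set(sysaid_users) | set(imported)
    disabled = set()
    log = []
    if disable_not_imported:
        disabled = set(sysaid_users) - set(imported)
        enabled -= disabled
        for user in sorted(disabled):
            log.append(f"disabled {user}: not imported from LDAP")
    excess = len(enabled) - license_limit
    if excess > 0:
        # Over the end-user license limit: as many users as needed are disabled,
        # chosen at random (seeded here only so the example is repeatable).
        for user in random.Random(seed).sample(sorted(enabled), excess):
            enabled.discard(user)
            disabled.add(user)
            log.append(f"disabled {user}: over license limit")
    return enabled, disabled, log


def demo():
    """The page's scenario scaled down: 50 constructed users, 100 licenses."""
    directory = {f"user{i:02d}" for i in range(1, 51)}
    # Full import: everyone is returned, nobody is disabled.
    enabled, _, _ = reconcile_after_refresh(set(), directory, True, 100)
    # Incremental refresh returning one changed user, option still checked:
    # the other 49 are disabled, which is the situation the note warns about.
    _, disabled_checked, _ = reconcile_after_refresh(enabled, {"user07"}, True, 100)
    # Same refresh with the option unchecked: nobody is disabled.
    _, disabled_unchecked, _ = reconcile_after_refresh(enabled, {"user07"}, False, 100)
    return len(disabled_checked), len(disabled_unchecked)
```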