LDAP Form - General Tab

 
Author
Message
SysAid Technical Writer
1112
 

Settings

Integration

LDAP

LDAP Form - General Tab

This page describes the fields and options displayed in the General tab in the LDAP Integration form.

 

To access information about other tabs, select one of the following links:

 

There are two ways to configure your LDAP settings:

  1. Using the LDAP configuration wizard (Active Directory only)
  2. By inputting your individual LDAP settings manually

 

 

LDAP Configuration wizard

 

Click LDAP Configuration Wizard to open the LDAP configuration wizard and then fill out the following fields:

Note: Running the LDAP configuration wizard overwrites the existing LDAP Integration settings and reverts them to the default settings.

 

RDS name
This is the RDS that you use to communicate with the LDAP server. This can be the SysAid server.
Server type
This should be left as Active Directory unless you're using an old Exchange 5.5 server for LDAP.
LDAP host name
This is the name of the computer that's hosting your LDAP.
LDAP port number
If you are using an unsecured connection, this is typically 389. If you are using an SSL connection, this is typically 636. Unless you've changed the ports for your LDAP, you shouldn't need to change this.
Credentials
Select the credentials set you want to use to access LDAP integration.
 
Domain
This is the domain you import from LDAP. For non-simple Authentication Type, please enter the full domain.
Domain display name
This is the domain name you want to display in the LDAP Integration list and any domain drop-down.
 
Authentication Type
Leave this as Simple unless you specifically know that you need to use another authentication type.
LDAP over SSL
Check this to use SSL for the connection between your SysAid server and your LDAP. Note that changing this automatically updates the port number.

Important: If you plan on using the Password Services module, you must a) enable an SSL connection to your LDAP and b) use an LDAP user with permission to manage domain passwords in your LDAP.

 

Allow password caching to accelerate authentication
If this is checked, SysAid stores the LDAP user passwords in the SysAid database (encrypted) to accelerate authentication.

 Using the LDAP configuration wizard

 

Click Check Settings to verify that you've correctly entered your LDAP settings. If the LDAP connection is successful, a confirmation is displayed at the bottom of the Wizard screen. If you are unsuccessful, please recheck your LDAP host name, user name, password, and domain, and then try again.

 

Click Save when you are done. Your LDAP structure should be automatically imported into SysAid, and you may then fine-tune your LDAP settings as you like. Below is an explanation of the various fields available for integrating with your LDAP. When you are done, see the section Completing LDAP Integration, below.

 

LDAP configuration settings

 

RDS Name

This is the RDS that you use to communicate with the LDAP server. This can be the SysAid server.

 

Note: Depending on certain Active Directory policy settings, old passwords can still be used to log in to SysAid after a password change has occurred. By default, both the old and the new passwords continue to work for approximately one hour after the password change. After one hour, the old password stops working. Please refer to Microsoft® KB article 906305 for information on what occurs and for instructions on disabling the behavior if necessary. http://support.microsoft.com/?id=906305

 

LDAP server URL

Points SysAid to the LDAP server using standard LDAP URL. For example, ldap://10.0.0.10:389.

You can configure your LDAP integration to use a secure connection by updating the URL to contain the parameter "ldaps" in the beginning and changing the port to "636" so the url reads like this: ldaps://10.0.0.10:636

Make sure to configure your LDAP server configured to use a secure connection


Important: If you plan on using the Password Services module, you must a) enable an SSL connection to your LDAP and b) use an LDAP user with permission to manage domain passwords in your LDAP.

 

Credentials

Select the credentials set you want to use to access LDAP integration.

 

Domain

This applies primarily for Active Directory. In most other cases, you do not need to specify the domain, so enter "none".

 

Authentication Type

Choose your desired authentication type from the list. If you are not sure what type to choose, select Simple.

 

Allow password caching to accelerate authentication

If this is checked, SysAid stores the LDAP user passwords in the SysAid database (encrypted) to accelerate authentication.

 

Import groups

Check this box if you would like to import groups from LDAP.

 

Include sub-OUs

If this is checked, SysAid imports users and groups from nested OUs when integrating with LDAP.

 

Perform full scan of the active directory

When LDAP integration pulls data from the active directory into SysAid it generally only pulls in data from users that have been modified since the previous LDAP sync.

 

To perform a full scan of the active directory the next time the data is synced and pull in all of the user data, whether it has been modified or not, select this check box.

 

After the full sync is complete, SysAid automatically clears the check box again.

 

Disable SysAid users who were not imported from LDAP

This is checked by default. However, there might be cases where you do not import all LDAP users every time you refresh from LDAP. In these cases, make sure to uncheck this option to avoid disabling users who might still be active.

 

Whenever a user is disabled an entry is added to the Event log.

 

Example: You have 50,000 users in your LDAP, and a full import takes several hours. Therefore, after the initial import, you update your SysAid LDAP settings to only import users that have changed since the last import. In a case like this, you would not want to disable users not imported from LDAP, otherwise most of your users would be disabled in SysAid each time you refresh from LDAP.

 

Disable SysAid admins who were not imported from LDAP

This is unchecked by default. If you want to automatically disable admins who are no longer available in the LDAP, select this check box.

 

Whenever an admin is disabled an entry is added to the Event log.

 

Revoke SysAid group memberships for users not present in connected LDAP groups

If you want to automatically remove users from groups if they have been removed from those groups in the active directory, select this check box.

 

Delete SysAid groups which were synced from LDAP, if they no longer exist in LDAP

If you want to automatically delete LDAP-synced groups from SysAid when they have been removed from the active directory, select this check box.

Schedule

You may schedule an LDAP refresh to automatically import changes in LDAP into SysAid (e.g. new users). Enter a start time, and choose how often the refresh will repeat. The refresh runs at the time of day listed in the start time, so make sure you choose a time where all applicable servers are available and where there is minimum traffic to your SysAid server.

 

Schedules apply to each individual LDAP integration.

 

Complete LDAP integration

SelectEnable LDAP integration and click Save.

 

After completing the LDAP integration settings, go to Tools > User Management > End Users and click Refresh from LDAP.

Once the LDAP import is completed, refresh the list to verify that the users were successfully imported.

SysAider
3
 
How can I check (or change) which user account is set in the 'credentials' field after the initial configuration?

This message was edited 2 times. Last update was at Jan. 17, 2018 09:50 AM

SysAid Product Manager Community Manager
5260
 
Hi APIC,

You go to Settings > Network Discovery > Credentials, and check in the relevant Credentials item.

Cheers,
Danny
SysAider
3
 
thanks!
SysAider
1
 
Guys,

Just wanted to mention few things I struggled with during LDAP set up. And I think you should mention it in config guide.

If you use: "Include sub-OUs" (have it check marked) it overrules "user root" assignments and will dig in sub- OU's regardless of "user root". It may be it sounds intuitive but it is not.

Another design misconception I see her that needs to be corrected or addressed and added as a feature. I need a way to sync users according to my "User Root" assignments. Once user was synced to SysAid from ldap it stays in SysAid but what if I move user from OU that is out of scope of "User Root"? The user stays in SysAid and the only way for me to get rid of it is to manually remove it. I would like to have that done automatically on the next time LDAP sync.

Here is simple case user was moved from OU's Active employee to Terminated. Or Office to Manufacturing ( I do not want to see Manufacturing employees in SysAid)

V
SysAid Technical Writer
1112
 
Hi V,

Thanks for commenting. I'm trying to better understand your comment. Regarding the issue of overruling the "user root" assignments, could this be solved by clearing the "Include sub-OUs" check box? If not, why do you want it checked?

Regarding the second issue, SysAid's policy is not to delete users who are removed from the LDAP Import. Instead you can select to have such users disabled automatically in SysAid by selecting the "Disable SysAid users who were not imported from LDAP" and "Disable SysAid admins who were not imported from LDAP" check boxes. Would this address your needs?

Thanks and have a great day,
Avi