Documentation for Web Help Desk

Import Active Directory/LDAP directory connections

Use the Active Directory/Lightweight Directory Access Protocol (AD/LDAP) Connections settings to discover and import client AD/LDAP information from the client’s Microsoft Exchange or LDAP server.

AD/LDAP Connections can perform bulk data imports of AD and LDAP directories, which speed up the client setup process and greatly reduce manual input errors. You can also use AD/LDAP Connections to synchronize Web Help Desk user information with the latest information on your Microsoft Exchange or LDAP server.

About LDAP

LDAP is a protocol for accessing a central directory of user accounts, which supports single sign-on (SSO) so that users can access resources and services across a network. LDAP implementations use self-signed certificates by default. To use a trusted certificate issued by a Certificate Authority (CA), you can import the certificate into your Java key store.

Validate LDAP certificates

You can establish a secure connection from Web Help Desk to an LDAP server by selecting the SSL check box. To accept certificates issued by a CA, select the Accept only trusted Certificates check box. When selected, Web Help Desk verifies the host LDAP certificate against the certificates in your Java key store. If Web Help Desk detects a certificate that is not signed by a trusted CA or uploaded to your Java key store, Web Help Desk generates a warning in the user interface and does not store the LDAP connection.

The WHDGlobalConfig.properties file contains the name, password, and location of your Java key store. This file is located in the following directory:

c:\<WebHelpDesk>\conf

To update these parameters, edit the file with your new settings, save the file, and then restart Web Help Desk. See Keystore Settings (for SSL Connections) for more information.

Determine whether to import all records or individual records

Web Help Desk periodically performs a one-way synchronization with the AD or LDAP server. You can choose to synchronize individual records as needed (individual synchronization) or to synchronize all records at once (bulk synchronization).

Individual synchronization

Individual synchronization creates and updates client account information as needed, reducing the processing time. Web Help Desk creates each client account the first time a user logs in to the website or submits a ticket through email. The client account is updated whenever the client logs in again or submits another ticket.

Individual synchronization is used unless you choose to enable bulk synchronization.

Bulk synchronization

Bulk synchronization creates a client account for every user record in the AD or LDAP directory. Each time bulk synchronization runs, Web Help Desk examines each user record to determine if a corresponding client account needs to be added or updated. If your organization has a large number of users, bulk synchronization can affect Web Help Desk performance.

If enabled, bulk synchronization runs at regular intervals based on the schedule that you specify in the connection definition. You can also run it manually by clicking Sync Now in the LDAP connection list.

Even if you use bulk synchronization, Web Help Desk still performs an individual synchronization each time a client logs in or sends an email. This keeps active client accounts up-to-date, even if bulk synchronization is not performed frequently.

Most organizations do not need to perform bulk synchronization. However, bulk synchronization can be useful if you need to create all client accounts so that you can make configuration changes before clients log in.

If most of the users in your AD or LDAP directory are not using Web Help Desk, SolarWinds does not recommend using bulk synchronization.

Synchronize Web Help Desk user information

When you import your AD/LDAP connections, use the following conventions:

  • Ensure the person configuring and using this import is experienced with AD and LDAP administration.

  • Work with a client representative familiar with AD/LDAP and the existing structure. The client representative must have administrative access to the customer AD/LDAP server.

  • If your AD/LDAP directory contains mostly users not using Web Help Desk, SolarWinds does not recommend performing a bulk AD/LDAP import.

To connect to a client LDAP server and import or synchronize users:

  1. Click Setup > Clients > AD/LDAP Connections.
  2. To create a new connection, click New.

    To update an existing connection, click the connection name to open it, and then click to edit.

  3. Click the Connection Basics tab.
  4. Select the Enabled checkbox to enable the LDAP connection.

  5. Enter the configuration information about the host or domain controller.

    1. Enter the host parameter for the LDAP connection.
    2. Select the SSL checkbox if the LDAP server is reached over SSL (LDAPS). When checked, the connection automatically uses secure port 636; otherwise the default is the non-secure port 389.

      Click Detect Settings to enter the default connection settings.
    3. Choose whether to accept only trusted certificates.

  6. From the Directory Type menu, select Active Directory if the LDAP host is a Microsoft Active Directory server. Otherwise, select LDAP directory.

    If you select Active Directory, you must provide a connection account name and connection password in the following steps, because Active Directory requires authentication to browse data.
  7. In the Connection Account box, enter the security principal of the LDAP account to use when synchronizing with the LDAP server. See the tooltip for additional information.

    If you selected Active Directory in step 6 as your directory type, enter the security principal, and then go to step 10.

  8. If you selected LDAP Directory in step 6 as your directory type, in the Connection Password field, enter the security principal and the password for the LDAP account to use when synchronizing with the LDAP server.

  9. (Optional) In the Connection Name field, enter an alternate name for the LDAP connection.

  10. Maximize the Advanced window and review or update the advanced settings.
    1. In the Connection Timeout box, enter the number of seconds to wait before aborting attempts to connect to the LDAP server. The default value is 20 seconds.

    2. In the Users DN box, enter the distinguished name of the search base for retrieving users. Select the Include subtrees checkbox if you want records in subcontainers to also be included.

      The LDAP connection attempts to retrieve all records under this node of the LDAP directory.

    3. In the Search Filter box, enter a search filter to apply to the LDAP records. Click the tooltip for details.

    4. If you want to use bulk synchronization, select Enabled and then specify when the synchronization should occur. When enabled, all clients associated with an LDAP connection are synchronized with WHD at the same time. Click the tooltip for details.

      To avoid affecting your network performance, schedule the synchronization for a period of time when your network is least busy.
    5. Select the Ignore Blank LDAP Values checkbox to prevent blank LDAP values from replacing existing values in the Client fields.

    6. Select the Sync With Existing WHD Clients Only checkbox to prevent the LDAP connection from creating any client accounts in WHD. The connection synchronizes with the existing client accounts based on the Sync Key attribute. Otherwise, leave this checkbox blank to enable the client accounts to be created for any LDAP records that do not have corresponding accounts in the WHD database.

      This option is useful if you want to manually import a subset of LDAP clients into WHD, but still want them to authenticate with the LDAP directory at login.
    7. In the When LDAP Records Are Removed section, select an action to perform when clients are removed from the LDAP directory.

    8. From the Cache Time Period menu, select how long a user's successful LDAP authentication is cached before Web Help Desk requires the user to authenticate against the LDAP server again. Click the tooltip for details.

  11. Click Save.
  12. Click Test Settings to test your settings. Make adjustments if needed.

  13. Map the client account fields to attributes in the schema.
    1. Click the Attribute Mappings tab.
    2. Select the targeted AD or LDAP schema.
    3. Locate each client account field that will populate with information from the AD or LDAP server. To map each field, enter the associated schema element as instructed by the AD or LDAP administrator.

      The client's last name, user name, and email must be mapped. If you are using the default schema, these fields are mapped automatically. For custom schemas, you must map these attributes manually.

      Any field, including custom fields, can be mapped if the data is available in the schema.

  14. Click Save.
  15. Verify that all clients can log in to Web Help Desk using their LDAP credentials.

    If your clients are unable to connect, do the following:

    1. Make sure that the LDAP connection is pointing to the correct organizational unit (OU).

    2. Point the LDAP synchronization to a different domain controller.
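As an added illustration (not Web Help Desk code) of how the Sync Key, Ignore Blank LDAP Values, Sync With Existing WHD Clients Only, and removed-record settings from step 10 interact with the one-way individual/bulk synchronization described earlier, the following Python sketch runs a sync over constructed records. The sync key attribute name, the field names, and the deactivate-on-removal action are assumptions, not documented WHD behaviour.

```python
from dataclasses import dataclass

SYNC_KEY = "sAMAccountName"  # assumed Sync Key attribute; the page does not name one

@dataclass
class Client:
    username: str
    fields: dict            # mapped attribute values held in WHD
    status: str = "active"

def sync(ldap_records, clients, *, existing_only=False, ignore_blank=True,
         deactivate_removed=True):
    """One-way sync, LDAP wins. Returns (added, updated, removed) counts."""
    seen, added, updated, removed = set(), 0, 0, 0
    for rec in ldap_records:
        key = rec.get(SYNC_KEY)
        if not key:
            continue                   # no sync key: the record cannot be matched
        seen.add(key)
        client = clients.get(key)
        if client is None:
            if existing_only:
                continue               # Sync With Existing WHD Clients Only
            clients[key] = Client(key, {k: v for k, v in rec.items() if v})
            added += 1
            continue
        changed = False
        for attr, value in rec.items():
            if ignore_blank and value in ("", None):
                continue               # Ignore Blank LDAP Values: keep the WHD value
            if client.fields.get(attr) != value:
                client.fields[attr], changed = value, True
        updated += int(changed)
    # Clients not returned by this run (removed, or outside the Search Filter)
    for key, client in clients.items():
        if deactivate_removed and key not in seen and client.status == "active":
            client.status, removed = "inactive", removed + 1
    return added, updated, removed

def demo(**options):
    """Constructed sample: two existing WHD clients, two LDAP records."""
    clients = {
        "jdoe": Client("jdoe", {"sAMAccountName": "jdoe", "mail": "jdoe@example.test",
                                "telephoneNumber": "555-0100"}),
        "rleft": Client("rleft", {"sAMAccountName": "rleft", "mail": "rleft@example.test"}),
    }
    ldap = [  # jdoe's phone is blank in LDAP, rleft is gone, asmith is new
        {"sAMAccountName": "jdoe", "mail": "jdoe@example.test", "telephoneNumber": ""},
        {"sAMAccountName": "asmith", "mail": "asmith@example.test", "telephoneNumber": "555-0101"},
    ]
    return sync(ldap, clients, **options), clients
```

A client that merely drops out of the Search Filter result set looks identical to a record deleted from the directory, so confirm the filter and Users DN before choosing a removed-record action that deactivates accounts.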

Troubleshoot a failed AD/LDAP connection

If your clients cannot log in to Web Help Desk, perform the following steps to troubleshoot and resolve a failed AD/LDAP connection.

The following steps apply to a Web Help Desk deployment using the PostgreSQL database. If you are running an MS SQL or MySQL database, you can use the same SQL queries without using pgAdmin3.

  1. Log in to the Web Help Desk server as an administrator using client ID 1.

  2. Navigate to the <WebHelpDesk> directory based on your operating system.

    • Microsoft Windows: \Program Files\WebHelpDesk
    • macOS: /Library/WebHelpDesk
    • Linux: /usr/local/webhelpdesk
  3. Open the <WebHelpDesk> directory and navigate to:

    pgsql13 > pgAdmin III > docs > en_US

  4. Double-click index.htm.

  5. In the pgAdmin3 guide, locate Using pgAdmin III and click Connect to server.

  6. Follow the instructions on your screen to connect to the server using pgAdmin.

  7. Open pgAdmin and click SQL.

  8. Use the following queries to disable LDAP authentication on the technician account. Replace CLIENT_ID=1 with the technician's client ID as displayed in the TECH table.

    -- Detach the technician account from the LDAP connection
    UPDATE TECH SET LDAP_CONNECTION_ID=NULL WHERE CLIENT_ID=1;
    -- Turn off LDAP authentication so the local password is used
    UPDATE TECH SET USE_LDAP_AUTHENTICATION=NULL WHERE CLIENT_ID=1;

  9. Log in to Web Help Desk using a local account.

  10. Click Setup > Clients > AD / LDAP Connection.

  11. Click the targeted connection in the Connection column.

  12. Update the LDAP settings as required, and then click Save.