Documentation for Web Help Desk

Import Active Directory/LDAP directory connections

Use the Active Directory/Lightweight Directory Access Protocol (AD/LDAP) Connections settings to discover and import client AD/LDAP information from the client’s Microsoft Exchange or LDAP server.

AD/LDAP Connections can perform bulk data imports of AD and LDAP directories, which speeds up the client setup process and greatly reduces manual input errors. You can also use AD/LDAP Connections to synchronize Web Help Desk user information with the latest information on your Microsoft Exchange or LDAP server.

About LDAP

LDAP is a protocol that creates a central user database for single sign-on (SSO), allowing you to access resources and services in a network. LDAP implementations use self-signed certificates by default. To use a trusted certificate issued by a Certificate Authority (CA), you can import the certificate into your Java key store.

Validate LDAP certificates

You can establish a secure connection from Web Help Desk to an LDAP server by selecting the SSL check box. To accept certificates issued by a CA, select the Accept only trusted Certificates check box. When selected, Web Help Desk verifies the host LDAP certificate against the certificates in your Java key store. If Web Help Desk detects a certificate that is not signed by a trusted CA or uploaded to your Java key store, Web Help Desk generates a warning in the user interface and does not store the LDAP connection.

The WHDGlobalConfig.properties file contains the name, password, and location of your Java key store. This file is located in the following directory: 

c:\<WebHelpDesk>\conf

To update these parameters, edit the file with your new settings, save the file, and then restart Web Help Desk. See Keystore Settings (for SSL Connections) for more information.
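
A pre-flight check that mirrors the Accept only trusted Certificates behavior described above, as an added example (not SolarWinds code): it connects to the LDAP host on port 636 and reports whether the certificate chains to a trusted CA. The function names, the ldap.example.com host, and the assumption that the key store's CA certificates have been exported to a PEM file passed as ca_file are illustrative.

```python
import socket
import ssl

LDAPS_PORT = 636       # port used when the SSL check box is selected
CONNECT_TIMEOUT = 20   # seconds; the connection timeout default on this page


def trust_context(ca_file=None):
    """Context that rejects any chain not ending in a trusted CA.

    ca_file: PEM bundle of trusted CAs (assumption: exported from the Java
    key store). None uses the operating system's default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # host name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted or self-signed chains fail
    return ctx


def check_ldaps_certificate(host, port=LDAPS_PORT, ca_file=None,
                            timeout=CONNECT_TIMEOUT):
    """Report whether the LDAPS endpoint presents a trusted certificate."""
    ctx = trust_context(ca_file)
    result = {"host": host, "port": port, "trusted": False, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["trusted"] = True
                result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
                result["detail"] = "valid until " + cert["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = "certificate rejected: " + exc.verify_message
    except ssl.SSLError as exc:
        result["detail"] = "TLS handshake failed: " + str(exc.reason)
    except OSError as exc:
        result["detail"] = "connection failed: " + str(exc)
    return result


if __name__ == "__main__":
    # Constructed host name; replace with your LDAP server.
    print(check_ldaps_certificate("ldap.example.com"))
```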

Synchronize Web Help Desk user information

When you import your AD/LDAP connections, use the following conventions:

  • Ensure the person configuring and using this import is experienced with AD and LDAP administration.
  • Work with a client representative familiar with AD/LDAP and the existing structure. The client representative must have administrative access to the customer AD/LDAP server.
  • If your AD/LDAP directory contains mostly users not using Web Help Desk, SolarWinds does not recommend performing a bulk AD/LDAP import.

To connect to a client LDAP server and import or synchronize users:

  1. Click Setup > Clients > AD/LDAP Connections.
  2. To create a new connection, click New.

    To update an existing connection, click the connection name to open it, and then click to edit.

  3. Click the Connection Basics tab.
  4. Select the Enabled checkbox to enable the LDAP connection.

  5. Enter the configuration information about the host or domain controller.

    1. Enter the host parameter for the LDAP connection.
    2. Select the SSL checkbox if the LDAP server is reached through LDAP over SSL. When selected, the connection uses the SSL protocol and automatically uses secure port 636. The default selection is non-secure port 389.

      Click Detect Settings to enter the default connection settings.
    3. Choose whether to accept only trusted certificates.

  6. Select the directory type for the LDAP host.

    Select Active Directory if the LDAP host is a Microsoft Active Directory server. Otherwise, select LDAP directory.

    If you select Active Directory, you must provide a connection account name and connection password in the following steps. This is because Active Directory requires authentication to browse data.
  7. Enter the security principal of the LDAP account to use when synchronizing with the LDAP server. See the tooltip for additional information.

    If you selected Active Directory in step 6 as your directory type, enter the security principal, and then go to step 10.

  8. If you selected LDAP Directory in step 6 as your directory type, enter the security principal and the password for the LDAP account to use when synchronizing with the LDAP server.

  9. (Optional) Enter an alternate name for the LDAP connection.

  10. Maximize the Advanced window and review or update the advanced settings.
    1. Enter the number of seconds to wait before aborting attempts to connect to the LDAP server. The default value is 20 seconds.

    2. Enter the distinguished name of the search base for retrieving users.

      The LDAP connection will attempt to retrieve all records under this node of the LDAP directory. If you select the Include subtrees checkbox, records in subcontainers will also be included.

    3. Enter a search filter to apply to the LDAP records. Click the tooltip for details.

    4. If you want to use bulk synchronization, select Enabled and then specify when the synchronization should occur. When enabled, all clients associated with an LDAP connection are synchronized with WHD at the same time. Click the tooltip for details.

      To avoid impacting your network performance, schedule the synchronization for a period of time when your network is least busy.
    5. Select this checkbox to prevent blank LDAP values from replacing existing values in the Client fields.

    6. Select this checkbox to prevent the LDAP connection from creating any client accounts in WHD. The connection will synchronize with the existing client accounts based on the Sync Key attribute. Otherwise, leave this checkbox blank to enable the client accounts to be created for any LDAP records that do not have corresponding accounts in the WHD database.

      This option is useful if you want to manually import a subset of LDAP clients into WHD, but still want them to authenticate with the LDAP directory at login.
    7. Select an action to perform when clients are removed from the LDAP directory.

    8. Select the time period allowed for a user to authenticate with an LDAP connection before requiring authentication to the LDAP server. Click the tooltip for details.

  11. Click Save.
  12. Click Test Settings to test your settings. Make adjustments if needed.

  13. Map the client account fields to attributes in the schema.
    1. Click the Attribute Mappings tab.
    2. Select the targeted AD or LDAP schema.
    3. Locate each client account field that will populate with information from the AD or LDAP server. To map each field, enter the associated schema element as instructed by the AD or LDAP administrator.

      The client's last name, user name, and email must be mapped. If you are using the default schema, these fields are mapped automatically. For custom schemas, you must map these attributes manually.

      Any field, including custom fields, can be mapped if the data is available in the schema.

  14. Click Save.
  15. Verify that all clients can log in to Web Help Desk using their LDAP credentials.

    If your clients are unable to connect, do the following:

    1. Make sure that the LDAP connection is pointing to the correct organizational unit (OU).

    2. Point the LDAP synchronization to a different domain controller.

Troubleshoot a failed AD/LDAP connection

If your clients cannot log in to Web Help Desk, perform the following steps to troubleshoot and resolve a failed AD/LDAP connection.

The following steps apply to a Web Help Desk deployment using the PostgreSQL database. If you are running an MSSQL or MySQL database, you can use the same SQL queries without using pgAdmin3.

  1. Log in to the Web Help Desk server as an administrator using client ID 1.

  2. Navigate to the <WebHelpDesk> directory based on your operating system.

    • Microsoft Windows: \Program Files\WebHelpDesk

    • macOS: /Library/WebHelpDesk

    • Linux: /usr/local/webhelpdesk

  3. Open the <WebHelpDesk> directory and navigate to:

    pgsql13 > pgAdmin III > docs > en_US

  4. Double-click index.htm.

  5. In the pgAdmin3 guide, locate Using pgAdmin III and click Connect to server.

  6. Follow the instructions on your screen to connect to the server using pgAdmin.

  7. Open pgAdmin and click SQL.

  8. Use the following queries to disable LDAP authentication on the technician account. Replace CLIENT_ID=1 with the technician ID as displayed in the TECH table.

    UPDATE TECH SET LDAP_CONNECTION_ID=NULL WHERE CLIENT_ID=1;
    UPDATE TECH SET USE_LDAP_AUTHENTICATION=NULL WHERE CLIENT_ID=1;
    
  9. Log in to Web Help Desk using a local account.

  10. Click Setup > Clients > AD/LDAP Connections.

  11. Click the targeted connection in the Connection column.

  12. Update the LDAP settings as required, and then click Save.