Use the Active Directory/Lightweight Directory Access Protocol (AD/LDAP) Connections settings to discover and import client AD/LDAP information from the client's Microsoft Exchange or LDAP server. AD/LDAP Connections can perform bulk imports of AD and LDAP directories, which speeds up client setup and greatly reduces manual input errors. You can also use AD/LDAP Connections to synchronize Web Help Desk user information with the latest information on your Microsoft Exchange or LDAP server.
LDAP is a protocol that provides access to a central user directory for single sign-on (SSO), allowing users to authenticate once to reach resources and services in a network. LDAP implementations use self-signed certificates by default. To use a trusted certificate issued by a Certificate Authority (CA), import the certificate into your Java key store, which is the trust store Web Help Desk checks.
Validate LDAP certificates
You can establish a secure connection from Web Help Desk to an LDAP server by selecting the SSL checkbox. To accept only certificates issued by a CA, select the Accept only trusted Certificates checkbox. When this option is selected, Web Help Desk verifies the host LDAP certificate against the certificates in your Java key store. If the host certificate is neither signed by a trusted CA nor present in your Java key store, Web Help Desk displays a warning in the user interface and does not save the LDAP connection.
The WHDGlobalConfig.properties file contains the name, password, and location of your Java key store. This file is located in the following directory:
To update these parameters, edit the file with your new settings, save the file, and then restart Web Help Desk. See Keystore Settings (for SSL Connections) for more information.
Synchronize Web Help Desk user information
Before you import from an AD/LDAP connection, follow these guidelines:
- Ensure the person configuring and using this import is experienced with AD and LDAP administration.
- Work with a client representative familiar with AD/LDAP and the existing structure. The client representative must have administrative access to the customer AD/LDAP server.
- If most of the users in your AD/LDAP directory do not use Web Help Desk, SolarWinds does not recommend performing a bulk AD/LDAP import.
To connect to a client LDAP server and import or synchronize users:
1. Click Setup > Clients > AD/LDAP Connections.
2. To create a new connection, click New. To update an existing connection, click the connection name to open it, and then click Edit.
3. Click the Connection Basics tab.
4. Select the Enabled checkbox to enable the LDAP connection.
5. Enter the information about the host or domain controller:
   a. Enter the host parameter for the LDAP connection.
   b. Select the SSL checkbox if LDAP over SSL is used to connect to the LDAP server. This selection automatically uses the secure port 636; the default selection is the non-secure port 389. Click Detect Settings to fill in the default connection settings.
   c. Choose whether to accept only trusted certificates.
6. Select the directory type for the LDAP host. Select Active Directory if the LDAP host is a Microsoft Active Directory server. Otherwise, select LDAP Directory.
7. Enter the security principal of the LDAP account to use when synchronizing with the LDAP server. Click the tooltips for details.
   - If you selected Active Directory in step 6 as your directory type, enter the security principal, and then go to step 10.
   - If you selected LDAP Directory in step 6 as your directory type, enter the security principal and the password for the LDAP account to use when synchronizing with the LDAP server.
8. If you selected LDAP Directory in step 6 as your directory type, click Browse and select the distinguished name of the search base used to retrieve users. The LDAP connection attempts to retrieve all records under this node of the LDAP directory. If you select the Include subtrees checkbox, records in subcontainers are also included.
9. (Optional) Enter an alternate name for the LDAP connection.
10. Maximize the Advanced window and review or update the advanced settings:
   - Enter the number of seconds to wait before aborting attempts to connect to the LDAP server. The default value is 20 seconds.
   - Enter the distinguished name of the search base for retrieving users. The LDAP connection attempts to retrieve all records under this node of the LDAP directory. If you select the Include subtrees checkbox, records in subcontainers are also included.
   - Enter a search filter to apply to the LDAP records. Click the tooltips for details.
   - To use bulk synchronization, select Enabled and then specify when the synchronization should occur. When enabled, all clients associated with the LDAP connection are synchronized with Web Help Desk at the same time. Click the tooltip for details. To avoid impacting your network performance, schedule the synchronization for a period when your network is least busy.
   - To prevent blank LDAP values from replacing existing values in the Client fields, select the corresponding checkbox.
   - Decide whether to allow the LDAP connection to synchronize with your existing Web Help Desk client accounts:
     - Select the checkbox that prevents the LDAP connection from creating any client accounts in Web Help Desk. The connection then synchronizes only with existing client accounts, matched on the Sync Key attribute.
     - Otherwise, leave this checkbox blank so that client accounts are created for any LDAP records that do not have corresponding accounts in the Web Help Desk database.
   - Select the action to perform when clients are removed from the LDAP directory.
   - Select the time period allowed for a user to authenticate with an LDAP connection before authentication to the LDAP server is required again. Click the tooltip for details.
11. Click Save.
12. Click Test Settings to test your settings, and make adjustments if needed. See LDAP fails to connect when initiating a connection for troubleshooting information.
13. Map the client account fields to attributes in the schema:
   a. Click the Attribute Mappings tab.
   b. Select the targeted AD or LDAP schema.
   c. Locate each client account field that will be populated with information from the AD or LDAP server. To map a field, enter the associated schema element as instructed by the AD or LDAP administrator. The client's last name, user name, and email must be mapped. If you are using the default schema, these fields are mapped automatically; for custom schemas, you must map these attributes manually. Any field, including custom fields, can be mapped if the data is available in the schema.
14. Click Save.
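The search-base scope (with and without Include subtrees), the blank-value and account-creation options, the handling of clients removed from the directory, and the required attribute mappings described above can be expressed as a small model of one synchronization pass. This is an added example written for this page, not Web Help Desk code: the client field names, the removed_action values and the sample directory records are constructed.

```python
REQUIRED = ("last_name", "user_name", "email")   # fields the page says must be mapped

def in_scope(dn, search_base, include_subtrees):
    # Records directly under the search base are always retrieved; records in
    # subcontainers only when "Include subtrees" is selected (no escaped commas here)
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in search_base.split(",")]
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    return include_subtrees or len(parts) == len(base) + 1

def map_record(entry, mappings):
    # mappings: client field -> schema attribute, as set on the Attribute Mappings tab
    missing = [f for f in REQUIRED if f not in mappings]
    if missing:
        raise ValueError(f"required client fields not mapped: {missing}")
    return {field: entry.get(attr, "") for field, attr in mappings.items()}

def sync(entries, clients, mappings, sync_key, search_base, include_subtrees=False,
         keep_existing_on_blank=True, create_accounts=True,
         removed_action="deactivate"):   # 'deactivate' | 'ignore' are names assumed here
    clients, seen = {k: dict(v) for k, v in clients.items()}, set()
    for entry in entries:
        if not in_scope(entry["dn"], search_base, include_subtrees):
            continue
        values = map_record(entry, mappings)
        seen.add(key := values[sync_key])
        if key not in clients:
            if create_accounts:          # "do not create accounts" left unchecked
                clients[key] = {**values, "status": "active"}
            continue
        for field, value in values.items():
            if value == "" and keep_existing_on_blank:
                continue                 # a blank LDAP value must not wipe the client field
            clients[key][field] = value
    if removed_action == "deactivate":    # client no longer found in the directory
        for key in set(clients) - seen:
            clients[key]["status"] = "inactive"
    return clients

# Constructed sample: two directory records and two existing Web Help Desk clients
ENTRIES = [{"dn": "CN=Ana Ruiz,OU=Staff,DC=example,DC=com", "sn": "Ruiz", "mail": "aruiz@example.com",
            "sAMAccountName": "aruiz", "telephoneNumber": ""},
           {"dn": "CN=Bo Li,OU=Interns,OU=Staff,DC=example,DC=com", "sn": "Li", "mail": "bli@example.com",
            "sAMAccountName": "bli", "telephoneNumber": "555-0102"}]
MAPPINGS = {"last_name": "sn", "user_name": "sAMAccountName", "email": "mail", "phone": "telephoneNumber"}
CLIENTS = {"aruiz": {"last_name": "Ruiz", "user_name": "aruiz", "email": "old@example.com",
                     "phone": "555-0101", "status": "active"},
           "cdoe": {"last_name": "Doe", "user_name": "cdoe", "email": "cdoe@example.com", "status": "active"}}
```

Running `sync(ENTRIES, CLIENTS, MAPPINGS, "user_name", "OU=Staff,DC=example,DC=com")` updates aruiz's email while keeping the phone number that the blank LDAP value would otherwise erase, leaves the Interns record out until Include subtrees is set, and deactivates cdoe because that client is no longer in the directory.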