Import clients from Active Directory
To streamline the client setup process and reduce input errors, you can import client information from one or more Microsoft Active Directory (AD) or LDAP servers. Web Help Desk automatically creates client accounts based on this information, and then updates the client accounts when the information changes.
If you import data from an AD or LDAP server, the client login credentials are evaluated by AD or LDAP, not by Web Help Desk. When a client attempts to log in, Web Help Desk sends the credentials to the AD or LDAP server for authentication.
Determine whether to import all records or individual records
Web Help Desk periodically performs a one-way synchronization with the AD or LDAP server. You can choose to synchronize individual records as needed (individual synchronization) or to synchronize all records at once (bulk synchronization).
Individual synchronization creates and updates client account information as needed, which reduces processing time. Web Help Desk creates each client account the first time a user logs in to the website or submits a ticket through email. The client account is updated whenever the client logs in again or submits another ticket.
Individual synchronization is used unless you choose to enable bulk synchronization.
Bulk synchronization creates a client account for every user record in the AD or LDAP directory. Each time bulk synchronization runs, Web Help Desk examines each user record to determine if a corresponding client account needs to be added or updated. If your organization includes several users, bulk synchronization can affect Web Help Desk performance.
If enabled, bulk synchronization runs at regular intervals based on the schedule that you specify in the connection definition. You can also run it manually by clicking the Sync Now button in the LDAP connection list.
Even if you use bulk synchronization, Web Help Desk still performs an individual synchronization each time a client logs in or sends an email. This keeps active client accounts up-to-date, even if bulk synchronization is not performed frequently.
Most organizations do not need to perform bulk synchronization. However, bulk synchronization can be useful if you need to create all client accounts so that you can make configuration changes before clients log in.
If most of the users in your AD or LDAP directory are not using Web Help Desk, SolarWinds does not recommend using bulk synchronization.
Define a connection
To enable the client account data import, define a connection to each AD or LDAP server.
The connection definition:
- Provides information that enables Web Help Desk to connect to the server
- Enables and schedules bulk synchronization (optional)
- Maps attributes in the AD or LDAP schema to the corresponding fields in the Web Help Desk client account
This example provides connection information for an LDAP server, and maps the custom Contractor field to an attribute in the LDAP schema.
Complete this procedure with an experienced AD or LDAP administrator who is familiar with your existing structure. This person must have administrative access to the AD or LDAP server.
- Click Setup > Clients > AD/LDAP Connections.
To create a new connection, click New.
To update an existing connection, click the connection name to open it, and then click to edit.
- Click the Connection Basics tab.
Select the Enabled checkbox to enable the LDAP connection.
Enter your information about the host or domain controller.
- Enter the host parameter for the LDAP connection.
Select the SSL checkbox if LDAP through SSL is used when connecting to the LDAP server. This selection automatically uses secure port 636. The default selection is non-secure port 389.
Click Detect Settings to enter the default connection settings.
Choose whether to accept only trusted certificates.
Select the directory type for the LDAP host.
Select Active Directory if the LDAP host is a Microsoft Active Directory server. Otherwise, select LDAP directory.
Enter the security principal of the LDAP account to use when synchronizing with the LDAP server. Click the tooltips for details.
If you selected Active Directory in step 6 as your directory type, enter the security principal, and then go to step 10.
If you selected LDAP Directory in step 6 as your directory type, enter the security principal and the password for the LDAP account to use when synchronizing with the LDAP server.
If you selected LDAP Directory in step 6 as your directory type, click Browse and select the distinguished name of the search base used to retrieve users.
The LDAP connection attempts to retrieve all records under this node of the LDAP directory. If you select the Include subtrees checkbox, records in subcontainers will also be included.
(Optional) Enter an alternate name for the LDAP connection.
- Maximize the Advanced window and review or update the advanced settings.
Enter the number of seconds to wait before aborting attempts to connect to the LDAP server. The default value is 20 seconds.
Enter the distinguished name of the search base for retrieving users.
The LDAP connection will attempt to retrieve all records under this node of the LDAP directory. If you select the Include subtrees checkbox, records in subcontainers will also be included.
Enter a search filter to apply to the LDAP records. Click the tooltips for details.
If you want to use bulk synchronization, select Enabled and then specify when the synchronization should occur. When enabled, all clients associated with an LDAP connection are synchronized with Web Help Desk at the same time. Click the tooltip for details. To avoid impacting your network performance, schedule the synchronization for a period of time when your network is least busy.
Select this checkbox to prevent blank LDAP values from replacing existing values in the Client fields.
Decide whether to allow the LDAP connection to synchronize with your existing Web Help Desk client accounts.
Select this checkbox to prevent the LDAP connection from creating any client accounts in Web Help Desk. The connection will synchronize with the existing client accounts based on the Sync Key attribute.
Otherwise, leave this checkbox blank to enable the client accounts to be created for any LDAP records that do not have corresponding accounts in the Web Help Desk database.
Select an action to perform when clients are removed from the LDAP directory.
Select the time period allowed for a user to authenticate with an LDAP connection before requiring authentication to the LDAP server. Click the tooltip for details.
- Click Save.
Click Test Settings to test your settings. Make adjustments if needed.
See LDAP fails to connect when initiating a connection for troubleshooting information.
- Map the client account fields to attributes in the schema.
- Click the Attribute Mappings tab.
- Select the targeted AD or LDAP schema.
Locate each client account field that will populate with information from the AD or LDAP server. To map each field, enter the associated schema element as instructed by the AD or LDAP administrator.
The client's last name, user name, and email must be mapped. If you are using the default schema, these fields are mapped automatically. For custom schemas, you must map these attributes manually.
Any field, including custom fields, can be mapped if the data is available in the schema.
- Click Save.
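A pre-flight check for the search base, Include subtrees, and required attribute mapping steps above, as an added example that is not SolarWinds or Web Help Desk code: it reads an LDIF export of the directory and reports which records fall under the search base and which of them lack a required mapped attribute. The sample LDIF, the `example.com` DNs, and the attribute names `sn`, `uid` and `mail` are assumptions, and treating a cleared Include subtrees checkbox as "direct children only" is this example's reading of the setting.

```python
import re

# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
sn: Smith
mail: asmith@example.com

dn: uid=bjones,ou=Contractors,ou=People,dc=example,dc=com
uid: bjones
sn: Jones

dn: uid=svc-backup,ou=Services,dc=example,dc=com
uid: svc-backup
sn: Backup
mail: svc-backup@example.com
"""
# Assumption: schema attributes mapped to last name, user name and email.
REQUIRED = ("sn", "uid", "mail")

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into (dn, attrs) pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def in_scope(dn, base, include_subtrees):
    """True if dn lies under base: direct children only unless include_subtrees."""
    rdns, base_rdns = split_dn(dn), split_dn(base)
    depth = len(rdns) - len(base_rdns)  # 0 would be the base entry itself
    return depth >= 1 and rdns[depth:] == base_rdns and (include_subtrees or depth == 1)

def preview(ldif, base, include_subtrees):
    """Map each in-scope DN to the list of required attributes it is missing."""
    return {dn: [a for a in REQUIRED if not attrs.get(a)]
            for dn, attrs in parse_ldif(ldif) if in_scope(dn, base, include_subtrees)}
```

Calling `preview(SAMPLE_LDIF, "dc=example,dc=com", True)` shows that a search base set at the directory root also pulls in the service account container, which is the kind of result to catch before enabling bulk synchronization.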