LDAP

ServiceDesk Plus can use the Lightweight Directory Access Protocol (LDAP) to import users from a user directory through the domain controller. LDAP authentication lets users log in to ServiceDesk Plus with their LDAP credentials, and it supports both Linux and Windows users.

Role Required: SDAdmin

To configure AD related settings in non-ESM setups, go to Admin > Users > LDAP.

Configure Domain Controller 

To import users and set up LDAP authentication, you must initially configure the Domain Controller for the imported domains.

On the LDAP configuration page, click Add New Domain in the Domain Controllers block. Use the following pointers to configure the domain controller:


Field Name

Description

Domain Controller*

Specify the domain controller of the domain from where the users have to be imported. The domain controller responds to all security-related authentication requests within the related domain.

  • The URL syntax is ldap://<server name>:<port number>, where the default port is 389.
  • To connect to LDAP in secure mode (LDAPS), use ldaps://<server name>:<port number>, where the default port is 636.

Username

Enter the Active Directory user name, including its organizational unit (OU), in this field.

Username - distinguishedName of the user

Sample:

CN=sdp,DC=domainname,DC=com

CN=sdp,OU=UsersOU,DC=domainname,DC=com

Password

Specify the password used to log in to the Active Directory.

Base DN*

The Base DN represents the distinguished name of the Base OU.

Base DN - distinguishedName of the OU or container. Organizational units start with 'OU=' and containers start with 'CN='.

Sample:

OU=UsersOU,DC=domainname,DC=com

OU=SDPOU,OU=UsersOU,DC=domainname,DC=com

CN=Users,DC=domainname,DC=com

Search Filter*

Specify the criteria to apply on the domain controller in the Search Filter field. For example, mail=* imports only the users that have a value in the mail attribute on the specified domain controller.

LDAP Server Type*

If you choose one of the default LDAP server types, such as Microsoft Active Directory, Novell eDirectory, or OpenLDAP, the following fields are auto-populated.

If the LDAP Server Type is Others, specify the Login Attribute Label, Mail Attribute Label, and Distinguished Name Attribute Label (similar to the Base DN) in the respective fields.

* Indicates mandatory fields
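The following is an added example, not part of the ServiceDesk Plus documentation or product, that checks the Domain Controller, Username and Base DN values described in the table above before they are saved: the URL must use the ldap:// or ldaps:// scheme with the stated default ports, the Base DN must begin with OU= or CN=, and the bind user's DN should sit in the same domain (same DC= components) as the Base DN. The DN splitting follows RFC 4514 backslash escaping so that a DN copied from the directory, including one with an escaped comma in a CN, is handled correctly. The sample DNs are the ones from the table; the host name and the escaped-comma CN are constructed.

```python
"""Sanity checks for an LDAP domain controller configuration (added example)."""
import re
from urllib.parse import urlsplit

# Default ports from the documentation: 389 for ldap://, 636 for ldaps://.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_dc_url(url):
    """Return (scheme, host, port, encrypted) for a Domain Controller URL.

    Raises ValueError for anything that is not <scheme>://<server name>[:<port>]
    with scheme ldap or ldaps. The 'encrypted' flag lets a caller warn when a
    cleartext ldap:// URL is about to be used for password authentication.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    if not parts.hostname or parts.path or parts.query or parts.fragment:
        raise ValueError(f"expected <scheme>://<server name>[:<port>]: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]   # raises ValueError if not numeric
    return parts.scheme, parts.hostname, port, parts.scheme == "ldaps"


def split_dn(dn):
    """Split a distinguishedName into [(TYPE, value), ...] per RFC 4514.

    A comma preceded by a backslash is part of the value, not a separator,
    so a CN such as 'Smith\\, John' copied from the directory stays intact.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr_type.strip()):
            raise ValueError(f"invalid attribute type in RDN: {rdn!r}")
        out.append((attr_type.strip().upper(), value.strip()))
    return out


def check_base_dn(base_dn):
    """Base DN must name an organizational unit (OU=) or a container (CN=)."""
    first_type = split_dn(base_dn)[0][0]
    if first_type == "OU":
        return "organizational unit"
    if first_type == "CN":
        return "container"
    raise ValueError(f"Base DN must start with OU= or CN=: {base_dn!r}")


def domain_suffix(dn):
    """The DC= components of a DN, i.e. the domain the object lives in."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn) if t == "DC")


def check_user_dn(user_dn, base_dn):
    """The bind user (Username field) should belong to the same domain as the Base DN."""
    if domain_suffix(user_dn) != domain_suffix(base_dn):
        raise ValueError("Username DN and Base DN are in different domains")
    return True


if __name__ == "__main__":
    # Constructed host name; DNs are the samples from the configuration table.
    print(parse_dc_url("ldaps://dc01.domainname.com"))
    print(check_base_dn("OU=SDPOU,OU=UsersOU,DC=domainname,DC=com"))
    print(check_user_dn("CN=sdp,OU=UsersOU,DC=domainname,DC=com",
                        "OU=UsersOU,DC=domainname,DC=com"))
```

Use these checks before committing a configuration: a bind over ldap:// sends the account password in cleartext unless the server negotiates TLS, so treating `encrypted == False` as a warning is the useful part of `parse_dc_url`.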

distinguishedName

  • Copy the values directly from the LDAP server and use them while configuring LDAP. It is not advisable to construct the distinguishedName manually.

  • For AD, copy the distinguishedName attribute from the object's properties. For other LDAP server types, the attribute name can be dN or entryDN.

  • To find distinguishedName in AD

    Go to the AD server and open Active Directory Users and Computers. Go to the container where the user or OU object is located, right-click the object, and select Properties. On the Attribute Editor tab, scroll through the list and find the distinguishedName attribute.

    Note: If the Attribute Editor tab is not available, enable it from View > Advanced Features.

Search filter

(&(objectClass=User)(objectCategory=person))

This should be part of every search filter so that only user objects are imported from the LDAP server. Add any specific criteria to it.

(&(objectCategory=Person)(objectClass=User)(mail=*))

'mail' is the attribute name in the LDAP server; it can be replaced with another attribute name for the same purpose (only users that have a value in that attribute are imported).

(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This variant additionally excludes disabled accounts: 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule, and bit 2 of userAccountControl is the ACCOUNTDISABLE flag.

Single group:

(&(objectClass=user)(objectCategory=person)(memberOf=CN=Group1,OU=TestOU,DC=manageengine,DC=com))

Multiple groups:

(&(objectClass=user)(objectCategory=person)(|(memberOf=CN=Group1,OU=TestOU,DC=manageengine,DC=com)(memberOf=CN=Group2,OU=TestOU,DC=manageengine,DC=com)))

'memberOf=' in the above queries must be followed by the distinguishedName of the group.
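The following is an added example, not code from the ServiceDesk Plus documentation, that composes the search filters listed above from their building blocks: the user-object base, an optional required attribute, the disabled-account exclusion, and one or more memberOf groups. Values taken from configuration (attribute names, group DNs) are validated or escaped as RFC 4515 requires, so a group DN containing parentheses, an asterisk or a backslash cannot change the shape of the filter. The group DNs are the page's samples; the group name with parentheses is constructed. Attribute order inside the (&...) is not significant to an LDAP server, so the output matches the page's filters as written for the group examples and differs only in order for the mail=* example.

```python
"""Build LDAP user-import filters with escaped values (added example)."""
import re

# Active Directory's extensible match rule for bitwise AND, and the
# ACCOUNTDISABLE flag (bit 2) of userAccountControl.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 2

ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def check_attr_name(name):
    """Attribute names come from configuration; accept only RFC 4512 descriptors."""
    if not ATTR_NAME.fullmatch(name):
        raise ValueError(f"invalid attribute name: {name!r}")
    return name


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: ( ) * \\ and NUL become \\XX."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(required_attr=None, exclude_disabled=False, group_dns=()):
    """Compose a filter that imports only user objects, optionally narrowed.

    required_attr    - attribute that must have a value, e.g. "mail"
    exclude_disabled - drop accounts whose userAccountControl has ACCOUNTDISABLE set
    group_dns        - distinguishedNames of groups; one group is a plain memberOf
                       clause, several are OR-ed together with (|...)
    """
    parts = ["(objectClass=user)", "(objectCategory=person)"]
    if required_attr:
        parts.append(f"({check_attr_name(required_attr)}=*)")
    if exclude_disabled:
        parts.append(f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))")
    members = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if len(members) == 1:
        parts.append(members[0])
    elif members:
        parts.append("(|" + "".join(members) + ")")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Group DNs from the page's examples; the third group name is constructed.
    g1 = "CN=Group1,OU=TestOU,DC=manageengine,DC=com"
    g2 = "CN=Group2,OU=TestOU,DC=manageengine,DC=com"
    g3 = "CN=Ops (Tier 1),OU=TestOU,DC=manageengine,DC=com"
    print(build_user_filter(required_attr="mail", exclude_disabled=True))
    print(build_user_filter(group_dns=[g1, g2]))
    print(build_user_filter(group_dns=[g3]))
```

The escaping matters most for the memberOf clauses: a DN copied from the directory that contains an escaped comma (`CN=Sales\, EMEA`) must appear in the filter as `CN=Sales\5c, EMEA`, which is exactly what `escape_filter_value` produces.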


Click Save or Save and Import. You can also import users from an existing domain by clicking Import Now on the corresponding domain controller. The existing data is overwritten when users are imported again from the same domain.

After importing users, you can configure authentication and schedule imports from the LDAP configuration page.


You can edit or delete a domain controller from the Domain Controllers table.

Set Local Authentication Password 

You can set a default local authentication password for users imported through LDAP. Users can change this password after their first login.

You can enforce users to update the default password after their first login from Security Settings.

To set a local authentication password from the LDAP configuration page,

  1. Hover over the Local Authentication Password fields and click Edit.
  2. You can choose to generate a random password for every user or set a predefined password for all users.
  3. Click Save.
Ensure the predefined password meets all the requirements of the password policy.
Users will be notified about their password in their login emails. You can configure email notifications for users from Admin > Helpdesk Customizer > Notification Rules > Requests > Send Self-Service Login details.

Schedule LDAP Import 

You can schedule LDAP import at regular intervals to keep your user repository in sync with the LDAP server. When you schedule an LDAP import, data from all the LDAP servers configured in the application is imported once every specified number of days. Users and user details from all the domains available in LDAP are synced to ServiceDesk Plus.

  1. Hover over LDAP Schedule fields and click Edit.
  2. Enable the Schedule LDAP import once in every option and specify the import period.
  3. Specify the date and time to begin the schedule.
  4. Click Save.

The user details from the domains will be imported periodically as per the number of days specified after the start date and time. During consecutive imports in the same domain, the existing data will be overwritten.

LDAP Authentication 

You can allow users to log in to ServiceDesk Plus using their LDAP credentials.

  1. After the users are imported, hover over the LDAP authentication check box.
  2. Click Edit.
  3. Select the Enable LDAP Authentication checkbox.
  4. Click Save.
In the Login screen, the users can specify their LDAP login credentials and select the Domain to log into ServiceDesk Plus. They can also bypass LDAP authentication during login by selecting Local Authentication from the Domain drop-down and specifying the local credentials.

For Windows users, AD authentication will be disabled automatically if LDAP authentication is enabled.

Importing User Defined Fields

You can import default user attributes such as the login name, distinguished name, and domain name fields. Other user attributes such as phone, mobile, department, office, jobTitle, and email are mapped to LDAP attributes in the sdldapfieldmap table. 

For example, to map the field Emp ID to the employeeID attribute of your directory, such as AD or openLDAP, you'll need to do the following:

Insert a row in the sdldapfieldmap table by executing the following insert query in your database server:

insert into sdldapfieldmap values (7, null, 'employeeid', 'employeeID', true);

The ID value is 7 because the table contains 6 entries by default.


To enable the import of a field that already exists in SDLdapFieldMap but is not currently active, follow these steps:

  1. Run the following update query to enable the import:

     UPDATE sdldapfieldmap SET import = true WHERE id = <ID of the field>;

  2. To find the <ID of the field>, execute the select query below:

     SELECT * FROM sdldapfieldmap;

  3. From the query results, locate the required field and copy its value from the ID column. Replace <ID of the field> in the update query with this value.
  4. After executing the update query, restart the application service for the changes to take effect.

Only the fields whose 'import' column is 'true' are imported.


LDAP Field Names are not case-sensitive but ServiceDesk Plus Field Names are. Please ensure that you use field names in the correct case as indicated in the list below.

Field Names

  • phone
  • mobile
  • department
  • office
  • jobTitle
  • email
  • employeeid
  • firstName
  • middleName
  • lastName
  • ReportingTo
  • displayname


To import additional fields, such as user-defined fields, the SDAdmin or a user with database access can map the API Field Name to the corresponding LDAP attribute in the sdldapfieldmap table.

For example, to map the user-defined field Company to the Company attribute of your directory, insert a row in the sdldapfieldmap table using the following insert query:

insert into sdldapfieldmap values (8, null, 'udf_pick_1', 'company', true);

The API Field Name is listed under the corresponding column in Admin >> User Additional Fields.


Restart the server after executing the queries. Then, import your users from the LDAP server.
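The following is an added example, not ServiceDesk Plus code, covering both the employeeID mapping and the user-defined Company mapping described above. It applies the same three operations the page performs with raw SQL (insert a mapping, enable an existing mapping, list what will be imported) to an in-memory SQLite table, with the checks a database administrator would want: the next id is read from the table instead of being typed in, a ServiceDesk Plus field name in the wrong case is rejected (the page notes these are case-sensitive), and the active set is derived from the import column. The column set is hypothetical: the page's own queries only name id and import, so field_type, sdp_field_name and ldap_field_name are assumed names, and the six default rows are constructed from the page's field-name list, not the product's real defaults.

```python
"""Maintain sdldapfieldmap rows with computed ids and case checks (added example)."""
import sqlite3

# ServiceDesk Plus field names from the documentation; case matters on the SDP side.
SDP_FIELD_NAMES = {
    "phone", "mobile", "department", "office", "jobTitle", "email", "employeeid",
    "firstName", "middleName", "lastName", "ReportingTo", "displayname",
}

# Hypothetical schema: only id and import are named by the documentation's queries.
DDL = """CREATE TABLE sdldapfieldmap (
    id INTEGER PRIMARY KEY,
    field_type TEXT,
    sdp_field_name TEXT NOT NULL,
    ldap_field_name TEXT NOT NULL,
    "import" INTEGER NOT NULL)"""

# Constructed defaults: six rows, matching "there are 6 entries by default".
DEFAULT_ROWS = [
    (1, None, "phone", "telephoneNumber", 1),
    (2, None, "mobile", "mobile", 1),
    (3, None, "department", "department", 1),
    (4, None, "office", "physicalDeliveryOfficeName", 0),
    (5, None, "jobTitle", "title", 1),
    (6, None, "email", "mail", 1),
]


def open_db():
    """In-memory stand-in for the application database, seeded with the defaults."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO sdldapfieldmap VALUES (?,?,?,?,?)", DEFAULT_ROWS)
    return conn


def next_id(conn):
    """Read the next free id rather than assuming 7: a site may already have added rows."""
    (max_id,) = conn.execute("SELECT COALESCE(MAX(id), 0) FROM sdldapfieldmap").fetchone()
    return max_id + 1


def check_sdp_field_name(name):
    """Reject a known field written in the wrong case; allow user-defined udf_* names."""
    if name in SDP_FIELD_NAMES or name.startswith("udf_"):
        return name
    for known in SDP_FIELD_NAMES:
        if known.lower() == name.lower():
            raise ValueError(f"{name!r}: ServiceDesk Plus expects {known!r} (case-sensitive)")
    raise ValueError(f"{name!r} is not a known ServiceDesk Plus field name")


def add_mapping(conn, sdp_field, ldap_attr, enabled=True):
    """The page's INSERT, with the id computed and the field name checked first."""
    new_id = next_id(conn)
    conn.execute(
        "INSERT INTO sdldapfieldmap VALUES (?,?,?,?,?)",
        (new_id, None, check_sdp_field_name(sdp_field), ldap_attr, int(enabled)),
    )
    return new_id


def enable_import(conn, sdp_field):
    """The page's UPDATE ... SET import = true, keyed by field name instead of a looked-up id."""
    cur = conn.execute(
        'UPDATE sdldapfieldmap SET "import" = 1 WHERE sdp_field_name = ?', (sdp_field,)
    )
    return cur.rowcount


def active_mappings(conn):
    """Only rows with import = true are imported; this is what the next LDAP import uses."""
    rows = conn.execute(
        'SELECT sdp_field_name, ldap_field_name FROM sdldapfieldmap WHERE "import" = 1 ORDER BY id'
    )
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = open_db()
    add_mapping(db, "employeeid", "employeeID")   # the page's first example
    add_mapping(db, "udf_pick_1", "company")      # the page's user-defined-field example
    enable_import(db, "office")
    print(active_mappings(db))
```

As on the page, the application service still has to be restarted after the rows change before the next import picks them up.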

Connecting ServiceDesk Plus in secure LDAPS mode

A self-signed certificate must be imported to connect to LDAPS in secure mode.

Steps to generate the LDAPS certificate:

Windows:
C:\ManageEngine\ServiceDesk>gencert.bat <server name>:<port number>

Linux:
ManageEngine/ServiceDesk>gencert.sh <server name>:<port number>