Creating an Active Directory Source Definition

About Active Directory Integration

 

The Active Directory Integration feature enables an agent that updates and synchronizes iSupport Customer Profile, Support Representative Profile, and Asset records with the information in one or more Active Directory sources.

You’ll create a data source integration definition to specify the server and related settings, field mappings, and exclusions, and use sync definitions to specify the type of record you are synchronizing and the directory node and filters for the data to be synchronized. You can use both filtering and exclusions to specify the values that should not be synchronized; which you use depends on how much you need to keep from synchronizing at a given level of the targeted source. You can also set default values based upon the AD sync setting entry from which a record was created. Exclusions target everything under a node in a directory and apply to all sync definitions of the same record type within a data source integration definition. Filters use syntax that can target multiple nodes in a tree, and apply to a specified base directory node in a sync definition.

If you are using multiple sources for populating iSupport’s customer, support representative, and asset data, use the Order of Precedence link to specify the order of precedence if there are matching records. (For customers and support representatives: a match on first name, last name, and email address; for assets, a match on name.)

Configuring Basics

Use the Basics tab to specify the primary connection and authentication details for accessing the data source; these settings will apply to all of the sync definitions you create for that data source.

Active Directory Source Definition Example

AD Source Name

Enter a name for the AD source definition. This name will appear in the Source field in the associated Customer Profile record.

Search Root

Enter the directory server machine name or IP address for querying user information in the Active Directory source; precede your entry with the following: LDAP://

Note: Secure LDAP is required when authentication is used; the Search Root field must specify port 636 to avoid errors during sync. When the Search Root does not contain :636, the Base DN dialog on the Sync Definitions and the Preview dialog on Field Mappings will return errors, and the Customer Approver field will not be synchronized. When the Search Root ends with :636, the Customer Approver field for existing customers will be updated to the current Manager in AD.

Domain Controller

If the domain controller that iSupport authenticates against cannot resolve the Secondary Login field, specify the domain controller that can.

This can be the name of the domain controller or the fully qualified DNS name of the domain controller. All of the following examples represent correctly formatted domain controller names:

FAB-DC-01

\\FAB-DC-01

FAB-DC-01.fabrikam.com

\\FAB-DC-01.fabrikam.com

Connect As

Select:

  • Anonymous to connect to the data source as an anonymous user.
  • Specified User to enter a login for connecting to the data source.

Username

Password

If anonymous Active Directory connections are not allowed in your environment, use these optional fields to enter a username and password for authentication when queries are performed. If anonymous connections are allowed, leave these fields blank.

Active

Select Yes to enable the Active Directory Integration agent that updates the records in Customer Profiles with the information in Active Directory. The agent runs immediately and then continues to run as scheduled in the AD Synchronization Interval field.

AD Synchronization Interval

Select the interval at which the synchronization is to be performed.

Configuring a Sync Definition

Use the Sync Definition section to select the type of record that you are synchronizing, select the directory node that contains the data to be synchronized, and enter a search filter if applicable.  Click the Create link to create a sync definition.

Active

Select Yes to enable the sync definition.

Sync Entries As

Select the type of record that you are synchronizing: Customer Profile, Support Representative Profile, or Asset record. When synchronization occurs, the record will be created if there is an entry in Active Directory that does not exist in iSupport.

  • If synchronizing customers, the Enable mySupport Access field will appear. Select Yes to enable the Approved to Access mySupport field by default. If a login name and password exist in the Active Directory record, they will be included in the mySupport login fields for authentication to the mySupport portal. This is not a mapped or synchronized value; it can be edited in iSupport.

  • If synchronizing support representatives, the Default Primary Group field will appear. Select the iSupport group to assign as the primary group by default; you can use the Create New and View/Edit icons to access the Group configuration screen and configure the roles/permissions, Desktop components, the work items/features involved in global search, work item UI settings, and mySupport chat settings for group members. This is not a mapped or synchronized value; it can be edited in iSupport.

  • If synchronizing assets, the Default Type field will appear. Select the asset type to assign by default. You can use the Create New and View/Edit icons to access the Asset Type configuration screen and configure a login for running asset scans, optional and custom fields, maintenance/warranty notifications, and count tracking for the asset type. This is not a mapped or synchronized value; it can be edited in iSupport.

Base DN

Click this button to select the directory node that contains the data to be synchronized.

Search Filter

Enter the conditions that must be met for returning a specific set of information to iSupport. Note that a filter is required for synchronizing assets, but for customers and support representatives a filter is only needed if the selected Base DN contains unwanted lower level nodes or if the data source's exclusions do not already remove the unwanted nodes.

This feature uses LDAP (Lightweight Directory Access Protocol), which defines how information can be accessed in directories. Active Directory supports the LDAP search filter syntax as specified in RFC 1960. For information on LDAP and search filters, see http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx#Examples.

Examples

All users that contain a first and last name:

(&
  (objectCategory=Person)
  (objectClass=user)
  (givenName=*)
  (sn=*)
)

All users that contain a first and last name excluding Tom Jones and SQL Account:

(&
  (objectCategory=Person)
  (objectClass=user)
  (givenName=*)
  (sn=*)
  (!(name=Tom Jones))
  (!(name=SQL Account))
)

All users and contacts that contain a first and last name:

(&
  (objectCategory=Person)
  (givenName=*)
  (sn=*)
  (|
    (objectClass=user)
    (objectClass=contact)
  )
)

All users and contacts that contain a first and last name, excluding Tom Jones, Barry White, and SQL Account:

(&
  (objectCategory=Person)
  (|
    (objectClass=user)
    (objectClass=contact)
  )
  (givenName=*)
  (sn=*)
  (!(name=Tom Jones))
  (!(name=SQL Account))
  (!(name=Barry White))
)

All users with a valid Microsoft Windows user name (domainname\username):

(&
  (objectCategory=Person)
  (objectClass=user)
  (givenName=*)
  (sn=*)
  (userPrincipalName=*@*)
  (samAccountName=*)
)
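A search filter with unbalanced parentheses or a NOT that does not wrap a parenthesised sub-filter can fail or return the wrong set of entries, so it is worth checking a filter before pasting it into the Search Filter field. The following is an added example, not part of iSupport: a small Python parser (all function names are hypothetical) that covers only the and/or/not and simple comparison forms used in the examples above and, as an assumption, ignores whitespace between components.

```python
import re

# One simple item: attribute, operator, value (no raw parentheses in the value).
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)")

def _skip(text, pos):
    # Assumption: whitespace between components is ignored, so a filter laid
    # out over several lines can be pasted in unchanged.
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos

def _filter(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos = _skip(text, pos + 1)
    op = text[pos:pos + 1]
    if op and op in "&|":
        children, pos = [], _skip(text, pos + 1)
        while text[pos:pos + 1] == "(":
            child, pos = _filter(text, pos)
            children.append(child)
            pos = _skip(text, pos)
        if not children:
            raise ValueError(f"'{op}' needs at least one sub-filter")
        node = (op, children)
    elif op == "!":
        # NOT wraps exactly one parenthesised filter: (!(name=x)), not (!name=x).
        child, pos = _filter(text, _skip(text, pos + 1))
        node, pos = ("!", child), _skip(text, pos)
    else:
        m = ITEM.match(text, pos)
        if not m:
            raise ValueError(f"malformed item at offset {pos}")
        node, pos = (m.group(2), m.group(1), m.group(3).strip()), m.end()
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def parse_filter(text):
    """Return the filter as nested tuples, or raise ValueError if malformed."""
    node, pos = _filter(text, _skip(text, 0))
    if _skip(text, pos) != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

if __name__ == "__main__":
    # Constructed samples based on the filters shown on this page.
    for sample in ("(&(givenName=*)(sn=*)(!(name=SQL Account)))", "(!name=SQL Account)"):
        try:
            print(parse_filter(sample))
        except ValueError as err:
            print("rejected:", err)
```
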

Setting Default Values

Use the Default Values section to set Customer Profile, Support Representative, and Asset field values based upon the AD sync setting entry from which a record was created. For example, if AD users are organized into a specific OU or group that indicates other user properties (such as location) and if the AD user profiles don't have the location attribute populated in the directory, you can simply add a default value for the location field to the sync setting entry that is linked to the OU or group.

In the Force column, select Yes if you wish to have the configured default value override the AD value in cases where the attribute was populated in the source record. If the Force field is set to No, the default value will only be applied if the AD attribute is either unmapped or has no value on the record.

Field Mappings

Use the applicable subtab (Customer, Support Rep, or Asset) under the Field Mappings tab to specify the attributes in your Active Directory source from which data will be pulled for corresponding iSupport fields.

Mapping options include:

Use the Sync Key field to map to a value that is an unchanging unique identifier field in the source database.

To assign a primary group to multiple iSupport Customer Profile records, select a customer view on the Desktop and then click the Add to Group icon.

Use the Map a Custom Field button at the bottom of the screen to select a custom field to add to the list of fields to be mapped. Use the Preview button to select a record to use for verifying your selections. Values from the record will appear next to the fields.

Configuring Exclusions

Use the Exclusions tab to specify the nodes or directory objects that should not be synchronized; click the Add link to select the directory nodes or objects that should be excluded. All lower level nodes will also be excluded. Note that exclusions apply to all sync definitions within a data source integration definition.