Creating an LDAP Source Definition
The LDAP Integration feature enables an agent that updates and synchronizes iSupport Customer Profile, Support Representative Profile, and Asset records with the information in one or more LDAP sources.
You’ll use the Data Source Integration screen to create a data source integration definition that specifies the server and related settings, field mappings, and exclusions. You’ll use sync definitions to specify the type of record you are synchronizing, and the directory node and filters for the data to be synchronized. You can also set default values based upon the LDAP sync setting entry from which a record was created.
You can use both filtering and exclusions to specify the values that should not be synchronized; which one you use depends on how much you need to keep from synchronizing at a given level of the targeted source. Exclusions target everything under a node in a directory and apply to all sync definitions of the same record type within a data source integration definition. Filters use syntax that can target multiple nodes in a tree, and apply to a specified base directory node in a sync definition.
The following occurs when the agent runs:
If there is an entry in LDAP that does not exist in the applicable iSupport table (Customer Profile, Support Representative Profile, or Asset), the entry is created in iSupport. In order for an entry to be added from LDAP, it must contain:
For Customer Profiles, a first name, last name, and email address. If mySupport access is configured, the Approved to Access mySupport field will be enabled on the automatically-created Customer Profile record.
For Support Representative Profiles, a first name, last name, and email address.
For assets, a name.
If a Windows login name exists in the LDAP record, it will be included in the mySupport User Name field for authentication to the mySupport portal. You’ll need to disable LDAP integration in order to enter or change the password for accessing the mySupport portal. The password will not be changed by re-enabling LDAP integration.
If an email address matches an email address in Customer Profiles and the record was directly entered via Customer Profiles, depending on the configured order of precedence, the Customer Profiles record is updated with the latest information from LDAP. If a Customer Profile entry has already been synchronized with LDAP, the Last Modified dates are compared and the Customer Profile is updated with the latest information.
If an entry is deleted in LDAP, the record will be flagged for deletion and:
If work items or assets are not associated with that name, the entry will be deleted from Customer Profiles when the Database Maintenance agent runs.
If work items or assets are associated with the name, the entry will remain flagged for deletion in Customer Profiles until those incident records no longer exist.
The initial synchronization process will populate the Secondary User Name field if the iSupport Services user account is a domain-level user account. For ease of entry, the value is approximated: the text between the @ symbol and the next period in the user’s principal name is retrieved and converted to upper case (for example, LBLSOFT would be retrieved from [email protected]), a backslash is added, and the username portion is then retrieved from the samAccountName field of the LDAP user entry.
Because this login may be different if there are multiple domains, this field will be editable and will not be synchronized again after the initial synchronization. If your environment consists of multiple domains, you’ll need to verify that the approximated Secondary User Name entry is correct.
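The approximation described above, and a check for the multi-domain case, as an added example that is not iSupport code. The function names, the .example domains, the sample entries, and the administrator-supplied mapping of principal-name suffix to domain name are all constructed for illustration.

```python
# Added example: names and sample data below are constructed for illustration.

def approximate_secondary_user_name(upn, sam_account_name):
    """Text between '@' and the next period, upper-cased, then '\\' and the samAccountName."""
    _, at, suffix = upn.rpartition("@")
    label, dot, _ = suffix.partition(".")
    # Assumption: with no '@', no period, or an empty part there is nothing to approximate.
    if not (at and dot and label and sam_account_name):
        return None
    return label.upper() + "\\" + sam_account_name


def entries_to_verify(entries, netbios_by_suffix):
    """Return (upn, approximated, expected) where the approximation is missing or differs."""
    flagged = []
    for entry in entries:
        upn = entry.get("userPrincipalName", "")
        sam = entry.get("sAMAccountName", "")
        approximated = approximate_secondary_user_name(upn, sam)
        # Expected login built from the administrator-supplied domain name.
        domain = netbios_by_suffix.get(upn.rpartition("@")[2].lower())
        expected = f"{domain}\\{sam}" if domain and sam else None
        # Logon names compare case-insensitively.
        if approximated is None or expected is None or approximated.upper() != expected.upper():
            flagged.append((upn, approximated, expected))
    return flagged


# Constructed mapping: principal-name suffix -> domain name used in DOMAIN\user logins.
NETBIOS_BY_SUFFIX = {
    "lblsoft.example": "LBLSOFT",
    "emea.corp.example": "CORPEMEA",   # child domain whose login name is not its first label
    "mail.example": "LBLSOFT",         # alternate suffix used by accounts in LBLSOFT
}

# Constructed LDAP user entries.
SAMPLE_ENTRIES = [
    {"userPrincipalName": "jdoe@lblsoft.example", "sAMAccountName": "jdoe"},
    {"userPrincipalName": "asmith@emea.corp.example", "sAMAccountName": "asmith"},
    {"userPrincipalName": "b.lee@mail.example", "sAMAccountName": "blee"},
    {"sAMAccountName": "svc-print"},   # no principal name, so nothing can be approximated
]

if __name__ == "__main__":
    for upn, approximated, expected in entries_to_verify(SAMPLE_ENTRIES, NETBIOS_BY_SUFFIX):
        print(f"verify {upn or '(no UPN)'}: approximated={approximated!r} expected={expected!r}")
```

Only the first sample entry passes; the other three are the kind of record whose Secondary User Name should be checked by hand after the initial synchronization.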
When the feature is enabled, the agent runs immediately and then on an interval basis according to the selection in the LDAP Synchronization field. The LDAP Integration feature does not modify the contents in the LDAP source in any way.
Go to the following links for more information:
http://www.rfc-archive.org/getrfc.php?rfc=3377 - Top level LDAPv3 Technical specs
http://www.rfc-archive.org/getrfc.php?rfc=2254 - Search Filters (with examples)
http://www.rfc-archive.org/getrfc.php?rfc=2255 - URL formats (examples for Search Root field)
http://www.rfc-archive.org/getrfc.php?rfc=2256 - User Schema (standard available attributes, useful for mapping)