Novell Service Desk Active Directory and LDAP setup

  • 7012209
  • 06-Apr-2005
  • 30-May-2013

Environment

Novell Service Desk 6.5

Situation

Have NSD use AD and LDAP user accounts for administration.

Resolution

Email Address

It should be noted that all user accounts must have a unique email address defined for them to be successfully imported into Novell Service Desk.

Configuring Active Directory Integration

When using Active Directory for user authentication, the server-side user group definitions and subgroups must be of type Universal Distribution. The Domain User group or any other security group cannot be added to any Novell Service Desk group.

Active Directory is a unique implementation of the LDAP standard, as the requirements for communication need to conform to the Microsoft Windows Authentication protocols. To meet this need, it is necessary to enter all domains from which users will authenticate. The Novell Service Desk domain editor does not validate these entries against the Directory Server, so they need to be entered with care. Each domain requires the entry of the Windows NT Style name and the Windows 2000 Style name. For example, the domain mydomain.mycompany.com translates to:

NT Style = MYDOMAIN
2K Style = mydomain.mycompany.com

The default domain serves three purposes:

1. It is selected by default on the login page
2. It is the domain the application uses to authenticate against when synchronizing with Directory Server.
3. It is the default domain where Novell Service Desk expects to find the Novell Service Desk Groups.

Security - The security type determines how the integration layer will authenticate. For Active Directory this should be set to Cleartext Username + Password. Anonymous connections to Active Directory are rarely enabled.

Server Host - Enter the hostname or IP Address of the Active Directory Server. On a Windows NT domain this will be the primary domain controller.

Server Port - This is the port number of the Active Directory Server. The default port is 389, and this is rarely changed.

Username - The Username is used by Novell Service Desk to authenticate against the Active Directory Server when reading account information. The domain prefix/suffix will be appended based on the default domain when connecting to the Server.

Password - The password for the user account specified in the Username field.

User Node - This is the component of the base DN that refers to the location of the Novell Service Desk Groups. As an example, assume that the location of the Novell Service Desk Groups is the following:

ou=Novell Service DeskGroups,ou=MIS,dc=myoffice,dc=mycompany,dc=com

These groups have to exist in the default domain, so myoffice.mycompany.com is derived from the Win 2000 domain name. The User Node is therefore:

ou=Novell Service DeskGroups,ou=MIS
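The domain-entry and User Node derivation described above, as an added example (not Novell's code): it splits a Windows 2000 style domain into the NT style and 2K style entries, strips the domain's dc= components from the groups container DN to obtain the User Node, and builds the full DN of each default role group listed later in this article. The NT style name being the first DNS label in upper case is an assumption taken from the page's own example; the seven group names are the page's defaults.

```python
# Added example (not Novell's code). Assumption: NT style = first DNS label,
# upper-cased, as in the page's mydomain.mycompany.com -> MYDOMAIN example.
# Real NetBIOS domain names can differ; confirm against the domain controller,
# because the NSD domain editor does not validate these entries itself.

def domain_styles(win2k_domain: str) -> dict:
    """Return the NT style name, 2K style name and the dc= suffix of a domain."""
    labels = [l for l in win2k_domain.strip().lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return {
        "nt_style": labels[0].upper(),
        "2k_style": ".".join(labels),
        # Every DN inside this domain ends with these dc= components.
        "domain_dn": ",".join(f"dc={l}" for l in labels),
    }


def user_node(group_container_dn: str, win2k_domain: str) -> str:
    """Strip the default domain's dc= suffix from the groups container DN.

    Refuses a DN that is not inside the default domain, since the groups must
    exist there. Splits on plain commas only (no escaped commas in these DNs).
    """
    suffix = domain_styles(win2k_domain)["domain_dn"].split(",")
    parts = [p.strip() for p in group_container_dn.split(",")]
    if [p.lower() for p in parts[-len(suffix):]] != suffix:
        raise ValueError(f"{group_container_dn!r} is not in domain {win2k_domain!r}")
    return ",".join(parts[:-len(suffix)])


# Default role group names from this article (customisable in Advanced Settings).
DEFAULT_GROUPS = (
    "Novell Service DeskAdministrators", "Novell Service DeskSupervisors",
    "Novell Service DeskTechnicians", "Novell Service DeskPartners",
    "Novell Service DeskManagers", "Novell Service DeskFinance",
    "Novell Service DeskCustomers",
)


def group_dns(node: str, win2k_domain: str, names=DEFAULT_GROUPS) -> list:
    """Full DNs NSD will look up for the role groups located at the User Node.

    Group names must be unique at that node; LDAP cn matching ignores case,
    so the uniqueness check lower-cases them before comparing.
    """
    lowered = [n.lower() for n in names]
    if len(set(lowered)) != len(lowered):
        raise ValueError("group names must be unique at the User Node")
    domain_dn = domain_styles(win2k_domain)["domain_dn"]
    return [f"cn={n},{node},{domain_dn}" for n in names]
```

Running `user_node` on a DN from a different domain raises instead of silently producing a node that the default domain does not contain.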

Include Customers - This flag allows the Customer users to use the internal authentication mechanism instead of the Active Directory Interface. This is limited to Customers and is expected to be used in environments providing external customer support, but has also been made available for internal help desk environments. When this flag is set to 'Yes', customer accounts are determined by the directory server group membership. When set to 'No', the customer accounts need to be created within the 'User--Customers' tab.

Test Button - Clicking test will try to connect to the Active Directory Server and, if successful, then attempt to determine how many users are in the top level of each group. This will show a results page, containing a button in the top right corner which will provide some limited advice in the event the test has failed.

Sync Button - This button provides a manual way to fire the synchronization job. It is most useful for the initial deployment of Novell Service Desk, and where new Active Directory Accounts have been created and those users require immediate access to the system. It should be noted that no more than one synchronize job can run at a time. If multiple users need to be granted access, create all the accounts at once and then run the single synchronize job.

The manual synchronize works best for small directories. Larger Active Directory implementations can take some time to propagate the changes, so the account information may not be available immediately. This may result in Novell Service Desk missing an account if the user tries to access the system before the changes have been fully updated.

Active Directory Updates:

When making Active Directory updates in the administrator console, it is important to remember that Active Directory uses real-time caching for the console, so you will always see the latest changes. However, applications that use recent changes.

Configuring LDAP Server Integration

There are several LDAP servers available on the market today; however, this section only discusses OpenLDAP and Netscape Directory Server. It should be noted that LDAP does follow a standard and, as such, the settings detailed herein should also apply to other implementations.

Security - The security type determines how the integration layer will authenticate. If anonymous is selected, ensure that anonymous access to the directory is available. Be aware that when using anonymous connections, user authentication will use the cleartext username & password option.

Server Host - Enter the hostname or IP Address of your LDAP Server.

Server Port - This is the port number of the LDAP Server. The default port is 389.

Username - The Username is used by Novell Service Desk to authenticate against the LDAP Server when reading account information. For anonymous connections, leave this blank. Where a username is provided, Netscape allows the internal users to connect as the account name, so using cn=Directory Manager is acceptable. OpenLDAP expects the fully qualified DN for the user, regardless of access level, so at the very least cn=Manager,dc=example,dc=com. For other accounts the user BaseDN is required for this setup. On login, users need only enter their login name, as it is assumed the login name will be unique across the entire directory.

Password - The password for the user account specified in the Username field. This is only required if a Username is entered.

BaseDN - This is the base DN that refers to the location of the Novell Service Desk Groups. As an example, assume that the location of the Novell Service Desk Groups is the following:

ou=Novell Service DeskGroups,ou=MIS,dc=myoffice,dc=mycompany,dc=com

The string above would be the BaseDN.

Include Customers - This flag allows the Customer users to use the internal authentication mechanism instead of the Active Directory Interface. This is limited to Customers and is expected to be used in environments providing external customer support, but has also been made available for internal help desk environments. When this flag is set to 'Yes', customer accounts are determined by the directory server group membership. When set to 'No', the customer accounts need to be created within the 'User--Customers' tab.

Test Button - Clicking test will try to connect to the LDAP Server and, if successful, then attempt to determine how many users are in the top level of each group. This will show a results page, containing a button in the top right corner which will provide some limited advice in the event the test has failed.

Sync Button - This button provides a manual way to fire the synchronization job. It is most useful for the initial deployment of Novell Service Desk, and where new LDAP Accounts have been created and those users require immediate access to the system. It should be noted that no more than one synchronize job can run at a time. If multiple users need to be granted access, create all the accounts at once and then run the synchronize job. The manual synchronize works best for small directories. Larger LDAP implementations can take some time to propagate the changes, so the account information may not be available immediately. This may result in Novell Service Desk missing an account if the user tries to access the system before the changes have been fully updated.

Configuring Advanced Settings (Common)

Revert to defaults - This button allows the user to revert the Advanced Settings back to the installation defaults.

Update Schedule - A schedule can be set up to allow for automatic synchronization. This means that based on the interval time frame set, Novell Service Desk is routinely updated with ADS/LDAP accounts.

Group Names - The names of the ADS/LDAP Group used to control each user role can be customized to suit the user's environment. The basic rule is that the name of each group must be unique, and all the groups must be located at the node specified in the Setup tab.

Attribute Mapping - This is used to map attributes (fields) on the authentication server to corresponding fields in Novell Service Desk. Six native fields from Novell Service Desk are listed: First Name, Last Name, Email, Phone, Mobile, and Pager. Next to each field is a drop-down menu containing the list of default fields specific to your server type.

For each native name, the default fields are selected. It is possible to change each of the mapping attributes as desired. This is necessary if custom fields are used, as they require appropriate mapping.

Users are automatically imported to the application when it has been synchronized with the Active Directory/ LDAP server. Users cannot be modified through the application directly as the appropriate authentication server console must be used. The exception to this is when customer accounts are not being derived from the directory.

After any changes are made to the ADS/LDAP, it is necessary for the Administrator to log in to Novell Service Desk, navigate to Setup->Access and select Synchronize to manually update the changes within the application if it is to be used immediately by the affected customer.

If the system is using internal authentication and switches to using the authentication server, all user accounts are disabled. An e-mail is sent notifying users of the change. Users of type Customer will no longer be able to access the online Customer Interface.

Logging In Using LDAP/Active Directory

If the system is using an authentication server, whenever a user who is set up to use the authentication server (or the administrator) tries to log in, the connection to the LDAP server is tested with the account details specified in the setup area. If a connection cannot be established, an e-mail is sent to the administrator notifying them of the error.

Note also that when an ADS user tries to log in, they do NOT have to enter their domain name before their username. However, if there is more than one domain used within the application, a drop-down list of domain names is displayed on the log-in screen. The user must select the appropriate domain for the application to authenticate against on the correct server.

Cause

Novell Service Desk allows the Administrator to connect to a Directory Server for user authentication purposes. This removes the need to create user accounts entirely by allowing Novell Service Desk to synchronize user accounts and access levels with an existing Directory Server. This has the added benefit of allowing the administrator to work with their existing infrastructure.

Novell Service Desk requires the groups created correspond to the user access levels (also called roles). The group names that Novell Service Desk expects to find by default are:

- Novell Service DeskAdministrators
- Novell Service DeskSupervisors
- Novell Service DeskTechnicians
- Novell Service DeskPartners
- Novell Service DeskManagers
- Novell Service DeskFinance
- Novell Service DeskCustomers

Please note that these names are exact, that is the names in the Directory Server must be identical to the names above. The members of these groups are assigned the relevant access levels. For example, members of Novell Service DeskAdministrators are given access privileges of the Administrator role.

The group names can be customized in the Advanced Settings. Users can be a member of more than one group; for example, they can be a member of Novell Service DeskSupervisors and Novell Service DeskCustomers. However, memberships of the LTS, LTT and LTP groups all count towards the license limit, so at any one time a user should be a member of only one of them. If a user is a member of more than one of these groups, each membership will count as one license used.

Additional Information

https://www.novell.com/documentation/servicedesk7/admin/data/b127s52e.html

Formerly known as 10039