6.11 LDAP

6.11.1 LDAP Authentication

There are several ways to authenticate users of the service management application. By default the system uses its internal authentication mechanism but there is also the option to authenticate against one or more Directory Servers or use OpenID Providers.

Internal Authentication

Using internal authentication requires the Administrator or Supervisor to create accounts for all User types by entering the contact information, access levels and password. This information is then saved to the system database. The typical case for using Internal Authentication is where there are few Users, or in an environment that has no pre-existing directory server. Usually, the Administrator would configure the User accounts prior to announcing the system is operational, and from that point on, maintain the accounts as necessary. (See: Create Customers or Create Users.)

OpenID Providers

OpenID is a decentralized process to verify a Customer's or User's online identity. It addresses the single sign-on issue by not relying on a centralized website to confirm a User's identity. The system can be enabled to be an OpenID consumer, which provides seamless authentication between third party authentication utilities and the service management system. OpenID Providers are configured within the Social tab, and Customers or Users that have accounts with the configured OpenID Providers can log into the system by selecting the relevant icon on the Login page.

Directory Server Authentication

The system allows the Administrator to connect to one or more Directory Servers for User authentication purposes. This removes the need to create User accounts as it allows the application to synchronize User accounts and access levels with the existing Directory Server. It has the added benefit of allowing the Administrator to work with existing infrastructure. (See: AD Authentication or LDAP Authentication.)

Directory Server Groups (External Authentication)

Roles are used to grant access within the application. Users must be assigned to Groups on the directory server that correspond to the Roles within the support system. Group members are assigned Roles and access levels within the service management tool.

The default group names the system expects to find on the directory server are:

  • Administrators

  • Supervisors

  • Technicians

  • Partners

  • Managers

  • Finance

  • Customers

The Group names can be customized in the LDAP/Active Directory Advanced tab. Users can belong to more than one group, for example if a User holds the Roles of Technician and Manager, they would belong to the Technicians and Managers groups.

NOTE: Users can have only one of the Partner, Supervisor and Technician Roles. Therefore, they can belong to only one of these groups. However, they may also belong to any other group, or combination of groups.

The following fields may or may not be mapped, depending on the options set by the system Administrator:

  • First Name

  • Last Name

  • Email

  • Phone

  • Mobile

  • Pager

  • Address

  • City

  • Zip

  • Country

Email Address

All User accounts must include an email address to be successfully imported into the system. If additional fields have been mapped from the authentication server to corresponding fields in the application, a drop-down menu containing all the optional values for the field will be available beside the mapped field. Choose the correct value from each list.
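Added example, not part of the original documentation or the product: how the group-to-Role rules above might be checked at import time, using the default group names from the list, the one-of-Partner/Supervisor/Technician restriction, and the mandatory Email (plus First Name and Last Name, which the Advanced Settings section lists as mandatory). The sample entries and the givenName/sn/mail attribute names are constructed assumptions.

```python
# Default group names the system expects on the directory server (from the text).
DEFAULT_GROUP_ROLES = {
    "Administrators": "Administrator",
    "Supervisors": "Supervisor",
    "Technicians": "Technician",
    "Partners": "Partner",
    "Managers": "Manager",
    "Finance": "Finance",
    "Customers": "Customer",
}

# A User may hold only one of these three Roles.
EXCLUSIVE_ROLES = {"Supervisor", "Technician", "Partner"}

# Attributes assumed to carry First Name, Last Name and Email.
MANDATORY_ATTRS = ("givenName", "sn", "mail")


def roles_for_groups(member_of, group_roles=DEFAULT_GROUP_ROLES):
    """Map the groups a directory entry belongs to onto Roles.

    Returns (roles, problems). Unknown groups are ignored, because the
    system only looks for the configured group names. Membership in more
    than one of Supervisors/Technicians/Partners is reported as a problem
    rather than silently picking one.
    """
    roles = {group_roles[g] for g in member_of if g in group_roles}
    problems = []
    clash = sorted(roles & EXCLUSIVE_ROLES)
    if len(clash) > 1:
        problems.append("conflicting exclusive roles: " + ", ".join(clash))
    return roles, problems


def check_mandatory(entry):
    """Return the mandatory attributes that are missing or empty on an entry."""
    return [a for a in MANDATORY_ATTRS if not entry.get(a)]


def evaluate_import(entry, member_of):
    """Decide whether a directory entry can be imported and with which Roles."""
    roles, problems = roles_for_groups(member_of)
    missing = check_mandatory(entry)
    if missing:
        problems.append("missing mandatory attributes: " + ", ".join(missing))
    if not roles:
        problems.append("not a member of any configured group")
    return {"import": not problems, "roles": sorted(roles), "problems": problems}


# Constructed sample entries (not real directory data).
SAMPLE = [
    ({"givenName": "Ann", "sn": "Lee", "mail": "ann@example.com"},
     ["Technicians", "Managers"]),
    ({"givenName": "Bob", "sn": "Ray", "mail": "bob@example.com"},
     ["Technicians", "Supervisors"]),
    ({"givenName": "Cy", "sn": "Dee"}, ["Customers"]),
]

if __name__ == "__main__":
    for entry, groups in SAMPLE:
        print(entry.get("mail", "<no mail>"), evaluate_import(entry, groups))
```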

Mixed Mode Authentication

The application can use a combination of internal and external authentication. This means the service management tool can be synchronized with a Directory Server to import User and Customer details, while also allowing Customer Accounts to be created directly within the system. Such a feature is useful if the service and support solution is being used for both internal and external customer support.

To enable Mixed Mode authentication, after the system has connected to the Directory Server, move to the Setup>Privileges>Customer tab and enable the Include Customers option to display the Mixed Mode field. Set the Mixed Mode option to Yes.

NOTE: If authenticating against a Directory Server, all User accounts will validate against the server except for the application default Administrator User. The default Administrator User account details can be modified within the My Account tab of the application.

6.11.2 Active Directory Integration

Active Directory is a unique implementation of the LDAP standard, as the requirements for communication need to conform to the Microsoft™ Windows Authentication protocols. To meet this need, it is necessary to enter all domains from which Users will authenticate. Multiple sources of Active Directory can be synchronized with the system, if required.

NOTE:

  • From ZENworks Service Desk 8.3.1 onwards, Setup > LDAP is changed to Setup > User Sources.

  • Additionally, Azure Active Directory is available as one of the user sources.

For more information on Azure Active Directory Integration, see Azure Active Directory Integration.

Configuring the Active Directory Integration

To configure the Active Directory integration:

  1. Select Setup > LDAP (User Sources)

  2. Click New

    The LDAP/Active Directory Server (User Source Configuration) screen tab is displayed.

  3. Enter the Server Name

  4. Select Active Directory within the Type drop down list

  5. Define all the Domains from which Users will be authenticated

    Domains will need to be entered in both the NT and the Windows 2000 domain naming formats. This is because Active Directory conforms to the Microsoft™ Windows NT and Windows 2000 authentication protocols.

    Make entries with care, as they are not validated against the Directory Server by the system Domain Editor.

    NOTE: Verify the Active Directory setup before you provide the Windows NT domain and Windows 2000 domain credentials.

    NOTE: Here is an example of both naming conventions for the domain:

    mydomain.mycompany.com

    NT Style = MYDOMAIN

    2K Style = mydomain.mycompany.com

  6. Enable Import Groups if you have configured the Store and want to assign store items to an LDAP group using the "LDAP Group Extension". To import LDAP Groups, select Import Groups and specify the Group Admin DN, Password and Group Node/Base DN.

  7. Click Save

  8. Using the drop-down arrow, select the Default Domain, which is used in the following three ways:

    • on the login page

    • to authenticate against, when synchronizing with the Directory Server

    • where the system expects to find the User Groups.

  9. Enter all other required fields to configure the Directory Server

  10. The Settings fields are as follows:

    Security: Determines how the integration layer will authenticate. For Active Directory this should be set to Cleartext – Username + Password. Anonymous connections to Active Directory are rarely enabled.

    Server Host: Enter the hostname or IP address of the Active Directory Server. On a Windows NT domain this will be the primary domain controller.

    Server Port: The default Active Directory Server Port is 389. This is rarely changed.

    Username: Used by the system to authenticate against the Active Directory Server when reading account information. The domain prefix/suffix will be appended, based on the default domain, when connecting to the Server.

    Password: Enter the Password for the Username account.

    Users Node: The component of the base domain name that refers to the location of the User Groups. For example, if the location of the User Groups is the following:

    ou=UserGroups, ou=MIS, dc=myoffice, dc=mycompany, dc=com

    (See LDAP/Active Directory Advanced Settings for information on Group configuration.)

    Groups must be in the default domain, in this case myoffice.mycompany.com. The Users Node only needs the location of the Groups within the default domain, so the Users Node in this example will be: ou=UserGroups, ou=MIS.

    Additional Filter (LDAP Query): In this field, you can specify an additional LDAP query to filter out records based on specified criteria. The Filter Query is applied to user attributes and only within the group names specified in the Advanced tab.

    Following is an example of the LDAP Query:

    (&(mail=*epm.com)(|(department=Biology)(department=Chemical)))

    NOTE: The filter query should be a standard LDAP query (vendor specific).

    LDAP Groups for Store Item:

    Group Admin DN: Specify the group admin DN.

    Example: cn=user, cn=users, dc=domain, dc=com

    Password: Specify the password of the DN.

    Group Node/Group based DN: If this field is not specified, then the value specified in Users Node/Base DN is used.

    NOTE: The above options are enabled only when you select the Import Groups checkbox in the Groups section. This is used to assign a store item to an imported LDAP Group using the LDAP Group Extension.

    Locale

    Default Timezone: Select the default Timezone to be applied to all User accounts imported via Active Directory.

  11. Click Save.

    Repeat the above process to add more than one authentication server for authorizing User access.
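Two checks an administrator might script before saving the configuration above, as an added example that is not ZENworks Service Desk code: deriving the Users Node from the group DN and the Default Domain (step 10), and applying the Additional Filter quoted in the text to user entries that sit inside the configured groups. The filter evaluator supports only &, |, ! and equality with the * wildcard; the sample entries and the uid/memberof attribute names are constructed assumptions.

```python
import fnmatch


def split_dn(dn):
    """Split 'ou=A, ou=B, dc=x' into [('ou', 'A'), ('ou', 'B'), ('dc', 'x')]."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def users_node(group_dn, default_domain):
    """Return the Users Node: the part of group_dn that lies inside the Default Domain.

    Raises ValueError when the dc components do not spell default_domain,
    because the Groups must be in the Default Domain.
    """
    parts = split_dn(group_dn)
    domain = ".".join(v for a, v in parts if a == "dc")
    if domain.lower() != default_domain.lower():
        raise ValueError(f"group DN is in {domain!r}, not {default_domain!r}")
    return ",".join(f"{a}={v}" for a, v in parts if a != "dc")


def parse_filter(text):
    """Parse a parenthesised filter into ('&'|'|'|'!', [children]) or ('=', attr, pattern)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, _, pattern = text[i:end].partition("=")
        return ("=", attr.strip().lower(), pattern), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # Simplification: case-insensitive match with '*' as the only wildcard.
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower())
               for v in entry.get(attr, []))


def filtered_members(filter_text, entries, configured_groups):
    """Apply the Additional Filter only to users inside the configured groups."""
    node = parse_filter(filter_text)
    wanted = set(configured_groups)
    return [e["uid"] for e in entries
            if wanted & set(e.get("memberof", [])) and matches(node, e)]


# Constructed sample entries; the filter string is the one from the text.
FILTER = "(&(mail=*epm.com)(|(department=Biology)(department=Chemical)))"
ENTRIES = [
    {"uid": "alice", "mail": ["alice@epm.com"], "department": ["Biology"], "memberof": ["Technicians"]},
    {"uid": "bob", "mail": ["bob@epm.com"], "department": ["Physics"], "memberof": ["Technicians"]},
    {"uid": "carol", "mail": ["carol@other.com"], "department": ["Chemical"], "memberof": ["Technicians"]},
    {"uid": "dave", "mail": ["dave@epm.com"], "department": ["Chemical"], "memberof": ["Staff"]},
]

if __name__ == "__main__":
    print(users_node("ou=UserGroups, ou=MIS, dc=myoffice, dc=mycompany, dc=com", "myoffice.mycompany.com"))
    print(filtered_members(FILTER, ENTRIES, ["Technicians", "Supervisors"]))  # dave is outside the groups
```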

Azure Active Directory Integration

Azure Active Directory is a unique implementation of the LDAP standard, as the requirements for communication need to conform to the various protocols. To meet this need, it is necessary to enter all domains from which Users will authenticate. Multiple sources of Active Directory can be synchronized with the system, if required.

Prerequisites:

  • Register ZENworks Service Desk as an application with the Azure Active directory.

    For more information, see Registering an Application or any documentation provided by the service provider.

    NOTE:

    • While registering the application, use the following URLs as the redirect URI with Web platform:

      • https://<FQDN>/LiveTime/WebObjects/LiveTime.woa/wa/oauthlogin

      • https://<FQDN>/servicedesk/login

    • Ensure that you select platform type as Web.

    • Ensure that you add redirect URIs of all the public interfaces (IP or domain name) of ZENworks Service Desk.

  • Obtain the OAuth parameters (Tenant ID, Client ID, Client Secret) from Azure for the registered ZSD application.

  • Provide the required Azure API permissions for the registered ZSD application, as displayed in the ZSD UI.

Configuring the Azure Active Directory Integration

To configure the Azure Active Directory integration, perform the following steps:

  1. Select Setup > User Sources

  2. Click New

    The User Source Configuration tab is displayed.

  3. In the Server panel, specify the Server Name

  4. In the Type drop down, select Azure Active Directory.

    Ensure that you provide the User.Read.All, Group.Read.All permissions in the Application that you had created in the Azure portal.

  5. In the Settings section, specify the following details, which are obtained from the Azure portal after registering the application:

    1. Server URL

    2. Tenant ID

    3. Client ID

    4. Client Secret

  6. Enable Import Groups if you have configured the Store and want to assign store items to an LDAP group using the "LDAP Group Extension".

    To additionally import groups for the store assignment, ensure that you provide Group.ReadWrite.All permissions in the application that you had created in the Azure portal.

  7. In the Default Timezone, select the default Timezone to be applied to all User accounts imported via Active Directory.

  8. Click Save.

NOTE: If the Server URL, Tenant ID, Client ID, or Client Secret is modified, then ensure that you update the same changes in the Azure Active Directory Setup page in ZENworks Service Desk. After making the changes, Save and Test the connection.

Test Button

The Test button creates a connection to the Active Directory Server, applying the configuration settings. If successful, it will attempt to determine how many Users are in each group and display a Results Screen.

If the test fails, an error message will display the cause.

NOTE: If you have configured a host address in the Host Address field, it takes precedence while generating the redirect (callback) URI. Hence, ensure that you have configured the correct host address in the Host Address field (Setup > Privileges > System) or leave the field blank so that ZENworks Service Desk can use the current URL for generating the redirect (callback) URI.

Sync Button

The Sync button runs the synchronization process to import all Users from the Server Directory. If new Active Directory Accounts have been created and those Users require immediate access to the system, a manual synchronization would be used.

Only one synchronization can run at a time. When multiple Users need access, create the accounts, then run a single manual synchronization.

A manual synchronization may take some time as it depends on the connection speed with the external service. The manual synchronization works best for small directories. Larger Active Directory implementations can take some time to propagate the changes, so account information may not be immediately available.

If a user is no longer a technician, then after Sync, the following actions are performed:

  1. The user will be removed from the respective teams.

    Users will not be removed from the team if they are the only user in the team or layer or if the user is a team lead.

  2. All open requests will be reassigned to other technicians.

  3. An alert will be generated with a summary.
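A small model of the three Sync actions just listed, added here as an illustration rather than taken from the product: teams, layers, team leads and requests are constructed data, and the round-robin choice of the new technician is an assumption, since the text does not say how requests are redistributed.

```python
from dataclasses import dataclass, field


@dataclass
class Team:
    name: str
    lead: str
    layers: dict = field(default_factory=dict)  # layer name -> list of members

    def members(self):
        return {m for layer in self.layers.values() for m in layer}


def remove_from_teams(user, teams):
    """Remove user from each team unless they are the team lead or the sole
    member of the team or of a layer; returns (removed_from, kept_in)."""
    removed, kept = [], []
    for team in teams:
        if user not in team.members():
            continue
        sole_in_layer = any(layer == [user] for layer in team.layers.values())
        if team.lead == user or team.members() == {user} or sole_in_layer:
            kept.append(team.name)
            continue
        for layer in team.layers.values():
            if user in layer:
                layer.remove(user)
        removed.append(team.name)
    return removed, kept


def reassign_open_requests(user, requests, technicians):
    """Move user's open requests to the remaining technicians, round robin.
    Closed requests keep their assignee. Returns {request id: new assignee}."""
    others = [t for t in technicians if t != user]
    if not others:
        raise RuntimeError("no other technician to reassign to")
    moved = {}
    for n, req in enumerate(r for r in requests
                            if r["assignee"] == user and r["status"] == "open"):
        req["assignee"] = others[n % len(others)]
        moved[req["id"]] = req["assignee"]
    return moved


def sync_demoted_technician(user, teams, requests, technicians):
    """Run the three documented actions and return the alert summary text."""
    removed, kept = remove_from_teams(user, teams)
    moved = reassign_open_requests(user, requests, technicians)
    return (f"{user} lost the Technician role: removed from {removed or 'no teams'}, "
            f"kept in {kept or 'no teams'} (lead or sole member), "
            f"{len(moved)} open request(s) reassigned")


def sample():
    """Constructed data: ann is demoted; she leads one team, shares another
    and is alone in a layer of a third."""
    teams = [
        Team("Network", lead="ann", layers={"L1": ["ann", "bob"]}),
        Team("Desktop", lead="bob", layers={"L1": ["bob", "ann"], "L2": ["cy"]}),
        Team("Mail", lead="cy", layers={"L1": ["cy"], "L2": ["ann"]}),
    ]
    requests = [
        {"id": 1, "assignee": "ann", "status": "open"},
        {"id": 2, "assignee": "ann", "status": "closed"},
        {"id": 3, "assignee": "ann", "status": "open"},
    ]
    return teams, requests


if __name__ == "__main__":
    teams, requests = sample()
    print(sync_demoted_technician("ann", teams, requests, ["ann", "bob", "cy"]))
```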

Login

After successful configuration and import of user accounts, users can log into ZSD by providing their complete username. Click Login with Azure to be redirected to the Azure portal to complete the login process. After a successful login, you are redirected back to the ZENworks Service Desk portal.

NOTE: After a successful login, ZENworks Service Desk maintains its own session and does not depend on the Azure session. Hence, logging out from ZENworks Service Desk will not log you out of Azure.

Importing Customers

Customer details can be imported using Active Directory by enabling the option, if required. When the system is set up to synchronize with Active Directory, move to the Setup>Privileges>Customer tab and enable the Include Customers option.

If there is a need to create Customers using Active Directory and the system's internal authentication capability, Mixed Mode authentication can also be enabled. After the option to Include Customers is set to Yes in the Customer Privilege tab, the Mixed Mode field is displayed. Set this option to Yes to allow Customers to be created directly in the system and using Active Directory.

Imported Account Usernames

Accounts imported from Active Directory use the UPN as the Username, as opposed to the NT style login. The domain component of the UPN is derived from the selected domain in the popup on the login page, which means Users need to enter their login name only to connect to the support application.

Login details are passed directly to the directory server for authentication and are not retained within the service management system.

6.11.3 LDAP Server Integration

Multiple types and sources of directory servers can be synchronized with the system at any one time. The LDAP servers supported by the system, and discussed in this section, include the following:

  • Open LDAP

  • Netscape Directory Server

  • Micro Focus eDirectory

It should, however, be noted that LDAP does follow a standard and as such the settings detailed herein should also apply to other implementations.

Configuring LDAP Server Integration

To configure LDAP Server integration:

  1. Select Setup>LDAP

  2. Click New

    The LDAP/Active Directory Server tab is displayed.

  3. Enter the Server Name

    (If the system is to synch with Zenworks, ensure the Server Name matches the User Source Name used by Zenworks.)

  4. Select LDAP within the Type drop down list

  5. Complete the Settings fields

  6. The Settings fields are as follows:

    Security: Secure Sockets Layer (SSL) encryption is provided for Active Directory and LDAP server integration. The details entered here determine how the integration layer authenticates.

    User authentication can be with Secure Sockets Layer (SSL) or Clear Text. Select Anonymous or User name and Password.

    If Anonymous is selected, ensure anonymous access to the directory is available.

    Server Host: Enter the host name or IP Address of the LDAP Server.

    Server Port: This is the LDAP Server Port. The default is 389.

    User name: The system authenticates the user name against the LDAP Server. Leave this blank for anonymous connections.

    Where a user name is provided, Netscape allows the internal users to connect as the account name, so using ‘cn=Directory Manager’ is acceptable.

    Open LDAP expects the fully qualified Domain Name for the user, regardless of access level, so at the very least ‘cn=Manager,dc=example,dc=com’.

    For other accounts the user BaseDN is required. Users logging in need only enter their login name; it is assumed the login name will be unique across the entire directory.

    Password: If a User account is specified in the User name field, enter the account password.

    BaseDN: The Base Domain Name refers to the domain location of the User Groups. For example, assume that the location of the User Groups is the following:

    ou=UserGroups,ou=MIS,dc=myoffice,dc=mycompany,dc=com

    The above String would be the BaseDN.

    Additional Filter (LDAP Query): In this field, you can specify an additional LDAP query to filter out records based on specified criteria. The Filter Query is applied to user attributes and only within the group names specified in the Advanced tab.

    Following is an example of the LDAP Query:

    (&(mail=*epm.com)(|(department=Biology)(department=Chemical)))

    NOTE: The filter query should be a standard LDAP query (vendor specific).

    LDAP Groups for Store Item:

    Group Admin DN: Specify the group admin DN.

    Example: cn=user, cn=users, dc=domain, dc=com

    Password: Specify the password of the DN.

    Group Node/Group based DN: If this field is not specified, then the value specified in Users Node/Base DN is used.

    NOTE: The above options are enabled only when you select the Import Groups checkbox in the Groups section. This is used to assign a store item to an imported LDAP Group using the LDAP Group Extension.

    Locale

    Default Timezone: Select the default Timezone to be applied to all User accounts imported using the authentication server.

  7. Enter all required fields to configure the Directory Server

Test Button

The Test button will create a connection to the LDAP Server using the configuration settings. If successful, it will attempt to determine how many Users are in the top level of each group and display a Results screen.

NOTE: If the test fails, an error message will display the cause.

Configuring OpenLDAP for ZENworks Service Desk

While configuring OpenLDAP for ZENworks Service Desk, ensure that you consider the following points:

  1. The LDAP group has the objectClass of top and groupOfUniqueNames.

  2. The givenName, sn, and mail attributes are specified.

  3. In the Service Desk LDAP settings, set the Include Disabled Accounts setting to Yes.

Following are LDIF examples to create a user, to create a group and to add a user to the group:

  1. To create a user:

    # User Entry (use with ldapadd utility)
    dn: cn=user1,dc=example,dc=com
    cn: user1
    objectClass: inetOrgPerson
    givenName: user
    sn: one
    mail: user1@example.com
    userPassword: <userpassword>

  2. To create a group (at least one user must be added as a member while creating the group):

    # Group Entry (use with ldapadd utility)
    dn: cn=group1,dc=example,dc=com
    cn: group1
    objectClass: top
    objectClass: groupOfUniqueNames
    uniqueMember: cn=user1,dc=example,dc=com

  3. To add a user to the group:

    # Add Member Entry (use with ldapmodify utility)
    dn: cn=group1,dc=example,dc=com
    changetype: modify
    add: uniqueMember
    uniqueMember: cn=user2,dc=example,dc=com
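An added checker, not a ZENworks Service Desk tool, that parses LDIF and verifies the requirements listed above (group objectClass top and groupOfUniqueNames with at least one uniqueMember; user givenName, sn and mail present) before the entries are loaded with ldapadd or ldapmodify. The sample LDIF is constructed from the entries shown, with one deliberate defect in the group and one in the second user.

```python
def parse_ldif(text):
    """Parse LDIF into a list of dicts mapping attribute -> list of values.
    Comment lines are skipped, folded continuation lines (leading space)
    are joined, and attribute names are stored lower-cased."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:        # LDIF line folding
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    return entries


def check_entry(entry):
    """Return the problems found in one entry (an empty list means it is fine)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if entry.get("changetype", [""])[0].lower() == "modify":
        added = [v.lower() for v in entry.get("add", [])]
        if "uniquemember" in added and not entry.get("uniquemember"):
            problems.append("modify adds uniqueMember but gives no value")
        return problems
    if "groupofuniquenames" in classes:
        if "top" not in classes:
            problems.append("group lacks objectClass top")
        if not entry.get("uniquemember"):
            problems.append("group must be created with at least one uniqueMember")
    elif "inetorgperson" in classes:
        for attr in ("givenname", "sn", "mail"):
            if not entry.get(attr):
                problems.append(f"user lacks {attr}")
    else:
        problems.append("entry is neither an inetOrgPerson user nor a group")
    return problems


def check_ldif(text):
    """Map each DN in the LDIF to its list of problems."""
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}


# Constructed sample: a valid user, a group missing objectClass top, and a
# user without mail. The password is a placeholder, as in the text.
SAMPLE_LDIF = """\
# User Entry
dn: cn=user1,dc=example,dc=com
cn: user1
objectClass: inetOrgPerson
givenName: user
sn: one
mail: user1@example.com
userPassword: <userpassword>

dn: cn=group1,dc=example,dc=com
cn: group1
objectClass: groupOfUniqueNames
uniqueMember: cn=user1,dc=example,dc=com

dn: cn=user2,dc=example,dc=com
cn: user2
objectClass: inetOrgPerson
givenName: user
sn: two
"""

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```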

Synch Button

The Synchronization button runs the synchronization process manually. It is most useful for the initial deployment, and when new directory server accounts have been created for Users who require immediate access to the system.

If using Certificates ensure the certificate details are entered in the Certificates tab before synchronizing.

Only one synchronization can run at a time. For multiple users needing access, create the accounts on the LDAP server then run a single manual synchronization.

A manual synchronization may take some time as it depends on the connection speed with the external service. The manual synchronization works best for small directories, as larger directories take more time to propagate changes.

If a user is no longer a technician, then after Sync, the following actions are performed:

  1. The user will be removed from the respective teams.

    Users will not be removed from the team if they are the only user in the team or layer or if the user is a team lead.

  2. All open requests will be reassigned to other technicians.

  3. An alert will be generated with a summary.

Importing Customer Details

Customer details can be imported using LDAP by enabling the option, if required. When the system is set up to synchronize with LDAP, move to the Setup>Privileges>Customer tab and enable the Include Customers option.

If there is a need to create Customers using LDAP and the system's internal authentication capability, Mixed Mode authentication can also be enabled. After the option to Include Customers is set to Yes in the Customer Privilege tab, the Mixed Mode field is displayed. Set this option to Yes to allow Customers to be created directly in the system and using LDAP.

6.11.4 LDAP/Active Directory Advanced Settings

Before setting up the LDAP/ADS configuration within the system, the Advanced settings should be revised. The default setup assumes that the User Groups that the system uses to authenticate match what is on the server, and that the User information imported matches the attributes available on the server.

LDAP/Active Directory Advanced Options Set-up

To configure the Advanced options within the LDAP/Active Directory Setup window:

  1. Select Setup>Authentication

    The LDAP/Active Directory Setup screen appears.

  2. Click Edit

  3. Move to the Advanced tab of the selected Authentication Server

  4. Enter the relevant details for the fields, as required

  5. The Advanced fields are as follows:

    Revert to Defaults: Resets the installation defaults.

    Update Schedule: Sets a routine synchronization to update the system with current AD/LDAP accounts. Select the required Daily, Weekly or Monthly intervals and Commencement details.

    Commencement Time: Set the day of the week and time the system is to start automatically synchronizing with the directory server.

    User Groups: Provides imported Users with Roles. (The system will look for these groups by default.)

    The User Group names can be customized, only requiring a unique name for each group. The group names on the Directory Server must be identical to the User Group names entered here. Customize or use the default User Group names as necessary.

    Members of each group will be assigned the appropriate Role within the system. To assign multiple Roles to a User, make sure they are members of each of the required groups.

    Users can have only one of the Supervisor, Technician or Partner Roles but they can also have any other Role or combination of Roles.

    Settings:

    Include Disabled Accounts: Set to Yes if the system is to import disabled account details when synched with an LDAP/AD server.

    Include Customers: Set to Yes if the system is to import Customer details when synched with an LDAP/AD server.

    Default Date Style: Set this field as the default date format for imported users.

    NOTE: Ensure that you set this field before importing LDAP users; it applies only to newly imported users.

    Attribute Mapping: Maps attributes from the directory server to corresponding fields in the system. Native system fields are First Name, Last Name, Email (a unique Email Address must be included for a User account to be created), Phone, Mobile, Pager, Address, City, Zip and Country.

    NOTE: Mandatory User information for new and existing User accounts includes the First Name, Last Name and Email address. If these details are not available, the application will not validate an existing User account and will automatically reassign any open or active requests to another valid User.

    Standard: Next to each field is a drop-down menu containing the list of default fields specific to either the LDAP or the Active Directory server type. For each native name, the default fields are selected. Use the default mapping or select the mapping attribute as required.

    Custom: Select the Custom option to manually enter an Attribute Field.

    GUID: Global Unique Identifier. For ADS select objectGUID; for OpenLDAP select entryUUID; for eDirectory select GUID.

    LDAP User Fields/Mixed Mode User Fields: The LDAP User field headings will be replaced with any custom LDAP/ADS Accounts fields created by the Administrator in Setup>Custom Fields (see Custom Fields), or by Mixed Mode User Fields if the Mixed Mode option is enabled in the Server tab.

    Use the drop-down list to select the appropriate mapping to the matching directory server field or select Custom to manually enter a Field.

    Customer Orgs: Organizational Unit relationships can also be mapped from the authentication server. By default this is not enabled. To activate Customer Organizational Unit mapping, select Yes for the Import Customer Organizational Units option and define where the Company and Department information is to be derived.

    Line Managers: The LDAP attribute that defines a Customer's line manager, which is used for processing approvals on Service and Change Requests. Only system users with the Customer Role can be assigned as Line Managers.

  6. Click Save.

Mapping Fields to the Matching Directory Server Field

The LDAP User field headings will be replaced with any custom LDAP/ADS fields created by the Administrator in Setup>Custom Fields. See Custom Fields. Use the drop-down list to select the appropriate mapping to the matching directory server field or select Custom to manually enter a Field.

User details are imported when synchronization with the Active Directory/LDAP server takes place. Imported fields cannot be modified directly through the service management tool; the appropriate authentication server console must be used.

Import Customer Org Units

Organizational Unit relationships can also be mapped from the authentication server. By default this is not enabled. To activate Customer Organizational Unit mapping, select Yes for the Import Customer Organizational Units option.

NOTE: The details of the Org. Units are not populated upon this synch, only the Org. Unit names.

For the Org. Unit details to be assigned to Customer or User Information, create the Org. Unit in the Supervisor>User>Organizational Units tab and ensure the Org. Unit name is identical to what is stored in the authentication server. If the details are not identical, the system will create another Org. Unit.

6.11.5 User Directory or Domain Migration

If the user accounts are migrated to a different directory server, or to another domain on the same server, perform the following steps in ZENworks Service Desk to sync the existing accounts with the new server:

IMPORTANT: Ensure that the email and username for accounts are the same in the new source, else the accounts will not be reconciled in ZENworks Service Desk.

  1. In the ZENworks Service Desk, modify the existing LDAP configuration and update the details as required.

  2. Save the details and sync the changes.

  3. The existing user accounts in ZENworks Service Desk will be synced with the new LDAP source.

NOTE: It is recommended that you perform the steps in the test environment and then replicate the same in the production environment.