LDAP Integration – Active Directory

WHAT IS IT?
LDAP integration is a module inside bigWebApps HelpDesk to synchronize your organization’s LDAP database with bigWebApps HelpDesk user database. 

HOW DOES IT WORK?
Our system will make remote LDAP queries to your domain controller over LDAP's secure ports 636.  No software is required to be installed on your network.  You must enable port forwarding from our data center's IP ranges to one of your domain controllers.  A scheduled nightly replication will run to update any new data that was not updated during a manual replication event.

WHAT DATA IS COPIED?
The AD Replicator will only copy the following fields of data to our data center: FirstName, LastName, EmailAddress, ADSid, ADGuid, AD OU Path.  No passwords or password hashes are copied to our servers.    No user's AD Password or hashes are ever stored on our servers.

WHAT ARE THE REQUIREMENTS?
Currently we only support Windows Server 2003 and 2008 domains.   You must have your firewall administrator forward the proper LDAP ports inbound to one of your domain controllers. You must also set up a domain user account to be used for domain access to your system. This can be a low level standard user for making basic LDAP queries.  Your domain controller must have some type of certificate installed to enable LDAP.

CERTIFICATES
For LDAP to work on ports 636 the domain controller must have some type of certificate installed. We have designed the LDAP replicator to be very forgiving of certificate issues.  Your certificate does NOT have to be issued by a certificate authority; you can use internal self-signed certificates.  The easiest way to install certificates is to install Microsoft Certificate Services on your domain and let it automatically issue a certificate to all domain controllers. If this is not possible, you can either create a self-signed certificate manually or you must get a real certificate from a domain authority.

The name on the certificate must match the fully qualified INTERNAL name of your domain controller, such as server1.acme.local, server1.acme.lan, ...   This is not the external name to the public such as server1.domain.com. It must be the full internal name of the domain controller.

PORTS TO FORWARD INBOUND
To use this system you must open ports 636 inbound from your firewall to one of your domain controllers.  You can translate to another port number on your external WAN if you would like added security, but you must map to port 636 internally.  When setting up the LDAP Replicator you must input the external port that you set up, by default 636, unless your firewall administrator enabled mapping, in which case they must provide you with the port number.


IP RANGES

For added security your firewall administrator can restrict the IP addresses able to access this port mapping from above. If you would like to restrict the port mappings to only our data centers you firewall administrator should apply these restrictions

Range1:  68.64.44.32/28    subnet mask  255.255.255.240

Range2:  204.52.223.176/28  subnet mask  255.255.255.240

Range3:  75.147.199.128    subnet mask 255.255.255.248    (or 75.147.199.129 - 75.147.199.133)

 
FAQ

DOES BIGWEBAPPS AD INTEGRATOR SUPPORT NOVELL OR LINUX?
Currently we only support Microsoft Active Directory.  We are researching open LDAP standards that would allow support for Novell or Linux.

DOES IT SUPPORT OU TO LOCATION MAPPING?
No, we do not currently support OU to bigWebApps HelpDesk location mapping. Upon first login to the application, the user will be prompted to complete their profile, including their base location. Also, if the user attempts to submit a ticket they will be prompted to add their location information.

WHAT IF I USER ACCOUNTS IN SEVERAL GROUPS?
If a user’s account information is placed in multiple mapped groups then the system will promote the user to the highest group available. Meaning if the user is mapped to a group for both a Standard User and Technician then they will adopt the technician role.

AM I ALLOWED TO USE DYNAMIC GROUPS?
No, at this time we only support static groups.


DO ALL MY USERS NEED AN EMAIL ADDRESS?
Yes, all AD users will need to have an associated email address to their account.  We use the email address to help locate the domain and authenticate the user.

WILL IT CHANGE CURRENT USERS PASSWORDS?
When you activate the LDAP your users will then be able to authenticate using their domain passwords which will be stored on your systems. We do not store AD passwords on our local servers. Your users will then be able to access with either their local HelpDesk password or AD password.

WHY DOES BIGWEBAPPS CHARGE AN IMPLEMENTATION FEE?
Each environment is unique.  During installation of these components, there are high varying network security policies, group policy configurations, IE settings, etc.  In each case, we must troubleshoot to make all works properly.  If this were a lab, we would know exactly how long the setup would take. Each setup varies greatly based on variables at the client site.  The implementation fee is to pay for extended support services to help troubleshoot issues on your network that may be unrelated to the AD Replicator.


WHAT ARE THE HELPDESK ROLES?
There are 5 HelpDesk roles in which you are able to map your AD groups.

Standard User - A user who is able to submit their own tickets and view previously submitted tickets.

Super User 
- A user who is able to submit their own tickets AND tickets for other users.  This user is not able to modify, transfer or resolve tickets.

Technician - A user who receives tickets and are able to respond, update, transfer and resolve tickets.  

System Administrator - A user who is able to configure the application settings and set technician's permissions

Organization Administrator - A user who is able to manage multiple instances within an organization.  NOTE: A user will need to be an Organization Administrator in order to setup and run LDAP integration.

NOTE:  If you are setting up LDAP you will need to map ALL of your roles in ALL of your instances before you start replication.

MISC LINKS TO HELP SETUP SSL ON THE DC

View Certificate Diagnostics
http://www.expta.com/2009/11/how-to-test-ldap-over-ssl-connections.html

Install Certificate Services on 2003 Server
http://www.techietips.net/EnableSSL-for-LDAP-on-your-Windows-2003-Active-Directory-Service.html

IIS 6 Resource Kit - SelfSSL.exe
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17275


SSL CERTIFICATE NAME
The common name on the ssl certificate must match the internal fully qualified name of the domain controller.  many times the domain suffix will be suffixes such as:  domain.local , domain.lan , domain.net  .  IN a few cases it can be domain.com if your domain uses the same .com for external and internal.
If the domain controller name is MRBIG and your internal domain name is acme.local the common name must be  "mrbig.acme.local"


WAYS TO SETUP SSL ON THE DOMAIN CONTROLLER

  1. Install Certificate Services.  This is the easiest way to get self-signed certificates installed on all domain controllers.  Has a benefit to your organization beyond LDAP.

  2. Win 2008 Srv with IIS 7 installed. Use the II7 Self Signed certificate wizard to setup a cert.

  3. Win 2008 Srv without IIS.  We have successfully used the IIS 6 resource kit tool "SelfSSL.exe" to inject a self signed certificate onto the server.  The tool will give an error because it is expecting IIS to be installed, but it does work and has been tested to make LDAPS work properly.

  4. Win 2003 Srv IIS 6.   The easiest is to install certificate services. If that is not possible, IIS 6 Resource Kit SelfCert is easy to use.

  5. Purchase a Real Certificate from Network Solutions, Godaddy, or some other certificate reseller.


 I found this article helpful. (0)

Leave a Response

Your Name   

Email Address