About Active Directory (LDAP) Integration

The Active Directory Module enables Issuetrak's integration with Microsoft Active Directory (AD LDAP), AD Federation Services, and Azure AD.  This article focuses on Active Directory (LDAP) integration. 

The Active Directory integration supports Secure Socket Layer (SSL) connections and multi-server/multi-domain directory environments. When enabled, the AD integration creates and updates Issuetrak user records automatically. It maintains basic AD user attributes, the Issuetrak organization, and user permissions, and can also maintain extended AD attributes and the Issuetrak location and/or department. The Single Sign-On option allows network users to have their credentials passed to Issuetrak with no additional login required.


How does the AD LDAP Integration Work?

The AD LDAP integration connects to your AD server(s) during user authentication and import processes, using specifications you define within your Issuetrak site. Among these specifications is a “connection user” that the AD integration uses to log in to the directory and assume the permissions needed to execute these processes.

User information from AD is compared to the Issuetrak user tables. When new information is found for an existing user, the Issuetrak record is updated. If there is no Issuetrak record for a user, that user is created. When a user is deactivated in AD, during the next scheduled import, they will be deactivated within Issuetrak.

If a user is deleted from AD, the Issuetrak user will not be deleted. Additionally, if a user has been deactivated in both AD and Issuetrak and is then reactivated in AD, the Issuetrak user will need to be reactivated manually.


What user information is pulled from AD?

Basic user attributes are pulled directly from AD and mapped to the appropriate fields. These include: Login (User ID), First Name, Last Name, Email, Phone, Address, City, State, Zip, and Country. Up to three additional AD attributes may be mapped through corresponding user-defined fields defined within Issuetrak.

Periods and apostrophes (among other characters) are not allowed in the Issuetrak Login value. If the Active Directory login contains such characters, Issuetrak substitutes them when forming the Issuetrak login. This does not affect the actual value in Active Directory.
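The create/update/deactivate rules described above (including the two caveats that a user deleted from AD is not deleted from Issuetrak, and that a user deactivated on both sides is not reactivated automatically) and the login-character substitution, as an added Python example. This is not Issuetrak's code: the allowed login character set, the substitute character, the synced attribute names, the decision to skip disabled AD accounts that have no Issuetrak record, and the sample records are all assumptions constructed for the example. The userAccountControl flag values NORMAL_ACCOUNT (0x0200) and ACCOUNTDISABLE (0x0002) are the real AD values.

```python
import re

# Real AD userAccountControl flag bits.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

# Assumed login rule for this example: the article says periods and apostrophes
# (among other characters) are replaced, but not which set or with what.
DISALLOWED = re.compile(r"[^A-Za-z0-9_-]")
SUBSTITUTE = "_"

# Assumed set of attributes synced from AD into the Issuetrak user record.
SYNCED_ATTRS = ("first_name", "last_name", "email")


def normalize_login(ad_login):
    """Rewrite an AD login into a form Issuetrak accepts (assumed rule)."""
    return DISALLOWED.sub(SUBSTITUTE, ad_login)


def find_login_collisions(ad_logins):
    """Return normalized logins that more than one AD login maps onto, so two
    distinct AD accounts cannot silently share one Issuetrak record."""
    seen = {}
    for login in ad_logins:
        seen.setdefault(normalize_login(login), []).append(login)
    return {k: v for k, v in seen.items() if len(v) > 1}


def plan_sync(ad_users, issuetrak_users):
    """Compare an AD snapshot with the Issuetrak user table and return the
    actions the article describes, as (action, login, detail) tuples."""
    actions = []
    for u in ad_users:
        login = normalize_login(u["sAMAccountName"])
        disabled = bool(u["userAccountControl"] & ACCOUNTDISABLE)
        existing = issuetrak_users.get(login)
        if existing is None:
            # No Issuetrak record: create one (assumption: disabled AD accounts are skipped).
            if not disabled:
                actions.append(("create", login, {k: u[k] for k in SYNCED_ATTRS}))
        elif disabled:
            # Deactivated in AD: deactivate in Issuetrak on this import.
            if existing["active"]:
                actions.append(("deactivate", login, None))
        elif not existing["active"]:
            # Enabled in AD but inactive in Issuetrak: the article says this is
            # reactivated manually, so flag it rather than reactivating.
            actions.append(("manual_review", login, "reactivate in Issuetrak manually"))
        else:
            changed = {k: u[k] for k in SYNCED_ATTRS if u[k] != existing.get(k)}
            if changed:
                actions.append(("update", login, changed))
    # Issuetrak users absent from the AD snapshot are deliberately left alone:
    # a user deleted from AD is not deleted from Issuetrak.
    return actions


# Constructed sample data (not real accounts).
AD_SNAPSHOT = [
    {"sAMAccountName": "j.doe", "userAccountControl": NORMAL_ACCOUNT,
     "first_name": "Jane", "last_name": "Doe", "email": "jane.doe@example.com"},
    {"sAMAccountName": "o'brien", "userAccountControl": NORMAL_ACCOUNT,
     "first_name": "Pat", "last_name": "O'Brien", "email": "pat.obrien@example.com"},
    {"sAMAccountName": "tsmith", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "first_name": "Tom", "last_name": "Smith", "email": "tsmith@example.com"},
    {"sAMAccountName": "rlee", "userAccountControl": NORMAL_ACCOUNT,
     "first_name": "Rae", "last_name": "Lee", "email": "rlee@example.com"},
]
ISSUETRAK_USERS = {
    "j_doe": {"active": True, "first_name": "Jane", "last_name": "Doe", "email": "jdoe@example.com"},
    "tsmith": {"active": True, "first_name": "Tom", "last_name": "Smith", "email": "tsmith@example.com"},
    "rlee": {"active": False, "first_name": "Rae", "last_name": "Lee", "email": "rlee@example.com"},
    "gone": {"active": True, "first_name": "Gus", "last_name": "One", "email": "gone@example.com"},
}

if __name__ == "__main__":
    for action in plan_sync(AD_SNAPSHOT, ISSUETRAK_USERS):
        print(action)
    print("collisions:", find_login_collisions(["j.doe", "j'doe", "tsmith"]))
```

The collision check is the part worth running before enabling the integration: because several AD logins can normalize to the same Issuetrak login, the safe behaviour is to report the clash rather than let the second account update the first account's record.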

Additional information regarding entity membership can be pulled from specific fields or mapped to AD Groups or OUs.

Issuetrak Value    AD Value
Organization       Mapping to AD Group/OU
Location ID        AD Office, then mapping to AD Group/OU
Department Name    AD Department, then mapping to AD Group/OU

User permissions are granted to AD users through mapping of specific AD Groups/OUs to an end-user template defined within Issuetrak. Agent permissions may be granted through membership in an Issuetrak group, or by AD Group/OU mapping to another template. The number of users imported is directly tied to your license key. If you map Agent permissions via a template, ensure that importing users will not exceed the licensed Agent count. In the event the count is exceeded, the import will stop and notify the Issuetrak System Administrator. Also, with a productivity key, licenses are based on the total number of users; therefore the import will stop if it would exceed the maximum number of licensed end users.

It is our Best Practice to import all users with the same end-user template, and then grant additional permissions and Agent designations by membership in Issuetrak groups.
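The entity table and the permissions paragraph above, as an added Python example (not Issuetrak's code): it applies the table's precedence (the AD Office and Department attributes first, then the Group/OU mapping), assigns an Agent or end-user template from group membership, and stops the import when Agent-template users would exceed the licensed count. The mapping tables, group DNs, template names, license figures and sample users are constructed for the example; physicalDeliveryOfficeName, department, memberOf and distinguishedName are the real AD attribute names.

```python
# Constructed mapping configuration. In Issuetrak these mappings are entered
# through its interface; the DNs, names and template labels here are made up.
ORG_BY_GROUP = {"CN=Sales,OU=Groups,DC=example,DC=com": "Sales"}
LOCATION_BY_OU = {"OU=Boston,DC=example,DC=com": "BOS"}
DEPT_BY_GROUP = {"CN=Field Support,OU=Groups,DC=example,DC=com": "Field Support"}
AGENT_TEMPLATE_GROUP = "CN=Helpdesk Agents,OU=Groups,DC=example,DC=com"
END_USER_TEMPLATE = "Standard End User"
AGENT_TEMPLATE = "Helpdesk Agent"


class LicenseExceeded(Exception):
    """Raised to stop the import when the licensed Agent count would be exceeded."""


def parent_ou(distinguished_name):
    """Return the container a user object sits in (assumes no escaped commas in the DN)."""
    return distinguished_name.split(",", 1)[1]


def resolve_entities(user):
    """Apply the table's precedence: attribute value first, then Group/OU mapping."""
    ou = parent_ou(user["distinguishedName"])
    groups = user.get("memberOf", [])
    organization = next((ORG_BY_GROUP[g] for g in groups if g in ORG_BY_GROUP), None)
    # AD Office (physicalDeliveryOfficeName) wins over the Group/OU mapping.
    location = user.get("physicalDeliveryOfficeName") or LOCATION_BY_OU.get(ou)
    # The AD Department attribute wins over the Group/OU mapping.
    department = user.get("department") or next(
        (DEPT_BY_GROUP[g] for g in groups if g in DEPT_BY_GROUP), None)
    return {"organization": organization, "location": location, "department": department}


def resolve_template(user):
    """Agent template only for members of the mapped group; everyone else gets the end-user template."""
    return AGENT_TEMPLATE if AGENT_TEMPLATE_GROUP in user.get("memberOf", []) else END_USER_TEMPLATE


def plan_import(users, licensed_agents, current_agents=0):
    """Build the import plan, stopping when Agent-template users would exceed the license."""
    plan = []
    agents = current_agents
    for u in users:
        template = resolve_template(u)
        if template == AGENT_TEMPLATE:
            agents += 1
            if agents > licensed_agents:
                raise LicenseExceeded(
                    f"import stopped at {u['sAMAccountName']}: {agents} Agents would exceed "
                    f"the {licensed_agents} licensed; notify the Issuetrak System Administrator")
        plan.append((u["sAMAccountName"], template, resolve_entities(u)))
    return plan


# Constructed sample users.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=Jane Doe,OU=Boston,DC=example,DC=com",
     "physicalDeliveryOfficeName": "BOS-HQ", "department": "Inside Sales",
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "tsmith",
     "distinguishedName": "CN=Tom Smith,OU=Boston,DC=example,DC=com",
     "memberOf": ["CN=Field Support,OU=Groups,DC=example,DC=com",
                  "CN=Helpdesk Agents,OU=Groups,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for row in plan_import(SAMPLE_USERS, licensed_agents=1):
        print(row)
```

Passing `current_agents` (the Agents already in Issuetrak) matters: the license limit applies to the total, not to the batch being imported, which is why the article recommends importing everyone with one end-user template and granting Agent designations through Issuetrak groups instead.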

Users outside of the AD structure may be created and maintained through Issuetrak. However, the “No AD Authentication” parameter (pre-11.13 releases) or Issuetrak authentication (11.13 and later) must be applied to these user records manually. Other user-related fields with no relation to AD may also be created and maintained within Issuetrak.


AD user authentication processes

Authentication processes happen in a matter of seconds. AD users will experience little if any delay when accessing Issuetrak.

An AD user will need to enter their network login/user ID and password on the Login screen to access Issuetrak. In the case of multiple domains, the user will also need to select their domain. If Single Sign-On is implemented, the user will not see the Login screen but will instead be taken directly to their Issuetrak Home Page when navigating to Issuetrak.

Single Sign-On in the Cloud is currently only possible with AD Federation Services or Azure AD.

The AD integration sends the user’s credentials to the AD server and asks the server to authenticate (validate) this user. The server responds stating whether or not authentication is successful. If authentication is unsuccessful, an error message will be displayed to the user. If authentication is successful and the option to update users on login is activated, the AD Integration queries the server again, requesting current data related specifically to the user. This information is then compared and applied to the Issuetrak user tables as needed.


AD user import processes

To minimize retrieval of excessive and/or redundant information, import processes are based on a specific AD server and AD Group or OU.

On-demand imports may be executed from the Issuetrak interface. Scheduled imports may be defined within the interface. For scheduled imports to execute at the proper intervals, a Windows Scheduled Task must also be created on the Web server hosting Issuetrak.

The AD integration queries the AD server requesting current data related to the specified Group/OU. For users within this Group/OU, other Group/OU memberships related to Issuetrak are also translated. This information is then compared and applied to the Issuetrak user tables as needed.
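The authentication flow (bind as the user, then, if update-on-login is enabled, query the user's current record) and the Group/OU-scoped import query described above, as an added Python example. This is not Issuetrak's code and it does not open a network connection: the `bind` and `search` callables are fakes standing in for the AD server, and the DNs and accounts are constructed. What it demonstrates is the two checks a practitioner wants around these queries: values placed into an LDAP filter are escaped per RFC 4515, and an empty password is refused before binding, because RFC 4513 defines a simple bind with an empty password as an unauthenticated bind that some servers accept.

```python
# Characters RFC 4515 requires escaping inside an LDAP filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value before interpolating it into an LDAP search filter, so a
    login such as '*)(objectClass=*' cannot widen the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(login):
    """Filter used after a successful login to fetch that user's current attributes."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


def import_scope(target, domain_base_dn):
    """Return (base_dn, scope, filter) for an import restricted to one Group or OU."""
    if target["kind"] == "ou":
        # Search the OU subtree itself; no membership clause needed.
        return (target["dn"], "subtree", "(objectClass=user)")
    if target["kind"] == "group":
        # Search the whole domain but keep only members of the group.
        member_filter = f"(&(objectClass=user)(memberOf={escape_filter_value(target['dn'])}))"
        return (domain_base_dn, "subtree", member_filter)
    raise ValueError("target kind must be 'ou' or 'group'")


def authenticate(domain, login, password, bind):
    """Validate credentials by binding as the user. `bind(identity, password) -> bool`
    stands in for the AD server (a fake in this example)."""
    if not login or not password:
        # RFC 4513 section 5.1.2: a simple bind with an empty password is an
        # unauthenticated bind that some servers accept, so never send one.
        return False
    return bind(f"{domain}\\{login}", password)


def login_flow(domain, login, password, bind, search, update_on_login=True):
    """The article's login sequence: authenticate, then (optionally) re-query the
    user's record through the connection user's `search` and return it."""
    if not authenticate(domain, login, password, bind):
        return None
    if not update_on_login:
        return {}
    return search(user_lookup_filter(login))


# Constructed fake directory for the example (not real accounts).
_FAKE_ACCOUNTS = {"CORP\\jdoe": "correct horse battery staple"}
_FAKE_DIRECTORY = {user_lookup_filter("jdoe"): {"mail": "jdoe@example.com"}}


def fake_bind(identity, password):
    return _FAKE_ACCOUNTS.get(identity) == password


def fake_search(ldap_filter):
    return _FAKE_DIRECTORY.get(ldap_filter, {})


if __name__ == "__main__":
    print(import_scope({"kind": "group", "dn": "CN=Sales (EMEA),OU=Groups,DC=example,DC=com"},
                       "DC=example,DC=com"))
    print(login_flow("CORP", "jdoe", "correct horse battery staple", fake_bind, fake_search))
    print(login_flow("CORP", "jdoe", "", fake_bind, fake_search))
```

The group-scoped case shows why escaping applies to DNs as well as logins: a group name containing parentheses would otherwise break, or widen, the `memberOf` filter.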

To learn more about how user imports can be performed, please see this article for more details.