About Active Directory (LDAP) Integration

The Active Directory (AD) LDAP integration is compatible with Secure Socket Layer (SSL) connections and multi-server / multi-domain directory environments. Issuetrak user records are automatically created and updated by the AD integration if enabled.

Below is a list of some of the items that can be maintained with the AD LDAP Integration:

  • Basic AD user attributes (first/last name, email address, etc.)
  • Extended AD attributes
  • Issuetrak organization
  • Issuetrak location
  • Issuetrak department
  • End-User permissions

The Single Sign-On option allows network users to have their credentials passed to Issuetrak with no additional login required.


How does the AD LDAP Integration Work?

The AD LDAP integration connects to your AD server(s) during user authentication and import processes, using specifications you define within your Issuetrak site. Within these specifications is a “connection user” that the AD Integration uses to log in and perform LDAP queries.

User information from AD is compared to the Issuetrak user tables. When new information is found for an existing user, the Issuetrak record is updated. If there is no Issuetrak record for a user, that user is created. When a user is deactivated in AD, during the next import (manual or scheduled), they will be deactivated within Issuetrak.

If a user is deleted from AD, the Issuetrak user will not be deleted. Additionally, if a user has been deactivated in both AD and Issuetrak, and then is reactivated in AD, it will need to be manually reactivated in Issuetrak.


What user information is pulled from AD?

Basic user attributes are pulled directly from AD and mapped to the appropriate fields. These include Login (User ID), First Name, Last Name, Email, Phone, Address, City, State, Zip, and Country. Up to three additional AD attributes may be mapped through corresponding user-defined fields defined within Issuetrak.

Spaces and apostrophes (among other characters) are not allowed in the Issuetrak Login value. If they are present in the Active Directory login, Issuetrak substitutes those characters when it builds the Issuetrak Login. This does not change the actual value in Active Directory.

Additional information can be pulled from specific fields or mapped to AD Groups or OUs.

Issuetrak Value         AD Value
Primary Organization    Mapping to AD Group / OU
Location ID             AD Office, then mapping to AD Group / OU
Department Name         AD Department, then mapping to AD Group / OU

End User permissions are granted to AD users through the mapping of specific AD Groups / OUs to an end-user template defined within Issuetrak. Agent permissions may be granted through membership in an Issuetrak group after the user account has been created.

Our best practice is to import all users with the same end-user template, and then grant additional permissions and Agent designations through membership in Issuetrak groups.

Users outside of the AD structure may be created and maintained through Issuetrak. However, the “No AD Authentication” parameter (pre-11.13 releases) or Issuetrak authentication type (11.13 and later) must be applied to these user records manually. Other user-related fields with no relation to AD may also be created and maintained within Issuetrak.
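The compare-and-apply behaviour described above (create missing users, update changed fields, deactivate users disabled in AD, never delete, never reactivate automatically), together with the Login substitution and the Group/OU mapping of organization, location, department and end-user template, as an added illustration that is not Issuetrak's own code. It runs offline over a constructed set of AD entries and a constructed Issuetrak user table. The mapping dictionaries, the attribute names read (sAMAccountName, physicalDeliveryOfficeName, department, memberOf), the substitution character for disallowed Login characters, and the choice not to create accounts that are already disabled in AD are all assumptions of this example; the disabled check uses the ACCOUNTDISABLE bit (0x2) of userAccountControl.

```python
import re

ACCOUNTDISABLE = 0x2  # bit 0x2 of the AD userAccountControl attribute

# Hypothetical mapping configuration (this example's assumption, not
# Issuetrak's own format): OU/Group -> organization, AD Office -> location,
# AD Department -> department, Group -> end-user template.
ORG_BY_CONTAINER = {"OU=Staff,DC=example,DC=com": "Example Corp"}
LOCATION_BY_OFFICE = {"Boston": "BOS", "Denver": "DEN"}
DEPARTMENT_BY_AD_DEPARTMENT = {"Sales": "Sales", "Support": "Customer Support"}
TEMPLATE_BY_GROUP = {
    "CN=Issuetrak Users,OU=Groups,DC=example,DC=com": "Standard End User"}

# Constructed AD search results: DN plus the attributes the import reads.
_GROUP = ["CN=Issuetrak Users,OU=Groups,DC=example,DC=com"]
AD_ENTRIES = [
    {"dn": "CN=Ann O'Neil,OU=Sales,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "ann o'neil", "givenName": "Ann", "sn": "O'Neil",
     "mail": "ann@example.com", "physicalDeliveryOfficeName": "Boston",
     "department": "Sales", "userAccountControl": 512, "memberOf": _GROUP},
    {"dn": "CN=Bob Lee,OU=Support,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "blee", "givenName": "Bob", "sn": "Lee",
     "mail": "bob.lee@example.com", "physicalDeliveryOfficeName": "Denver",
     "department": "Support", "userAccountControl": 512 | ACCOUNTDISABLE,
     "memberOf": _GROUP},
    {"dn": "CN=Dana Kim,OU=Sales,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "dkim", "givenName": "Dana", "sn": "Kim",
     "mail": "dana@example.com", "physicalDeliveryOfficeName": "Boston",
     "department": "Sales", "userAccountControl": 512, "memberOf": _GROUP},
]

# Constructed Issuetrak user table keyed by Login. "cdoe" no longer exists in
# AD; "dkim" was deactivated in Issuetrak and is enabled again in AD.
ISSUETRAK_USERS = {
    "blee": {"login": "blee", "first": "Bob", "last": "Lee", "email": "bob@example.com",
             "organization": "Example Corp", "location": "DEN",
             "department": "Customer Support", "active": True},
    "cdoe": {"login": "cdoe", "first": "Cy", "last": "Doe", "email": "cy@example.com",
             "organization": "Example Corp", "location": "BOS",
             "department": "Sales", "active": True},
    "dkim": {"login": "dkim", "first": "Dana", "last": "Kim", "email": "dana@example.com",
             "organization": "Example Corp", "location": "BOS",
             "department": "Sales", "active": False},
}

LOGIN_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_login(ad_login):
    """Substitute characters Issuetrak does not accept in a Login. The page names
    spaces and apostrophes; replacing anything outside letters, digits, '.', '_'
    and '-' with '_' (and lower-casing) is this example's assumption."""
    return LOGIN_DISALLOWED.sub("_", ad_login).lower()

def in_group_or_ou(entry, target):
    """True if the entry sits under OU `target` or is a member of group `target`."""
    if entry["dn"].lower().endswith("," + target.lower()):
        return True
    return target.lower() in (g.lower() for g in entry.get("memberOf", []))

def first_match(entry, mapping):
    for target, value in mapping.items():
        if in_group_or_ou(entry, target):
            return value
    return None

def ad_entry_to_issuetrak(entry):
    """Map one AD entry to the Issuetrak fields this example tracks."""
    return {
        "login": sanitize_login(entry["sAMAccountName"]),
        "first": entry.get("givenName", ""),
        "last": entry.get("sn", ""),
        "email": entry.get("mail", ""),
        "organization": first_match(entry, ORG_BY_CONTAINER),
        "location": LOCATION_BY_OFFICE.get(entry.get("physicalDeliveryOfficeName")),
        "department": DEPARTMENT_BY_AD_DEPARTMENT.get(entry.get("department")),
        "template": first_match(entry, TEMPLATE_BY_GROUP),
    }

def reconcile(ad_entries, issuetrak_users):
    """Compare AD entries with Issuetrak records and return the actions an import
    would take: ("create", login, record), ("update", login, changes) or
    ("deactivate", login). Records missing from AD are left untouched, and an
    inactive Issuetrak user is never reactivated automatically."""
    actions = []
    for entry in ad_entries:
        wanted = ad_entry_to_issuetrak(entry)
        login = wanted["login"]
        ad_disabled = bool(entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
        current = issuetrak_users.get(login)
        if current is None:
            if not ad_disabled:  # assumption: already-disabled accounts are not created
                actions.append(("create", login, wanted))
            continue
        # The end-user template is applied at creation; later imports compare
        # only the attribute fields.
        changes = {k: v for k, v in wanted.items()
                   if k != "template" and current.get(k) != v}
        if changes:
            actions.append(("update", login, changes))
        if ad_disabled and current.get("active", False):
            actions.append(("deactivate", login))
    return actions
```

Running `reconcile(AD_ENTRIES, ISSUETRAK_USERS)` yields a create for `ann_o_neil` (the space and apostrophe substituted, organization and template resolved from the OU and group), an email update followed by a deactivate for `blee`, nothing for `dkim` (enabled again in AD but still inactive in Issuetrak, matching the manual-reactivation rule), and nothing for `cdoe`, who is absent from AD.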


AD user authentication processes

Authentication processes happen in a matter of seconds. AD users will experience little if any delay when accessing Issuetrak.

An AD user will need to enter their network login / user ID and password on the Login screen to access Issuetrak. In the case of multiple domains, the user will also need to select their domain. If Single Sign-On is implemented, the user will not see the Login screen but will instead be taken directly to their Issuetrak Home Page when navigating to Issuetrak.

Single Sign-On in the Cloud is currently only possible with AD Federation Services, Azure AD, or OAuth 2.0 / OIDC.


The AD integration sends the user’s credentials to the AD server and asks the server to authenticate (validate) this user. The server responds stating whether or not authentication is successful. If authentication is unsuccessful, an error message will be displayed to the user. If authentication is successful and the option to update users on login is activated, the AD Integration queries the server again, requesting current data related specifically to the user. This information is then compared and applied to the Issuetrak user tables as needed.


AD user import processes

To minimize retrieval of excessive and / or redundant information, import processes are based on a specific AD Group or OU.

On-demand imports may be executed from the Issuetrak interface. Scheduled imports may be defined within the interface.

The AD LDAP integration queries the AD server requesting current data related to the specified Group/OU. For users within this Group/OU, other Group/OU memberships related to Issuetrak are also translated. This information is then compared and applied to the Issuetrak user tables as needed.
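How the two LDAP queries mentioned above might be expressed (the per-user lookup that runs after a successful login when the option to update users on login is active, and the Group/OU-scoped import search), as an added example that is not part of the Issuetrak documentation. The filter shapes, the use of a subtree search base for an OU scope and a memberOf filter for a Group scope, and the function names are assumptions of this example. What it demonstrates is RFC 4515 escaping of every value placed into a filter, so that a login or DN containing filter metacharacters cannot change what the connection user's query matches.

```python
# RFC 4515 escape sequences for characters that are special inside an LDAP
# search filter value. Backslash is listed first so an existing backslash is
# escaped before any escape sequences are introduced.
_FILTER_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                   (")", r"\29"), ("\0", r"\00"))

# Constructed scope values for the sample directory.
DOMAIN_BASE = "DC=example,DC=com"
IMPORT_GROUP_DN = "CN=Issuetrak Users,OU=Groups,DC=example,DC=com"
IMPORT_OU_DN = "OU=Staff,DC=example,DC=com"

PERSON_FILTER = "(objectCategory=person)(objectClass=user)"

def escape_filter_value(value):
    """Escape a string for safe inclusion as an assertion value in a filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value

def build_user_lookup_filter(login):
    """Filter for the on-login refresh: the single user object whose
    sAMAccountName equals the login the user typed (hypothetical attribute choice)."""
    return "(&%s(sAMAccountName=%s))" % (PERSON_FILTER, escape_filter_value(login))

def build_import_query(scope_type, scope_dn, domain_base=DOMAIN_BASE):
    """Return (search_base, filter) for an import limited to one Group or OU.
    OU scope: search the OU subtree for user objects. Group scope: search the
    domain for user objects whose memberOf contains the group DN."""
    if scope_type == "ou":
        return scope_dn, "(&%s)" % PERSON_FILTER
    if scope_type == "group":
        return domain_base, "(&%s(memberOf=%s))" % (
            PERSON_FILTER, escape_filter_value(scope_dn))
    raise ValueError("scope_type must be 'ou' or 'group'")

if __name__ == "__main__":
    print(build_user_lookup_filter("jdoe"))
    print(build_import_query("ou", IMPORT_OU_DN))
    print(build_import_query("group", IMPORT_GROUP_DN))
```

Two caveats worth knowing when scoping an import by group this way: AD does not list nested group membership in memberOf, so members of a group that is itself a member of the import group are missed unless the query uses the LDAP_MATCHING_RULE_IN_CHAIN form (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`), and a user's primary group is never reflected in memberOf at all.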

To learn more about how user imports can be performed, please see this article for more details.