Configuring Active Directory (LDAP)

Now that the preliminary steps are completed, you can begin the actual setup of the Active Directory LDAP connection. This can only be performed by an Issuetrak user with the “Can access and maintain Administration functions” permission or the “Sys Admin” parameter, and must be repeated for each AD server that will communicate with Issuetrak.

It is necessary to activate the Identity Management module before any of these settings can be adjusted. You can learn how to do that here.


 

Adding specifications of the AD server

If you have multiple domain controllers on the same domain and the webserver resides on that domain, normally only one entry is needed in the Server List. For the Server field, input the Domain name, and Issuetrak will use any Domain Controller that is available when connecting to AD.

Steps:

  1. Click the gear icon in the upper right > click Active Directory beneath Identity Management > click Add Server under the Active Directory section in the right quick menu.
  2. Enter the computer name or DNS name in the Server field.
  3. Enter the full distinguished name (DN) of the connection user in the User DN field.
  4. Enter the connection user's ID in the User ID field, in Domain\SAM Account Name format.
    • The SAM Account Name can be found on the Attribute Editor tab of the user's Active Directory Profile in AD.
  5. Enter the Password for the connection user in the field provided.
  6. Verify the Domain in which the server resides appears accurately in the field provided. This field pre-populates as the connection user is entered. If the domain that appears is incorrect, verify that the User DN is correct.
    • In some cases, the domain listed in AD for the "Pre-Windows 2000" login name will be needed and that may not match the domain derived from the User DN. In that situation, you should update the "Domain" field to match the "Pre-Windows 2000" domain.
  7. Enter the Search Order for this server if you will have multiple servers in the Server List.
  8. If SSL should be used when connecting to this server, select Use SSL and enter the SSL port number and Global Catalog SSL port number in the fields provided.
    • This is normally port 636 for SSL and port 3269 for Global Catalog SSL.
  9. Click Update to save these settings. The message “Server successfully added” will appear when the record has been saved.
  10. Click Test Connection.

A Connection Test window should appear and the message “Connection Test Successful” should be displayed at the bottom. If so, close the Connection Test window. You will be returned to the Active Directory Server Information screen where you can complete the mapping.

If the message “Connection failed” is displayed instead, the specification(s) causing the failure should be identified in red within the Connection Test window. Attempt to correct these specifications in the Active Directory Server Information screen, then click Update. Test the connection again.
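The User DN, User ID and Domain values from steps 3, 4 and 6 can be cross-checked before running the connection test. The following Python sketch is an added example, not Issuetrak code: it assumes the Domain field is derived from the DC= components of the User DN, and the function names and sample account values used with it are hypothetical.

```python
def split_dn(dn):
    """Split a distinguished name into (ATTR, value) pairs.
    A backslash escapes the next character, so "\\," stays inside a value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_from_dn(dn):
    """DNS domain implied by the DC= components (assumed derivation)."""
    labels = [value for attr, value in split_dn(dn) if attr == "DC"]
    if not labels:
        raise ValueError("User DN has no DC= components")
    return ".".join(labels).lower()


def check_connection_user(user_dn, user_id):
    """Return (dns_domain, findings) for the User DN / User ID pair."""
    dns_domain = domain_from_dn(user_dn)
    domain, sep, sam = user_id.partition("\\")
    if not sep or not domain or not sam:
        return dns_domain, ["User ID is not in Domain\\SAM Account Name format"]
    if domain.lower() not in (dns_domain, dns_domain.split(".")[0]):
        return dns_domain, [
            f"User ID domain {domain!r} does not match {dns_domain!r}; "
            "confirm the pre-Windows 2000 domain and set the Domain field to it"
        ]
    return dns_domain, []
```

For a constructed account such as CN=svc-issuetrak,OU=Service Accounts,DC=corp,DC=example,DC=com with the User ID CORP\svc-issuetrak, the check returns corp.example.com and no findings; a User ID of LEGACY\svc-issuetrak produces the pre-Windows 2000 finding described in step 6.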

If you are using Issuetrak in the cloud, you will need to ensure that your AD domain controller has an externally accessible address, and we strongly recommend using SSL.

If you are using Issuetrak in our cloud and you would like to restrict access to your AD domain controller by IP address, please refer to Firewall Exceptions for Use With Issuetrak's Hosted Service.


 

Enable Logging

In the event that you're not able to achieve a successful connection test with the AD settings you've specified, you can enable logging that will capture event detail relating to the test that is performed when clicking on the Test Connection button.

Steps:

  1. On your site's web server, navigate to your site's web folder, then navigate to its \Core\App_Data folder.
  2. Edit the NLog.config file.
  3. Do a CTRL-F and search for the string: writeTo="ActiveDirectoryLogFile
  4. Only one line will be found. It should look like this:
    <logger name="*" levels="Info" writeTo="ActiveDirectoryLogFile" enabled="false" />
    Perform the following actions on that line:
    1. Change levels="Info" to levels="Trace".
    2. Change enabled="false" to enabled="true".
  5. Save the file.
  6. Within Issuetrak's Active Directory settings, click the Test Connection button again. A log file should be generated within \Core\App_Data\Logs. This should provide information that can help with troubleshooting the connectivity problem.

When you no longer need this logging enabled, we recommend reverting the changes you made above.
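To confirm that the revert actually happened, the logger rule can be checked programmatically. This Python check is an added example, not part of Issuetrak: only the logger line is taken from the steps above, while the surrounding nlog/rules wrapper in the sample is a constructed, typical NLog layout and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

TARGET = "ActiveDirectoryLogFile"

# Constructed sample: only the <logger> line comes from the page; the
# surrounding <nlog>/<rules> wrapper is an assumed, typical NLog layout.
REVERTED = """<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd">
  <rules>
    <logger name="*" levels="Info" writeTo="ActiveDirectoryLogFile" enabled="false" />
  </rules>
</nlog>"""
TROUBLESHOOTING = REVERTED.replace('levels="Info"', 'levels="Trace"').replace(
    'enabled="false"', 'enabled="true"')


def audit_ad_logging(config_xml):
    """Return findings for logger rules that write to the AD log target."""
    findings, seen = [], False
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "logger":   # ignore XML namespace
            continue
        targets = [t.strip() for t in el.get("writeTo", "").split(",")]
        if TARGET not in targets:
            continue
        seen = True
        # NLog treats a rule without an enabled attribute as enabled.
        if el.get("enabled", "true").strip().lower() == "true":
            findings.append("AD logger rule is enabled")
        levels = [lv.strip().lower() for lv in el.get("levels", "").split(",")]
        if "trace" in levels:
            findings.append("AD logger rule is still set to Trace")
    if not seen:
        findings.append(f"no logger rule writes to {TARGET}")
    return findings
```

An empty result means the rule is back in its original state; pass the function the text of NLog.config from \Core\App_Data to check a real site.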

If you are unable to achieve a successful connection after following the steps above, please contact our Support Team for assistance.


 

Mapping User Permissions

In order to successfully import a user from Active Directory, an Issuetrak Template under Determining User Permissions and an Organization under Determining Organization are both required to be mapped to that user's Active Directory Group or OU. Location and Department mappings are optional.

Please note that user templates applied via the AD module do not grant organization memberships to users.

Best practices dictate that only one of the following types should be used when creating mappings: Active Directory Group or Active Directory OU.

Steps:

  1. Scroll to the Determining User Permissions section of the Active Directory Server Information screen.
  2. Enter an appropriate Group/OU in the field provided for Active Directory Group/OU. There is no need to include the full distinguished name (DN) in these.
    1. OU mappings should be entered in the format of: ou=OUName
    2. Group mappings are simpler to add, and can be entered into the field as: GroupName
  3. Click the magnifying glass next to the EndUser Template field to select the appropriate End User template.
  4. Click Add.

A confirmation message will appear when this process is complete.

(Optional) If role-based Groups / OUs and templates were established during preparation, repeat the above steps to map each role-based Group/OU on this server to its corresponding user template.


 

Mapping Organizations

The Identity Management module assigns organizations differently depending on whether it is creating new users or merely updating them.

  • New users created by manual AD LDAP import, scheduled import, or upon login will have their organization set only by the organization they are mapped to within Mapping Organizations. This becomes their primary organization, and no membership is granted based on the organization membership of user templates designated in Determining User Permissions.
     
  • Existing users updated by a manual import using AD LDAP, scheduled import, or upon login will have their organization set as follows:
    • If the existing user has only a primary organization membership and it doesn't match the organization they are mapped to, then their primary organization membership is changed to their mapped organization.
    • If the existing user has membership in more than just their primary organization, and their current primary organization differs from the organization they are mapped to, then their primary organization will change to match the organization they're mapped to and they will retain membership in their formerly primary organization.
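The assignment rules above, modelled as a small Python function so the three outcomes can be compared side by side. This is an added example, not Issuetrak code: the class and function names are hypothetical, and the case where the primary organization already matches the mapping is not covered by the rules above, so it is assumed to leave the user unchanged.

```python
from dataclasses import dataclass, field


@dataclass
class OrgState:
    primary: str
    memberships: set = field(default_factory=set)  # always includes primary


def assign_organization(mapped_org, existing=None, template_orgs=()):
    """Model of the rules above. template_orgs is accepted only to show
    that a user template's organization memberships are never applied."""
    if existing is None:
        # New user: the mapped organization becomes the only membership.
        return OrgState(mapped_org, {mapped_org})
    current = set(existing.memberships) | {existing.primary}
    if existing.primary == mapped_org:
        # Not covered by the page; assumed to leave the user unchanged.
        return OrgState(existing.primary, current)
    if current == {existing.primary}:
        # Only a primary membership: it is replaced by the mapped one.
        return OrgState(mapped_org, {mapped_org})
    # Several memberships: primary moves, the former primary is retained.
    return OrgState(mapped_org, current | {mapped_org})
```

With constructed organization names, an existing user whose primary is HQ and who also belongs to Support ends up with Sales as primary and memberships in HQ, Support and Sales, while a user who belonged only to HQ ends up in Sales alone.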

Steps:

  1. Scroll to the Determining Organization section of the Active Directory Server Information screen.
  2. Enter an appropriate Group / OU in the field provided for Active Directory Group/OU.
  3. Click the magnifying glass next to the Issuetrak Organization field to select the Organization to map to.
  4. Click Add.

A confirmation message will appear when this process is complete.

(Optional) If you have additional Organizations that you need to include, repeat the above steps to map each Group / OU on this server to its corresponding Organization.


 

Mapping Locations

In order for Location values to be mapped/matched to AD values, these entities must be created in Issuetrak first. This can only be performed by someone with the “Can access and maintain Administration functions” permission or the “Sys Admin” parameter. Please reference the Managing Locations article for instructions.

If the value of the Active Directory attribute 'Office' for a user matches a location name in your Issuetrak instance, this value will be used as the user's location regardless of any other matched location mappings.

Steps:

  1. Scroll to the Determining Location section of the Active Directory Server Information screen.
  2. Enter an appropriate Group/OU in the field provided for Active Directory Group/OU.
  3. Click the magnifying glass next to the Issuetrak Location field to select the location to map to.
  4. Click Add.

A confirmation message will appear when this process is complete.

(Optional) If you have additional Locations that you need to include, repeat the above steps to map each Group / OU on this server to its corresponding Location.


 

Mapping Departments

In order for Department values to be mapped/matched to AD values, these entities must be created in Issuetrak first. This can only be performed by someone with the “Can access and maintain Administration functions” permission or the “Sys Admin” parameter. Please reference the Managing Departments article for instructions.

If the value of the Active Directory attribute 'Department' for a user matches a department name in your Issuetrak instance, this value will be used as the user's department regardless of any other matched department mappings.

Steps:

  1. Scroll to the Determining Department section of the Active Directory Server Information screen.
  2. Enter an appropriate Group/OU in the field provided for Active Directory Group/OU.
  3. Click the magnifying glass next to the Issuetrak Department field to select the department to map to.
  4. Click Add.

A confirmation message will appear when this process is complete.

(Optional) If you have additional Departments that you need to include, repeat the above steps to map each Group / OU on this server to its corresponding Department.


 

Mapping Additional Attributes

You can map up to three additional AD attributes into your Issuetrak user records. To do this, you first need to activate text fields among the user record's User Defined Fields to store these values. During configuration, these fields are mapped to their corresponding additional AD attributes.

This task can only be performed by an Issuetrak user with the “Can access and maintain Administration functions” permission or the “Sys Admin” parameter.

Steps:

  1. Click the gear icon in the upper right > click Active Directory beneath the Identity Management section.
  2. On the right quick menu, click Map Add'l Attributes beneath the Active Directory section.
  3. Select Include Extended Attributes at the top of the field list.
    • Only the most popular attributes are listed by default. This step will ensure all available AD attributes appear in the drop-down lists.
  4. Each user defined text field you activated for user records will appear with your defined label and a drop-down next to it.
  5. Click the drop-down next to the user defined field value.
  6. Select the AD attribute this particular field should be mapped to from the list.
  7. Repeat steps 5 and 6 for each additional attribute to be mapped.
  8. Click Update to save these mappings.

A confirmation message will appear when this process is complete.


 

Performing a Search Test

Steps:

  1. Scroll to the Search Test section of the Active Directory Server Information screen.
  2. Enter an AD User ID from this server in the field provided. (A password is not required.)
  3. Click Search.

A User Search Test window should appear. The user's organization and any other Issuetrak-related memberships or corresponding templates will be displayed in the grid towards the bottom. If this information has been transferred correctly, close the User Search Test window.

If this information has not been transferred correctly, review the details of the User Search Test window to ensure the user has the appropriate memberships within AD. Then verify all the determining memberships are mapped correctly in the Active Directory Server Information screen. Then try to perform a Search Test on the user again. If you are still encountering difficulty with getting the correct information to display, please contact our Support Team for assistance at 757-213-1351, support@issuetrak.com, or https://support.issuetrak.com.