My client doesn't want his users to have to maintain 2 different passwords for AD and SD. Now I know that run-time AD integration is not possible with SD 4.5. But I also know that a scheduled LDAP import can help me solve this issue, if every 12 hours or so I replicate the accounts from AD to SD (Service Pages). I need some help as to how I can do that, and I have the following questions with regard to that:
1. Can I import the password via an LDAP import? If yes, what parameters should I use?
2. I downloaded the LDAP exporter (Rondovan) and am in the process of testing it. Can I use it to solve my requirements?
3. People who have done it before... any suggestions or best-practice recommendations?
Thanks in advance...
1. You cannot synchronize passwords from LDAP. If you want synchronized passwords, then you have to tap into the password-changing process of Windows itself. That is not a trivial thing, but it may be possible with an SSO solution like Novell's SecureLogin.
2. Nice tool, but it won't help much in this case.
3. AD integration is possible for Service Pages, but only for those users who use Service Pages only.
The way to do it is to use known (generated) passwords. Authenticate the user using NTLM on the web server, then log in with their generated password to SD.
Yes, you can only import person details from LDAP.
1. You have to modify the source code of Service Pages and add the authentication yourself. There are 3 methods for a Tomcat-based web application to authenticate against Active Directory:
- Tomcat behind IIS, so that IIS does the authentication and passes the information to Tomcat. This is cumbersome to set up.
- Using jCIFS, which is a module that can negotiate with Internet Explorer just like IIS. This is buggy and does not always work on w2k3.
- Doing the authentication "by hand" from the JSP code, which is a bit tricky to code correctly.
As you can see, none of these is a simple task. There are several guides out there for each of these; use Google.
2. The simplest way is to use a known algorithm to generate the password from the username. The other method is to generate the passwords and store them in a protected database table. Then set up a process (use Data Exchange or the web-api) to set the password of each SP account to this known password.
Then modify the Service Pages source code and add the following algorithm. After you've authenticated your client with NTLM, you can get the AD login name/domain of the user. Look up, or generate, the password, and log in to SD with this login name and password.
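One caveat on the "known algorithm to generate the password from the username" option above: if the algorithm is unkeyed, anyone who learns it can compute every user's SD password and log in directly, bypassing the NTLM check entirely. The derivation below, added here as an illustration and not code from Service Pages, the HP web-api or any poster in this thread, keys the derivation with a server-side secret (HMAC-SHA256) so that the password is reproducible by the web server but not guessable by a user. The class name, the secret length, the 20-character password length and the assumption that SD accepts letters, digits, '-' and '_' in passwords are all mine; the call into the web-api or SD login that would then use the derived password is not shown, because its API is not described on this page.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Locale;

/**
 * Keyed derivation of the per-user "known" Service Pages password from the
 * AD identity obtained after NTLM authentication. Hypothetical helper, not
 * part of Service Pages or the HP web-api.
 */
public final class KnownPasswordDerivation {

    // Assumption: 20 characters of the url-safe Base64 alphabet is acceptable to SD.
    private static final int PASSWORD_LENGTH = 20;

    private final byte[] serverSecret;

    /**
     * The secret must be random, at least 32 bytes, and read from a file that
     * lives outside the web application directory and is readable only by the
     * Tomcat service account. Never embed it in a JSP.
     */
    public KnownPasswordDerivation(byte[] serverSecret) {
        if (serverSecret == null || serverSecret.length < 32) {
            throw new IllegalArgumentException("server secret must be at least 32 bytes");
        }
        this.serverSecret = serverSecret.clone();
    }

    /**
     * AD user and domain names are case-insensitive, so normalise them before
     * keying; otherwise "CORP\\jsmith" and "corp\\JSmith" would get different passwords.
     */
    static String canonicalIdentity(String domain, String samAccountName) {
        return domain.trim().toUpperCase(Locale.ROOT)
                + "\\" + samAccountName.trim().toLowerCase(Locale.ROOT);
    }

    /** Returns the deterministic, secret-keyed SD password for this AD user. */
    public String derive(String domain, String samAccountName) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
            byte[] tag = mac.doFinal(
                    canonicalIdentity(domain, samAccountName).getBytes(StandardCharsets.UTF_8));
            // 32-byte tag -> 43 url-safe Base64 characters without padding; keep the first 20.
            String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
            return encoded.substring(0, PASSWORD_LENGTH);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 is not available in this JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample secret for demonstration only; use random bytes from a protected file in practice.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        KnownPasswordDerivation kpd = new KnownPasswordDerivation(secret);

        String a1 = kpd.derive("CORP", "jsmith");
        String a2 = kpd.derive("corp", "JSmith");   // same user, different case
        String b = kpd.derive("CORP", "mjones");

        System.out.println("jsmith -> " + a1);
        System.out.println("jsmith (other case) -> " + a2 + "  same=" + a1.equals(a2));
        System.out.println("mjones -> " + b + "  differs=" + !a1.equals(b));
    }
}
```

Because the derivation is deterministic, the scheduled job that sets each SP account's password (via Data Exchange or the web-api, as the reply describes) and the Service Pages login code can each compute the value independently without a shared table; rotating the secret simply means re-running that job for all accounts.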
Hi Saurabh. I am working on this problem too. I did it all in Java with JAAS, and authentication is working fine with AD, except for the SD login function. I don't like turning off "Display Log On Screen on Startup", and if I use com.hp.ifc.ui.AppConsole /USERNAME= /PASSWORD= with this setting "on", the password is cleared from the login frame. Did you solve this problem, or do you not have this trouble?
Hi, my application's workflow is in the attachment. But the problem is with "Display logon..." in the general settings, and I have no idea how to switch this setting off/on at login time; that is not good anyway, because it works only with a system role, and at the moment I have no idea how to get past this problem :(. Including another account with a system role in the code is also not a good solution for working.
Hi, I believe the garbage is removed. I used the 1.4 RTE, but another is possible too. Define a folder for testing, for example c:\temp. Create one more subfolder "src" and copy all files from the archive to this folder; copy the lib folder from the SD client to the temp folder; create a "dist" subfolder in temp and move the jar file to this folder, and copy web-api.jar to dist too. Now you must open the ad.conf file and edit it for your network settings, then save. Run from the temp folder: "java -classpath dist\ActiveDirectory.jar;dist\web-api.jar LoginADForm". In SD you need to create one account "synchronizer" with system roles. That's all; it can run. The function for "synchronizer" in the code: change the password to the AD password and check whether the SD account exists or not.
I was unable to run your code although I tried, maybe because I am running Service Desk 5.
Currently I am pursuing another way of doing this. It will involve running an agent on the client machines. But it needs a lot of time, especially with all the work I have. I will update you when I make progress on this.
IMHO this is a real weakness in the product, especially since other vendors have it. Maybe we should consider issuing an enhancement request.