Service Desk Practitioners Forum

LDAP Integration

Saurabh Dubey
Acclaimed Contributor.

LDAP Integration

Hi All,

SD 4.5 SP 10. Win 2k3.

My client doesn't want his users to have to maintain 2 different passwords for AD and SD. Now I know that run-time AD integration is not possible with SD 4.5. But I also know that a scheduled LDAP import can help me solve this issue, if every 12 hours or so I replicate the accounts from AD to SD (Service Pages). I need some help as to how I can do that. And I have the following questions with regards to that:

1. Can I import the password from an LDAP import? If yes, what parameters should I use?

2. I downloaded the LDAP exporter (Rondovan) and am in process of testing it. Can I use it to solve my requirements?

3. People who have done it before... any suggestions or Best practice recommendations??

Thanks in advance...

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
22 REPLIES
Gyula Matics_1
Acclaimed Contributor.

Re: LDAP Integration

1. You cannot synchronize passwords from LDAP. If you want synchronized passwords, then you have to tap into the password changing process of Windows itself. That is not a trivial thing but may be possible with an SSO solution like Novell's SecureLogin.

2. Nice tool, but won't help much in this case.

3. AD integration is possible for Service Pages, but only for those using service pages only.

The way to do it, is to use known (generated) passwords. Authenticate the user using NTLM on the web server, then login with their generated password into SD.

Gyula
Saurabh Dubey
Acclaimed Contributor.

Re: LDAP Integration

Hi Gyula,

Thanks for the response.

My requirement is for people who have SP access only.

If I can't do synchronization of passwords using LDAP, then is the use of LDAP only for importing Person details?

Also, your suggestion regarding the NTLM authentication... Can you explain it to me in a little more detail?

1. How can I enable NTLM authentication in Service Pages?

2. How can I use an autogenerated password concept to get past the SD authentication?

Thanks in advance...

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
Gyula Matics_1
Acclaimed Contributor.

Re: LDAP Integration

Yes, you can only import person details from LDAP.

1. You have to modify the source code of Service Pages and add the authentication yourself. There are 3 methods for a Tomcat based web application to authenticate against Active Directory.
- Tomcat behind IIS, so that IIS does the authentication and passes the information to Tomcat. This is cumbersome to set up.
- using jcifs, which is a module that can negotiate with Internet Explorer just like IIS. This is buggy and does not always work in W2k3.
- doing the authentication "by hand" from the JSP code. Which is a bit tricky to code correctly.

As you can see none of these is a simple task. There are several guides out there for each of these, use google.

2. The simplest way is to use a known algorithm to generate the password from the username. The other method is to generate the passwords, and store them in a protected database table.
Then, set up a process (use Data Exchange or the web-api) to set the password of each SP account to this known password.

Then, modify the Service Pages source code, and add the following algorithm. After you've authenticated your client with NTLM, you can get the AD login name/domain of the user. Look up, or generate, the password, and log in to SD with this login name and password.

Gyula
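The "known password" step above, as an added example (it is not code from this thread, from HP Service Desk, or from Service Pages): once the web server has authenticated the browser with NTLM and handed the JSP a domain and login name, the code derives the SD password for that account. It departs from a plain "known algorithm" in one respect: the derivation is keyed with a server-side secret (HMAC-SHA256), so knowing how the scheme works does not let anyone compute another user's SD password; only the host holding the secret can. The secret source, the 32-character length limit, and the identity normalisation are assumptions. Pushing the derived passwords into the SP accounts (via Data Exchange or the web-api, as described above) is a separate sync job and is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Derives the "known" Service Desk password for an AD identity from a server-side secret. */
public class SdPasswordDeriver {

    private static final String MAC_ALG = "HmacSHA256";
    // Assumption: 32 characters fits the SD password field; adjust to the real limit.
    private static final int PASSWORD_LENGTH = 32;

    private final SecretKeySpec key;

    public SdPasswordDeriver(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("secret must be at least 32 bytes");
        }
        this.key = new SecretKeySpec(secret, MAC_ALG);
    }

    /** Normalise what NTLM reports so that "corp\JDoe" and "CORP\jdoe" map to one password. */
    static String canonicalIdentity(String domain, String user) {
        return domain.trim().toUpperCase(Locale.ROOT) + "\\" + user.trim().toLowerCase(Locale.ROOT);
    }

    /** Keyed derivation: the scheme may be public, the secret must not be. */
    public String derive(String domain, String user) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(key);
        byte[] tag = mac.doFinal(canonicalIdentity(domain, user).getBytes(StandardCharsets.UTF_8));
        // URL-safe base64 without padding keeps the password free of characters that
        // tend to break form posts; truncating a 256-bit tag still leaves ~190 bits.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag).substring(0, PASSWORD_LENGTH);
    }

    /**
     * Unkeyed variant of the "known algorithm" idea, shown only for contrast: anyone who
     * learns the scheme can compute every user's SD password, so do not deploy this form.
     */
    static String unkeyedDerive(String domain, String user) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(canonicalIdentity(domain, user).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest).substring(0, PASSWORD_LENGTH);
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret for the demo. A deployment loads it from a file readable only by
        // the Tomcat service account (assumption) and re-runs the account sync after rotating it.
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SdPasswordDeriver deriver = new SdPasswordDeriver(secret);

        // Constructed AD identities in the two spellings NTLM might report for one user.
        String p1 = deriver.derive("corp", "JDoe");
        String p2 = deriver.derive("CORP", "jdoe");
        System.out.println("same password for both spellings: " + p1.equals(p2));
        System.out.println("derived length: " + p1.length());
        System.out.println("differs from unkeyed scheme: " + !p1.equals(unkeyedDerive("corp", "JDoe")));
    }
}
```

In the JSP, `derive(domain, user)` runs only after the NTLM step has succeeded, and the result is passed straight to the SD login call rather than stored; the sync job that sets each SP account's password uses the same class and the same secret, which is what makes the two sides agree.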
Elias Abboud
Acclaimed Contributor.

Re: LDAP Integration

Hello Saurabh

It seems I am not the only one that suffered from this.

I have faced this exact same problem and the only solution was guess what.....

purchase a single-sign-on solution :)

SD 5 is now integrated with Active Directory but on the full Java client only (where it is practically useless) and not on the Service Pages nor on the web console.

In my case, even HP OpenView Select Access did not fit this scenario. IMHO, HP people should start thinking about integrating these two babies together.

Citrix Password manager did the job quite well. In addition to this, setting it up was as simple as 1-2-3.

Hope This helps.
If you can't solve it, post it :)
Elias Abboud
Acclaimed Contributor.

Re: LDAP Integration

Hi Saurabh,

Did you develop the suggested solution? Could you post additional details on it? It would be very helpful to be able to do it without additional third party software.

Thanks in advance
If you can't solve it, post it :)
Saurabh Dubey
Acclaimed Contributor.

Re: LDAP Integration

Hi,

I am still working on it. I think I may look at the JCIFS approach, since it may allow me to refer to more than one domain. Otherwise, I wouldn't mind going for a third party integration.

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

HI Saurabh.
I am working on this problem too. I did it all in Java JAAS and authentication works fine with AD, except for the SD Login function. I don't like turning off "Display Log On Screen on Startup", and if I use com.hp.ifc.ui.AppConsole /USERNAME=/PASSWORD= with this function "on", the password is cleared from the login frame. Did you solve this problem, or do you not have this trouble?

Vassili
Saurabh Dubey
Acclaimed Contributor.

Re: LDAP Integration

Hi Vasili,

I am still trying to get the solution. If you have done it, can you give me step-by-step guidelines?

Thanks in Advance...

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Hi
My application's workflow is in the attachment.
But the problem is in "Display logon.." in the general settings, and I have no idea how to switch this setting off/on at login time; that is not good, because it works only with the system role, and at this moment I have no idea how to get past this problem :(.
Including another account with the system role in the code is also not a good working solution.

Vassili
Elias Abboud
Acclaimed Contributor.

Re: LDAP Integration

Hi Vassili,

Nice work. Could you also post the source code please?

Thanks in advance
If you can't solve it, post it :)
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Yes, if we exchange ideas as we go to the next stages and you report bugs to me :-). But the code exists without an installer. Do you accept my rule?

Vassili
Saurabh Dubey
Acclaimed Contributor.

Re: LDAP Integration

Hi Vasili,

I totally agree with your rule. Great workflow by the way. Please forgive me for giving 6 points each instead of 10 each. I don't want this thread to appear with a magical solution icon.

If you can share the sourcecode with us, and we can reach a solution, a lot of worries for a lot of people will get resolved (along with ours).

If you have also created a small Readme, that defines what is what in your source code - something like a detailed comments to your code, it can give us a quickstart.

Also, can you define in a little more detail where you are getting stuck in your workflow. I couldn't quite understand it properly.

Thanks for the help...

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Ok, but before that I'd like to remove my garbage from the code :), then upload.

Vassili
Elias Abboud
Acclaimed Contributor.

Re: LDAP Integration

Well yes of course,

I would love to participate in this effort.

Thanks in advance
If you can't solve it, post it :)
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Hi,
I believe the garbage is removed. I used the 1.4 RTE, but another is possibly fine too. Define a folder for the test, for example c:\temp; create one more subfolder "src" and copy all files from the archive to this folder; copy the lib folder from the SD client to the temp folder; create a "dist" subfolder in temp and move the jar file to this folder, and copy web-api.jar to the dist folder too. Now you must open the ad.conf file, edit it for your network settings, and save.
Run the following from the temp folder: "java -classpath dist\ActiveDirectory.jar;dist\web-api.jar LoginADForm". In SD you need to create one account "synchronizer" with system roles. That's all; it can run. The function for "synchronizer" in the code: change the password to the AD password and check whether the SD account exists or not.

Vassili
Elias Abboud
Acclaimed Contributor.

Re: LDAP Integration

Hi Vasili,

I was unable to run your code although I tried. Maybe because I am running Service Desk 5.

Currently I am pursuing another way of doing this. It will include running an agent on the client machines. But it needs a lot of time to do it, especially with all the work I have. But I will update you when I progress in this.

IMHO this is a real weakness in the product, especially since other vendors have it. Maybe we should consider issuing an enhancement request.

Thanks for your help
If you can't solve it, post it :)
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

I have no plan to use this tool on SD 5, only on 4.5.

Vassili
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Hi
So now I have finished building my application and it is attached; everything is in the attachment. Extract it and read readme.htm first.

Enjoy,
Vassili
Andrej_19
Honored Contributor.

Re: LDAP Integration

Hello,

Has anyone tried Vassili's solution?

I'm very interested in whether this integration works with SD Service Pages.

My question would therefore be:

when a Service Pages user opens Service Pages, can he log in with an AD account?

Any further information will be fully appreciated.

Best regards, Andrej
Vasily Kamenev
Acclaimed Contributor.

Re: LDAP Integration

Hi
It does not build for SSP, for SPP use IIS Auth from AD.

Vassili
Andrej_19
Honored Contributor.

Re: LDAP Integration

Vassili,

thank you for your reply.

Could you explain this solution to me a little bit more? Or anyone?

To my understanding, there are possibilities of integrating AD and Service Pages?

Now for the questions:

1.) I was looking at the jcifs solution, but are there any specific instructions on how to do that in SD Service Pages?

2.) When you said "use IIS Auth from AD", did you mean to connect Tomcat and IIS as described in the attached document? Does that solution work?

Thank you and best regards,
Andrej