LDAP Server authentication
You can configure Service Desk and Asset Manager to authenticate directory services users against an LDAP server (using a domain password) instead of using a Service Desk or Asset Manager user's password. This is different from using integrated logon and cannot be used with integrated logon, but still enables user accounts to be maintained separately from Service Desk or Asset Manager and for users to use a single password. The user name provided is used to look up the external user name from the user's Network Login value. The Network Login value and the password supplied are then used to authenticate against the directory services object specified in the configuration.
SA always logs in using the standard explicit logon, bypassing the LDAP authentication.
LDAP authentication is not supported in Workspaces.
Before you can use LDAP Server authentication, you need to use the Administration component of the Ivanti Console to add network logins to users, and populate them with the LDAP distinguished names:
- If authenticating with eDirectory:
CN=name,O=organisation
- If authenticating with Active Directory:
CN=user.name,CN=users,DC=domain,DC=com
You can set up LDAP Server authentication for either Active Directory or eDirectory, and can choose to use either the clear text port (default 389) or the SSL/TLS port (default 636).
To set up LDAP Server authentication for Active Directory:
- On your Ivanti Web server, in both of the folders C:\ProgramData\LANDesk\ServiceDesk\servicedesk.Framework and C:\ProgramData\LANDesk\ServiceDesk\servicedesk.WebAccess (where servicedesk is the instance name), update the <ServerObject> value in DirectoryServiceAuthentifictionConfiguration.xml to point to the LDAP server, including the appropriate port number.
For example:
<ServerObject>LDAP://servername:389/cn=users,dc=company,dc=com</ServerObject>
Include the port number after the server name. The defaults are 389 for the clear text port or 636 for the SSL port.
- In both copies of DirectoryServiceAuthentifictionConfiguration.xml, update the <AuthenticationType>. If you are using the clear text port, set this value to None; if you are using the SSL port, set it to Secure. For example, if you are using the SSL port, enter:
<AuthenticationType>Secure</AuthenticationType>
- To both ..ProgramData\LANDesk\ServiceDesk\servicedesk.Framework\tps.config, and ..ProgramData\LANDesk\ServiceDesk\servicedesk.WebAccess\tps.config, add the line:
<add key="AuthenticationProvider" value="Touchpaper.Integrations.LDAPLogon.DirectoryServiceAuthenticationProvider" />
- In the Ivanti Configuration Centre, open the required instance.
- Alongside the Service Desk Framework application, click Edit.
The Edit Application dialog for the Service Desk Framework appears.
- In the Configuration parameters group, select Explicit only in the Logon policy list, then click OK.
- Alongside the Web Access application, click Edit.
The Edit Application dialog for Web Access appears.
- In the Configuration parameters group, select Explicit only in the Logon policy list, then click OK.
When logging on, you use the associated domain user's network password.
To set up LDAP Server authentication for eDirectory:
- On your Ivanti Web server, in both of the folders C:\ProgramData\LANDesk\ServiceDesk\servicedesk.Framework and C:\ProgramData\LANDesk\ServiceDesk\servicedesk.WebAccess (where servicedesk is the instance name), open either OpenLDAPAuthentifictionConfiguration.xml or OpenLDAPSSLAuthentifictionConfiguration.xml in a text editor.
- Update the <Server> value to the IP address of the LDAP server.
- Update the <Port> value to the relevant port (the defaults are 389 for the clear text port or 636 for the SSL/TLS port).
- Set the <TestDN> value to an eDirectory object that all users can read (for example, o=testdomain). This object is used to verify that it can be read using the supplied credentials.
- To both ..ProgramData\LANDesk\ServiceDesk\ServiceDesk.Framework\tps.config, and ..ProgramData\LANDesk\ServiceDesk\WebAccess\tps.config, add the line:
<add key="AuthenticationProvider" value="Touchpaper.Integrations.OpenLDAPLogon.OpenLDAPAuthenticationProvider" />
or the line:
<add key="AuthenticationProvider" value="Touchpaper.Integrations.OpenLDAPSSLLogon.OpenLDAPSSLAuthenticationProvider" />
- In the Ivanti Configuration Centre, open the required instance.
- Alongside the Service Desk Framework application, click Edit.
The Edit Application dialog for the Service Desk Framework appears.
- In the Configuration parameters group, select Explicit only in the Logon policy list, then click OK.
- Alongside the Web Access application, click Edit.
The Edit Application dialog for Web Access appears.
- In the Configuration parameters group, select Explicit only in the Logon policy list, then click OK.
When logging on, you use the associated domain user's network password.
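As an added example (not part of the product or this page), a small Python check that reads the values set in the Active Directory and eDirectory procedures above and flags a port that does not match the AuthenticationType or the chosen OpenLDAP file, a clear text port, an empty <TestDN>, or <ShowExceptions> left enabled. The <Configuration> root element, server names, addresses and DNs are assumptions, since the page shows only the child elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the page shows only the child elements, so the <Configuration>
# root element is an assumption; server names, addresses and DNs are placeholders.
AD_XML = """<Configuration>
  <ServerObject>LDAP://servername:389/cn=users,dc=company,dc=com</ServerObject>
  <AuthenticationType>Secure</AuthenticationType>
  <ShowExceptions>true</ShowExceptions>
</Configuration>"""
EDIR_SSL_XML = """<Configuration>
  <Server>192.0.2.10</Server>
  <Port>636</Port>
  <TestDN>o=testdomain</TestDN>
  <ShowExceptions>false</ShowExceptions>
</Configuration>"""

def ldap_port(server_object):
    """Port from an LDAP://server:port/dn ServerObject value, or None if no port is given."""
    m = re.match(r"LDAP://[^:/]+(?::(\d+))?/", server_object, re.IGNORECASE)
    if not m:
        raise ValueError("ServerObject must look like LDAP://server:port/dn")
    return int(m.group(1)) if m.group(1) else None

def check_config(filename, xml_text):
    """Return a list of findings for one authentication configuration file ([] = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("ServerObject") is not None:  # DirectoryServiceAuthentifictionConfiguration.xml
        port = ldap_port(root.findtext("ServerObject"))
        auth = (root.findtext("AuthenticationType") or "").strip()
        if port is None:
            findings.append("ServerObject has no port number after the server name")
        expected = {389: "None", 636: "Secure"}.get(port)
        if expected and auth != expected:
            findings.append(f"port {port} expects AuthenticationType {expected}, found {auth!r}")
    else:  # OpenLDAPAuthentifictionConfiguration.xml or OpenLDAPSSLAuthentifictionConfiguration.xml
        port = int(root.findtext("Port") or 0)
        ssl_file = filename.startswith("OpenLDAPSSL")
        if port in (389, 636) and ssl_file != (port == 636):
            findings.append(f"{filename} is the {'SSL' if ssl_file else 'clear text'} file but Port is {port}")
        if not (root.findtext("TestDN") or "").strip():
            findings.append("TestDN is empty, so the credential check has nothing to read")
    if port == 389:
        findings.append("clear text port 389: the bind password crosses the network unencrypted")
    if (root.findtext("ShowExceptions") or "false").strip().lower() == "true":
        findings.append("ShowExceptions is true; set it back to false after troubleshooting")
    return findings
```

Run it against both copies of each file (the Framework and WebAccess folders), since the procedures require the two copies to agree.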
Exception logging for LDAP Server authentication
If you are having problems configuring LDAP Server authentication, you can enable exception logging to help you to identify the problem. By default, this is disabled, and we recommend that you disable the exception logging again when you have finished your investigations.
To enable exception logging for LDAP Server authentication:
- Open the appropriate authentication configuration XML file in a text editor.
That is DirectoryServiceAuthentifictionConfiguration.xml, OpenLDAPAuthentifictionConfiguration.xml, or OpenLDAPSSLAuthentifictionConfiguration.xml.
- Change the line:
<ShowExceptions>false</ShowExceptions>
to
<ShowExceptions>true</ShowExceptions>
and save the changes.