CA Service Management

  • 1.  CA Service Desk LDAP Integration

    Posted Oct 23, 2017 12:20 PM

    Hello Guys;

     

    I have some concerns regarding SDM LDAP integration that I would like to share with you.

     

    1. After CA SDM LDAP integration (Active Directory), can we import the OUs directly from LDAP into CA SDM?

    2. We have a case where the customer is asking for this capability: if one of the users has been moved from one OU to another, will Service Desk reflect that move automatically after running ldap_sync?

     

    Appreciate your valuable feedback

     

    Best Regards;

     

    Mohamed El-Fahd  



  • 2.  Re: CA Service Desk LDAP Integration

    Posted Oct 23, 2017 01:04 PM

    Hi Mohamed:

    For #1 - no, we don't have a way to import OUs from AD into SDM. We don't have an "OU" object, actually. You can map AD Groups to SDM Access Types - but you cannot import AD Groups as access types. Instead, you would need to create the Access Type names to be exactly the same as the AD Group names, and then turn on the option in Options Manager called LDAP_GROUP_ENABLE.

    For #2 - As per above, you can map AD Groups to SDM Access Types, and then if the user is changed from one group to another in AD, it can update that user's access type in SDM when running an LDAP Sync.

     

    So the bottom line on this one is that we don't do anything with OUs in SDM - the only capability we have is to map AD groups to SDM Access Types, and they have to be pre-created in order for it to work.

     

    Jon I.



  • 3.  Re: CA Service Desk LDAP Integration

    Posted Oct 23, 2017 06:15 PM

    Thanks Jon, I always appreciate your prompt feedback. Let me give it a try tomorrow and I will update you with the outputs.



  • 4.  Re: CA Service Desk LDAP Integration

    Posted Oct 23, 2017 06:21 PM

    Jon, one last thing regarding point two: if I have an OU containing, for example, a contact called Mohamed who is in IT (OU called IT) and he is moved to HR (OU) on the Active Directory side, will it be reflected the same way in Service Desk? After running the ldap_sync, will I find that the user who is assigned to access type HR is automatically transferred to access type HR?!!



  • 5.  Re: CA Service Desk LDAP Integration
    Best Answer

    Posted Oct 24, 2017 09:20 AM

    Hi Mohamed,

    No, that is incorrect - as I mentioned, we do NOT map by OU, only by GROUP. You can ONLY map an Active Directory GROUP to a Service Desk Access Type.

     

    Example:

    User: Mohamed

    Active Directory Group: IT

     

    IF you have the ldap_group_enable option turned on in Service Desk, and you have an Access Type in Service Desk called "IT" - then it will give that user the access type of "IT" when using ldap import or ldap sync.

     

    If the account changes on the AD side as follows:

    User: Mohamed

    Active Directory Group: HR

     

    If you have an access type in Service Desk called "HR", then when ldap import or ldap sync is run, it would change Mohamed's access type to HR.

     

    Again, ONLY based on Active Directory GROUPS, and NOT OUs.

     

    We do not have any functionality to interact with OUs.

     

    Hope this helps clarify.

    Jon



  • 6.  Re: CA Service Desk LDAP Integration

    Posted Oct 23, 2017 01:13 PM

    Hi Mohamed,

    In fact LDAP_SYNC has never been handy due to too many limitations; that is why, for such requirements, I would look at another mechanism to sync contacts with your AD.

    We have our own home-made solution that is a combination of AD export tools looking for OUs or other elements in the DN path and applying rules accordingly to import/update the contacts using Web Services.

    If you have PAM installed with your SDM, you can easily do something similar there too, as PAM has both an SDM and an AD connector.

    My 2 cents,

    /J



  • 7.  Re: CA Service Desk LDAP Integration

    Posted Oct 23, 2017 02:33 PM

    When you use the tool pdm_ldap_sync / pdm_ldap_import, there is a field that is synchronized to record its "ldap_dn". This value is found in the usp_contact table. So if you search for a user in the ca_contact table and join on the contact_uuid of the usp_contact table, you will be able to find its location in Active Directory.

     

    I hope this will help you.
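    Added example (not code from CA or from either poster above) tying posts 6 and 7 together: it parses the ldap_dn that pdm_ldap_sync stores in usp_contact into its OU chain and applies a simple OU-to-access-type rule table. The sample rows, the ca_contact column names in the comment and the rule table are assumptions for illustration.

    ```python
    """Derive an OU path, and an access type rule, from a contact's stored ldap_dn.

    The rows below stand in for the result of the join post 7 describes; the
    query is an assumption about column names, not a CA-supplied query:
        SELECT c.userid, u.ldap_dn
          FROM ca_contact c
          JOIN usp_contact u ON c.contact_uuid = u.contact_uuid
         WHERE u.ldap_dn IS NOT NULL
    """
    import re
    from typing import Dict, List, Optional, Tuple

    # Constructed sample rows (userid, ldap_dn); not real directory data.
    SAMPLE_ROWS = [
        ("mfahd", "CN=Mohamed El-Fahd,OU=IT,OU=Cairo,DC=example,DC=com"),
        ("jdoe", "CN=Doe\\, Jane,OU=HR,DC=example,DC=com"),   # escaped comma in CN
        ("svc_backup", "CN=svc_backup,CN=Users,DC=example,DC=com"),  # no OU at all
    ]

    # Hypothetical rule table: OU name -> SDM access type name.
    OU_RULES = {"IT": "IT", "HR": "HR"}


    def split_dn(dn: str) -> List[Tuple[str, str]]:
        """Split an RFC 4514 DN into (attribute, value) pairs, leaf first.
        Commas escaped with a backslash stay inside the value; escapes are removed."""
        rdns = []
        for part in re.split(r"(?<!\\),", dn):
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
        return rdns


    def ou_path(dn: str) -> List[str]:
        """Return the OU chain from the contact outward, e.g. ['IT', 'Cairo']."""
        return [value for attr, value in split_dn(dn) if attr == "OU"]


    def access_type_for(dn: str, rules: Dict[str, str] = OU_RULES) -> Optional[str]:
        """Nearest OU with a rule wins; None means no OU rule applies (leave SDM as is)."""
        for ou in ou_path(dn):
            if ou in rules:
                return rules[ou]
        return None


    def classify_rows(rows=SAMPLE_ROWS, rules=OU_RULES) -> Dict[str, Optional[str]]:
        """Map every joined row to the access type its OU path selects."""
        return {userid: access_type_for(dn, rules) for userid, dn in rows}
    ```

    Contacts whose DN carries no matching OU come back as None, so the caller can skip them rather than silently assigning a default access type.
    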