Active directory integration

[c-wex]

Hello All.
I'm quite new to kayako and want to do active directory integration via loginshare.
Running v3.00.13 I am not succeeding.

there are numerous threads on the subject but none tells the whole story.

One basic problem for me in setting this up is that no one tells how to tell if AD integration actually works.

So for the configuring steps i have found is the following

1. ldap must be compiled in to the PHP or setup as extension in PHP.INI
2. under admin cp -> templates -> manage groups ... Click settings and set loginshare = Microsoft Active Directory
3. under admin cp -> templates -> login share ... locate "Microsoft Active directory" and click settings.
3a. Configure the active directory as follows:

Active Directory Host = ip adress of your AD server
Port (Default: 389) = 389
Base DN = cn=users,dc=domain,dc=com
RDN = cn=administrator,cn=users,dc=domain,dc=com (Here there are diffrent versions of what should be entered. Som say that it could be domain.com\administrator ???)
Password = password

And thats what i have been able to find of more or less concrete material.

so now i need to check if this works ... i try to login as a user fra AD ... does not work !

I look under staff CP manage users no users fro AD here .. should i import them or something ????

In one thread i read that i had to create all the users myself ???

Anyone who can provide me with the rest of the solution ???

Your configuration steps look good. We had to use our pre-Windows 2000 domain in the RDN field (i.e. DOMAIN\Administrator) for ours to work. Also, our Base DN was just 'dc=subdomain,dc=domain,dc=com', no cn's were entered here.

The Active Directory integration only lets AD users log in to the client-side of the support system (not the staff or admin side). I also found out the hard way that SupportSuite does not import AD users. As they login using their AD user name and password, it creates accounts in the support system.

I'm trying to create a simple VB script to do an import of all AD users within a given AD container but I haven't had the time to do it yet. :-/

But first, check that port 389 is not being blocked by any firewalls and try removing the cn=users from your Base DN.

[c-wex]

It Works !!!
So here is the formula for setting up active directory integration

1. ldap must be compiled in to the PHP or setup as extension in PHP.INI
2. under admin cp -> templates -> manage groups ... Click settings and set loginshare = Microsoft Active Directory
3. under admin cp -> templates -> login share ... locate "Microsoft Active directory" and click settings.
3a. Configure the active directory as follows:

Active Directory Host = [ip adress of your AD server]
Port (Default: 389) = [389]
Base DN = [dc=domain,dc=com]
RDN = [prewin2k username for user with access to AD eg domain\administrator]
Password = [password for user in the RDN field]

Test by logging in to the support part of kayako.
There is no support for AD integration with the Staff CP or the Admin CP.
When the integration works users beeing logged in will be "imported" to :
Staff CP -> Manage Users.

[c-wex]

As an add on and a new question

In my case i see that every user is imported twice for some reasen
My users have 3 smtp email adresses like this :

1. username@onedomain.dk (Primary)
2. username@someotherdomain.dk
3. username@internaldomain.local

It imports Emails 1 and 2 ?

Anyone know how to get around this ?
With a bit of luck system wil be user for a 450 user domain, and i think maybe i wil have a problem with the dublets

Awesome!

Welcome to the AD integration club... :-D

[c-wex]

Thank you ... and thank you for the hint !!!

I doubt this post will help you but this is one issue that we've noticed at Beck's.

In our case, the system grabs the first SMTP address for the AD user as dictated by the default recipient policy in MS Exchange. However, when they login again (or submit a ticket via email), additional accounts appear to be created using the other email addresses.

When you look closer, the User IDs are the same so technically, only 1 account was created but multiple email addresses are assigned to it.

Do you only want 1 email address to be assigned per user?

[c-wex]

Hmm you are right !
Same id but 2 email adresses. Both coming from default recipient policy.

However it seems to generate both emails on first login.

yes i only want 1 email adress

Looks like the only two ways to make that happen right now are:

1.) Change your default recipient policy. (Note: Looks like SupportSuite only checks this when the account is created. So changes to it right now would not affect the users already created.)

2.) Manually delete the email address that you do not want. (You could create a MySQL script to run against the db that would delete the *@someotherdomain.dk addresses. I'm not sure how this would affect the rest of the db though.)

[c-wex]

Ok... i will see if it becomes a problem
i can also mass delete emails from the manage users i see
So it will probably be ok.

You said you were working on some vbscript to import all ad users ?
Is it a script that runs beside the kayako and makes a pull of all ad users and enters them in to mysql or ???

Yes, it's a VBscript that grabs all the users in a given AD container and inserts them into the supportsuite database. I haven't had much time to think it out fully or even work on it yet but it's on my to-do list.

[c-wex]

Ok ... i might get there too.
Have you investigated the user relations in the database yet ? is it "just" to input the users in one table, or are there more tables affected ?

[Hybrid]

Excellent, maybe this thread should be pinned or made a sticky?

I shall have to give this a try today.

Thnaks for the help!

[jnygaard]

Importing the user from the AD into the supportsuite is one thing. But what happens when a user is deleted (or marked disabled) is the AD. Will he still be able to login then??

[Hybrid]

I dont think so... if the user is disabled/deleted then kayako cant sync with AD to get the U/P.