Last Updated: Apr 21, 2016

Navigation: System Settings > System > Directory Services > LDAP

Additional configuration information

For additional configuration information, see Centralized System Directory.

Configuration settings

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network. It can also be used to import directory information.

The IP Office supports both LDAP V2 and LDAP V3:

  • LDAP v2: This menu (System Settings > System > Directory Services > LDAP) supports LDAP v2 direct from the IP Office service.

  • LDAP v3: The Collaboration service on IP Office R11.1.2 and higher Linux-based IP Office servers supports LDAP v3. For IP500 V2 servers, the Collaboration service is provided by an IP Office Application Server. Using IP Office Web Manager, see Solution > Solution Settings > User Synchronization Using LDAP.

Tip:
  • IP Office systems also support the import of directory records from another IP Office using HTTP. That includes using HTTP to import records that the other IP Office has imported using LDAP.

LDAP records can contain several telephone numbers. Each will be treated as a separate directory record when imported into the system directory.

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

  • The "root" directory (the starting place or the source of the tree), which branches out to

  • Countries, each of which branches out to

  • Organizations, which branch out to

  • Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)

  • Individuals (which includes people, files, and shared resources such as printers)

An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.

These settings can be edited online. Changes to these settings do not require a reboot of the system.

Field

Description

LDAP Enabled

Default = Off

This option turns LDAP support on or off. If the server being queried is an LDAP V3 server, support for LDAP V2 may need to be enabled on that server. LDAP V3 servers typically support LDAP V2 but do not have it enabled by default.

User Name

Default = Blank

Enter the user name used to authenticate the connection with the LDAP database. To determine the domain name of a particular Windows user, look on the "Account" tab of the user's properties under "Active Directory Users and Computers". Note that this means that the user name required is not necessarily the same as the name of the Active Directory record. There should be a built-in account in Active Directory for anonymous Internet access, with prefix "IUSR_" and suffix server_name. Thus, for example, the user name entered in this field might be: IUSR_CORPSERV@example.com

Password

Default = Blank

Enter the password used to authenticate the connection with the LDAP database, that is, the password configured under Active Directory for the above user.

Alternatively, an Active Directory object may be made available for anonymous read access. This is configured on the server as follows.

  1. In Active Directory Users and Computers, enable Advanced Features under the View menu.

  2. Open the properties of the object to be published and select the Security tab.

  3. Click Add, select ANONYMOUS LOGON, click Add and then OK.

  4. Click Advanced and select ANONYMOUS LOGON.

  5. Click View/Edit and change the Apply to setting to This object and all child objects.

  6. Click OK to exit the menus.

  7. Once this has been done on the server, any value can be entered in the User Name field of the system configuration form (the field cannot be left blank) and the Password field can be left blank. Other non-Active Directory LDAP servers may allow totally anonymous access, in which case neither User Name nor Password need be configured.

Server IP Address

Default = Blank

Enter the IP address of the server storing the database.

Server Port

Default = 389

This setting is used to indicate the listening port on the LDAP server.

Authentication Method

Default = Simple

Select the authentication method to be used. The options are:

  • Simple: clear-text authentication; the user name and password are sent unencrypted.

  • Kerberos: Not used.

Resync Interval (secs)

Default = 3600 seconds. Range = 60 to 99999 seconds.

The frequency at which the system should resynchronize the directory with the server. This value also affects some aspects of the internal operation.

The LDAP search request contains a field specifying a time limit for the search operation; this is set to 1/16th of the resync interval. So by default a server should terminate a search request that has not completed within 225 seconds (3600/16).

The client end will terminate the LDAP operation if the TCP connection has been up for more than 1/8th of the resync interval (default 450 seconds). This time is also the interval at which a change in state of the "LDAP Enabled" configuration item is checked.

Search Base

Search Filter

Default = Blank

These fields are used together to refine the extraction of directory records.

The Search Base specifies the point in the tree to start searching.

  • The Search Base is a distinguished name in string form as defined in RFC 1779.

The Search Filter specifies which objects under the base are of interest.

  • The Search Filter deals with the attributes of the objects found under the Search Base. It uses the format defined in RFC 2254, except that extensible matching is not supported.

  • If left blank, the Search Filter defaults to (objectClass=*) which matches all objects under the Search Base.

  • You must ensure that the whole filter, and each term within the filter, is enclosed in its own pair of parentheses ( ).

The following are some examples applicable to an Active Directory database.

  • To get all user phone numbers in a domain:

    • Search Base - cn=users,dc=acme,dc=com

    • Search Filter - (telephonenumber=*)

  • To restrict the search to a particular Organizational Unit (for example an office site) and get cell phone numbers also:

    • Search Base - ou=holmdel,DC=example,DC=com

    • Search Filter - (|(telephonenumber=*)(mobile=*))

  • To get the members of distribution list "group1":

    • Search Base - cn=users,dc=example,dc=com

    • Search Filter - (&(memberof=cn=group1,cn=users,dc=example,dc=com)(telephonenumber=*))
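As an added example, not taken from the Avaya documentation, the Python below checks a Search Filter against the rules above: RFC 2254 syntax, every term and the whole filter in its own pair of parentheses, and no extensible matching. It is an independent validator written for this page, not the IP Office parser, so it can only catch the errors the page describes.

```python
import re

# Attribute description per RFC 2254: a name or a dotted numeric OID.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")

def parse_filter(text):
    """Parse an IP Office Search Filter (RFC 2254 minus extensible matching) into
    a nested tuple tree. Raises ValueError at the first problem, with its offset."""
    pos, tree = _filter(text, 0)
    if pos != len(text):
        raise ValueError(f"whole filter must be bracketed; trailing text {text[pos:]!r}")
    return tree

def _filter(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}: each term must be in brackets")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):                       # and / or: one or more sub-filters
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _filter(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' at offset {i - 1} has no bracketed sub-filter")
        node = (op, children)
    elif op == "!":                            # not: exactly one sub-filter
        i, child = _filter(s, i + 1)
        node = ("!", child)
    else:                                      # item: attr filtertype value
        end = s.find(")", i)                   # a literal ')' in a value is escaped as \29
        m = _ATTR.match(s, i)
        if end == -1 or not m:
            raise ValueError(f"malformed item at offset {i}: {s[i:]!r}")
        attr, rest = m.group(0), s[m.end():end]
        if rest.startswith(":"):               # attr:dn:rule:=value form
            raise ValueError(f"extensible match at offset {i} is not supported by IP Office")
        ft = next((t for t in ("~=", ">=", "<=", "=") if rest.startswith(t)), None)
        if ft is None:
            raise ValueError(f"missing =, ~=, >= or <= at offset {m.end()}")
        node, i = ("item", attr, ft, rest[len(ft):]), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1, node

def filter_error(text):
    try:                                       # None when acceptable, else the message
        parse_filter(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Running filter_error over a candidate filter before entering it in the configuration form reports the first rule it breaks, such as the two unbracketed terms in (telephonenumber=*)(mobile=*).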

Number Attributes

Default = telephoneNumber,otherTelephone,homePhone=H,otherHomePhone=H,mobile=M,otherMobile=M

Enter the number attributes the server should return for each record that matches the Search Base/Search Filter.

  • Other Active Directory number attributes are ipPhone, otherIpPhone, facsimileTelephoneNumber, otherFacsimileTelephoneNumber, pager and otherPager.

  • The attribute names are not case sensitive.

  • Other LDAP servers may use different attributes.

  • The optional "=string" sub-fields define how that type of number is tagged in the directory. Thus, for example, a cell phone number would appear in the directory as: John Birbeck M 7325551234
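As an added example, not from the Avaya documentation, the Python below parses the Number Attributes field and expands one LDAP entry into the separate tagged directory records described above (one record per number value, tag taken from the "=string" sub-field). The sample entry is constructed, and the choice of cn as the source of the display name is an assumption; the page does not say which attribute IP Office uses for the name.

```python
# Default value of the Number Attributes field, as given on this page.
DEFAULT_NUMBER_ATTRIBUTES = (
    "telephoneNumber,otherTelephone,homePhone=H,otherHomePhone=H,mobile=M,otherMobile=M"
)

# Constructed sample entry: one AD user with several numbers. LDAP attributes are
# multi-valued, so otherTelephone carries two values here. Key case is mixed on
# purpose, since the page says attribute names are not case sensitive.
SAMPLE_ENTRY = {
    "cn": ["John Birbeck"],
    "telephoneNumber": ["7325550100"],
    "OtherTelephone": ["7325550101", "7325550102"],
    "mobile": ["7325551234"],
}

def parse_number_attributes(spec):
    """Split the Number Attributes field into (attribute, tag) pairs in order.
    An attribute without '=tag' gets an empty tag and is shown untagged."""
    pairs = []
    for field in spec.split(","):
        field = field.strip()
        if field:
            attr, _, tag = field.partition("=")
            pairs.append((attr.lower(), tag.strip()))
    return pairs

def expand_entry(entry, spec=DEFAULT_NUMBER_ATTRIBUTES, name_attr="cn"):
    """Expand one LDAP entry into directory records, one per number value.
    Assumption: the display name comes from name_attr (the page does not say
    which attribute IP Office uses). Record text follows the page's format,
    '<name> <tag> <number>', with the tag omitted when none is configured."""
    lowered = {k.lower(): v for k, v in entry.items()}
    name = lowered.get(name_attr.lower(), [""])[0]
    records = []
    for attr, tag in parse_number_attributes(spec):
        for number in lowered.get(attr, []):
            records.append(" ".join(p for p in (name, tag, number) if p))
    return records
```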

Auto Populate MS Teams Data

Default = Enabled

When the LDAP Enabled setting is on, the Auto Populate MS Teams Data setting automatically populates the Microsoft Teams URI obtained by IP Office into User > Mobility > MS Teams URI and makes the MS Teams URI setting read-only.