.. _set_up_ldap_for_user_synchronization:

Set up LDAP for User Synchronization
------------------------------------

.. _19.1.2|VOSS-541:
.. _19.3.2|EKB-4362:

Follow these steps to set up LDAP user synchronization. This process
synchronizes users from the configured LDAP directory into VOSS-4-UC.
The users then appear at the hierarchy node at which the LDAP User Sync object
exists. You can manage the users through User Management menu options
(for example, move users to other hierarchies, or push to Cisco Unified
Communications Manager).

.. note::

   The LDAP Authentication Only check box is available only in VOSS-4-UC.

Procedure
.........

1. Log in as provider, reseller, or customer administrator.
2. Set the hierarchy path to the node of the LDAP server you want to
   synchronize users from.
3. Choose **LDAP Management > LDAP User Sync**.
4. Click **Add**.
5. On the **Base** tab, provide the following information:

.. tabularcolumns:: |p{4cm}|p{11cm}|

+---------------------+-------------------------------------------------------+
| Field               | Description                                           |
+=====================+=======================================================+
| LDAP Server\*       | This read-only field displays the LDAP                |
|                     | Server you are synchronizing users from.              |
+---------------------+-------------------------------------------------------+
|                     | Important:                                            |
|                     |                                                       |
|                     | Leave the check box clear to synchronize users from   |
|                     | LDAP.                                                 |
|                     |                                                       |
|                     | Default is Clear. When cleared, users                 |
|                     | are synchronized from the configured LDAP             |
| LDAP Authentication | directory and their passwords are                     |
| Only                | authenticated against the configured LDAP             |
|                     | directory. When selected, users are not               |
|                     | synchronized from the configured LDAP                 |
|                     | directory, but their passwords are                    |
|                     | authenticated against the LDAP directory.             |
|                     | When selected, you can manually add users             |
|                     | from the GUI or API, bulk load them, or               |
|                     | synchronize them from Cisco Unified CM.               |
+---------------------+-------------------------------------------------------+
|                     | The User Model Type identifies which LDAP             |
|                     | object, defined in the configured LDAP                |
|                     | server, is used to import and authenticate            |
|                     | users.                                                |
|                     |                                                       |
|                     | If the LDAP server is Microsoft Active Directory, the |
|                     | default is ``device/ldap/user``.                      |
|                     |                                                       |
|                     | If the LDAP server is AD LDS (ADAM),                  |
|                     | this                                                  |
|                     | should be set to ``device/ldap/userProxy``.           |
| User Model Type     |                                                       |
|                     | If the LDAP server is OpenLDAP, the default           |
|                     | is ``device/ldap/inetOrgPerson``.                     |
|                     |                                                       |
|                     | To identify a non-default User Model Type to          |
|                     | use, contact the LDAP server administrator.           |
+---------------------+-------------------------------------------------------+
| LDAP Authentication | The attribute used for creating an LDAP user.         |
| Attribute           | This value will be used for LDAP authentication       |
|                     | against LDAP when the **LDAP Authentication Only**    |
|                     | check box is selected (see above field).              |
+---------------------+-------------------------------------------------------+
|                     | Choose the User Entitlement Profile that specifies    |
|                     | the devices and services to which users synchronized  |
|                     | from the LDAP server are entitled.                    |
| User Entitlement    |                                                       |
| Profile             | The chosen entitlement profile is assigned            |
|                     | to each synchronized user. It is checked              |
|                     | during user provisioning to ensure the                |
|                     | user's configuration does not exceed the              |
|                     | allowed services and devices specified in             |
|                     | the entitlement profile.                              |
+---------------------+-------------------------------------------------------+
|                     | The default role to assign to the synced user (if no  |
| User Role           | other LDAP Custom Role Mappings are applicable for    |
| (default)\*         | the synced user, then this fallback/default role will |
|                     | be applied). This field is mandatory.                 |
+---------------------+-------------------------------------------------------+
|                     | Indicates whether users are automatically             |
| User Move Mode      | moved to sites based on the filters and               |
|                     | filter order defined in **User Management >           |
|                     | Manage Filters**.                                     |
+---------------------+-------------------------------------------------------+
|                     | Indicates whether users are automatically             |
|                     | deleted from VOSS-4-UC if they are deleted            |
| User Delete Mode    | from the LDAP directory. If set to automatic,         |
|                     | all subscriber resources associated with the          |
|                     | user, such as a phone, are also deleted.              |
+---------------------+-------------------------------------------------------+
|                     | Indicates whether users are automatically             |
|                     | deleted from VOSS-4-UC if they are purged             |
| User Purge Mode     | from the LDAP device model. An administrator          |
|                     | can remove the LDAP user from the device              |
|                     | layer even if the user has not been removed           |
|                     | from the LDAP directory.                              |
+---------------------+-------------------------------------------------------+

6. Click the **Field Mappings** tab and modify the default mappings if required:

   * LDAP Username

     * For Microsoft Active Directory, this is typically the ``sAMAccountName``.
     * For AD LDS (ADAM), the ``sAMAccountName`` attribute is not part of the default schema,
       but can be added if required. Confirm with the LDAP server administrator. Alternatively,
       use ``uid``.
     * For OpenLDAP, this is typically the ``uid``.
   * Sn (Surname)

7. (Optional) Complete other field mappings as needed, for other operations such
   as pushing users to Cisco Unified Communications Manager or creating move filters.
8. Click **Save**.

An LDAP synchronization is scheduled, but is not activated by default. See
:ref:`synchronize_users_from_ldap`.


.. note::

   The following fields are *not* imported by VOSS-4-UC during LDAP synchronization:

   ::

      photo
      jpegPhoto
      audio
      thumbnailLogo
      thumbnailPhoto
      userCertificate
      logonCount
      adminCount
      lastLogonTimestamp
      whenCreated
      uSNCreated
      badPasswordTime
      pwdLastSet
      lastLogon
      whenChanged
      badPwdCount
      accountExpires
      uSNChanged
      lastLogoff
      dSCorePropagationData
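
The following Python script is an added, offline model of what one sync pass
does with the settings from the procedure above (User Model Type, the LDAP
Username and Sn field mappings, User Delete Mode, the LDAP Authentication Only
check box) and with the attribute exclusion list in the note. It is an
illustration written for this page, not VOSS-4-UC code: the function names,
the ``delete_mode``/``auth_only`` parameters and the LDIF samples are
assumptions, and constructed LDIF text stands in for the configured LDAP
server.

```python
"""Offline model of one LDAP user-sync pass, as configured in the procedure
above. Added illustration only, not VOSS-4-UC code; the function names, the
delete_mode/auth_only parameters and the LDIF samples are assumptions."""
import base64

# Attributes the page lists as never imported during LDAP synchronization.
NOT_IMPORTED = frozenset({
    "photo", "jpegPhoto", "audio", "thumbnailLogo", "thumbnailPhoto",
    "userCertificate", "logonCount", "adminCount", "lastLogonTimestamp",
    "whenCreated", "uSNCreated", "badPasswordTime", "pwdLastSet", "lastLogon",
    "whenChanged", "badPwdCount", "accountExpires", "uSNChanged", "lastLogoff",
    "dSCorePropagationData"})

# User Model Type -> (objectClass selected, default LDAP Username attribute),
# following the defaults the page gives for AD, AD LDS and OpenLDAP.
USER_MODEL_TYPES = {
    "device/ldap/user": ("user", "sAMAccountName"),
    "device/ldap/userProxy": ("userProxy", "uid"),
    "device/ldap/inetOrgPerson": ("inetOrgPerson", "uid"),
}


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values to bytes, keeps every attribute as a list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            entry.setdefault(name, []).append(value)
    return entries


def sync_users(ldif_text, user_model_type, existing, *,
               delete_mode="automatic", username_attr=None, auth_only=False):
    """Return (users, deleted). existing = usernames imported by earlier passes.
    delete_mode "automatic" deletes users gone from the directory (the real
    system also removes their phones etc.); "manual" keeps them. auth_only
    models the LDAP Authentication Only check box: nothing is imported."""
    if auth_only:
        return {}, set()
    object_class, default_attr = USER_MODEL_TYPES[user_model_type]
    username_attr = username_attr or default_attr
    users = {}
    for entry in parse_ldif(ldif_text):
        if object_class not in entry.get("objectClass", []):
            continue                        # not the configured user model type
        username = entry.get(username_attr, [""])[0]
        if not username:
            continue                        # no username attribute: cannot import
        attrs = {k: v for k, v in entry.items()
                 if k != "dn" and k not in NOT_IMPORTED}
        users[username] = {"username": username,
                           "surname": entry.get("sn", [""])[0],   # Sn mapping
                           "attributes": attrs}
    missing = set(existing) - set(users)
    return users, (missing if delete_mode == "automatic" else set())


# Constructed sample directory data, not taken from any real directory.
SAMPLE_AD_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: aexample
sn: Example
telephoneNumber: +1 555 0100
pwdLastSet: 133000000000000000
thumbnailPhoto:: AAAA

dn: CN=Bob Example,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bexample
sn: Exam
 ple
badPwdCount: 3

dn: CN=Printers,OU=Groups,DC=example,DC=test
objectClass: group
sAMAccountName: printers
"""
SAMPLE_OPENLDAP_LDIF = """\
dn: uid=cexample,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: cexample
sn: Example
jpegPhoto:: /9j/
"""
```

Run as ``sync_users(SAMPLE_AD_LDIF, "device/ldap/user", {"aexample",
"bexample", "cgone"})``: the two ``user`` entries are imported with their
surnames and telephone numbers, the group entry and every attribute in the
exclusion list are dropped, and ``cgone`` is reported for deletion because it
is no longer in the directory. The two ``continue`` branches are where the
page's User Delete Mode caveat bites: with automatic deletion, an account that
loses its username attribute or stops matching the configured object class
disappears from the result and is deleted together with its subscriber
resources, so verify those attributes on every account before enabling
automatic mode.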