.. _set_up_ldap_for_authentication_only:

Set up LDAP for Authentication Only
-----------------------------------

Use this procedure to set up an LDAP server that only authenticates users in
VOSS-4-UC and does not sync them. Users may be added locally, or synced from
Cisco Unified CM. Users who are LDAP synced in Cisco Unified CM and then synced
into VOSS-4-UC are LDAP authenticated by default. Users who are manually
configured in Cisco Unified CM and then synced into VOSS-4-UC are not LDAP
authenticated by default, and neither are users manually configured in
VOSS-4-UC. The default behavior can be changed using the procedures described in
View and Update LDAP Authentication Users.

.. note::

   LDAP for Authentication Only is available at hierarchy nodes that have an LDAP
   server. Therefore, LDAP for Authentication Only is not available for users
   created at the site level.

.. important::

   When **LDAP Authentication Only** is used (check box selected), the
   **CUCM LDAP Directory Name** for the LDAP server must be filled in.

   When more than one LDAP server sync is created and this field is not
   filled in, no LDAP users are created and a warning message is written
   to the transaction log.


Procedure
.........

1. Log in as provider, reseller, or customer administrator.
2. Set the hierarchy path to the node where you have set up the LDAP server you
   want to use to authenticate users.
3. Choose **LDAP Management > LDAP User Sync**.
4. Click **Add**.
5. On the **Base** tab, provide this information:

.. tabularcolumns:: |p{3cm}|p{12cm}|

+---------------------+----------------------------------------------+
| Field               | Description                                  |
+=====================+==============================================+
| LDAP Server         | Choose the LDAP Server you are               |
|                     | authenticating users at.                     |
+---------------------+----------------------------------------------+
|                     | Important:                                   |
|                     |                                              |
|                     | Select this check box to use the LDAP server |
|                     | only to authenticate users.                  |
|                     |                                              |
|                     | Default = Cleared. When cleared, users are   |
|                     | synced from the configured LDAP directory    |
| LDAP Authentication | and their passwords are authenticated        |
| Only                | against the configured LDAP directory.       |
|                     |                                              |
|                     | When selected:                               |
|                     |                                              |
|                     | * The **CUCM LDAP Directory Name** for the   |
|                     |   LDAP server must be filled in. When more   |
|                     |   than one LDAP server sync is created and   |
|                     |   this is not filled in, no LDAP users will  |
|                     |   be created and a warning message will be   |
|                     |   seen in the transaction log.               |
|                     | * Users are not synced from the configured   |
|                     |   LDAP directory, but their passwords are    |
|                     |   authenticated against the LDAP directory.  |
|                     | * You can manually add users from the GUI or |
|                     |   API, bulk load them, or sync them from     |
|                     |   Unified CM.                                |
+---------------------+----------------------------------------------+
|                     | This read-only field identifies which LDAP   |
| User Model Type     | object, defined in the configured LDAP       |
|                     | server, is used to authenticate users.       |
+---------------------+----------------------------------------------+
|                     | Choose the LDAP Attribute to be used to      |
|                     | authenticate users. This field is mandatory. |
|                     | Options are:                                 |
|                     |                                              |
|                     | * sAMAccountName - AD only, this is the      |
|                     |   default for AD.                            |
|                     | * uid - OpenLDAP only, this is the default   |
|                     |   for OpenLDAP.                              |
|                     | * mail                                       |
|                     | * employeeNumber                             |
|                     | * telephoneNumber                            |
|                     | * userPrincipalName - AD only.               |
|                     |                                              |
|                     | These are the same values Unified CM uses    |
|                     | for LDAP Attribute for User ID.              |
|                     |                                              |
|                     | Caveats (AD only)                            |
|                     |                                              |
|                     | For the following types of users, do not     |
|                     | select userPrincipalName, unless the         |
|                     | userPrincipalName value was set as the       |
| LDAP Authentication | Username when the user was created:          |
| Attribute           |                                              |
|                     | * Users created using the VOSS-4-UC GUI      |
|                     | * Users created using the VOSS-4-UC API      |
|                     | * Users bulk loaded into VOSS-4-UC           |
|                     | * Users manually created in Unified CM and   |
|                     |   synced into VOSS-4-UC                      |
|                     |                                              |
|                     | Caveats (AD and OpenLDAP)                    |
|                     |                                              |
|                     | For users synced from LDAP into Unified CM   |
|                     | and then into VOSS-4-UC:                     |
|                     |                                              |
|                     | * We strongly recommend selecting the same   |
|                     |   LDAP Authentication Attribute as Unified   |
|                     |   CM uses for LDAP Attribute for User ID.    |
|                     | * If you sync users into Unified CM using    |
|                     |   attributes other than sAMAccountName/uid,  |
|                     |   do not choose sAMAccountName/uid.          |
|                     |                                              |
|                     | If you sync users from LDAP into Unified CM  |
|                     | using employeeNumber, choose employeeNumber  |
|                     | for the LDAP Authentication Attribute.       |
|                     | However, to get the LDAP Authentication to   |
|                     | work properly, one of these conditions must  |
|                     | be met:                                      |
|                     |                                              |
|                     | * Before syncing users from Unified CM to    |
|                     |   VOSS-4-UC, set the Employee Number field   |
|                     |   on the CUCM Server FieldMapping tab to     |
|                     |   userid.                                    |
|                     | * Define the LDAP for Authentication Only    |
|                     |   sync before syncing users from Unified CM  |
|                     |   into VOSS-4-UC.                            |
+---------------------+----------------------------------------------+

6. Click **Save**.

All users that have SyncToHierarchy set to the hierarchy of the LDAP server now
use the LDAP server for authentication. The users are added to the LDAP
Authentication Users list.
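The Authentication Only behaviour and the LDAP Authentication Attribute caveats in the field table, as an added example that is not VOSS-4-UC code: a search-then-bind routine in Python run against a constructed in-memory directory standing in for AD/OpenLDAP. The DNs, users, passwords and the ``search()``/``bind()`` helpers are assumptions made for the example; in production they would be a real LDAP search and simple bind. It shows why the attribute must match the value stored as the VOSS-4-UC username (a user created with the sAMAccountName cannot log in once userPrincipalName is configured), why a non-unique attribute such as employeeNumber must fail closed rather than bind the first hit, why an empty password has to be refused before the bind, and why the username is escaped per RFC 4515 before it is placed in the search filter.

```python
"""Search-then-bind LDAP authentication as "LDAP Authentication Only" is
described above: the username stored in VOSS-4-UC is looked up by the
configured LDAP Authentication Attribute, then the password is checked
against the single entry found. Added example, not VOSS-4-UC code; DIRECTORY,
search() and bind() are assumptions standing in for AD/OpenLDAP so it runs
offline."""
import hmac
import re

# Attribute choices on the LDAP User Sync form (first two: the Unified CM
# defaults for AD and OpenLDAP).
AUTH_ATTRIBUTES = ("sAMAccountName", "uid", "mail", "employeeNumber",
                   "telephoneNumber", "userPrincipalName")

# Constructed sample directory (assumption) with two pitfalls built in: jdoe's
# userPrincipalName differs from her sAMAccountName, and two contractors
# share an employeeNumber.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": ["jdoe"], "employeeNumber": ["10042"],
        "userPrincipalName": ["jane.doe@example.com"],
        "userPassword": ["correct-horse-battery"]},
    "CN=Contractor A,OU=Contractors,DC=example,DC=com": {
        "sAMAccountName": ["ctr.a"], "employeeNumber": ["99999"],
        "userPassword": ["pw-a"]},
    "CN=Contractor B,OU=Contractors,DC=example,DC=com": {
        "sAMAccountName": ["ctr.b"], "employeeNumber": ["99999"],
        "userPassword": ["pw-b"]},
}

_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<pat>.*)\)$")


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter; without
    it a username such as '*' or 'x)(objectClass=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attribute, username):
    """Equality filter on the configured LDAP Authentication Attribute."""
    if attribute not in AUTH_ATTRIBUTES:
        raise ValueError("unsupported LDAP Authentication Attribute: %r" % attribute)
    return "(%s=%s)" % (attribute, escape_filter_value(username))


def search(directory, ldap_filter):
    """Evaluate one equality/substring filter as a server would: an unescaped
    '*' is a wildcard, an escaped '\\2a' is a literal asterisk, values compare
    case-insensitively (the AD/OpenLDAP rule for these attributes)."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    unescape = lambda s: re.sub(r"\\([0-9A-Fa-f]{2})",
                                lambda h: chr(int(h.group(1), 16)), s)
    pattern = re.compile(".*".join(re.escape(unescape(p))
                                   for p in m.group("pat").split("*")),
                         re.IGNORECASE)
    return sorted(dn for dn, entry in directory.items()
                  if any(pattern.fullmatch(v) for v in entry.get(m.group("attr"), [])))


def resolve_dn(directory, attribute, username):
    """DN of the one entry whose attribute equals the VOSS-4-UC username.
    Fails closed: no match (attribute does not match the stored username) and
    more than one match (non-unique employeeNumber) both return None."""
    matches = search(directory, build_filter(attribute, username))
    return matches[0] if len(matches) == 1 else None


def bind(directory, dn, password):
    """Stand-in for an LDAP simple bind. The empty password is refused first:
    a real server treats 'DN plus empty password' as an unauthenticated bind
    that succeeds anonymously (RFC 4513, section 5.1.2)."""
    if not password:
        return False
    stored = directory.get(dn, {}).get("userPassword", [])
    return any(hmac.compare_digest(password.encode(), s.encode()) for s in stored)


def authenticate(directory, attribute, username, password):
    dn = resolve_dn(directory, attribute, username)
    return dn is not None and bind(directory, dn, password)


def demo():
    """Walk the caveats from the field table; returns results so they can be
    checked rather than only printed."""
    pw = "correct-horse-battery"
    return {
        # Unified CM-synced user, attribute matches the stored username.
        "cucm_default": authenticate(DIRECTORY, "sAMAccountName", "jdoe", pw),
        # userPrincipalName configured, but the stored username is the
        # sAMAccountName: the lookup finds nothing and the login fails.
        "upn_mismatch": authenticate(DIRECTORY, "userPrincipalName", "jdoe", pw),
        # Had the UPN been set as the username at creation, UPN is fine.
        "upn_as_username": authenticate(DIRECTORY, "userPrincipalName",
                                        "jane.doe@example.com", pw),
        # employeeNumber is usable only where unique; the shared value must
        # not log in as whichever entry the server returned first.
        "employee_unique": authenticate(DIRECTORY, "employeeNumber", "10042", pw),
        "employee_ambiguous": authenticate(DIRECTORY, "employeeNumber", "99999", "pw-a"),
        "empty_password": authenticate(DIRECTORY, "sAMAccountName", "jdoe", ""),
        # A wildcard username is escaped and matches nothing.
        "wildcard_injection": resolve_dn(DIRECTORY, "sAMAccountName", "*"),
    }
```

Calling ``demo()`` returns one result per caveat: ``upn_mismatch`` and ``employee_ambiguous`` are the two failure modes the table warns about, and ``wildcard_injection`` shows the escaping turning a lookup that would otherwise match every account into one that matches none. The same ``resolve_dn`` check is worth running by hand (an ``ldapsearch`` on the chosen attribute for a few existing VOSS-4-UC usernames) before selecting the LDAP Authentication Attribute, so that a mismatch surfaces before users are locked out.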