LDAP Integration
LDAP servers can be integrated with VOSS-4-UC for these two purposes:
- User synchronization - sync users from LDAP into VOSS-4-UC and use LDAP to authenticate users. In this setup, the user accessing the system provides credentials via the VOSS-4-UC login page and an authentication request is sent to the appropriate LDAP server based on the user setup.
- User authentication only - use LDAP to authenticate users in VOSS-4-UC (either added locally or synced from Cisco Unified CM)
LDAP Authentication and VOSS-4-UC Credential Policies
VOSS-4-UC supports LDAP authentication as either standalone (LDAP Authentication only) or in conjunction with LDAP syncing of the users. The user accessing the system provides credentials via the VOSS-4-UC login page and an authentication request is sent to the appropriate LDAP server(s) based on the user setup.
The username and password provided need to match those in the LDAP server, based on the LDAP field selected for the username. After successful authentication, this username is used to map to the corresponding user in VOSS-4-UC to determine access, role, and so on. By default, this mapping is done by matching the LDAP field used (as defined in the LDAP setup in VOSS-4-UC) against the VOSS-4-UC username. However, if required, VOSS-4-UC does allow you to map non-matching usernames as part of the authentication setup for the user. This is useful when you need a different username in VOSS-4-UC and the UC apps than you have in LDAP.
When using LDAP Authentication, the password rules in the VOSS-4-UC credential policy do not apply, because the password is managed in the directory. Other credential policy rules, such as session length, are still applied because they are managed by VOSS-4-UC.
User authentication only is not available for OpenLDAP.
Note
- To use LDAP for authentication only, you must have VOSS-4-UC 10.6(3) or later.
- Since LDAP servers support case-insensitive search base DNs, VOSS-4-UC supports this case insensitivity. For example, on an LDAP server, the following search base DNs are equal:
  - CN=Users,DC=example,DC=com
  - cn=Users,dc=example,dc=com
LDAP Sync Scenarios
User synchronization is available for Active Directory (AD) and OpenLDAP.
Two sync scenarios are possible:
- “Top Down”: when the system is syncing users directly from the LDAP directory. One or more LDAP directories is the source of the user data. This setup controls how users are matched to be pulled in (for example, OU definition, LDAP filter, field filters, etc). It also provides the best scenario for the flow-through provisioning functionality.
- “Bottom Up”: when the system is syncing users indirectly from the LDAP directory, i.e. where applications are integrated and syncing the users from the LDAP directory. For example, the system syncs via the Cisco Unified CM which is syncing to LDAP.
LDAP Sync Lists
With LDAP sync, consider the following lists. They are here arranged in order of override precedence:
Override Order
- Always synced list - fields required to list LDAP Users on the GUI
- Drop Field List - fields never imported from LDAP
- Data Sync Blacklist - a change in these fields does not trigger an update
- Model Type List - from the LDAP data sync; set up and used in scheduled syncs
- LDAP Sync List (manual or from CFT) - fields to be imported from LDAP as set up with the LDAP server
Details of these lists are provided below:
Always Synced List
A number of fields are always synced, since these are required to list LDAP Users on the GUI:
| Column Name | Field Name |
|---|---|
| Cn | cn |
| Uid | uid |
| Description | description |
| | mail |
| User Principal Name | userPrincipalName |
| SAM Account Name | sAMAccountName |
Drop Field List
If any items in the LDAP Sync List are contained in the DROP_FIELD_LIST below, they are not synced, since they are not considered during any sync. This list is fixed in the system and is not configurable:
DROP_FIELD_LIST=[
'photo',
'jpegPhoto',
'audio',
'thumbnailLogo',
'thumbnailPhoto',
'userCertificate',
'logonCount',
'adminCount',
'lastLogonTimestamp',
'whenCreated',
'uSNCreated',
'badPasswordTime',
'pwdLastSet',
'lastLogon',
'whenChanged',
'badPwdCount',
'accountExpires',
'uSNChanged',
'lastLogoff',
'dSCorePropagationData'
]
Data Sync Blacklist
Refer to Data Sync Blacklist.
An LDAP Sync List will not override any of the Data Sync Blacklist attributes (default or custom) in data/Settings.
In other words, if a field is in both the LDAP Sync List and the Data Sync Blacklist, and the field value is different on the LDAP server, then the LDAP sync will not trigger any update for the LDAP entity during sync.
Existing Model Type List
Given an existing LDAP Server with a LDAP Sync List configured, when executing a Data Sync against the LDAP server, then the existing Model Type List functionality from the LDAP data sync is maintained and takes precedence over the LDAP Sync List.
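The override order above can be worked through in code. The following is an added Python example (not VOSS-4-UC code) that resolves which attributes of an LDAP entry are imported and which changed attributes trigger an update. The always-synced fields and DROP_FIELD_LIST are taken from this page; the sample entry, the sync lists and the custom blacklist are constructed for the example.

```python
"""Effective LDAP sync fields under the override order on this page.
Precedence (highest first): Always Synced List > Drop Field List >
Data Sync Blacklist > Model Type List > LDAP Sync List."""

# Fields that are always synced (Field Name column of the Always Synced List).
ALWAYS_SYNCED = {"cn", "uid", "description", "mail", "userPrincipalName", "sAMAccountName"}

# Fixed, non-configurable drop list as published on this page.
DROP_FIELD_LIST = {
    "photo", "jpegPhoto", "audio", "thumbnailLogo", "thumbnailPhoto", "userCertificate",
    "logonCount", "adminCount", "lastLogonTimestamp", "whenCreated", "uSNCreated",
    "badPasswordTime", "pwdLastSet", "lastLogon", "whenChanged", "badPwdCount",
    "accountExpires", "uSNChanged", "lastLogoff", "dSCorePropagationData",
}

# Constructed LDAP entry (attribute -> value), standing in for one directory object.
SAMPLE_ENTRY = {
    "cn": "jdoe", "sAMAccountName": "jdoe", "mail": "jdoe@example.com",
    "givenName": "Jane", "sn": "Doe", "title": "Engineer",
    "telephoneNumber": "+1 555 0100",
    "thumbnailPhoto": b"<binary>", "whenChanged": "20240101000000Z",
}


def effective_sync_fields(entry_attrs, sync_list=None, model_type_list=None):
    """Return the set of attribute names that a sync would import.

    - With no sync list at all, every attribute on the entry is a candidate.
    - An existing Model Type List (from the LDAP data sync) wins over the
      manual/CFT sync list.
    - The Drop Field List removes attributes regardless of any list.
    - The Always Synced fields are added back last, so they are never lost.
    """
    available = set(entry_attrs)
    if model_type_list is not None:
        requested = set(model_type_list) & available
    elif sync_list is not None:
        requested = set(sync_list) & available
    else:
        requested = available
    return (requested - DROP_FIELD_LIST) | (ALWAYS_SYNCED & available)


def changed_fields_triggering_update(old_entry, new_entry, synced_fields, blacklist):
    """Return the synced fields whose value changed and are not blacklisted.

    A change to a Data Sync Blacklist attribute never triggers an update,
    even when the attribute is in the sync list (blacklist is a hypothetical
    custom list here; the product's defaults live in data/Settings).
    """
    return {
        f for f in synced_fields
        if f not in blacklist and old_entry.get(f) != new_entry.get(f)
    }


if __name__ == "__main__":
    sync_list = ["sAMAccountName", "givenName", "sn", "thumbnailPhoto", "whenChanged"]
    fields = effective_sync_fields(SAMPLE_ENTRY, sync_list)
    print("imported:", sorted(fields))
    updated = dict(SAMPLE_ENTRY, sn="Smith", title="Manager")
    print("triggers update:", changed_fields_triggering_update(
        SAMPLE_ENTRY, updated, effective_sync_fields(SAMPLE_ENTRY), {"title"}))
```

Note that thumbnailPhoto and whenChanged are silently discarded even though the sync list names them, while cn and mail are imported even though it does not; a blacklisted title change produces no update, whereas the sn change does.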
LDAP Sync List
A new LDAP server or one that existed in the system prior to release 19.3.4 allows you to choose the LDAP Sync List Option:
- No sync list
- Create sync list manually
- Create sync list from template
The template (CFT) can also be created and applied to a server - see LDAP Sync List Configuration Templates.
Important
Besides the sync override order indicated above, manual or template sync lists are bound by the following considerations:
- If no sync list is set up, LDAP sync will not be affected by this list.
- If the default or selected sync list used for a server is modified, a full sync is required during the next scheduled or manual sync, for example, from the Sync and Purge menu. It is therefore recommended that such changes and the sync be scheduled for off-peak times, particularly where there are many users and a large sync is required.
- For users that are targeted for Cisco-based services, a field must be mapped to the surname field for users. It is therefore important to include a field in the Sync List that is mapped to the ‘surname’ field, typically sn.
For details on the LDAP Sync List on the LDAP server, see: Set up an LDAP Server.
Note
By default, LDAP user details shown on the GUI display all device/ldap/user fields. It is therefore recommended to create a FDP for device/ldap/user that contains only the fields from your LDAP Sync List, in order to view LDAP user details according to your configuration.
LDAP Sync List Configuration Templates
Administrators can also clone the default sync list Configuration Templates to a hierarchy and modify these for use during initial LDAP server setup. The modified CFTs will then be available at the hierarchy on the Sync List tab from the LDAP Sync List Template drop-down list.
Two default CFTs are provided and can be cloned:
- Ldap Sync List Microsoft Active Directory
- Ldap Sync List Open Ldap
The default CFT fields are:
| Ldap Sync List Microsoft Active Directory | Ldap Sync List Open Ldap |
|---|---|
| Model Type: device/ldap/user | Model Type: device/ldap/InetOrgPerson |
| sAMAccountName | uid |
| mail | mail |
| givenName | givenName |
| sn | sn |
| title | title |
| department | departmentNumber |
| displayName | displayName |
| employeeNumber | employeeNumber |
| employeeType | employeeType |
| homePhone | homePhone |
| ipPhone | |
| telephoneNumber | telephoneNumber |
| mobile | mobile |
| otherMailbox | |
| facsimileTelephoneNumber | facsimileTelephoneNumber |
| l | l |
| c | |
| streetAddress | |
| st | street |
| postalCode | postalCode |
| physicalDeliveryOfficeName | physicalDeliveryOfficeName |
| manager | manager |
| memberOf | memberOf |
| objectClass | objectClass |
| o | o |
| ou | ou |
If new LDAP attribute names are added to the cloned CFT when modifying it on the GUI, type the names in. Initially, all attribute names are imported. The full attribute list and naming is available on the GUI Sync List tab from the default sync list for the server - see: Set up an LDAP Server.
Enter a descriptive name for the cloned CFT, which will then show in the hierarchy on the drop-down list of Sync List CFTs that are available when you modify an LDAP server or create a new server.
Multiple LDAP OUs Per Hierarchy
Large corporations and institutions with multiple domains or agencies may require more than one LDAP Organizational Unit (OU) to be configured at a hierarchy.
VOSS-4-UC allows for multiple LDAP OUs at a hierarchy by providing for a unique combination of the following LDAP server properties at the hierarchy:
- IP address
- Port
- search base DN
Multiple search base DNs can therefore be configured at the same hierarchy for different organizations within the same company, so that administrators and self-service users can successfully authenticate. For example:
LDAP server setup:
| IP | Port | Search base DN | Hierarchy |
|---|---|---|---|
| 1.2.3.4 | 389 | ou=SharedOUA,dc=voss-solutions,dc=com | Provider.Customer |
| 1.2.3.4 | 389 | ou=SharedOUB,dc=voss-solutions,dc=com | Provider.Customer |
Users:
- userA: ou=SharedOUA,dc=voss-solutions,dc=com
- userB: ou=SharedOUB,dc=voss-solutions,dc=com
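The two rules that make this setup work are the case-insensitive comparison of search base DNs (see the Note under LDAP Authentication above) and the uniqueness of the IP address, port and search base DN combination at a hierarchy. The following added Python example (not VOSS-4-UC code) shows both: a DN normaliser that treats attribute types and values case-insensitively, a registry that rejects a duplicate server whose base DN differs only in case, and a lookup that routes a user to the server whose search base is the longest matching suffix of the user's DN. The LdapServer class, the resolve_server function and the full user DNs (cn=userA,... and cn=userB,...) are constructed for the example; the server table is the one above.

```python
"""DN normalisation and per-hierarchy LDAP server resolution (added example)."""
import re
from dataclasses import dataclass

# Split on commas that are not escaped with a backslash (RFC 4514 style DNs).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Return a tuple of (attribute_type, value) pairs in canonical form.

    Attribute types are always case-insensitive. Values are lower-cased here
    too, which is correct for the caseIgnoreMatch attributes normally found in
    base DNs (cn, ou, dc, o) but is an assumption for other attribute types.
    """
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = re.sub(r"\\(.)", r"\1", value.strip())  # drop backslash escapes
        value = " ".join(value.split()).lower()          # collapse inner whitespace
        parts.append((attr.strip().lower(), value))
    return tuple(parts)


def dn_equal(a, b):
    """True when two DNs are the same entry despite differences in case/spacing."""
    return normalize_dn(a) == normalize_dn(b)


def dn_under_base(dn, base):
    """True when dn equals base or lies beneath it (suffix match on RDNs)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass(frozen=True)
class LdapServer:
    ip: str
    port: int
    search_base_dn: str
    hierarchy: str

    def key(self):
        # The combination that must be unique at a hierarchy.
        return (self.hierarchy, self.ip, self.port, normalize_dn(self.search_base_dn))


def register_servers(servers):
    """Build a registry, refusing a second server with the same (hierarchy, IP,
    port, base DN) even if the base DN is written in a different case."""
    registry = {}
    for server in servers:
        if server.key() in registry:
            raise ValueError(f"duplicate LDAP server at {server.hierarchy}: {server}")
        registry[server.key()] = server
    return registry


def resolve_server(user_dn, registry, hierarchy):
    """Return the server at `hierarchy` whose search base DN is the longest
    suffix of `user_dn`, or None when no configured base contains the user."""
    candidates = [s for s in registry.values()
                  if s.hierarchy == hierarchy and dn_under_base(user_dn, s.search_base_dn)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: len(normalize_dn(s.search_base_dn)))


# Server table from the page; user DNs are constructed beneath the two OUs.
SERVERS = [
    LdapServer("1.2.3.4", 389, "ou=SharedOUA,dc=voss-solutions,dc=com", "Provider.Customer"),
    LdapServer("1.2.3.4", 389, "ou=SharedOUB,dc=voss-solutions,dc=com", "Provider.Customer"),
]
USER_A = "cn=userA,ou=SharedOUA,dc=voss-solutions,dc=com"
USER_B = "cn=userB,ou=SharedOUB,dc=voss-solutions,dc=com"

if __name__ == "__main__":
    registry = register_servers(SERVERS)
    for user in (USER_A, USER_B):
        print(user, "->", resolve_server(user, registry, "Provider.Customer").search_base_dn)
```

Because the registry key uses the normalised DN, an attempt to add `OU=SharedOUA,DC=voss-solutions,DC=com` alongside the first row is rejected as a duplicate rather than silently creating a second server that would match the same users.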