LDAP Integration
LDAP servers can be integrated with VOSS-4-UC for these two purposes:
- User synchronization - sync users from LDAP into VOSS-4-UC and use LDAP to authenticate users. In this setup, the user accessing the system provides credentials via the VOSS-4-UC login page and an authentication request is sent to the appropriate LDAP server(s) based on the user setup.
- User authentication only - use LDAP to authenticate users in VOSS-4-UC (either added locally or synced from Cisco Unified CM)
LDAP Authentication and VOSS-4-UC Credential Policies
VOSS-4-UC supports LDAP authentication as either standalone (LDAP Authentication only) or in conjunction with LDAP syncing of the users. The user accessing the system provides credentials via the VOSS-4-UC login page and an authentication request is sent to the appropriate LDAP server(s) based on the user setup.
The username and password provided need to match those held in the LDAP server, using the LDAP field selected as the username. After successful authentication, this username is mapped to the corresponding user in VOSS-4-UC to determine access, role, and so on. By default, the mapping requires the LDAP field used (as defined in the LDAP setup in VOSS-4-UC) to match the VOSS-4-UC username. However, if required, VOSS-4-UC does allow you to map non-matching usernames as part of the authentication setup for the user. This is useful when the username in VOSS-4-UC and the UC apps must differ from the username in LDAP.
When LDAP Authentication is used, the password rules in the VOSS-4-UC credential policy do not apply, because the password is managed in the directory. Other credential policy rules, such as session length, still apply because they are managed by VOSS-4-UC.
User authentication only is not available for OpenLDAP.
Note
- To use LDAP for authentication only, you must have VOSS-4-UC 10.6(3) or later.
- Since LDAP servers support case-insensitive search base DNs, VOSS-4-UC supports this case insensitivity. For example, on an LDAP server, the following search base DNs are equal:
  - CN=Users,DC=example,DC=com
  - cn=Users,dc=example,dc=com
LDAP Sync Scenarios
User synchronization is available for Active Directory (AD) and OpenLDAP.
Two sync scenarios are possible:
- “Top Down”: the system syncs users directly from the LDAP directory. One or more LDAP directories are the source of the user data. This setup controls how users are matched and pulled in (for example, OU definition, LDAP filter, field filters, and so on). It is also the best scenario for the flow-through provisioning functionality.
- “Bottom Up”: the system syncs users indirectly from the LDAP directory, i.e. from applications that are themselves integrated with and syncing users from the LDAP directory. For example, the system syncs via the Cisco Unified CM, which in turn syncs from LDAP.
Multiple LDAP OUs Per Hierarchy
Large corporations and institutions with multiple domains or agencies may require more than one LDAP Organizational Unit (OU) to be configured at a hierarchy.
VOSS-4-UC allows for multiple LDAP OUs at a hierarchy by providing for a unique combination of the following LDAP server properties at the hierarchy:
- IP address
- Port
- search base DN
Multiple search base DNs can therefore be configured at the same hierarchy for different organizations within the same company, so that administrators and self-service users can successfully authenticate. For example:
LDAP server setup:
IP | Port | Search base DN | Hierarchy
---|---|---|---
1.2.3.4 | 389 | ou=SharedOUA,dc=voss-solutions,dc=com | Provider.Customer
1.2.3.4 | 389 | ou=SharedOUB,dc=voss-solutions,dc=com | Provider.Customer
Users:
- userA: ou=SharedOUA,dc=voss-solutions,dc=com
- userB: ou=SharedOUB,dc=voss-solutions,dc=com
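The following is an added illustration, not VOSS-4-UC code, of how the setup above resolves a user to one of several LDAP servers at a hierarchy: the (IP, port, search base DN) combination must be unique, and DNs are compared case-insensitively as described in the note earlier. The `LdapServer` record, the "deepest matching search base wins" rule, and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LdapServer:                      # one row of the "LDAP server setup" table
    ip: str
    port: int
    search_base_dn: str
    hierarchy: str

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]

def normalize_dn(dn: str) -> tuple[str, ...]:
    """Case-insensitive form: CN=Users,DC=example,DC=com == cn=Users,dc=example,dc=com."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(parts)

def dn_under_base(user_dn: str, base_dn: str) -> bool:
    """True when user_dn equals base_dn or sits below it in the directory tree."""
    u, b = normalize_dn(user_dn), normalize_dn(base_dn)
    return len(u) >= len(b) and u[len(u) - len(b):] == b

def select_server(user_dn: str, hierarchy: str, servers: list[LdapServer]) -> LdapServer:
    """Pick the server at this hierarchy whose search base contains the user (deepest base wins)."""
    keys = [(s.ip, s.port, normalize_dn(s.search_base_dn), s.hierarchy) for s in servers]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate (IP, port, search base DN) at a hierarchy")
    matches = [s for s in servers if s.hierarchy == hierarchy and dn_under_base(user_dn, s.search_base_dn)]
    if not matches:
        raise LookupError(f"no LDAP server at {hierarchy} covers {user_dn}")
    return max(matches, key=lambda s: len(normalize_dn(s.search_base_dn)))

# Constructed sample: the two rows from the table on this page.
SERVERS = [
    LdapServer("1.2.3.4", 389, "ou=SharedOUA,dc=voss-solutions,dc=com", "Provider.Customer"),
    LdapServer("1.2.3.4", 389, "ou=SharedOUB,dc=voss-solutions,dc=com", "Provider.Customer"),
]
```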