.. _set_up_ldap_for_user_synchronization:

Configure LDAP for User Synchronization
----------------------------------------

.. _19.1.2|VOSS-541:
.. _20.1.1|VOSS-551:
.. _19.3.4|VOSS-704:

This procedure configures LDAP for user synchronization.

.. note::

   * Configuring LDAP for user synchronization synchronizes users from the
     configured LDAP directory into VOSS Automate. These users appear at the
     hierarchy node at which the LDAP User Sync object exists. You can manage
     the users via the **User Management** menu options in the Admin Portal
     (for example, to move users to other hierarchies, or to push them to
     CUCM).
   * The **LDAP Authentication Only** check box is available only in VOSS
     Automate.
   * For LDAP server setup and authentication settings, see
     :ref:`set_up_an_ldap_server`.

.. warning::

   Setting either of the following options to **Automatic** deletes all users
   from this LDAP server, both in VOSS Automate and in the UC applications
   (application users, phones, services, and so on):

   * **User Purge Mode**
   * **User Delete Mode**

**Perform these steps**:

1. Log in as provider, reseller, or customer administrator.
2. Set the hierarchy path to the node of the LDAP server you want to
   synchronize users from.
3. Choose **LDAP Management > LDAP User Sync**.
4. Click **Add**.
5. Fill out the relevant details:

   .. tabularcolumns:: |p{4cm}|p{11cm}|

   .. list-table::
      :widths: 25 75
      :header-rows: 1

      * - Field
        - Description
      * - LDAP Server\*
        - This read-only field displays the LDAP server you are synchronizing
          users from.
      * - LDAP Authentication Only
        - Disabled by default. Leave the check box clear if you want to sync
          users from the configured LDAP directory. In this case, their
          passwords are authenticated against the configured LDAP directory.

          When enabled (check box selected), users are not synchronized from
          the configured LDAP directory; only their passwords are
          authenticated against the LDAP directory. When this setting is
          enabled, you can manually add users from the GUI or API, bulk load
          these users, or synchronize these users from Cisco Unified CM
          (CUCM).
      * - User Model Type
        - The User Model Type identifies which LDAP object, defined in the
          configured LDAP server, is used to import and authenticate users.

          If the LDAP server is Microsoft Active Directory, the default is
          ``device/ldap/user``.

          If the LDAP server is AD LDS (ADAM), this should be set to
          ``device/ldap/userProxy``.

          If the LDAP server is OpenLDAP, the default is
          ``device/ldap/inetOrgPerson``.

          To identify a non-default User Model Type to use, contact the LDAP
          server administrator.
      * - LDAP Authentication Attribute
        - The attribute used for creating an LDAP user. This value is used
          for authentication against LDAP when the **LDAP Authentication
          Only** check box is selected (see the field above).
      * - User Entitlement Profile
        - Choose the User Entitlement Profile that specifies the devices and
          services to which users synchronized from the LDAP server are
          entitled.

          The chosen entitlement profile is assigned to each synchronized
          user. It is checked during user provisioning to ensure the user's
          configuration does not exceed the allowed services and devices
          specified in the entitlement profile.
      * - User Role (default)\*
        - The default role to assign to the synced user. If no other LDAP
          Custom Role Mappings apply to the synced user, this fallback/default
          role is applied. This field is mandatory.
      * - User Move Mode
        - Indicates whether users are automatically moved to sites based on
          the filters and filter order defined in **User Management > Manage
          Filters**.
      * - User Delete Mode
        - Indicates whether users are automatically deleted from VOSS Automate
          if they are deleted from the LDAP directory. If set to automatic,
          all subscriber resources associated with the user, such as a phone,
          are also deleted.
      * - User Purge Mode
        - Indicates whether users are automatically deleted from VOSS Automate
          if they are purged from the LDAP device model. An administrator can
          remove the LDAP user from the device layer even if the user has not
          been removed from the LDAP directory.

6. Inspect the default mappings and modify them if required; see
   :ref:`user-field-mapping`.
7. Click **Save**. An LDAP synchronization is scheduled, but is not activated
   by default. See :ref:`synchronize_users_from_ldap`.

.. note::

   Some fields are *always* imported, and others are *never* imported, by
   VOSS Automate during LDAP synchronization. See :ref:`ldap_integration`.
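Because **User Delete Mode** set to **Automatic** cascades to the user's phones and services, it is worth knowing what a sync would remove before it runs. The following Python script is an added example, not VOSS Automate code, and not any VOSS API. It parses a constructed LDIF export, keeps only the object class behind the chosen User Model Type (assumed here to be ``user`` for ``device/ldap/user``, with ``sAMAccountName`` as the **LDAP Authentication Attribute**), checks that every user carries exactly one value of that attribute and that the values are unique, and then lists which existing users an Automatic delete would remove. The ``delete_mode`` handling is an assumption: only the literal value ``Automatic`` triggers deletions, anything else is treated as manual review.

```python
"""Dry-run check for an LDAP User Sync configuration (added example, not VOSS code)."""
import base64
from collections import Counter, defaultdict

# Constructed sample export; the directory, users and values are not real.
SAMPLE_LDIF = """\
# Constructed sample export, not from a real directory
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: alice

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName:: Ym9i

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: carol
description: Account with a folded
  continuation line in LDIF

dn: CN=Carol Legacy,OU=Old,DC=example,DC=test
objectClass: user
sAMAccountName: CAROL

dn: CN=No Login,OU=Staff,DC=example,DC=test
objectClass: user

dn: CN=Printer Contact,OU=Staff,DC=example,DC=test
objectClass: contact
sAMAccountName: printer
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Handles comments, blank-line record separators, folded continuation
    lines (leading space) and base64 values ("attr:: ..."). Attribute names
    are lower-cased because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF folding: drop the leading space and join
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def plan_sync(ldif_text, object_class, auth_attr, existing_users, delete_mode):
    """Report problems and what a sync would add or delete.

    object_class: LDAP object class behind the User Model Type (assumed).
    auth_attr: the LDAP Authentication Attribute, e.g. sAMAccountName.
    existing_users: identifiers already in VOSS Automate from an earlier sync.
    Identifiers are compared case-insensitively, as Active Directory does.
    """
    problems, ids = [], []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if object_class.lower() not in classes:
            continue  # e.g. a contact object: not a user, ignored by the sync
        values = entry.get(auth_attr.lower(), [])
        if len(values) != 1:
            problems.append(f"{entry['dn'][0]}: expected one {auth_attr}, found {len(values)}")
            continue
        ids.append(values[0].casefold())

    for ident, count in Counter(ids).items():
        if count > 1:  # two users with the same login attribute cannot be told apart
            problems.append(f"{auth_attr}={ident} occurs {count} times; authentication would be ambiguous")

    ldap_ids = set(ids)
    existing = {u.casefold() for u in existing_users}
    gone = sorted(existing - ldap_ids)  # in VOSS Automate but no longer in LDAP
    automatic = delete_mode == "Automatic"
    return {
        "to_add": sorted(ldap_ids - existing),
        "to_delete": gone if automatic else [],
        "needs_review": [] if automatic else gone,
        "problems": problems,
    }


if __name__ == "__main__":
    plan = plan_sync(SAMPLE_LDIF, "user", "sAMAccountName", ["alice", "dave"], "Automatic")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Run against a real export, a non-empty ``problems`` list is the signal to fix the directory or the attribute choice before saving the LDAP User Sync; a non-empty ``to_delete`` list under Automatic is exactly the set of users, and their phones and services, that the warning above refers to.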