LDAP Integration¶
The table describes two purposes of a LDAP server integration with VOSS Automate:
LDAP sync and authentication |
Sync users from LDAP into VOSS Automate and use LDAP to authenticate users. |
Standalone (LDAP authentication only) |
LDAP authenticates users in VOSS Automate (locally added users, or users synced from CUCM). |
Note
Standalone LDAP authentication only is not available for OpenLDAP.
LDAP authentication-only requires VOSS Automate 10.6(3) or later.
VOSS Automate supports LDAP server support for case-insensitive search base DNs. For example, on an LDAP server, the following search base DNs are equal:
CN=Users,DC=example,DC=com
cn=Users,dc=example,dc=com
LDAP Authentication¶
The user provides their credentials at the VOSS Automate Login page.
An authentication request is sent to the appropriate LDAP server(s), based on the user’s authentication setup.
Default authentication setup |
|
Alternative authentication setup |
VOSS Automate allows an authentication setup where non-matching usernames may be mapped. This is useful where the username in VOSS Automate and the UC apps is different to the username in LDAP. |
When using LDAP Authentication, the password rules of the VOSS Automate credential policy do not apply because the password is managed in the directory. Other credential policy rules are applied (such as session length), as these are managed in VOSS Automate.
Top Down and Bottom Up LDAP Sync Scenarios¶
LDAP user synchronization is available for Active Directory (AD) and OpenLDAP.
The table describes the two supported LDAP user sync scenarios:
Sync scenario |
Description |
|---|---|
Top-Down Bottom-Up |
Users are synced directly from the LDAP directory. User data is sourced from one or more LDAP directories. This setup defines how users are matched to be pulled in (for example, OU definition, LDAP filter, field filters, etc). It also provides the best scenario for the flow-through provisioning functionality. Users are synced indirectly from the LDAP directory, that is, where applications are integrated and syncing the users from the LDAP directory. For example, the system syncs via the CUCM, which is syncing to LDAP. |
Note
In a top-down or bottom-up LDAP sync, a system configuration template sets the CUCM (LDAP)
user’s identity field (userIdentity) to the user principal name (UPN), userPrincipalName,
if it exists; otherwise it uses the email address. This is useful where a user has a
different email address to the UPN and needs to be correctly mapped following a LDAP sync and then
the user is moved to a site.
LDAP Sync Lists¶
The table describes, for LDAP sync, LDAP sync lists, arranged in override order:
|
Fields required to list LDAP Users on the GUI |
|
Fields never imported from LDAP |
|
A change in these fields does not trigger an update |
|
From the LDAP data sync. Set up and used in scheduled syncs |
|
Fields to be imported from LDAP as set up with the LDAP server |
Always Synced List¶
The table describes fields that are always synced :
Note
These field values are required to list LDAP users on the GUI.
Column Name |
Field Name |
|---|---|
Cn |
|
Uid |
|
Description |
|
|
|
User Principal Name |
|
SAM Account Name |
|
Drop Field List¶
If any items in the LDAP Sync List are contained in the DROP_FIELD_LIST below, these are not
synced, since they are not considered during any sync. This list is fixed in the
system and is not configurable:
DROP_FIELD_LIST=[
'photo',
'jpegPhoto',
'audio',
'thumbnailLogo',
'thumbnailPhoto',
'userCertificate',
'logonCount',
'adminCount',
'lastLogonTimestamp',
'whenCreated',
'uSNCreated',
'badPasswordTime',
'pwdLastSet',
'lastLogon',
'whenChanged',
'badPwdCount',
'accountExpires',
'uSNChanged',
'lastLogoff',
'dSCorePropagationData'
]
Data Sync Blacklist¶
Refer to Data Sync Blacklist
An LDAP Sync List will not override any of the Data Sync Blacklist attributes - default or custom - in data/Settings.
In other words, if a field is in both the LDAP Sync List and the Data Sync Blacklist and the field value is
different on LDAP server, then when syncing the LDAP server, the LDAP sync will not trigger any update for the LDAP
entity during sync.
Model Type List¶
Given an existing LDAP server with a LDAP Sync List configured, when executing a data sync against the LDAP server, the existing Model Type List functionality from the LDAP data sync is maintained and takes precedence over the LDAP Sync List.
See:
LDAP Sync List¶
A new LDAP server or one that existed in the system prior to release 19.3.4 allows you to choose the LDAP Sync List Option:
No sync list
Create sync list manually
Create sync list from template
The configuration template (CFT) can also be created and applied to a server. See LDAP Sync List Configuration Templates.
Important
Besides the sync override order indicated above, manual or template sync lists are bound by the following considerations:
If no sync list is set up, LDAP sync is not affected by this list.
When updating the default sync list (or any sync list you choose), a full sync is required (during the next scheduled, or a manual sync). See the Sync and Purge menu, and for more information about data sync and data sync cache, see Data Sync Types.
Until a full LDAP user import is performed, user details are updated in the local cache (when opening a management page).
For these reasons, it is recommended that such updates and syncs should be scheduled for off-peak times, particularly where a large number of users requires a large sync.
For users targeted for Cisco-based services, a field must be mapped to the surname field for users. It is therefore important to include a field in the Sync List that is mapped to the ‘surname’ field, typically
sn.
For details on the LDAP Sync List on the LDAP server, see: Configure LDAP Server for Integration.
Note
By default LDAP user details shown on the GUI display all device/ldap/user
fields. It is recommended that you create a FDP
for device/ldap/user to contain only the fields
from your LDAP Sync List in order to view LDAP user details
according to your configuration.
LDAP Sync List Configuration Templates¶
Administrators can clone the default sync list Configuration Templates (CFTs) to a hierarchy, and modify them for use during initial LDAP server setup. Modified CFTs are available at the hierarchy on the Sync List tab (from the LDAP Sync List Template drop-down).
Two default CFTs are provided. Both can be cloned:
Ldap Sync List Microsoft Active Directory
Ldap Sync List Open Ldap
The table describes the default CFT fields:
Ldap Sync List Microsoft Active Directory |
Ldap Sync List Open Ldap |
|---|---|
Model Type: |
Model Type: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If new LDAP attribute names are added to the cloned CFT and modified on the GUI, type the names in. Initially, all attribute names are imported. The full attribute list and naming is available on the GUI Sync List tab from the default sync list for the server. See: Configure LDAP Server for Integration.
Enter a descriptive name for the cloned CFT, which will then show in the hierarchy on the drop-down list of Sync List CFTs that are available when you modify an LDAP server or create a new server.
Multiple LDAP Organization Units Per Hierarchy¶
Large corporations and institutions with multiple domains or agencies may require more than one LDAP Organizational Unit (OU) to be configured at a hierarchy.
VOSS Automate allows for multiple LDAP OUs at a hierarchy by providing for a unique combination of the following LDAP server properties at the hierarchy:
IP address
Port
search base DN
Multiple search base DNs can therefore be configured at the same hierarchy for different organizations within the same company, so that administrators and self-service users can successfully authenticate. For example:
LDAP server setup:
IP |
Port |
Search base DN |
Hierarchy |
|---|---|---|---|
1.2.3.4 |
389 |
ou=SharedOUA,dc=voss-solutions,dc=com |
Provider.Customer |
1.2.3.4 |
389 |
ou=SharedOUB,dc=voss-solutions,dc=com |
Provider.Customer |
Users:
userA: ou=SharedOUA,dc=voss-solutions,dc=com
userB: ou=SharedOUB,dc=voss-solutions,dc=com