.. _ldap_integration: LDAP Integration ---------------- .. _19.3.4|VOSS-704: .. _21.2|EKB-10651: Overview ........... The table describes two scenarios for LDAP integration in VOSS Automate: ======================================== =========================================================== LDAP sync and authentication * Users are synced in from LDAP. * LDAP authenticates these users. * LDAP user sync is available for Active Directory (AD) and OpenLDAP. LDAP authentication-only (standalone) * Users are added locally or are synced in from CUCM. * LDAP authenticates these users. * Not available for OpenLDAP. * Requires VOSS Automate version 10.6(3) or later. ======================================== =========================================================== .. note:: * VOSS Automate provides LDAP server support for case-insensitive search base DNs. For example, on an LDAP server, the following search base DNs are equal: * CN=Users,DC=example,DC=com * cn=Users,dc=example,dc=com LDAP Authentication ..................... LDAP authentication works as follows: 1. User provides their credentials in the VOSS Automate system Login page. 2. Authentication request is sent to the relevant LDAP server(s), based on the user's authentication setup: =================================== ================================================================= Default authentication setup Matching username and password * VOSS Automate username and password must match the username and password in the LDAP server (based on the LDAP field chosen for *username*). * Once authenticated, the LDAP username is mapped to VOSS Automate user to determine access, role, and so on. Alternative authentication setup Non-matching username and password VOSS Automate supports authentication for mapping non-matching usernames. This is useful where the username in VOSS Automate and the UC apps is different to the username in LDAP. For example, if the LDAP username is bobsmith but the username in VOSS Automate is bsmith, then choose LDAP as the authentication type and set the LDAP username (bobsmith in this case) to match the username of bsmith in VOSS Automate. You would do this via the LDAP authentication attribute, such as sAMAccountName, mail, or userPrincipalName (which define the field where the username is sourced from, and which is used to authenticate the user.) =================================== ================================================================= .. note:: For LDAP authentication, the password rules of the VOSS Automate credential policy don't apply as the password is managed in the LDAP directory. Other credential policy rules are applied (such as session length), as these are managed in VOSS Automate. LDAP Sync Scenarios (Top-Down and Bottom-Up) ............................................. VOSS Automate supports two LDAP user sync scenarios: Top-Down or Bottom-Up: .. note:: While it is possible to have different LDAP sync types at different parts of the hierarchy, it is recommended that you run either Top-Down or Bottom-Up LDAP syncs. .. tabularcolumns:: |p{5cm}|p{10cm}| +----------------+------------------------------------------------------+ | Sync scenario | Description | +================+======================================================+ | Top-Down | Users are synced *directly* from the LDAP directory. | | | | | | User data is sourced from one or more | | | LDAP directories. | | | | | | This setup defines how users are matched to be | | | pulled in (for example, OU definition, LDAP filter, | | | field filters, etc). It also provides the best | | | scenario for the flow-through provisioning | | | functionality. | +----------------+------------------------------------------------------+ | Bottom-Up | Users are synced *indirectly* from the LDAP | | | directory, that is, where applications are | | | integrated and syncing the users from the LDAP | | | directory. For example, the system syncs via the | | | CUCM, which is syncing to LDAP. | +----------------+------------------------------------------------------+ .. note:: In a Top-Down or Bottom-Up LDAP sync, a system configuration template sets the CUCM (LDAP) user's identity field (``userIdentity``) to the user principal name (UPN), ``userPrincipalName``, if it exists; otherwise it uses the email address. This is useful where a user has a different email address to the UPN and needs to be correctly mapped following a LDAP sync, and then the user is moved to a site. .. _ldap-sync-lists: LDAP Sync Lists ................ The table describes, for LDAP sync, LDAP sync lists, arranged in override order: ========================================= ================================================================= 1. *Always synced list* Fields required to list LDAP Users on the GUI 2. *Drop Field List* Fields never imported from LDAP 3. *Data Sync Blacklist* A change in these fields does not trigger an update 4. *Model Type List* From the LDAP data sync. Set up and used in scheduled syncs 5. *LDAP Sync List* (manual or from CFT) Fields to be imported from LDAP as set up with the LDAP server ========================================= ================================================================= Always Synced List '''''''''''''''''' The following fields are always synced in an LDAP sync as their values are required to list LDAP users on the GUI: =================== =========================== Column Name Field Name =================== =========================== Cn ``cn`` Uid ``uid`` Description ``description`` Mail ``mail`` User Principal Name ``userPrincipalName`` SAM Account Name ``sAMAccountName`` =================== =========================== Drop Field List '''''''''''''''' Any items in the LDAP Sync List from ``DROP_FIELD_LIST`` are excluded from the sync. This list is read-only. :: DROP_FIELD_LIST=[ 'photo', 'jpegPhoto', 'audio', 'thumbnailLogo', 'thumbnailPhoto', 'userCertificate', 'logonCount', 'adminCount', 'lastLogonTimestamp', 'whenCreated', 'uSNCreated', 'badPasswordTime', 'pwdLastSet', 'lastLogon', 'whenChanged', 'badPwdCount', 'accountExpires', 'uSNChanged', 'lastLogoff', 'dSCorePropagationData' ] Data Sync Blacklist ''''''''''''''''''''' .. raw:: latex See Data Sync Blacklist in the Advanced Configuration Guide. .. raw:: html

See Data Sync Blacklist

An LDAP Sync List won't override any of the Data Sync Blacklist attributes (default or custom) in ``data/Settings``. That is, for fields that appear in both the LDAP Sync List and in the Data Sync Blacklist, where the field value is different on the LDAP server, the LDAP sync won't trigger any update for the LDAP entity during a sync. Model Type List '''''''''''''''''' Given an existing LDAP server with a LDAP Sync List configured, when executing a data sync against the LDAP server, the *existing Model Type List functionality* from the LDAP data sync is maintained and takes precedence over the LDAP Sync List. See: * :ref:`create_a_targeted_model_type_list` * :ref:`controlling_a_data_sync_with_a_model_type_list` LDAP Sync List '''''''''''''''' A new LDAP server or one that existed in the system prior to release 19.3.4 allows you to choose the **LDAP Sync List Option**: * No sync list * Create sync list manually * Create sync list from template The configuration template (CFT) can also be created and applied to a server. See :ref:`LDAP-sync-cft`. .. important:: Besides the sync override order indicated above, manual or template sync lists are bound by the following considerations: * If no sync list is set up, LDAP sync is not affected by this list. * When updating the default sync list (or any sync list you choose), a full sync is required (during the next scheduled, or a manual sync). See the **Sync and Purge** menu, and for more information about data sync and data sync cache, see :ref:`data_sync_types`. Until a full LDAP user import is performed, user details are updated in the local cache (when opening a management page). For these reasons, it is recommended that such updates and syncs should be scheduled for off-peak times, particularly where a large number of users requires a large sync. * For users targeted for Cisco-based services, a field must be mapped to the surname field for users. It is therefore important to include a field in the Sync List that is mapped to the 'surname' field, typically ``sn``. For details on the LDAP Sync List on the LDAP server, see: :ref:`set_up_an_ldap_server`. .. note:: By default LDAP user details shown on the GUI display all ``device/ldap/user`` fields. It is recommended that you create a FDP for ``device/ldap/user`` to contain *only* the fields from your LDAP Sync List in order to view LDAP user details according to your configuration. .. _LDAP-sync-cft: LDAP Sync List Configuration Templates ....................................... Administrators can clone the default sync list Configuration Templates (CFTs) to a hierarchy, and modify them for use during initial LDAP server setup. Modified CFTs are available at the hierarchy on the **Sync List** tab (from the **LDAP Sync List Template** drop-down). Two default CFTs are provided. Both can be cloned: * **Ldap Sync List Microsoft Active Directory** * **Ldap Sync List Open Ldap** The table describes the default CFT fields: ========================================= ========================================= Ldap Sync List Microsoft Active Directory Ldap Sync List Open Ldap ----------------------------------------- ----------------------------------------- Model Type: ``device/ldap/user`` Model Type: ``device/ldap/InetOrgPerson`` ========================================= ========================================= ``sAMAccountName`` ``uid`` ``mail`` ``mail`` ``givenName`` ``givenName`` ``sn`` ``sn`` ``title`` ``title`` ``department`` ``departmentNumber`` ``displayName`` ``displayName`` ``employeeNumber`` ``employeeNumber`` ``employeeType`` ``employeeType`` ``homePhone`` ``homePhone`` ``ipPhone`` ``telephoneNumber`` ``telephoneNumber`` ``mobile`` ``mobile`` ``otherMailbox`` ``facsimileTelephoneNumber`` ``facsimileTelephoneNumber`` ``l`` ``l`` ``c`` ``streetAddress`` ``st`` ``street`` ``postalCode`` ``postalCode`` ``physicalDeliveryOfficeName`` ``physicalDeliveryOfficeName`` ``manager`` ``manager`` ``memberOf`` ``memberOf`` ``objectClass`` ``objectClass`` ``o`` ``o`` ``ou`` ``ou`` ========================================= ========================================= If new LDAP attribute names are added to the cloned CFT and modified on the GUI, type the names in. Initially, all attribute names are imported. The full attribute list and naming is available on the GUI **Sync List** tab from the default sync list for the server. See: :ref:`set_up_an_ldap_server`. Enter a descriptive name for the cloned CFT, which will then show in the hierarchy on the drop-down list of **Sync List** CFTs that are available when you modify an LDAP server or create a new server. Multiple LDAP Organization Units Per Hierarchy ................................................... Large corporations and institutions with multiple domains or agencies may require more than one LDAP Organizational Unit (OU) to be configured at a hierarchy. VOSS Automate allows for multiple LDAP OUs at a hierarchy by providing for a *unique combination* of the following LDAP server properties at the hierarchy: * IP address * Port * search base DN Multiple search base DNs can therefore be configured at the *same hierarchy* for different organizations within the same company, so that administrators and self-service users can successfully authenticate. For example: LDAP server setup: +---------+------+---------------------------------------+-------------------+ | IP | Port | Search base DN | Hierarchy | +=========+======+=======================================+===================+ | 1.2.3.4 | 389 | ou=SharedOUA,dc=voss-solutions,dc=com | Provider.Customer | +---------+------+---------------------------------------+-------------------+ | 1.2.3.4 | 389 | ou=SharedOUB,dc=voss-solutions,dc=com | Provider.Customer | +---------+------+---------------------------------------+-------------------+ Users: * userA: ou=SharedOUA,dc=voss-solutions,dc=com * userB: ou=SharedOUB,dc=voss-solutions,dc=com