.. _set_up_ldap_for_user_synchronization:

LDAP User Sync
------------------

.. _19.1.2|VOSS-541:
.. _20.1.1|VOSS-551:
.. _19.3.4|VOSS-704:
.. _21.3-PB2|EKB-13265:

Overview
..........

You will need to set up an LDAP user sync to sync in users from a specified
LDAP directory into VOSS Automate.

Users synced in from LDAP appear at the hierarchy node where the LDAP user sync
object exists. Once synced in, you can manage these users (via the User
Management menu in VOSS Automate). For example, you may want to move users to
other hierarchies, or to push users to CUCM.

During an LDAP sync:

* Some fields are always imported to VOSS Automate
* Some fields are not imported into VOSS Automate

For details, see :ref:`ldap_integration`.


Delete or Retain Associated Accounts at User Sync
...................................................

You can configure (via **Customizations > Global Settings**) the LDAP user sync
to delete or retain Cisco (CUCM) subscriber voicemail and Webex accounts when
running syncs after deleting the subscriber.

* On the **Webex App** tab of the Global Settings, choose whether to retain or
  delete the Webex app account.
* On the **Voicemail** tab of the Global Settings, choose whether to retain or
  delete the voicemail account.


.. rubric:: Related Topics

* For details around LDAP server setup and authentication settings, see
  :ref:`set_up_an_ldap_server`
* :ref:`global-settings`


Add an LDAP Sync
.................

This procedure adds an LDAP sync to prepare for synching users in from LDAP to
VOSS Automate.

.. warning::

   When configuring the LDAP sync, take care when setting the following options
   to **Automatic**, as this will delete all users from this LDAP server in
   VOSS Automate, as well as the UC application users, phones, services, and
   so on:

   * **User Purge Mode**
   * **User Delete Mode**


**Perform these steps**:

1. Log in as Provider, Reseller, or Customer administrator.
2. Set the hierarchy path to the node of the LDAP server you want to
   synchronize users from.
3. Go to (default menus) **LDAP Management > LDAP User Sync**.
4. Click **Add**.
5. Fill out details for the sync:

   .. tabularcolumns:: |p{4cm}|p{11cm}|

   +---------------------+-------------------------------------------------------+
   | Field               | Description                                           |
   +=====================+=======================================================+
   | LDAP Server         | Mandatory. The LDAP server you're synching from.      |
   +---------------------+-------------------------------------------------------+
   | LDAP Authentication | This setting is available only in VOSS Automate, and  |
   | Only                | is disabled by default.                               |
   |                     |                                                       |
   |                     | Leave unchecked (clear) to sync in users from LDAP    |
   |                     | (from a predefined LDAP directory). In this case,     |
   |                     | the user passwords are authenticated against this     |
   |                     | LDAP directory.                                       |
   |                     |                                                       |
   |                     | Select this checkbox (enable) to prevent user sync    |
   |                     | from the predefined LDAP directory. In this case:     |
   |                     |                                                       |
   |                     | * Only the users' passwords are authenticated against |
   |                     |   the LDAP directory                                  |
   |                     | * You can add users manually via the GUI, API, bulk   |
   |                     |   load, or sync users in from CUCM.                   |
   +---------------------+-------------------------------------------------------+
   | User Model Type     | Defines the LDAP object (from the configured LDAP     |
   |                     | server), and is used to import and authenticate       |
   |                     | users.                                                |
   |                     |                                                       |
   |                     | * When LDAP server is Microsoft Active Directory,     |
   |                     |   the default is ``device/ldap/user``.                |
   |                     | * When LDAP server is AD LDS (ADAM), set to           |
   |                     |   ``device/ldap/userProxy``.                          |
   |                     | * When LDAP server is OpenLDAP, the default           |
   |                     |   is ``device/ldap/inetOrgPerson``.                   |
   |                     |                                                       |
   |                     | Contact the LDAP server administrator if you need to  |
   |                     | identify a non-default User Model Type to use.        |
   +---------------------+-------------------------------------------------------+
   | LDAP Authentication | The attribute used for creating an LDAP user.         |
   | Attribute           | This value is used for LDAP authentication            |
   |                     | against LDAP when **LDAP Authentication Only**        |
   |                     | is enabled.                                           |
   +---------------------+-------------------------------------------------------+

   .. tabularcolumns:: |p{4cm}|p{11cm}|

   +------------------+-------------------------------------------------------+
   | User Entitlement | Choose the User Entitlement Profile that specifies    |
   | Profile          | the devices and services to which users synced in     |
   |                  | from the LDAP server are entitled.                    |
   |                  |                                                       |
   |                  | The chosen entitlement profile is assigned to each    |
   |                  | synced in user. It is checked during user             |
   |                  | provisioning to ensure the user's configuration does  |
   |                  | not exceed the allowed services and devices specified |
   |                  | in the entitlement profile.                           |
   +------------------+-------------------------------------------------------+
   | User Role        | The default role to assign to the synced user (if no  |
   | (default)\*      | other LDAP Custom Role Mappings are applicable for    |
   |                  | the synced user, then this fallback/default role will |
   |                  | be applied). This field is mandatory.                 |
   +------------------+-------------------------------------------------------+
   | User Move Mode   | Defines whether users are automatically               |
   |                  | moved to sites based on the filters and               |
   |                  | filter order defined in **User Management >           |
   |                  | Manage Filters**.                                     |
   +------------------+-------------------------------------------------------+
   | User Delete Mode | Defines whether users are automatically               |
   |                  | deleted from VOSS Automate if they are deleted        |
   |                  | from the LDAP directory. If set to automatic,         |
   |                  | all subscriber resources associated with the          |
   |                  | user, such as a phone, are also deleted.              |
   +------------------+-------------------------------------------------------+
   | User Purge Mode  | Defines whether users are automatically               |
   |                  | deleted from VOSS Automate if they are purged         |
   |                  | from the LDAP device model. An administrator          |
   |                  | can remove the LDAP user from the device              |
   |                  | layer even if the user has not been removed           |
   |                  | from the LDAP directory.                              |
   +------------------+-------------------------------------------------------+

6. Inspect the default mappings and modify if required, see
   :ref:`user-field-mapping`.
7. Click **Save**. An LDAP sync is added, and is inactive by default. See
   :ref:`synchronize_users_from_ldap`.
8. In the Global Settings, define whether to retain or delete associated Webex
   and/or voicemail accounts in the user sync that runs after deleting a
   subscriber. See topic Global Settings (Webex App tab, Voicemail tab).


.. rubric:: Related Topics

* .. raw:: latex

     Global Settings in the Core Feature Guide

  .. raw:: html

     Global Settings (Phones tab)