.. _set_up_ldap_for_authentication_only:

Set up LDAP for Authentication Only
-----------------------------------

This procedure sets up LDAP for authentication only in VOSS Automate.

.. note::

   Users can be added locally or synced from Cisco Unified CM (CUCM):

   ==================================== =============================================================
   LDAP authenticated, by default       * Users that are LDAP synced in CUCM and then synced into
                                          VOSS Automate
   By default, not LDAP authenticated   * Users that are manually configured in CUCM and then synced
                                          into VOSS Automate
                                        * Users who are manually configured in VOSS Automate
   ==================================== =============================================================

   You can change the default behavior, as described in *View and Update LDAP Authentication Users*.

*LDAP for Authentication Only* is available at hierarchy nodes that have an LDAP server; thus, it is
not available for users created at the site level.

When enabled, you must fill out the **CUCM LDAP Directory Name** for the LDAP server. If two or more
LDAP server syncs have been created and you don't provide this detail, no LDAP users are created, and
the transaction log displays a warning message.

**To set up LDAP for authentication only**:

1. Log in as provider, reseller, or customer administrator.
2. Set the hierarchy path to the node where you have set up the LDAP server you want to use to
   authenticate users.
3. Choose **LDAP Management > LDAP User Sync**.
4. Click **Add**.
5. Fill out the relevant details:

   .. tabularcolumns:: |p{3cm}|p{12cm}|

   +---------------------+------------------------------------------------+
   | Field               | Description                                    |
   +=====================+================================================+
   | LDAP Server         | Choose the LDAP Server where you are           |
   |                     | authenticating users.                          |
   +---------------------+------------------------------------------------+
   |                     | Disabled by default.                           |
   |                     | When disabled, users are synced from the       |
   |                     | configured LDAP directory and their passwords  |
   |                     | are authenticated against the configured LDAP  |
   |                     | directory.                                     |
   |                     |                                                |
   | LDAP Authentication | When enabled, the LDAP server is used only to  |
   | Only                | authenticate users. When selected:             |
   |                     |                                                |
   |                     | * The **CUCM LDAP Directory Name** for the     |
   |                     |   LDAP server must be filled in. When more     |
   |                     |   than one LDAP server sync is created and     |
   |                     |   this is not filled in, no LDAP users will    |
   |                     |   be created and a warning message will be     |
   |                     |   seen in the transaction log.                 |
   |                     | * Users are not synced from the configured     |
   |                     |   LDAP directory, but their passwords are      |
   |                     |   authenticated against the LDAP directory.    |
   |                     | * You can manually add users from the GUI or   |
   |                     |   API, bulk load them, or sync them from       |
   |                     |   Unified CM.                                  |
   +---------------------+------------------------------------------------+
   |                     | Read-only. Identifies the LDAP object (defined |
   | User Model Type     | in the configured LDAP server), used to        |
   |                     | authenticate users.                            |
   +---------------------+------------------------------------------------+
   |                     | Choose the LDAP Attribute to be used to        |
   |                     | authenticate users. This field is mandatory.   |
   |                     | Options are:                                   |
   |                     |                                                |
   |                     | * sAMAccountName - AD only, this is the        |
   |                     |   default for AD.                              |
   |                     | * uid - OpenLDAP only, this is the default     |
   |                     |   for OpenLDAP.                                |
   |                     | * mail                                         |
   |                     | * employeeNumber                               |
   |                     | * telephoneNumber                              |
   |                     | * userPrincipalName - AD or hybrid (with MS)   |
   |                     |                                                |
   |                     | These are the same values Unified CM uses      |
   |                     | for LDAP Attribute for User ID.                |
   |                     |                                                |
   |                     | AD (Active Directory) only:                    |
   |                     |                                                |
   |                     | For the following types of users, do not       |
   |                     | select userPrincipalName, unless the           |
   | LDAP Authentication | userPrincipalName value was set as the         |
   | Attribute           | Username when the user was created:            |
   |                     |                                                |
   |                     | * Users created using the VOSS Automate GUI    |
   |                     | * Users created using the VOSS Automate API    |
   |                     | * Users bulk loaded into VOSS Automate         |
   |                     | * Users manually created in Unified CM and     |
   |                     |   synced into VOSS Automate                    |
   |                     |                                                |
   |                     | Caveats (AD and OpenLDAP)                      |
   |                     |                                                |
   |                     | For users synced from LDAP into Unified CM     |
   |                     | and then into VOSS Automate:                   |
   |                     |                                                |
   |                     | * We strongly recommend selecting the same     |
   |                     |   LDAP Authentication Attribute as Unified     |
   |                     |   CM uses for LDAP Attribute for User ID.      |
   |                     | * If you sync users into Unified CM using      |
   |                     |   attributes other than sAMAccountName/uid,    |
   |                     |   do not choose sAMAccountName/uid.            |
   |                     |                                                |
   |                     | If you sync users from LDAP into CUCM using    |
   |                     | employeeNumber, choose employeeNumber for the  |
   |                     | LDAP Authentication Attribute. However, for    |
   |                     | LDAP authentication to work properly, one of   |
   |                     | these conditions must be met:                  |
   |                     |                                                |
   |                     | * Before syncing users from CUCM to VOSS       |
   |                     |   Automate, set the Employee Number field on   |
   |                     |   the CUCM Server FieldMapping tab to userid.  |
   |                     | * Define the LDAP for Authentication Only      |
   |                     |   sync before syncing users from CUCM into     |
   |                     |   VOSS Automate.                               |
   +---------------------+------------------------------------------------+

6. Click **Save**.

   All users that have ``SyncToHierarchy`` set to the hierarchy of the LDAP server now use the LDAP
   server for authentication. The users are added to the LDAP Authentication Users list.
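The following is an added, illustrative example of what an "authentication only" flow does with the
LDAP Authentication Attribute chosen in step 5; it is not VOSS Automate's implementation. It resolves
the login name through the selected attribute, requires exactly one match, and then binds as the
resolved DN with the supplied password. A small in-memory class stands in for the LDAP server so the
module runs offline; the directory entries, DNs and passwords are constructed sample data, and the
function and constant names are this example's own. It also shows why the attribute must match how
the username was stored (a sAMAccountName login checked against userPrincipalName finds nothing),
why the login name must be escaped before it goes into the search filter, and why an empty password
must be refused before the bind (RFC 4513 treats DN plus empty password as an unauthenticated bind
that many servers accept).

```python
"""Illustrative LDAP 'authentication only' flow (added example, not VOSS
Automate code): resolve the login name through the chosen LDAP
Authentication Attribute, then bind as the resolved DN with the user's
password. An in-memory stand-in replaces the LDAP server so the module
runs offline; the entries below are constructed sample data."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use in a search filter (RFC 4515 section 3).
    Unescaped, a login name such as 'j*' would become a wildcard match."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>[^()]*)\)$")

# Constructed AD-style sample entries (hypothetical accounts, not real data).
SAMPLE_ENTRIES = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jane.doe@example.com",
        "mail": "jane.doe@example.com",
        "employeeNumber": "1001",
        "_password": "CorrectHorse1",
    },
    "CN=Bob Smith,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "bsmith",
        "userPrincipalName": "bob.smith@example.com",
        "mail": "bob.smith@example.com",
        "employeeNumber": "1002",
        "_password": "BatteryStaple2",
    },
}


class FakeLdapServer:
    """Models the two directory operations the flow needs: search and simple bind."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, filter_str: str) -> list:
        m = _EQUALITY.match(filter_str)
        if not m:
            raise ValueError("only (attr=value) filters are modelled")
        attr = m.group("attr").lower()  # attribute names are case-insensitive
        # A bare '*' in the value is a substring wildcard, as on a real server.
        parts = [re.escape(_unescape(p)) for p in m.group("val").split("*")]
        pattern = re.compile(".*".join(parts))
        return [dn for dn, entry in self.entries.items()
                if any(k.lower() == attr and pattern.fullmatch(v)
                       for k, v in entry.items() if not k.startswith("_"))]

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a DN with an empty password is an
        # *unauthenticated* bind. Many servers return success (as anonymous),
        # so a caller that forwards an empty password would 'authenticate' anyone.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["_password"] == password


OK, NO_MATCH, AMBIGUOUS, EMPTY_PASSWORD, BAD_PASSWORD = (
    "ok", "no entry matched", "more than one entry matched",
    "empty password refused", "bind failed",
)


def authenticate(server, attribute: str, username: str, password: str):
    """Return (success, reason). `attribute` is the LDAP Authentication
    Attribute (sAMAccountName, uid, mail, employeeNumber, telephoneNumber or
    userPrincipalName); `username` is the name the user types at login."""
    if password == "":
        return False, EMPTY_PASSWORD   # never forward an unauthenticated bind
    matches = server.search(f"({attribute}={escape_filter_value(username)})")
    if not matches:
        return False, NO_MATCH         # login name is not stored in that attribute
    if len(matches) > 1:
        return False, AMBIGUOUS        # refuse to guess which DN to bind as
    if not server.bind(matches[0], password):
        return False, BAD_PASSWORD
    return True, OK


if __name__ == "__main__":
    srv = FakeLdapServer(SAMPLE_ENTRIES)
    # Attribute matches how the username is stored: succeeds.
    print(authenticate(srv, "sAMAccountName", "jdoe", "CorrectHorse1"))
    # Username is a sAMAccountName but the attribute is userPrincipalName:
    # the caveat from the table above, no entry is found.
    print(authenticate(srv, "userPrincipalName", "jdoe", "CorrectHorse1"))
```

The same mismatch is what the table warns about for users created in the GUI, the API, bulk loads or
manually in Unified CM: their stored Username is usually the sAMAccountName or uid, so selecting
userPrincipalName as the attribute makes the lookup fail even though the password is right. With a
real client library the two calls would be a search followed by a simple bind on the returned DN; the
checks around them (escaping, exactly one match, non-empty password) are the part worth keeping.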