
Model: data/Ldap

LDAP Device Connection

LDAP device connections are used in VOSS-4-UC for:

An OpenLDAP server needs to support UUID / RFC 4530.

This section covers configuration of LDAP device connections.

LDAP Filters and Sync

Functionality is available to filter all list requests to the LDAP server by means of a specified search filter. The filter can be seen in the transaction log of an LDAP sync transaction. For example, if a simple search filter is added as follows:

(ipPhone=*)

then the logical AND of this filter with the default filter shows in the transaction log, for example as:

(&(&(objectClass=top)(objectClass=shadowAccount))(ipPhone=*))

The logical AND is applied to any filter that follows the syntax specified in RFC 2254.

Some examples:

If the filter contains an error, then the transaction will fail and the transaction log will indicate that there was a filter error.

Resources not matching any subsequent filter that is applied in a sync will be purged locally in VOSS-4-UC. This functionality is in keeping with the standard sync behavior.
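The following is an added example, not code from VOSS-4-UC, showing how a configured search filter is ANDed with the default filter exactly as the transaction log above shows, and how a malformed filter (which would otherwise fail the sync transaction) can be caught first with a small RFC 2254 syntax check. The default filter used here is the one quoted in the text; a real deployment's default may differ.

```python
# Added example: RFC 2254 filter syntax check plus the AND-combination shown
# in the sync transaction log. DEFAULT_FILTER is taken from the text above.
DEFAULT_FILTER = "(&(objectClass=top)(objectClass=shadowAccount))"


def _parse(s: str, i: int) -> int:
    """Parse one '(' filtercomp ')' starting at s[i]; return index after ')'.
    Raises ValueError on a syntax error."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":            # and / or: one or more nested filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise ValueError("empty filter list")
    elif s[i] == "!":           # not: exactly one nested filter
        i = _parse(s, i + 1)
    else:                       # item: attr[op]=value, no bare parentheses
        j = i
        while j < len(s) and s[j] not in "()":
            j += 1
        item = s[i:j]
        if "=" not in item or not item.split("=", 1)[0].rstrip("~<>:"):
            raise ValueError(f"bad filter item {item!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1


def is_valid_filter(f: str) -> bool:
    """True when f is a well-formed RFC 2254 filter string (nothing trailing)."""
    try:
        return _parse(f, 0) == len(f)
    except ValueError:
        return False


def combine_with_default(search_filter: str, default: str = DEFAULT_FILTER) -> str:
    """AND the configured search filter with the default, as the sync does.
    Rejects a malformed filter up front instead of failing the transaction."""
    if not is_valid_filter(search_filter):
        raise ValueError(f"invalid search filter: {search_filter!r}")
    return f"(&{default}{search_filter})"
```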

Create a LDAP Device Connection

  1. Choose the hierarchy node the LDAP server will be associated with.
  2. Choose Network Administration > LDAP Device to open the LDAP device list view, showing the existing LDAP devices (if configured).
  3. Click Add on the button bar.
  4. On the Base tab, as a minimum requirement enter the mandatory LDAP device details.
  5. If required, add a Search Filter to apply. This filter is combined with the default filter as a logical AND filter criterion and is applied when a Data Sync is carried out with an LDAP device. The applied filter can be seen in the Transaction log of a Data Sync.
  6. On the Authentication Attribute tab, specify the LDAP object that contains the LDAP users and the attribute of this user object that is specified as the user name in the login screen. Note that it is not necessary to carry out an LDAP sync and schema import to add Authentication Attributes. For example, the LDAP object can simply be entered (even if these are drop-downs) as device/ldap/User and the value sAMAccountName as authentication attributes without first syncing or importing the LDAP server. However, while the attributes can be specified without syncing or importing the LDAP server, it should be noted that LDAP authentication will only be successful after at least a schema import. Furthermore, changes to the LDAP authentication attributes only take effect when the system is restarted.
  7. On the Connection Security tab:
    1. Encryption method - From the drop-down list, choose either No Encryption, Use SSL Encryption (ldaps://), or Use StartTLS Extension. VOSS-4-UC supports version three with an extension for TLS as per RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security.
    2. In the Certificate Validation section, check the Trust All check box (if required) to make sure that the system will not check whether the server's certificate is trusted. If the Trust All check box is not selected, the LDAP server's SSL certificate will be validated against the selected Server Root Certificate. If no root certificate is specified, validation will be done against any existing trusted CA certificates. Server root certificate files must be pre-loaded as part of the system configuration by using the Files menu option from Network Administration > SSO. Uploaded files are available from the Server Root Certificate drop-down list.
  8. Click Save on the button bar when complete.

Test the connection with the specified LDAP device. Use the Test Connection button on the detail form view of the added device. VOSS-4-UC does an LDAP bind using the specified connection parameters.
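As an added example (not VOSS-4-UC's own code), the function below maps the Connection Security settings from step 7 to what a bind would actually do on the wire: cleartext for No Encryption, an implicit TLS session for ldaps://, or the RFC 2830 StartTLS extended operation, with certificate validation disabled by Trust All, pinned to an uploaded root certificate, or left to the system's trusted CAs. The `TlsPlan` type and `plan_connection` name are assumptions for illustration.

```python
# Added example: how the Encryption Method / Certificate Validation settings
# translate into TLS behaviour for the bind. Names here are illustrative only.
import ssl
from dataclasses import dataclass
from typing import Optional

NO_ENCRYPTION = "No Encryption"
LDAPS = "Use SSL Encryption (ldaps://)"
STARTTLS = "Use StartTLS Extension"


@dataclass
class TlsPlan:
    scheme: str                          # "ldap" or "ldaps"
    use_starttls: bool                   # send StartTLS (RFC 2830) after connecting
    context: Optional[ssl.SSLContext]    # None when the session is cleartext


def plan_connection(encryption_method: str, trust_all: bool,
                    server_root_certificate: Optional[str] = None) -> TlsPlan:
    """Map the Connection Security settings to what the bind will do."""
    if encryption_method == NO_ENCRYPTION:
        return TlsPlan("ldap", False, None)      # bind credentials travel in clear
    if trust_all:
        # Trust All: no certificate check, so any presented certificate is accepted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False               # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif server_root_certificate:
        # Validate only against the uploaded root certificate (.pem file path).
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=server_root_certificate)
    else:
        ctx = ssl.create_default_context()       # existing trusted CA certificates
    if encryption_method == LDAPS:
        return TlsPlan("ldaps", False, ctx)
    if encryption_method == STARTTLS:
        return TlsPlan("ldap", True, ctx)
    raise ValueError(f"unknown encryption method: {encryption_method!r}")


def verifies_certificate(plan: TlsPlan) -> bool:
    """True only when the plan actually checks the server's certificate chain and name."""
    ctx = plan.context
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```

Cleartext and Trust All both return a plan for which `verifies_certificate` is False, which is the condition a reviewer of a data/Ldap record would want to flag.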

The model that stores the connection parameters of an LDAP server.

Model Details: data/Ldap

Title Description Details
Description The description of the LDAP server.
  • Field Name: description
  • Type: String
Host Name * The host name of the LDAP server.
  • Field Name: host
  • Type: String
Port The port number for LDAP traffic. The port is fully configurable. Default: 389
  • Field Name: port
  • Type: String
  • Default: 389
User DN * The User Distinguished Name (DN) on the LDAP server.
  • Field Name: user_dn
  • Type: String
Admin Password * The administrator Password associated with the Username to connect to the LDAP server.
  • Field Name: password
  • Type: String
  • Is Password: True
  • Store Encrypted: True
Search Base DN * The base Distinguished Name for LDAP search.
  • Field Name: search_base_dn
  • Type: String
Search Filter An RFC 2254-conformant string that is used to restrict the results returned by list operations on the LDAP server.
  • Field Name: search_filter
  • Type: String
Enable Write Operations Enables Add, Modify and Delete operations for users on the LDAP server.
  • Field Name: allow_write_back
  • Type: Boolean
Server Type * The selected LDAP server type. The type can be Open LDAP or Microsoft Active Directory.
  • Field Name: server_type
  • Type: String
  • Choices: ["Microsoft Active Directory", "Open LDAP"]
Authentication Attribute
  • Field Name: auth_attribute
  • Type: Object
Model Type The model type to be used for authentication. The default choices are device/ldap/inetOrgPerson, device/ldap/person, and device/ldap/user. If the default choices do not fit the deployment scenario, custom values are allowed for this field.
  • Field Name: auth_attribute.model_type
  • Type: String
  • Choices: ["device/ldap/inetOrgPerson", "device/ldap/person", "device/ldap/user"]
Login Attribute Name The selected attribute of the LDAP user login. When Server Type is Microsoft Active Directory, the following default choices are populated: employeeNumber, mail, sAMAccountName, telephoneNumber, userPrincipalName. When Server Type is Open LDAP, the following choices are populated: employeeNumber, mail, telephoneNumber, uid. If the default choices do not fit the deployment, custom values are allowed for this field.
  • Field Name: auth_attribute.name
  • Type: String
Connection Security
  • Field Name: connection_security
  • Type: Object
Encryption Method The encryption mechanism to be used. This can be No Encryption, Use SSL Encryption (ldaps://), or Use StartTLS Extension. Default: no_encryption
  • Field Name: connection_security.encryption_method
  • Type: String
  • Default: no_encryption
  • Choices: ["No Encryption", "Use SSL Encryption (ldaps://)", "Use StartTLS Extension"]
Certificate Validation Specifies behavior for certificate validation, e.g. Trust all certificates (no validation).
  • Field Name: certificate_validation
  • Type: Object
Trust All When enabled, the system will not check if the server's certificate is trusted.
  • Field Name: connection_security.certificate_validation.trust_all
  • Type: Boolean
Server Root Certificate When trust_all is False, the LDAP server's SSL certificate will be validated against this root certificate. If this certificate is not specified, validation will be done against any existing trusted CA certificates. Use this option for custom root certificates (in .pem format).
  • Field Name: connection_security.certificate_validation.server_root_certificate
  • Type: String
  • Target: data/File
  • Format: uri
Advanced Configuration Advanced configuration settings.
  • Field Name: advanced_configuration
  • Type: Object
Primary Key Attribute This field allows an administrator to specify the primary key attribute that will be used to retrieve records from the LDAP server.
  • Field Name: advanced_configuration.custom_pk
  • Type: String
Data Sync List LDAP attributes to be included during data sync.
  • Field Name: data_sync_list.[n]
  • Type: Array
Model Type Model type whose attributes should be included (e.g. device/ldap/user).
  • Field Name: data_sync_list.[n].model_type
  • Type: String
  • Format: uri
Attributes Attributes to be included for model type.
  • Field Name: attributes.[n]
  • Type: Array
Name
  • Field Name: data_sync_list.[n].attributes.[n].name
  • Type: String
Authentication settings Authentication settings.
  • Field Name: authentication
  • Type: Object
Authentication Scope Hierarchical scope this server applies to Default: Down
  • Field Name: authentication.scope
  • Type: String
  • Default: Down
  • Choices: ["Current hierarchy level only", "Current hierarchy level and below"]
User Sync Type Type of users that can authenticate against this server. Default: Synced_only
  • Field Name: authentication.user_type
  • Type: String
  • Default: Synced_only
  • Choices: ["LDAP synced users only", "All users"]
Authentication Enabled Authentication Enabled Default: True
  • Field Name: authentication.auth_enabled
  • Type: Boolean
  • Default: True