.. _set-up-an-ldap-server:



LDAP server
-------------

.. _19.3.4|VOSS-704:
.. _20.1.1|VOSS-551|EKB-7380:
.. _20.1.1|EKB-6059:
.. _21.4-PB5|EKB-18656:



.. tip:: 

   :ref:`use-action-search-to-navigate-automate`




Add LDAP server 
.................

This procedure adds and configures the LDAP server for integration with Automate.

.. note:: 

   When integrating with an eDirectory LDAP server, OpenLDAP configuration options are
   followed, except for the primary key configuration options.


1. Log in as Provider, Reseller, or Customer administrator.
2. Set the hierarchy node to the node where you want to sync in users from LDAP to Automate.
3. Go to **LDAP Server**.
4. Click **Add**.
5. Configure the LDAP server. See :ref:`config-ldap-server` for details. 

   * Fill out the fields on the **Base** tab/panel.
   * Optionally, on the **Sync List** tab/panel, if you choose the LDAP sync list option *Create sync list
     from template*, you can choose an LDAP sync list template (based on the
     server type) - either of these:

     * Ldap Sync List Microsoft Active Directory
     * Ldap Sync List Open Ldap
    
     You can choose a template when adding the LDAP server, or update your choice after saving. 
     If you don't choose a template, LDAP sync is not affected by this list. See the tab description, 
     and: 

     * :ref:`set-up-ldap-for-user-synchronization`
     * :ref:`synchronize-users-from-ldap`

6. Click **Save**.

7. Test the connection to the LDAP server.

   If the authentication credentials or search base DN are invalid, the system displays 
   an error, for example: 

   *Error encountered while processing your request*

   *caught exception: [Helper] validation failed; Invalid search base db.*



.. _config-ldap-server:

LDAP server configuration settings 
......................................

This topic is a field reference guide for the fields on the **LDAP Server** page when adding or updating
an LDAP server.

You can select the following tabs on the **LDAP Server** page: 

.. note:: 

   Use the toolbar tab/panel button to toggle between displaying these fields in tabs or panels. 

* Base 
* Sync List


Base tab/panel 
''''''''''''''''''

.. tabularcolumns:: |p{4cm}|p{10cm}|

+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Description                                                                                                                                                                                                                                                                                                                       |
+=========================+===================================================================================================================================================================================================================================================================================================================================+
| Description             | Defaults to the current hierarchy level.                                                                                                                                                                                                                                                                                          |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Host Name \*            | Mandatory. Hostname or IP address of the LDAP server.                                                                                                                                                                                                                                                                             |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Port                    | Port number for LDAP traffic. Defaults to 389.                                                                                                                                                                                                                                                                                    |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                         | Mandatory. The User Distinguished Name of an admin user that has access rights to                                                                                                                                                                                                                                                 |
|                         | the Base DN on the LDAP server.                                                                                                                                                                                                                                                                                                   |
| User DN \*              |                                                                                                                                                                                                                                                                                                                                   |
|                         | Examples:                                                                                                                                                                                                                                                                                                                         |
|                         |                                                                                                                                                                                                                                                                                                                                   |
|                         | * Administrator@stb.com                                                                                                                                                                                                                                                                                                           |
|                         | * OU=LDAP0,DC=stb,DC=com                                                                                                                                                                                                                                                                                                          |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Admin                   | Mandatory. Admin password associated with the user.                                                                                                                                                                                                                                                                               |
| Password \*             |                                                                                                                                                                                                                                                                                                                                   |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                         | Mandatory. Base Distinguished Name for LDAP search. This should be a container or                                                                                                                                                                                                                                                 |
| Search Base             | directory on the LDAP server where the LDAP users exist, such as an                                                                                                                                                                                                                                                               |
| DN \*                   | Organization Unit (OU). For example, to search within an OU called                                                                                                                                                                                                                                                                |
|                         | CUS01 under a domain called GCLAB.COM, the Search Base DN would be                                                                                                                                                                                                                                                                |
|                         | OU=CUS01,DC=GCLAB,DC=COM.                                                                                                                                                                                                                                                                                                         |
|                         |                                                                                                                                                                                                                                                                                                                                   |
|                         | Note that the search will traverse the directory tree from this point down and will include                                                                                                                                                                                                                                       |
|                         | any sub OU's which have been added within the OU.                                                                                                                                                                                                                                                                                 |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Search Filter           | An RFC 2254 conformant string used to restrict the results returned by list                                                                                                                                                                                                                                                       |
|                         | operations on the LDAP server.                                                                                                                                                                                                                                                                                                    |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Server Type \*          | Either **Microsoft Active Directory** or **OpenLDAP**. For AD LDS (ADAM), choose **Microsoft Active Directory**.                                                                                                                                                                                                                  |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| AD Sync Mode \*         | Defaults to Direct.                                                                                                                                                                                                                                                                                                               |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Enable Write Operations | This check box is only shown for Microsoft Active Directory servers (**Server Type** is **Microsoft Active Directory**) when **Encryption Method** is "Use SSL Encryption (ldaps://)" (port is ``636``). When enabled, Automate user management allows for the management of users on the LDAP server (add, modify, delete).      |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

.. tabularcolumns:: |p{4cm}|p{10cm}|

+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+========================+===============================================================================================================================================================================================================================================================================================================================================================================================================================================================+
| CUCM LDAP              | Optional. The name of the LDAP Directory configured on CUCM that we want this user to be considered synced from.                                                                                                                                                                                                                                                                                                                                              |
| Directory              | The LDAP Directory must be configured on CUCM already.                                                                                                                                                                                                                                                                                                                                                                                                        |
| Name                   | While this parameter is optional, note the following when this parameter is *not* set:                                                                                                                                                                                                                                                                                                                                                                        |
|                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | * In a top-down scenario, users are added to CUCM as Local Users                                                                                                                                                                                                                                                                                                                                                                                              |
|                        | * In a bottom-up sync scenario, users won't be able to log on to Automate                                                                                                                                                                                                                                                                                                                                                                                     |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Encryption             | Choose between **No Encryption**, **Use SSL Encryption (ldaps://)**, or **Use StartTLS Extension**.                                                                                                                                                                                                                                                                                                                                                           |
| Method                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | * No Encryption - default port for LDAP is port 389                                                                                                                                                                                                                                                                                                                                                                                                           |
|                        | * Use SSL Encryption (ldaps://) - uses port 636 and establishes TLS/SSL upon connecting with a client.                                                                                                                                                                                                                                                                                                                                                        |
|                        | * Use StartTLS Extension - to transition to a TLS connection after connecting on port 389                                                                                                                                                                                                                                                                                                                                                                     |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                        | If **Trust All** is unchecked, the LDAP server's SSL certificate is validated                                                                                                                                                                                                                                                                                                                                                                                 |
| Server Root            | against this root certificate. If no **Server Root Certificate** is specified,                                                                                                                                                                                                                                                                                                                                                                                |
| Certificate            | validation is done against any existing trusted CA certificates. Use this                                                                                                                                                                                                                                                                                                                                                                                     |
|                        | option for custom root certificates in `.pem` format. See "SSO Certificate                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | Management" for more information.                                                                                                                                                                                                                                                                                                                                                                                                                             |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Trust All              | Defines whether to disable certificate validation.                                                                                                                                                                                                                                                                                                                                                                                                            |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Primary Key Attribute  | The attribute value used to uniquely identify and search for records on an LDAP server. For example, ``uid`` is the attribute when using a 389-Directory Server and ``entryUUID`` when using an OpenLDAP server. The attribute must be unique, should not change over time and should not be location specific. If no attribute is entered, ``entryUUID`` is used for an OpenLDAP server and ``ObjectGUID`` if the LDAP server is Microsoft Active Directory. |
|                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | .. note::                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        |    From v21.4-PB5, Automate introduced support for syncs from an eDirectory LDAP server configured as an OpenLDAP server type, and allows the use of an OctetString-formatted ``GUID`` primary key (pk) instead of the ``entryUUID`` attribute.                                                                                                                                                                                                               |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Authentication Scope   | Hierarchical scope this server applies to: Local authentication or Full tree authentication. [#]_                                                                                                                                                                                                                                                                                                                                                             |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| User sync type         | Choose the type of users that can authenticate against this server - options are:                                                                                                                                                                                                                                                                                                                                                                             |
|                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                        | * All users - all users can authenticate against this server                                                                                                                                                                                                                                                                                                                                                                                                  |
|                        | * Synced users only (default) - only users synced in from LDAP can authenticate against this server                                                                                                                                                                                                                                                                                                                                                           |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Authentication enabled | Defines whether the server is available for authentication. Default is True.                                                                                                                                                                                                                                                                                                                                                                                  |
+------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+



.. rubric:: Search Filter examples:

* ``(telephoneNumber=919*)``: all telephone numbers starting with 919
* ``(&(OfficeLocations=RTP)(|(department=Engineering)(department=Marketing)))``:
  office is located in RTP and department is either Engineering or Marketing
* ``(&(MemberOf=cn=Admin,ou=users,dc=foo,dc=com)(!(c=US)))``: all Admins except
  those in the U.S.


User lookup for LDAP authentication is restricted to the ``device/ldap`` model
specified in the **Authentication Attribute**: **Model Type** field.
For example, if this attribute is set to ``device/ldap/user``, LDAP user authentication is
restricted to entries matching ``(objectClass=user)``.
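The following Python block is an added example and is not part of the Automate documentation or product code. It is a small RFC 4515 search filter parser and evaluator: it parses the three filters shown above, checks that their parentheses balance, evaluates them against a constructed in-memory directory, and shows how the **Model Type** restriction works by AND-ing ``(objectClass=user)`` with the configured filter. The directory entries and the helper names (``parse_filter``, ``matches``, ``restrict_to_model``, ``search``, ``is_valid_filter``) are assumptions made for the example.

```python
"""Minimal RFC 4515 LDAP filter parser/evaluator (added example, not product code).

Supports &, |, !, equality, presence (attr=*) and substring (attr=a*b) matches.
Attribute names and values compare case-insensitively, as most directory
attributes are defined. Entries are dicts of attribute -> list of strings.
"""
import re

# attribute=value; value runs to the closing parenthesis (so DN values with '=' work)
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)=([^)]*)")


def parse_filter(text):
    """Parse a filter string into a nested tuple AST; ValueError on syntax errors."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at position {pos}")
        pos += 1
        c = peek()
        if c in ("&", "|"):                 # AND / OR over zero or more child filters
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            node = (c, children)
        elif c == "!":                      # NOT over exactly one child filter
            pos += 1
            node = ("!", parse())
        else:                               # attr=value, attr=* or attr=sub*string
            m = _ITEM.match(text, pos)
            if not m:
                raise ValueError(f"expected attribute=value at position {pos}")
            pos = m.end()
            node = ("=", m.group(1), m.group(2))
        if peek() != ")":
            raise ValueError(f"expected ')' at position {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):                    # catches extra parentheses and junk
        raise ValueError(f"trailing text at position {pos}: {text[pos:]!r}")
    return node


def is_valid_filter(text):
    """True if the filter parses (balanced parentheses, well-formed items)."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if pattern == "*":                      # presence filter: any value at all
        return bool(values)
    # '*' is the only wildcard in an LDAP substring filter; escape everything else
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def restrict_to_model(filter_text, object_class="user"):
    """Narrow a lookup the way a device/ldap/user Model Type does (assumed wording):
    only entries of the given objectClass can match the configured filter."""
    return f"(&(objectClass={object_class}){filter_text})"


def search(entries, filter_text):
    """Return the cn of every entry that matches filter_text."""
    ast = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(ast, e)]


# Constructed sample directory for the example (hypothetical entries, not real data).
DIRECTORY = [
    {"cn": ["alice"], "objectClass": ["user"], "telephoneNumber": ["9195550100"],
     "OfficeLocations": ["RTP"], "department": ["Engineering"],
     "MemberOf": ["cn=Admin,ou=users,dc=foo,dc=com"], "c": ["US"]},
    {"cn": ["bob"], "objectClass": ["user"], "telephoneNumber": ["2125550101"],
     "OfficeLocations": ["RTP"], "department": ["Marketing"],
     "MemberOf": ["cn=Admin,ou=users,dc=foo,dc=com"], "c": ["GB"]},
    {"cn": ["carol"], "objectClass": ["user"], "telephoneNumber": ["9195550102"],
     "OfficeLocations": ["NYC"], "department": ["Engineering"], "c": ["US"]},
    {"cn": ["svc-print"], "objectClass": ["computer"], "telephoneNumber": ["9195550103"],
     "OfficeLocations": ["RTP"], "department": ["Engineering"], "c": ["US"]},
]

if __name__ == "__main__":
    f = "(telephoneNumber=919*)"
    print(f, "->", search(DIRECTORY, f))                       # alice, carol, svc-print
    print(restrict_to_model(f), "->", search(DIRECTORY, restrict_to_model(f)))  # alice, carol
```

Run it as a script to see each filter's result set; ``is_valid_filter`` is the check to run on a filter before saving it, since a filter with an extra parenthesis is rejected by the directory rather than silently matching nothing. Note that ``restrict_to_model`` only narrows matches: a user whose entry is not of the model's object class cannot authenticate even if the search filter alone would have matched it.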


.. rubric:: Related Topics 

.. [#] For details around authentication scope, see :ref:`user-login-auth-method-srv-auth-scope`.


Sync List tab/panel 
''''''''''''''''''''''''

A sync list improves sync performance and limits the synced attributes to those relevant to your scenario.

On this tab you can choose an LDAP sync list option, either when adding a new LDAP server
or when updating an existing LDAP server (one that was added prior to release 19.3.4).


.. important:: 
  
   The following attributes are always synced in, regardless of the sync list option you choose: 
   
   * sAMAccountName
   * userPrincipalName
   * mail
   * cn
   * uid
   * description
   

The table describes the LDAP sync list options you can choose on this tab:

========================================== ==========================================================
LDAP Sync List Option                      Description 
========================================== ==========================================================
No sync list - all fields will be synced   LDAP sync is not driven by an LDAP sync list. All fields
                                           are imported (as they were before release 19.3.4).

Create sync list manually                  The fields to sync can be added or modified manually. For 
                                           list override precedence and other considerations, 
                                           see :ref:`ldap-sync-lists`.

Create sync list from template             Displays an additional field on the tab (LDAP Sync List 
                                           Template) and allows you to choose a sync list from a 
                                           predefined configuration template (CFT). 

                                           Automate provides default Sync List CFTs for the 
                                           following: 

                                           * Microsoft AD servers
                                           * OpenLDAP servers

                                           These CFTs contain LDAP attributes that are typically 
                                           required to be synced with LDAP. Once you've applied 
                                           the template, or if a template is not used, a sync 
                                           list is visible and configurable directly on a saved 
                                           LDAP server's **Sync List** tab. See 
                                           :ref:`ldap-sync-lists`.
========================================== ==========================================================






