
System | Directory Services | LDAP

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network. LDAP is lighter because in its initial version, it did not include security features.

IP Office 5.0 supports the import of directory records from one IP Office to another using HTTP. That includes using HTTP to import records that another system has learnt using LDAP. HTTP import, which is simpler to configure, can be used to relay LDAP records with LDAP configured on just one system.
LDAP records can contain several telephone numbers. Each will be treated as a separate directory entry when imported into the IP Office directory.
The NoUser source number setting ExtendLDAPDirectLimit usable with IP Office 4.1-4.2 systems is no longer supported for IP Office 5.0+.


Imported Records

Imported directory records are temporary until the next import refresh. They are not added to the IP Office system's configuration.
They cannot be viewed or edited using IP Office Manager or edited by a System Phone user.
The temporary records are lost if IP Office is restarted. However the IP Office will request a new set of imported directory records after an IP Office restart.
The temporary records are lost if an IP Office configuration containing Directory changes is merged. The IP Office will then import a new set of temporary records without waiting for the Resync Interval.
If a configuration record is edited by a System Phone user to match the name or number of a temporary record, the matching temporary record is discarded.

Importation Rules

When a set of directory records is imported by HTTP or LDAP, the following rules are applied to the new records:

Imported records with a blank name or number are discarded.
Imported records that match the name or number of any existing record are discarded.
When the total number of directory records has reached the system limit, any further imported records are discarded.

IP Office   Number of Directory Records                            Total Number of
            IP Office Configuration   LDAP Import   HTTP Import    Directory Records
IP500       2500                      5000          5000           5000
IP412       2500                      2500          2500           2500
IP406 V2    2500                      2500          2500           2500

In a network, a directory tells you where in the network something is located. On TCP/IP networks, including the Internet, the Domain Name System (DNS) is the directory system used to relate the domain name to a specific network address. However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

The "root" directory (the starting place or the source of the tree), which branches out to
Countries, each of which branches out to
Organizations, which branch out to
Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
Individuals (which include people, files, and shared resources such as printers)

An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.

LDAP Directory Synchronization allows the telephone number Directory held in the Control Unit to be synchronized with the information on an LDAP server. The feature can be configured to interoperate with any server that supports LDAP version 2 or higher.

System | Directory Services | LDAP

Control Unit: SOE, IP403, IP406 V1, IP406 V2, IP412, IP500 (supported on all).

Software Level: 1.0+.

Mergeable: No.

LDAP Enabled: Default = Off
This option turns LDAP support on or off.
User Name: Default = blank
Enter the user name to authenticate connection with the LDAP database. To determine the domain-name of a particular Windows 2000 user look on the "Account" tab of the user's properties under "Active Directory Users and Computers". Note that this means that the user name required is not necessarily the same as the name of the Active Directory entry. There should be a built-in account in Active Directory for anonymous Internet access, with prefix "IUSR_" and suffix server_name (whatever was chosen at the Windows 2000 installation). Thus, for example, the user name entered in this field might be: IUSR_CORPSERV@example.com
Password: Default = blank
Enter the password to be used to authenticate connection with the LDAP database. Enter the password that has been configured under Active Directory for the above user. Alternatively an Active Directory object may be made available for anonymous read access. This is configured on the server as follows:
In "Active Directory Users and Computers" enable "Advanced Features" under the "View" menu. Open the properties of the object to be published and select the "Security" tab. Click "Add" and select "ANONYMOUS LOGON", click "Add", click "OK", click "Advanced" and select "ANONYMOUS LOGON", click "View/Edit", change "Apply onto" to "This object and all child objects", click "OK", "OK", "OK".

Once this has been done on the server, any entry can be made in the User Name field in the System configuration form (however this field cannot be left blank) and the Password field left blank. Other non-Active Directory LDAP servers may allow totally anonymous access, in which case neither User Name nor Password need be configured.

Server IP Address: Default = blank
Enter the IP address of the server storing the database.
Server Port: Default = 389
This setting is used to indicate the listening port on the LDAP server.
Authentication Method: Default = Simple
Select the authentication method to be used.
Simple: clear text authentication (the user name and password are sent unencrypted to the LDAP server).
Kerberos: Kerberos 4 LDAP and Kerberos 4 DSA encrypted authentication (for future use).
Resync Interval (secs): Default = 3600 seconds, Range = 1 to 99999 seconds.
The frequency at which the IP Office should resynchronize the directory with the server. This value also affects some aspects of the internal operation.
The LDAP search inquiry contains a field specifying a time limit for the search operation and this is set to 1/16th of the resync interval. So by default a server should terminate a search request if it has not completed within 225 seconds (3600/16).
The client end will terminate the LDAP operation if the TCP connection has been up for more than 1/8th of the resync interval (default 450 seconds). This time is also the interval at which a change in state of the "LDAP Enabled" configuration item is checked.
Search Base / Search Filter: Default = blank
These two fields are used together to refine the extraction of directory entries. The Base specifies the point in the tree to start searching and the Filter specifies which objects under the base are of interest. The search base is a distinguished name in string form (as defined in RFC 1779).

The Filter deals with the attributes of the objects found under the Base and has its format defined in RFC2254 (except that extensible matching is not supported).

If the Search Filter field is left blank the filter defaults to "(objectClass=*)", this will match all objects under the Search Base.

The following are some examples applicable to an Active Directory database:

To get all the user phone numbers in a domain:

Search Base: cn=users,dc=acme,dc=com 
Search Filter: (telephonenumber=*)

To restrict the search to a particular Organizational Unit (eg office) and get cell phone numbers also:

Search Base: ou=holmdel,ou=nj,DC=acme,DC=com 
Search Filter: (|(telephonenumber=*)(mobile=*))

To get the members of distribution list "group1":

Search Base: cn=users,dc=acme,dc=com 
Search Filter: (&(memberof=cn=group1,cn=users,dc=acme,dc=com)(telephonenumber=*))

Number Attributes: Default = see below
Enter the number attributes the server should return for each entry that matches the Search Base and Search Filter. Other attributes could be ipPhone, otherIpPhone, facsimileTelephoneNumber, otherFacsimileTelephoneNumber, pager or otherPager. The attribute names are not case sensitive. Other LDAP servers may use different attributes.
By default the entry is "telephoneNumber,otherTelephone,homePhone=H,otherHomePhone=H,mobile=M,otherMobile=M", as used by Windows 2000 Server Active Directory for Contacts.
The optional "=string" sub-fields define how that type of number is tagged in the directory. Thus, for example, a cell phone number would appear in the directory as: John Birbeck M 7325551234
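As an added example (not Avaya's code or the IP Office implementation), the following Python models how the Number Attributes string above and the Importation Rules earlier on this page turn LDAP search results into tagged temporary directory records. The LDAP entries are constructed sample data, and it assumes that "existing record" in the rules means a record present before the import.

```python
# Added example (not Avaya code); sample data below is constructed.
DEFAULT_NUMBER_ATTRS = ("telephoneNumber,otherTelephone,homePhone=H,"
                        "otherHomePhone=H,mobile=M,otherMobile=M")

def parse_number_attributes(spec):
    """'attr[=tag],...' -> [(attr_lowercase, tag)]; names are not case sensitive."""
    out = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        name, _, tag = item.partition("=")
        out.append((name.strip().lower(), tag.strip()))
    return out

def records_from_entry(entry, attrs):
    """Each number in one LDAP entry ({attr: [values]}) becomes its own record."""
    lowered = {k.lower(): v for k, v in entry.items()}
    name = (lowered.get("cn") or [""])[0].strip()
    return [(name, n.strip(), tag) for attr, tag in attrs for n in lowered.get(attr, [])]

def import_records(existing, entries, attrs, limit):
    """Apply the Importation Rules. Assumption: an 'existing record' is one present
    before this import (the configuration), so one person's several numbers coexist."""
    names, numbers = {r[0] for r in existing}, {r[1] for r in existing}
    directory, discarded = list(existing), []
    for entry in entries:
        for rec in records_from_entry(entry, attrs):
            name, number, _ = rec
            if not name or not number or name in names or number in numbers:
                discarded.append(rec)      # blank, or clashes with a configured record
            elif len(directory) >= limit:
                discarded.append(rec)      # system limit already reached
            else:
                directory.append(rec)
    return directory, discarded

def display(rec):
    """Render as the directory shows it, e.g. 'John Birbeck M 7325551234'."""
    return " ".join(part for part in (rec[0], rec[2], rec[1]) if part)

# Constructed sample: one configured record plus a small LDAP result set.
CONFIGURED = [("Reception", "200", "")]
LDAP_RESULT = [
    {"cn": ["John Birbeck"], "telephoneNumber": ["7325550100"], "mobile": ["7325551234"]},
    {"cn": ["Jane Doe"], "TelephoneNumber": ["200"]},       # number already configured
    {"cn": [""], "telephoneNumber": ["7325559999"]},        # blank name
    {"cn": ["Sam Lee"], "homePhone": ["7325550200"]},
    {"cn": ["Ann Ng"], "telephoneNumber": ["7325550300"]},  # arrives after the limit
]

def run_sample(limit=4):
    return import_records(CONFIGURED, LDAP_RESULT, parse_number_attributes(DEFAULT_NUMBER_ATTRS), limit)
```

Calling run_sample() shows John Birbeck's two numbers as separate entries, one tagged M, while the record clashing with the configured number 200, the blank-name record and the record arriving after the limit are all discarded.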


© 2009 AVAYA
15-601011 Issue 23.p.-
07:06, 30 October 2009
(config_forms_ldap2.htm)

Performance figures, data and operation quoted in this document are typical and must be specifically confirmed in writing by Avaya before they become applicable to any particular order or contract. The company reserves the right to make alterations or amendments at its own discretion. The publication of information in this document does not imply freedom from patent or any other protective rights of Avaya or others. All trademarks identified by (R) or TM are registered trademarks or trademarks respectively of Avaya Inc. All other trademarks are the property of their respective owners.

Last Modified: 19/03/2009