sipXecs supports integration with LDAP-enabled directory services. This allows administrators to centrally manage user information including credentials across several applications and including sipXecs.
This page provides implementation details, usage scenarios and instructions on how to use this feature.
First, navigate to the LDAP / AD screen found under the System tab.
The user has the option to add one or more LDAP connections. Imports can be scheduled independently for each LDAP connection, and attribute mappings can also be configured independently for each LDAP connection.
During installation of sipXconfig the administrator configures the LDAP server from which sipXecs will import data. The initial import is initiated on demand from the sipXconfig UI. Users are imported and the administrator can proceed to configure the remaining part of the system.
In a running sipXecs system sipXconfig already contains a list of users. The easiest way for the administrator to initiate synchronization with an LDAP server is to create a new user group that contains all the users that will be synchronized with the LDAP server. The administrator then configures the LDAP server address and triggers an import. All users in the specified group are updated, new users are added, and users that are in the group but not in the LDAP server are removed.
Automatically scheduled import is performed periodically. Newly added LDAP entries are imported as new sipXconfig users. If any entries were deleted since the last import, sipXconfig will delete those users. If any entries were modified, sipXconfig user data is modified accordingly.
A third-party application is used to perform LDAP updates. The SOAP API is used to trigger an LDAP import each time the LDAP directory changes.
Some of the mapping attributes are listed below, including the Alias multi-selection attribute widget. Other mappable fields include caller ID and address attributes.
sipXconfig Field | LDAP Attribute | Description |
---|---|---|
user id | ipPhone | A unique user identification. Use 'uid' for LDAP servers other than Active Directory. The administrator can use the user's extension (e.g. 1245) as a user id, or a more readable identifier similar to the user part of an e-mail address (e.g. johndoe, john.doe etc.). A single attribute should be mapped to this field. Changing the value of the LDAP attribute mapped to the user id field will be interpreted by sipXconfig as removal of the old user followed by addition of a new user. This is the only mandatory mapping. |
firstname | givenName | User's first (given) name. This is an optional mapping. |
lastname | sn | User's last name. This is an optional mapping. |
aliases | telephoneNumber (other LDAP servers) / sAMAccountName (Active Directory) | Multiple attributes (possibly multi-value attributes) can be mapped to this field. Since sipXconfig requires that all aliases are unique, it will drop any values that are not unique. If non-numeric user ids are configured, administrators may want to add the conventional phone (extension) number as one of the aliases. This is an optional mapping. Use 'telephoneNumber' for LDAP servers other than Active Directory; for Active Directory use 'sAMAccountName'. A Multi Selection widget lets you combine multiple single-value and multi-value attributes. |
Voicemail PIN | | Secret used by users to access voice mail. Also used by the sipXconfig user portal to access call forwarding, PIN change and other user-related functionality. This is an optional mapping. If this field is not mapped, sipXconfig will allow administrators to configure the initial value of the PIN. After deployment users will be asked to change the PIN using the telephone UI or the sipXconfig UI. Subsequent imports will preserve the value of this field. |
SIP password | | The password used by phones to register with sipXecs. The administrator has the option to: a) map this field to an LDAP attribute; b) set the initial value for all users; or c) let sipXconfig randomly generate a value. The last strategy works best if phones, as well as users, are managed by sipXconfig. In this case phones will be automatically configured with randomly generated passwords, providing strong security. If the SIP password was randomly generated or preset by the administrator, its value will be preserved during subsequent LDAP imports. |
Group | | Multi-value attribute containing user group names. This is an optional mapping. In addition to groups created by this attribute mapping, sipXconfig will require that administrators provide the name of the group that will contain all imported users. |
Contact Information | | Job, Office Address, Home Address and other contact information fields are mapped. |
sipXconfig supports different authentication scenarios, including LDAP. The administrator can activate the desired authentication scenario under menu System, page LDAP/AD, tab Settings, as shown in the following picture:
NOTE: sipXconfig supports on-demand synchronization triggered through the sipXconfig UI. Additionally, the administrator has the option to configure a synchronization schedule. Weekly, daily and hourly schedules are supported (every Friday, every weekday, every day, every hour, etc.).
This is a new tab on the left side that contains different settings and management options for LDAP users.
The Users and EditUser pages contain information about LDAP-managed users and disabled users. The EditUser page also displays the last LDAP import date and the disabled date. Any user can be enabled or disabled, and marked as LDAP managed or non-LDAP managed.
On a scheduled import, an LDAP user that is not marked as LDAP managed will not be imported again.
sipXconfig implements a best-effort import strategy. All entries that contain enough "well formatted" data are imported; incomplete or invalid entries are skipped. sipXconfig leverages its error reporting mechanism to report problems encountered during LDAP import. The list of successfully imported entries is available through the UI (Job Status page). The list of entries that failed to import is available through the UI and in the sipXconfig.log file.
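The mapping table and the best-effort import rules above (mandatory user id, unique aliases, preserved unmapped secrets, removal of users no longer in LDAP) can be simulated in a few lines. This is an added illustration, not sipXconfig code: the LDAP entries, the previous users and the initial PIN value are constructed, and the LDAP results are modelled as plain dicts.

```python
import secrets
# Constructed mapping following the table above; PIN and SIP password are left unmapped.
MAPPING = {"user_id": "ipPhone", "firstname": "givenName", "lastname": "sn",
           "aliases": ["telephoneNumber", "otherHomePhone"]}
INITIAL_PIN = "1234"  # administrator-configured initial PIN for new users (assumption)

def _values(entry, attr):
    v = entry.get(attr, [])  # LDAP attributes may be single- or multi-valued
    return v if isinstance(v, list) else [v]

def import_ldap(entries, existing, mapping=MAPPING):
    """Best-effort import pass; returns (users, skipped_dns, removed_ids)."""
    users, skipped, taken = {}, [], set()
    ids = [_values(e, mapping["user_id"])[:1] for e in entries]
    taken.update(i[0] for i in ids if i)  # reserve user ids so no alias can collide with one
    for entry, uid in zip(entries, ids):
        if not uid:  # the only mandatory mapping is missing: skip and report the entry
            skipped.append(entry.get("dn", "<no dn>"))
            continue
        uid = uid[0]
        aliases = []
        for attr in mapping["aliases"]:
            for alias in _values(entry, attr):
                if alias not in taken:  # non-unique aliases are dropped, first occurrence wins
                    taken.add(alias)
                    aliases.append(alias)
        prev = existing.get(uid)  # a changed user id looks like a brand-new user here
        users[uid] = {
            "firstname": (_values(entry, mapping["firstname"]) or [""])[0],
            "lastname": (_values(entry, mapping["lastname"]) or [""])[0],
            "aliases": aliases,
            # unmapped secrets are preserved across imports and initialised only once
            "pin": prev["pin"] if prev else INITIAL_PIN,
            "sip_password": prev["sip_password"] if prev else secrets.token_urlsafe(12),
        }
    removed = sorted(set(existing) - set(users))  # in the group but no longer in LDAP
    return users, skipped, removed

# Constructed sample: a second import pass against two users from a previous pass.
PREVIOUS = {
    "199": {"firstname": "Old", "lastname": "User", "aliases": [], "pin": "0000", "sip_password": "x"},
    "200": {"firstname": "Ken", "lastname": "Myer", "aliases": ["2125550180"], "pin": "9911", "sip_password": "kept-secret"},
}
ENTRIES = [
    {"dn": "cn=MyerKen,ou=HR,dc=example,dc=com", "ipPhone": "200", "givenName": "Ken", "sn": "Myer",
     "telephoneNumber": "2125550180", "otherHomePhone": ["2125550182", "201"]},
    {"dn": "cn=DoeJohn,ou=HR,dc=example,dc=com", "ipPhone": "201", "givenName": "John", "sn": "Doe",
     "telephoneNumber": "2125550182"},  # duplicates an alias already taken: dropped
    {"dn": "cn=LeePat,ou=HR,dc=example,dc=com", "givenName": "Pat", "sn": "Lee"},  # no ipPhone
]
```

Running `import_ldap(ENTRIES, PREVIOUS)` keeps user 200's PIN and SIP password, drops the alias "201" because it equals another user id, skips the entry without a user id, and reports user 199 as removed.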
-Contributed by Steven Lam
1.) Pick a Multi-Valued schema attribute in the Active Directory LDAP; in our case, we picked otherHomePhone as eZuce aliases.
Reference : http://fsuid.fsu.edu/admin/lib/WinADLDAPAttributes.html
2.) Create a VBScript to update aliases in the Active Directory otherHomePhone attribute.
' ADS_PROPERTY_UPDATE replaces all existing values of the attribute
Const ADS_PROPERTY_UPDATE = 2
Set objGroup = GetObject _
    ("LDAP://cn=MyerKen,ou=HR,dc=NA,dc=fabrikam,dc=com")
' The attribute name must not carry a leading space; each value becomes a sipXecs alias
objGroup.PutEx ADS_PROPERTY_UPDATE, _
    "otherHomePhone", Array("2125550180", "2125550182", "john")
objGroup.SetInfo
Reference : http://technet.microsoft.com/en-us/library/ee156515.aspx
3.) Add otherHomePhone to Active Directory Users and Computers
1. Open ADSI Edit on your Active Directory Server – on server 2008 it would be start > Administrative Tools > ADSI Edit
2. Now ADSI Edit will prompt you with connection settings, ensure that "Select a well known Naming Context:" is set to "Configuration"
3. Now click OK
4. Expand the "Configuration [ServerName.yourdomain.com]" Tree
5. Expand "CN=Configuration,DC=yourdomain.com"
6. Expand "CN=DisplaySpecifiers"
7. Now Expand "CN=409" (This is just the language code for English)
8. Locate "CN=default-Display" in the right pane
9. Right click "CN=default-Display" and select "Properties"
10. Select the "extraColumns" Attribute in the list and you will notice that your "Edit" button becomes active
11. Now click the edit button
12. In the "Value to add:" field type the following: otherHomePhone, eZuceAliases,0,100,0
13. Now click "Add:"
14. Click "OK"
15. Click "OK" again
4.) View eZuceAliases in Active Directory
1. Open ADUC
2. Expand "Saved Queries"
3. Right Click "Saved Queries" select "New > Query"
4. In the "Name:" field type "All Users" and select "Define Query…"
5. On the "Users" tab next to the "Name:" field click on the drop down and select "Has a value"
6. Now Click "OK" and "OK" again
7. Expand "Saved Queries" and select "All Users"
8. Now you will have a list of all your users in the right pane.
9. With the query selected click "View > Add/Remove Columns…" at the top of ADUC
10. Now on the left selection box, locate "eZuceAliases" and click "Add" to add it to the "Displayed Columns"
11. Click "OK"
5.) EDIT eZuceAliases in the Active Directory
1. In ADUC click "View > Advanced Features"
2. Now right click on your "All Users" saved query and select "Refresh"
3. Next, right click any user in the right pane and click "Employee Number"
4. Now right click the user again and click "Properties"
5. Locate the tab called "Attribute Editor"
6. Press the letter "E" twice on your keyboard, which should take you straight to "otherHomePhone"
7. To edit it, simply double click "otherHomePhone" or click on the "Edit" button while "otherHomePhone" is highlighted
Reference : http://iconraja.wordpress.com/2010/12/01/add-employee-number-to-active-directory-users-and-computers-aduc/
Moving to LDAP also allows leveraging existing tools for user and identity data entry and management. LDAP tools are stable, well developed and available for many platforms, including as open source.