User Management with OpenLDAP


The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

For troubleshooting tips, see How to Authenticate User Manager via OpenLDAP.

Directory Settings


  • Secure Connection Type:

    • None: No encryption

    • Start TLS: TLS is negotiated over a plain TCP connection

    • SSL: Secure Sockets Layer

  • Host: The IP address of the AD server

  • Port: The TCP port: 389 for plain (and Start TLS) connections, 636 for SSL connections

  • Bind DN or Username: The bind DN is the directory object User Manager binds as; the permissions of that object determine what operations it is allowed to perform. Some LDAP instances don't allow anonymous binds, or don't allow certain operations over an anonymous bind, so you must specify a bind DN to obtain an identity for those operations. Typically this is an administrator account.

  • Password: Password of the bind user, who must be able to perform the search (filter) operations.

  • Base DN: The base distinguished name, usually in the format DC=domain,DC=local. LDAP uses distinguished names to give directory objects unique names; every object in an LDAP server has an LDAP distinguished name. A distinguished name is a naming structure consisting of the string of hierarchical components that make up the complete object.

  • Status: Upon submission, the status shows green if User Manager was able to connect, or red together with the error message

Operational Settings


  • Create Missing Extensions: Whether to create extensions based on the 'User Extension link attribute value'

    • Don't Create: Don't create default extensions

    • Driver Type: Create default extensions of type driver

  • Manage Groups Locally: If you select the Manage Groups Locally setting, new groups are created and updated in the User Manager database and not propagated to the AD server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only AD server. When this option is enabled, only local groups can be created and updated, while groups synchronized from the remote directory cannot be locally modified.

  • Common Name Attribute: The attribute field to use when loading the object's common name.

  • Description Attribute: The attribute field to use when loading the object description.

  • Unique Identifier Attribute: The attribute whose binary string values are used to distinguish between objects when a distinguished name has been reused. Each string is one value of this multi-valued attribute.

User Configuration


  • User DN: This value is used in addition to the base DN when searching and loading users. An example is ou=Users, which is combined with the 'Base DN' to form the search base for users, giving something similar to ou=Users,DC=domain,DC=local. If no value is supplied, the subtree search starts from the base DN, e.g. just DC=domain,DC=local.

  • User Object Class: The user object class type to use when loading users.

  • User Object Filter: The filter to use when searching user objects.

  • User Name Attribute: The attribute to use when creating a username for login.

  • User First Name Attribute: The attribute to use for the user's first name

  • User Last Name Attribute: The attribute to use for the user's last name

  • User Display Name Attribute: The attribute to use for the user's display name

  • User Group Attribute: A multi-valued attribute listing the groups of which the user is a direct member. Which attribute provides this depends on the LDAP server from which it is retrieved

  • User email Attribute: The attribute to use for the user's email

  • User Title Attribute: The attribute to use for the user's title

  • User Company Attribute: The attribute to use for the user's company name

  • User Department Attribute: The attribute to use for the user's department name

  • User Home Phone Attribute: The attribute to use for the user's home phone

  • User Work Phone Attribute: The attribute to use for the user's work phone

  • User Cell Phone Attribute: The attribute to use for the user's cell phone

  • User Fax Attribute: The attribute to use for the user's fax phone

  • User Extension Link Attribute: The attribute to use for creating or linking this user to an extension in this PBX

Group Configuration


  • Group DN: This value is used in addition to the base DN when searching and loading groups. An example is ou=Groups, which is combined with the 'Base DN' to form the search base for groups, giving something similar to ou=Groups,DC=domain,DC=local. If no value is supplied, the subtree search starts from the base DN, e.g. just DC=domain,DC=local.

  • Group Object Class: The group object class type to use when loading groups.

  • Group Object Filter: The filter to use when searching group objects.

  • Group Members Attribute: The group members attribute is a multi-valued attribute that contains the list of distinguished names of the user, group, and contact objects that are members of the group. Each item in the list is a linked reference to the object that represents the member; therefore, the LDAP server automatically updates the distinguished names in the member attribute when a member object is moved or renamed.
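The following added example (not User Manager's own code) models how the Directory, User Configuration and Group Configuration settings above combine into an LDAP search: the User DN or Group DN is prepended to the Base DN, the object class, object filter and name attribute are combined into one filter, and the Group Members Attribute is resolved to member entries. It runs against a constructed in-memory directory, and the filter escaping it applies to the login name is an assumption about good practice, not a documented User Manager behaviour.

```python
import re
# Added example, not User Manager's own code: models how Base DN, User DN /
# Group DN, object class, object filter and attribute settings combine into an
# LDAP search, run against a small constructed in-memory directory (offline).

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for any value spliced into a filter, e.g. a login name."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def search_base(base_dn, sub_dn):
    """User DN / Group DN is prepended to Base DN; an empty value means Base DN alone."""
    return f"{sub_dn},{base_dn}" if sub_dn else base_dn

def build_filter(object_class, object_filter, lookup=None):
    """(&(objectClass=<class>)<Object Filter>[(<Name Attribute>=<login>)])."""
    parts = [f"(objectClass={object_class})", object_filter]
    if lookup:  # (attribute, value) pair for a single-user lookup at login time
        parts.append(f"({lookup[0]}={escape_filter_value(lookup[1])})")
    return "(&" + "".join(parts) + ")"

def search(directory, base, ldap_filter):
    """Toy subtree search: supports only conjunctions of equality assertions."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    assertions = [(a.lower(), v) for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]
    hits = []
    for dn, entry in directory.items():
        if not dn.lower().endswith(base.lower()):
            continue  # entry lies outside the search base
        attrs = {k.lower(): [str(x).lower() for x in (v if isinstance(v, list) else [v])]
                 for k, v in entry.items()}
        # a bare "*" is a presence test; an escaped "\2a" is a literal asterisk
        if all(a in attrs and (v == "*" or unescape(v).lower() in attrs[a]) for a, v in assertions):
            hits.append(dn)
    return hits

def group_members(directory, group_dn, members_attr):
    """Resolve the Group Members Attribute (a list of DNs) to entries that still exist."""
    return [dn for dn in directory[group_dn].get(members_attr, []) if dn in directory]

# Constructed sample directory (not real data).
DIRECTORY = {
    "uid=alice,ou=Users,dc=domain,dc=local": {"objectClass": "inetOrgPerson", "uid": "alice", "sn": "Smith"},
    "uid=bob,ou=Users,dc=domain,dc=local": {"objectClass": "inetOrgPerson", "uid": "bob", "sn": "Jones"},
    "cn=svc,ou=Services,dc=domain,dc=local": {"objectClass": "inetOrgPerson", "uid": "svc"},
    "cn=helpdesk,ou=Groups,dc=domain,dc=local": {"objectClass": "groupOfNames", "cn": "helpdesk",
        "member": ["uid=alice,ou=Users,dc=domain,dc=local", "uid=gone,ou=Users,dc=domain,dc=local"]},
}
BASE_DN = "dc=domain,dc=local"
```

With an empty User DN the search base is the Base DN alone, so the service account under ou=Services is also returned; setting User DN to ou=Users restricts the search to that subtree.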
