User Management with Active Directory
The AD features of the User Management module were later additions and are not fully mature. Expect inconsistencies, particularly when scaling to very large directories or when using AD credentials for soft client login.
The Active Directory directory type is used with Microsoft Windows Server domain controllers. Active Directory is Microsoft's directory service; User Manager speaks standard LDAP to it, but the schema and conventions are Microsoft-specific (attribute names such as sAMAccountName and objectGUID, group membership semantics, the domain and forest structure of a corporate Windows environment), which is what this directory type accounts for.
For troubleshooting tips see: How to Authenticate User Manager via Microsoft Active Directory.
For more information about filters see: How to write LDAP search filters.
Directory Settings
Secure Connection Type: How the connection to the domain controller is protected.
None: No encryption. Bind credentials and directory data cross the network in clear text (a simple bind sends the password as-is), so use this only on an isolated management network.
Start TLS: The connection opens in plain text on the LDAP port (389) and TLS is then negotiated with the StartTLS extended operation.
SSL: LDAPS. TLS is negotiated as soon as the TCP connection opens, normally on port 636. The name is historical; current servers negotiate TLS, not SSL.
SSL / TLS
When Start TLS or SSL is selected for Secure Connection Type, the LDAP client library used by User Manager (OpenLDAP, configured through ldap.conf) verifies the certificate the domain controller presents. The connection fails unless that certificate chains to a CA the PBX trusts, so a self-signed or internal-CA certificate on the LDAP server needs extra configuration. The commonly quoted shortcut is:
> echo "TLS_REQCERT never" >> /etc/openldap/ldap.conf
Setting TLS_REQCERT to never in ldap.conf (/etc/ldap/ldap.conf on Debian-based systems) makes the client accept any certificate at all. This gets the connection working, but it also removes the only protection against a man-in-the-middle presenting its own certificate and capturing the bind credentials. The safer fix is to export the domain controller's certificate (or the certificate of the CA that issued it) to a PEM file on the PBX and point TLS_CACERT at that file, leaving TLS_REQCERT at its default of demand; verification then succeeds for that certificate and still fails for any other.
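As an added illustration (this is not code from the FreePBX wiki or the User Manager module), the following Python audits the body of an ldap.conf file for settings that disable certificate verification and produces the pinned alternative. The path /etc/openldap/certs/dc01.pem used as the trust anchor is an assumed location for the exported certificate.

```python
import re

# Added example, not FreePBX code. Audits an OpenLDAP client configuration
# (/etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) for settings
# that disable certificate verification and rewrites it to pin the domain
# controller's certificate with TLS_CACERT while keeping TLS_REQCERT demand.

# TLS_REQCERT values that proceed even when the certificate cannot be
# verified. 'allow' differs from 'never' only in that it asks for a
# certificate; a bad one is still ignored.
UNSAFE_REQCERT = {"never", "allow"}

_DIRECTIVE = re.compile(
    r"^\s*(TLS_CACERTDIR|TLS_CACERT|TLS_REQCERT)\s+(\S+)", re.IGNORECASE)


def audit_ldap_conf(text):
    """Return a list of findings for an ldap.conf body.

    An empty list means the client will verify the server certificate
    against a configured trust anchor (the OpenLDAP default is demand).
    """
    reqcert = None
    trust_anchor = False
    for line in text.splitlines():
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        name, value = match.group(1).upper(), match.group(2)
        if name == "TLS_REQCERT":
            reqcert = value.lower()
        else:
            trust_anchor = True
    findings = []
    if reqcert in UNSAFE_REQCERT:
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified; "
            "a man-in-the-middle can capture the bind credentials")
    if not trust_anchor:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: a self-signed AD certificate has "
            "no trust anchor, so verification with 'demand' fails")
    return findings


def harden_ldap_conf(text, cafile):
    """Rewrite an ldap.conf body so the AD certificate is pinned, not ignored.

    cafile is the PEM file holding the domain controller's self-signed
    certificate (or the issuing CA's). Existing TLS_REQCERT/TLS_CACERT
    lines are dropped and replaced.
    """
    kept = [line for line in text.splitlines() if not _DIRECTIVE.match(line)]
    kept += [f"TLS_CACERT {cafile}", "TLS_REQCERT demand"]
    return "\n".join(kept) + "\n"


# Constructed sample: the configuration the shortcut above produces.
WEAK_CONF = "BASE dc=domain,dc=local\nTLS_REQCERT never\n"
PINNED_CONF = harden_ldap_conf(WEAK_CONF, "/etc/openldap/certs/dc01.pem")
```

To obtain the PEM file, run openssl s_client -connect dc01.domain.local:636 -showcerts on the PBX and save the certificate it prints (for a self-signed certificate that is the only one; if a CA issued it, prefer the CA's own certificate), or export it from the domain controller's certificate store. Then feed the current file contents to harden_ldap_conf and write the result back; audit_ldap_conf on the result should return no findings.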
Host: The hostname or IP address of the domain controller. With Start TLS or SSL, use the DNS name that appears in the server's certificate, because the client checks that the name it connected to matches the certificate.
Port: TCP port: 389 for plain and Start TLS connections, 636 for SSL (LDAPS) connections. In a multi-domain forest the Global Catalog ports 3268 (plain/Start TLS) and 3269 (SSL) return objects from every domain, with a reduced attribute set.
Username: The directory account User Manager binds as to perform the user and group searches. Any authenticated domain account can normally read the attributes needed, so use a dedicated low-privilege service account rather than an administrator; the PBX stores this password.
Password: The password of that account.
Domain: The Active Directory DNS domain name, for example domain.local.
Base DN: The base distinguished name, usually the DNS domain written as DC components, e.g. DC=domain,DC=local. LDAP uses distinguished names to give directory objects unique names; every object in Active Directory has one. A distinguished name is a string of the hierarchical components that make up the complete path to the object.
Status: After the settings are submitted, the status shows green if User Manager was able to connect and bind, or red with the error returned by the server.
Operational Settings
Create Missing Extensions: Whether to create a PBX extension for each user whose 'User Extension Link Attribute' value has no matching extension.
Don't Create: Do not create missing extensions.
<driver type>: One entry is offered per available channel driver; selecting it creates the missing extensions with default settings for that driver.
Manage Groups Locally: If you select the Manage Groups Locally setting, new groups are created and updated in the User Manager database and not propagated to the AD server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only AD server. When this option is enabled, only local groups can be created and updated, while groups synchronized from the remote directory cannot be locally modified.
Common Name Attribute: The attribute field to use when loading the object's common name.
Description Attribute: The attribute field to use when loading the object description.
Unique Identifier Attribute: A single-valued attribute whose value uniquely identifies the object. In Active Directory this is objectGUID: when an object is created, the domain controller generates a 128-bit GUID, stored as a 16-byte OctetString, and assigns it to the object's objectGUID attribute. The value is unique across the forest (and, in practice, globally) and never changes, even when the object is renamed or moved, which is why it is preferred over the distinguished name or logon name for linking directory objects to User Manager records.
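An added example (not from the page or the User Manager module) of handling the objectGUID value as the directory returns it: decoding the 16-byte OctetString into the usual text form, encoding it back, and building a search filter that locates an object by GUID. The sample GUID bytes are constructed for the example.

```python
import uuid

# Added example, not FreePBX code. AD stores objectGUID as 16 raw bytes with
# the first three GUID fields little-endian, so the standard-library
# bytes_le form is the right decoder; uuid.UUID(bytes=...) would scramble
# the first eight bytes.


def guid_from_octet_string(raw):
    """Decode the 16-byte objectGUID value into canonical text form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=bytes(raw)))


def octet_string_from_guid(text):
    """Encode a GUID string back into the 16-byte form AD stores."""
    return uuid.UUID(text).bytes_le


def objectguid_filter(text):
    """LDAP search filter matching an object by its GUID.

    A binary assertion value must be escaped byte-by-byte as \\XX
    (RFC 4515); searching for the printable GUID string matches nothing.
    """
    raw = octet_string_from_guid(text)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


# Constructed sample value, as it would arrive from the directory.
SAMPLE_OBJECTGUID = bytes.fromhex("78563412341278561234567812345678")
SAMPLE_GUID_TEXT = "12345678-1234-5678-1234-567812345678"
```

Use guid_from_octet_string on the value read from the directory before storing or displaying it, and objectguid_filter (with the Base DN as search base) to re-find the object later regardless of renames or moves.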
User Configuration
User DN: This value is prepended to the Base DN to form the search base used when searching and loading users. For example ou=Users gives a search base of ou=Users,DC=domain,DC=local. If no value is supplied, the subtree search starts from the Base DN itself, e.g. just DC=domain,DC=local.
User Object Class: The object class to match when loading users (in Active Directory normally user).
User Object Filter: An additional LDAP filter applied when searching for user objects, for example to exclude disabled or service accounts. Leave it empty to load every object of the user object class under the search base.
User Name Attribute: The attribute whose value becomes the User Manager login name. In Active Directory this is normally sAMAccountName, the single-valued logon name kept for clients and servers from earlier Windows versions (Windows 95, Windows 98 and LAN Manager); it must be unique among all security principals in the domain and should be 20 characters or fewer for those older clients.
User First Name Attribute: The attribute to use for the user's first name
User Last Name Attribute: The attribute to use for the user's last name
User Display Name Attribute: The attribute to use for the user's display name
User Group Attribute: A multi-valued attribute listing the groups of which the user is a direct member (in Active Directory, memberOf). Because memberOf is a back-link computed from the groups' member attribute, the list can vary with the domain controller that answers the query (groups from other domains in the forest may be missing), and it does not include groups the user belongs to only through nesting.
User email Attribute: The attribute to use for the user's email
User Title Attribute: The attribute to use for the user's title
User Company Attribute: The attribute to use for the user's company name
User Department Attribute: The attribute to use for the user's department name
User Home Phone Attribute: The attribute to use for the user's home phone
User Work Phone Attribute: The attribute to use for the user's work phone
User Cell Phone Attribute: The attribute to use for the user's cell phone
User Fax Attribute: The attribute to use for the user's fax number
User Extension Link Attribute: The attribute to use for creating or linking this user to an extension in this PBX
Group Configuration
Group DN: This value is prepended to the Base DN to form the search base used when searching and loading groups. For example ou=Groups gives a search base of ou=Groups,DC=domain,DC=local. If no value is supplied, the subtree search starts from the Base DN itself, e.g. just DC=domain,DC=local.
Group Object Class: The object class to match when loading groups (in Active Directory normally group).
Group Object Filter: An additional LDAP filter applied when searching for group objects, for example to restrict synchronization to groups under a particular OU or with a particular name prefix.
Group Members Attribute: A multi-valued attribute holding the distinguished names of the user, group and contact objects that are members of the group (in Active Directory, member). Each value is a linked reference to the member object, so the directory updates the stored distinguished names automatically when a member is moved or renamed. Note that a user's primary group (Domain Users by default) is not listed in member or memberOf; it is recorded in the user's primaryGroupID attribute instead, so users will not appear as members of that group through this attribute.
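An added example (not code from the page or the User Manager module) showing how the Base DN, User DN, Group DN, object class, object filter and attribute settings above combine into the queries the directory receives, and why a login name must be escaped before it is placed in a filter. It also expands nested group membership over a constructed set of entries, since member and memberOf only record direct membership. The attribute names sAMAccountName, member and memberOf are the usual AD choices and are assumptions of this example; the directory entries are constructed here.

```python
# Added example, not FreePBX code. Assumes AD attribute names (sAMAccountName,
# member); the directory entries below are constructed sample data.


def compose_search_base(base_dn, relative_dn=""):
    """Join 'User DN'/'Group DN' onto 'Base DN'; empty means search from base."""
    relative_dn = relative_dn.strip().rstrip(",")
    return f"{relative_dn},{base_dn}" if relative_dn else base_dn


# RFC 4515 escaping for assertion values. Without it a login name such as
# '*' or 'x)(objectClass=*' rewrites the filter (LDAP injection).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(object_class, object_filter, username_attr, login):
    """Filter used to look a user up by login name.

    object_filter is an administrator-supplied complete filter (for example
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' to exclude disabled
    accounts) and is inserted as-is; only the login name is escaped.
    """
    parts = [f"(objectClass={escape_filter_value(object_class)})",
             f"({username_attr}={escape_filter_value(login)})"]
    if object_filter:
        parts.append(object_filter)
    return "(&" + "".join(parts) + ")"


def build_group_filter(object_class, object_filter, members_attr="member",
                       member_dn=None):
    """Filter for loading groups, optionally only those listing member_dn."""
    parts = [f"(objectClass={escape_filter_value(object_class)})"]
    if member_dn:
        parts.append(f"({members_attr}={escape_filter_value(member_dn)})")
    if object_filter:
        parts.append(object_filter)
    return "(&" + "".join(parts) + ")"


def expand_group_members(directory, group_dn, members_attr="member"):
    """Transitive member DNs of a group, following nested groups.

    member (and the user-side memberOf) list direct membership only, so a
    user in Sales Team is not a member of All Staff until nesting is
    expanded. Cycle-safe: AD permits A in B and B in A.
    """
    seen, users, queue = set(), [], [group_dn]
    while queue:
        dn = queue.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling reference, e.g. object in another domain
        if "group" in entry["objectClass"]:
            queue.extend(entry.get(members_attr, []))
        else:
            users.append(dn)
    return users


# Constructed sample directory keyed by DN. Sales Team is nested in All
# Staff, and All Staff is (circularly) a member of Sales Team.
BASE_DN = "DC=domain,DC=local"
ALL_STAFF = "CN=All Staff,OU=Groups," + BASE_DN
SALES_TEAM = "CN=Sales Team,OU=Groups," + BASE_DN
ALICE = "CN=Alice Adams,OU=Users," + BASE_DN
BOB = "CN=Bob Brown,OU=Users," + BASE_DN
DIRECTORY = {
    ALL_STAFF: {"objectClass": ["group"], "member": [SALES_TEAM, ALICE]},
    SALES_TEAM: {"objectClass": ["group"], "member": [BOB, ALL_STAFF]},
    ALICE: {"objectClass": ["user"], "sAMAccountName": "aadams"},
    BOB: {"objectClass": ["user"], "sAMAccountName": "bbrown"},
}
```

The search base from compose_search_base and the filter from build_user_filter are what a login attempt sends to the domain controller; the escaping is what keeps a crafted login name from turning that into a query for a different account. If the directory supports it, the AD matching rule 1.2.840.113556.1.4.1941 (memberOf:1.2.840.113556.1.4.1941:=<group DN>) lets the server expand nesting instead of the client.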