User Management with Active Directory

The AD features of the User Management module were later additions and are not fully mature. Expect inconsistency, particularly when scaling to very large directories or when using AD credentials for soft client login.

The Active Directory Directory type is typically associated with Microsoft Windows Servers. It is a variant of LDAP specifically suited for Microsoft Servers in corporate environments.

For troubleshooting tips, see How to Authenticate User Manager via Microsoft Active Directory.

For more information about filters, see How to write LDAP search filters.

Directory Settings


  • Secure Connection Type:

    • None: No encryption

    • Start TLS: TLS is negotiated over a plain TCP connection

    • SSL: Secure Sockets Layer

SSL / TLS

When setting up a secure connection using the Start TLS or SSL options for the Secure Connection Type, the LDAP server needs a valid certificate in place to establish the connection. Self-signed certificates won't work without a custom configuration like the following:

    echo "TLS_REQCERT never" >> /etc/openldap/ldap.conf

The parameter TLS_REQCERT with the value "never" needs to be added to ldap.conf to work with self-signed certificates. Be aware that this setting turns off certificate verification entirely: the connection is still encrypted, but the client no longer checks that it is talking to the intended server. Where possible, point TLS_CACERT in the same file at the self-signed certificate (or the CA that issued it) instead, which keeps verification enabled.

  • Host: The IP address of the AD server

  • Port: The TCP port of the LDAP service: 389 for plain and Start TLS connections, 636 for SSL connections

  • Username: Username of a user that is able to perform filter actions. Typically an administrator

  • Password: Password of a user that is able to perform filter actions. Typically an administrator

  • Domain: The Active Directory domain, typically in the format domain.local

  • Base DN: The base distinguished name. Usually in the format of DC=domain,DC=local. LDAP uses distinguished names to provide unique names to directory objects; every object in Active Directory has an LDAP distinguished name. A distinguished name is a naming structure that consists of a string of the hierarchical components that make up the complete object.

  • Status: After the settings are submitted, the status shows green if User Manager was able to connect, or red with the error message

Operational Settings


  • Create Missing Extensions: Whether to create extensions based on the 'User Extension link attribute value'

    • Don't Create: Don't create default extensions

    • Driver Type: Create default extensions of type driver

  • Manage Groups Locally: If you select the Manage Groups Locally setting, new groups are created and updated in the User Manager database and not propagated to the AD server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only AD server. When this option is enabled, only local groups can be created and updated, while groups synchronized from the remote directory cannot be locally modified.

  • Common Name Attribute: The attribute field to use when loading the object's common name.

  • Description Attribute: The attribute field to use when loading the object description.

  • Unique Identifier Attribute: A single-value attribute that is the unique identifier for the object. In Active Directory this is a Globally Unique Identifier (GUID): when an object is created in the directory, the Active Directory server generates a GUID and assigns it to the object's objectGUID attribute. The GUID is unique across the enterprise and anywhere else. The objectGUID is a 128-bit GUID structure stored as an OctetString.
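objectGUID values come back from the directory as raw 16-byte OctetStrings, and the first three GUID fields are stored little-endian, so printing the bytes as hex does not give the string that AD tools display. The following is an added example (not User Manager's own code) that decodes and re-encodes the attribute and builds an exact-match filter on it, using a constructed sample value:

```python
import uuid


def object_guid_to_text(octets: bytes) -> str:
    """Decode the 16-byte objectGUID OctetString into the familiar GUID text form.

    AD stores the first three GUID fields little-endian (Microsoft layout),
    which uuid.UUID(bytes_le=...) handles for us.
    """
    if len(octets) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(octets))
    return str(uuid.UUID(bytes_le=octets))


def text_to_object_guid(text: str) -> bytes:
    """Encode a GUID string back into the raw OctetString AD stores."""
    return uuid.UUID(text).bytes_le


def object_guid_filter(octets: bytes) -> str:
    """Build an RFC 4515 filter that matches exactly this object by GUID.

    Binary assertion values must be escaped byte by byte as \\XX. Keying a
    sync job on the GUID (rather than the name) lets it re-identify a user
    that has been renamed or moved to another OU.
    """
    if len(octets) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(octets))
    return "(objectGUID=" + "".join("\\%02x" % b for b in octets) + ")"


# Constructed sample value (not a real directory object): bytes 0x01..0x10.
SAMPLE_GUID = bytes(range(1, 17))

if __name__ == "__main__":
    text = object_guid_to_text(SAMPLE_GUID)
    print(text)                          # 04030201-0605-0807-090a-0b0c0d0e0f10
    print(object_guid_filter(text_to_object_guid(text)))
```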

User Configuration

  • User DN: This value is used in addition to the base DN when searching and loading users. An example is ou=Users, which is prepended to the 'Base DN' to form the search base for users, giving something similar to ou=Users,DC=domain,DC=local. If no value is supplied, the subtree search will start from the base DN, e.g. just DC=domain,DC=local.

  • User Object Class: The user object class type to use when loading users.

  • User Object Filter: The filter to use when searching user objects.

  • User Name Attribute: The attribute to use when creating a username for login. The User Name attribute is a single-value attribute that is the logon name used to support clients and servers from a previous version (Windows 95, Windows 98, and LAN Manager). The User Name should be less than 20 characters to support clients and servers from a previous version. The User Name must be unique among all security principal objects within a domain.

  • User First Name Attribute: The attribute to use for the user's first name

  • User Last Name Attribute: The attribute to use for the user's last name

  • User Display Name Attribute: The attribute to use for the user's display name

  • User Group Attribute: The attribute is a multi-valued attribute that contains groups of which the user is a direct member, depending on the domain controller (DC) from which this attribute is retrieved

  • User Email Attribute: The attribute to use for the user's email

  • User Title Attribute: The attribute to use for the user's title

  • User Company Attribute: The attribute to use for the user's company name

  • User Department Attribute: The attribute to use for the user's department name

  • User Home Phone Attribute: The attribute to use for the user's home phone

  • User Work Phone Attribute: The attribute to use for the user's work phone

  • User Cell Phone Attribute: The attribute to use for the user's cell phone

  • User Fax Attribute: The attribute to use for the user's fax phone

  • User Extension Link Attribute: The attribute to use for creating or linking this user to an extension in this PBX

Group Configuration

  • Group DN: This value is used in addition to the base DN when searching and loading groups. An example is ou=Groups, which is prepended to the 'Base DN' to form the search base for groups, giving something similar to ou=Groups,DC=domain,DC=local. If no value is supplied, the subtree search will start from the base DN, e.g. just DC=domain,DC=local.

  • Group Object Class: The group object class type to use when loading groups.

  • Group Object Filter: The filter to use when searching group objects.

  • Group Members Attribute: The group members attribute is a multi-value attribute that contains the list of distinguished names for the user, group, and contact objects that are members of the group. Each item in the list is a linked reference to the object that represents the member; therefore, the Active Directory server automatically updates the distinguished names in the member property when a member object is moved or renamed.
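The User DN / Group DN, Object Class and Object Filter settings above, together with the User Name Attribute, are combined into an LDAP search base and an RFC 4515 filter. The following added example (not User Manager's own code; exactly how the module composes these settings is an assumption) shows one way to do that composition, escaping the login name so that a crafted username cannot change the meaning of the filter:

```python
def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\ * ( ) and NUL become \\XX)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def search_base(base_dn: str, relative_dn: str = "") -> str:
    """Combine the 'User DN' / 'Group DN' setting with the 'Base DN' setting.

    An empty relative DN means the subtree search starts at the base DN itself.
    """
    relative_dn = relative_dn.strip().rstrip(",")
    return "%s,%s" % (relative_dn, base_dn) if relative_dn else base_dn


def object_filter(object_class: str, extra_filter: str = "") -> str:
    """Filter that loads every object of the configured class, ANDed with the
    optional 'User Object Filter' / 'Group Object Filter' (admin-supplied,
    so it is used verbatim and only wrapped in parentheses if needed)."""
    class_term = "(objectClass=%s)" % escape_filter_value(object_class)
    extra_filter = extra_filter.strip()
    if not extra_filter:
        return class_term
    if not extra_filter.startswith("("):
        extra_filter = "(%s)" % extra_filter
    return "(&%s%s)" % (class_term, extra_filter)


def login_filter(object_class: str, extra_filter: str,
                 username_attr: str, username: str) -> str:
    """Filter for one login attempt: the configured object filter ANDed with an
    exact, escaped match on the 'User Name Attribute' (e.g. sAMAccountName)."""
    return "(&%s(%s=%s))" % (object_filter(object_class, extra_filter),
                             username_attr, escape_filter_value(username))


if __name__ == "__main__":
    # Constructed settings matching the examples on this page.
    print(search_base("DC=domain,DC=local", "ou=Users"))
    # Exclude disabled accounts via the LDAP_MATCHING_RULE_BIT_AND rule on userAccountControl.
    disabled = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    print(login_filter("user", disabled, "sAMAccountName", "jdoe"))
    # A malformed login name is neutralised rather than closing the filter early.
    print(login_filter("user", "", "sAMAccountName", "*)(objectClass=*"))
```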
