Category:HowTo:Directory:LDAP

From Snom User Wiki

== Definition ==

LDAP stands for Lightweight Directory Access Protocol, a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers. LDAP lets you locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet, and whether or not you know the domain name, IP address, or geographic whereabouts. An LDAP directory can be distributed among many servers on a network, then replicated and synchronized regularly.

Perhaps the biggest plus of LDAP is that users can access the central LDAP directory of your organization from LDAP-aware applications such as snom [[IP-Phones]] without having to maintain local address books.
The LDAP protocol is both cross-platform and standards-based, so applications needn't worry about the type of server hosting the directory. In fact, LDAP has found much wider industry acceptance because of its status as an Internet standard. Vendors are more willing to write LDAP integration into their products because they don't have to worry about what's at the other end. Your LDAP server could be any one of a number of open-source or commercial LDAP directory servers (or even a DBMS server with an LDAP interface), since interacting with any true LDAP server involves the same protocol, client connection package, and query commands.

LDAP is particularly useful for storing information that you wish to read from many locations but update infrequently. For example, your company could store all of the following very efficiently in an LDAP directory:
*The company employee phone book and organizational chart
*External customer contact information
*Infrastructure services information, including NIS maps, email aliases, and so on
*Configuration information for distributed software packages
*Public certificates and security keys

== Availability on snom phones ==

{|
|-
|{{MenuHeading}}width:25%;" |FW Version
|{{MenuHeading}}width:35%;" |Phone Type
|{{MenuHeading}}width:35%;" |Features
|-
|[[Image:Fw-version-5.gif]] (Stable: 5.5)
|[[Image:s320.png|50px]] [[Image:s360.png|50px]]
|
*Basic '''LDAP V2''' support
|-
|[[Image:Fw-version-6.gif]] (Enhanced: 6.3)
|[[Image:s300.png|26px]] [[Image:s320.png|50px]] [[Image:s360.png|50px]]
|
*Enhanced navigation ('''LDAP V2''')
|-
|[[Image:Fw-version-7.gif]] (from 7.1.29 beta)
|[[Image:s300.png|26px]] [[Image:s320.png|50px]] [[Image:s360.png|50px]] [[Image:s370.png|50px]]
|rowspan=2|
*'''LDAP V3'''
*Enhanced Configuration
*Filter Functions
*Directory Search Option
|-
|[[Image:Fw-version-8.gif]]
|[[Image:s820.png|32px]] [[Image:s870.png|35px]] [[Image:snom_mp.png|50px]]
|-
|[[Image:Fw-version-9.png]]
|style="width:10%;"|<imagemap>Image:Snom m9 frontcombo WEB.jpg|70px
default [[Snom_m9|snom m9 support page]]
desc none</imagemap>
|
*'''LDAP V3'''
|-
|}

== Introduction ==
If LDAP is properly configured, the phone performs a lookup on the LDAP server for entries with a telephoneNumber attribute set each time you start entering a number or name on the phone keypad.

If you type in digits, the phone displays all entries whose telephoneNumber begins with the digits entered so far.
If you type in a name, the phone displays all entries whose displayName (or whatever name filter is set) begins with what has been entered so far. (This is not case-sensitive.)

Use the up and down arrows of the navigation key [[Image:Navigation.png|20px]] to scroll through the results and dial a highlighted entry by pressing [[Image:Ok_key.png|20px]].

== Usage ==

There are two ways to perform an LDAP search on your phone:

#Simply start a search against LDAP by '''pressing a number'''. All matching entries will be shown according to your query setup. The default edit mode is numeric.
#Allocate the [[Settings/F_DIRECTORY_SEARCH|Directory Search function]] to one of the function keys. To do so, take the following steps:
## Navigate to the "Function Keys" Web User Interface page
##* Firmware Version [[Image:Fw-version-6.gif]] [[Web Interface/V6/Function Keys#Free Function Keys|Free Function Keys Section]]
##* Firmware Version [[Image:Fw-version-7.gif]] [[Web Interface/V7/Function Keys#Free Function Keys|Free Function Keys Section]]
##* Firmware Version [[Image:Fw-version-8.gif]] [[Web Interface/V8/Function Keys#Free Function Keys|Free Function Keys Section]]
## Choose one of the free function keys and select the "[[Settings/fkey_context|Context]]", i.e. the SIP identity.
## Choose the "[[Settings/fkey|Type]]" [[Settings/fkey/keyevent|"Key Event"]]
## Enter the value '''F_DIRECTORY_SEARCH''' in the "Number" field and press "Save".

[[Image:03_ldap_fkey.png|600px]]

== Configuration ==

The internal LDAP client can be configured in the [[Web_Interface/V7/Advanced#LDAP|LDAP Section]] of your phone's Web User Interface (WUI).
On your snom phone you will see something like the following screenshot. For more details, see examples 1 to 6:

[[Image:screenshot-ldap1.png]]

=== Example Configuration ===

You can use the settings below as a starting point and adjust the filter and display attributes according to your needs.

;[[Settings/ldap_search_filter|LDAP name filter]]
: (&(telephoneNumber=*)(sn=%)) --> [[Features/LDAP#Example_1:_LDAP_name_filter|Example 1]]
;[[Settings/ldap_number_filter|LDAP number filter]]
: (&(telephoneNumber=%)(sn=*)) --> [[Features/LDAP#Example_2:_LDAP_number_filter|Example 2]]
;[[Settings/ldap_server|Server Address]]
: [IP address or domain]. Examples: 192.168.1.100, ldap.uno.edu, ldap.company.com
;[[Settings/ldap_port|Port]]
: [blank or specified LDAP port]
;[[Settings/ldap_base|Base]]
: DC=domain,DC=com --> [[Features/LDAP#Example_3:_LDAP_Base|Example 3]]
;[[Settings/ldap_username|Username]]
: Admin
;[[Settings/ldap_password|Password]]
: PASSWORD
;[[Settings/ldap_max_hits|Max.Hits]]
: 50
;[[Settings/ldap_name_attributes|LDAP Name Attributes]]
: cn sn displayName --> [[Features/LDAP#Example_4:_LDAP_name_attributes|Example 4]]
;[[Settings/ldap_number_attributes|LDAP Number Attributes]]
: Mobile telephoneNumber ipPhone --> [[Features/LDAP#Example_5:_LDAP_number_attributes|Example 5]]
;[[Settings/ldap_display_name|LDAP display Name]]
: %displayName --> [[Features/LDAP#Example_6:_LDAP_display_name|Example 6]]
;[[Settings/country_code|Countrycode]]
: +49
;[[Settings/area_code|Areacode]]
: 030

*Also make sure that the [[Settings/display_method|Number Display Style]] is set to return either name, number or both, as required.
*The username and password are stored on the phone and used to bind to the directory, so prefer a dedicated account with read-only access to the contact attributes over an administrative account.

===Example 1: LDAP name filter===

Here you specify your search criteria for name lookups. The '''%''' placeholder stands for the prefix entered on the keypad.
*When you enter in this field: '''(&(telephoneNumber=*)(sn=%))'''
the result of your search will be all LDAP records which have the “telephoneNumber” field set and whose (“sn” --> surname) field starts with the entered prefix.
*When you enter in this field: '''(|(cn=%)(sn=%))'''
the result of your search will be all LDAP records whose (“cn” --> commonName) OR (“sn” --> surname) field starts with the entered prefix.
*When you enter in this field: '''(!(cn=%))'''
the result of your search will be all LDAP records which do '''not''' have a “cn” field starting with the entered prefix.

===Example 2: LDAP number filter===
Here you specify your search criteria for number lookups.
*When you enter in this field, for example: '''(|(telephoneNumber=%)(Mobile=%)(ipPhone=%))'''
the result of your search will be all LDAP records whose “telephoneNumber” OR “Mobile” OR “ipPhone” field starts with the entered prefix.
*When you enter in this field: '''(&(telephoneNumber=%)(sn=*))'''
the result of your search will be all LDAP records which have the “sn” field set and whose “telephoneNumber” field starts with the entered prefix.

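The filter mechanics of Examples 1 and 2, as an added example that is not snom code: it substitutes the keypad input for every '''%''' in the configured filter, escapes that input per RFC 4515 so that characters such as '''*''' or ''')''' stay literal instead of changing the filter's structure, and evaluates the resulting filter against a small in-memory directory. It assumes that the phone expands '''%''' to the typed prefix followed by '''*''' (a prefix match, as described above); the directory entries and their attribute values are constructed for the example.

```python
import re

# Constructed directory entries standing in for LDAP search results.
DIRECTORY = [
    {"cn": "Mike Black", "sn": "Black", "givenName": "Mike",
     "displayName": "Mike Black", "telephoneNumber": "+49 30 1234"},
    {"cn": "Anna Blum", "sn": "Blum", "givenName": "Anna",
     "mobile": "0170 5555"},                          # no telephoneNumber
    {"cn": "John Reed", "sn": "Reed", "givenName": "John",
     "telephoneNumber": "+49 30 9876", "ipPhone": "200"},
]

def escape_prefix(text):
    """Escape RFC 4515 special characters so keypad input stays a literal."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in text)

def build_filter(template, typed):
    """Substitute '%' with the typed prefix plus '*' (prefix match, assumed)."""
    return template.replace("%", escape_prefix(typed) + "*")

def parse(f, i=0):
    """Parse one '(...)' filter item; returns (node, index after it)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|":                       # AND / OR over child filters
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    if f[i] == "!":                        # NOT of a single child
        node, i = parse(f, i + 1)
        return ("!", node), i + 1
    j = f.index(")", i)                    # simple item: attr=pattern
    attr, pattern = f[i:j].split("=", 1)
    return ("=", attr, pattern), j + 1

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = [v for k, v in entry.items() if k.lower() == attr.lower()]
    if pattern == "*":                     # presence test, e.g. telephoneNumber=*
        return bool(values)
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def lookup(template, typed, directory=DIRECTORY):
    """Return the cn of every entry the phone would list for this input."""
    tree, _ = parse(build_filter(template, typed))
    return [e["cn"] for e in directory if matches(tree, e)]

if __name__ == "__main__":
    print(lookup("(&(telephoneNumber=*)(sn=%))", "bl"))   # ['Mike Black']
    print(lookup("(|(telephoneNumber=%)(Mobile=%)(ipPhone=%))", "0170"))
```

Typing a bare '''*''' yields no hits rather than the whole directory, because the escaped input can only match a literal asterisk.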
===Example 3: LDAP Base===
Here are some examples of what you could enter for the [[Settings/ldap_base|ldap_base]] setting, i.e. the distinguished name of the subtree in which the phone searches:
: o=UNIVERSITY OF NEW ORLEANS,c=US
: o=SFU,c=CA
: dc=telesec,dc=de

===Example 4: LDAP name attributes===
The LDAP name attributes setting specifies the “name” attributes of each record which are to be returned in the LDAP search results.
*When you enter in this field, for example: '''cn sn displayName'''
the “cn” (commonName, i.e. the full name of the user), “sn” (surname, last name or family name) and “displayName” fields are requested for each LDAP record.

See the following screenshot example of an Active Directory:

[[Image:name-attri.png|700px]]

;Further Examples
;cn sn displayName
: Requires the “cn”, “sn” and “displayName” fields for each LDAP record.
;givenName
: Requires the “givenName” field for each LDAP record.
;vorName nachName
: Requires the “vorName” and “nachName” fields for each LDAP record.

===Example 5: LDAP number attributes===

The LDAP number attributes setting specifies the “number” attributes of each record which are to be returned in the LDAP search results.
*When you enter in this field, for example: '''Mobile telephoneNumber ipPhone'''
the “Mobile”, “telephoneNumber” and “ipPhone” fields are requested for each LDAP record.

See this screenshot example of an Active Directory:
[[Image:numberattri.png|700px]]

;Further examples
;Mobile telephoneNumber ipPhone
: Requires the “Mobile”, “telephoneNumber” and “ipPhone” fields for each LDAP record.
;Home Private Office
: Requires the “Home”, “Private” and “Office” fields for each LDAP record.

===Example 6: LDAP display name===

This setting specifies the format in which the name (e.g. here Mike Black) of each returned search result is displayed on the snom phone. Each '''%attribute''' token is replaced by the value of that attribute in the returned record.
*When you enter in this field, for example: '''%sn, %givenName'''
the displayed result should be “Black, John”
*When you enter in this field, for example: '''%cn'''
the displayed result should be “Mike Black”.
*When you enter in this field, for example: '''%givenName'''
the displayed result should be “Mike Black”
*When you enter in this field, for example: '''%givenName - %sn'''
the displayed result should be “Mike - Black”

=== Common attributes ===

The most common attributes used to configure the LDAP lookup on your phone:

{|border="0" cellpadding="7" cellspacing="0" valign="top" style="width: 75%; text-align: left; border:1px solid #C0C0C0"
|-
! Abbreviation
! Name
! Description
|-
| cn
| commonName
| Full name of the user
|-
| company
| company
| Company or organisation name
|-
| gn
| givenName
| First name, also called Christian name
|-
| homePhone
| homeTelephoneNumber
| Home phone number
|-
| mobile
| mobileTelephoneNumber
| Mobile or cellular phone number
|-
| o
| organizationName
| Organization name
|-
| ou
| organizationalUnitName
| Usually a department or other sub-entity of a larger entity
|-
| pager
| pagerTelephoneNumber
| Pager telephone number
|-
| sn
| surname
| Surname, last name or family name
|-
| -
| telephoneNumber
| Office phone number
|}

== Troubleshooting ==

A good way to troubleshoot problems with an LDAP setup is to take a [[Web_Interface/V7/PCAP_Trace|PCAP trace]] while performing a lookup.
By tracing the search requests you can check whether the phone connects and authenticates correctly and see which requests are sent from the phone to the LDAP server. If the connection is not TLS-protected, a simple bind in the trace shows the configured username and password in cleartext, so handle captured traces as sensitive.

Below you can see an example of a successful LDAP lookup:

[[Image:01_ldap_trace.png|600px]]

[[Image:02_ldap_trace.png|500px]]

[[Category:HowTo]][[Category:Directory:LDAP]]

Revision as of 13:31, 4 August 2010
