Category:HowTo:Directory:LDAP

From Snom User Wiki

(Difference between revisions)
(Example 2: LDAP number filter)
(Replaced content with 'This page has been moved to https://service.snom.com/display/wiki/LDAP+Directory')
 
(8 intermediate revisions not shown)
Line 1: Line 1:
-
== Introduction ==
+
This page has been moved to https://service.snom.com/display/wiki/LDAP+Directory
-
If LDAP is properly configured, the phone performs a lookup on the LDAP server for any entries with a telephoneNumber attribute set each time you start entering a number or name on the phone keypad.
+
-
 
+
-
If you type in digits then the phone displays all entries where the telephoneNumber begins with the same number entered so far.
+
-
If you are typing in a name then the phone displays all entries where the displayName (or whatever name filter is set) begins with what has been entered so far. (This is not case-sensitive.)
+
-
 
+
-
Use the up and down arrows of the button [[Image:Navigation.png|20px]] to scroll through results and dial a highlighted entry by pressing [[Image:Ok_key.png|20px]].
+
-
 
+
-
== Usage ==
+
-
 
+
-
There are two ways to perform a LDAP search on your phone:
+
-
 
+
-
#Simply start a search against LDAP by '''pressing a number'''. All corresponding entries will be shown accordingly to your query setup. Default edit mode is numeric.
+
-
#Allocate the [[Settings/F_DIRECTORY_SEARCH|Directory Search function]] to one of the function keys. To do so take the following steps:
+
-
## Navigate to the "Function Keys" Web User Interface page
+
-
##* Firmware Version [[Image:Fw-version-6.gif]] [[Web Interface/V6/Function Keys#Free Function Keys|Free Function Keys Section]]
+
-
##* Firmware Version [[Image:Fw-version-7.gif]] [[Web Interface/V7/Function Keys#Free Function Keys|Free Function Keys Section]]
+
-
##* Firmware Version [[Image:Fw-version-8.gif]] [[Web Interface/V8/Function Keys#Free Function Keys|Free Function Keys Section]]
+
-
## Choose one of the free function keys and select the "[[Settings/fkey_context|Context]]", i.e. the SIP identity.
+
-
## Choose the "[[Settings/fkey|Type]]" [[Settings/fkey/keyevent|"Key Event"]]
+
-
## Enter the value '''F_DIRECTORY_SEARCH''' in the "Number" field and press "Save".
+
-
 
+
-
[[Image:03_ldap_fkey.png|600px]]
+
-
 
+
-
== Configuration ==
+
-
 
+
-
The internal LDAP client can be configured at the [[Web_Interface/V7/Advanced#LDAP|LDAP Section]]  of your phone's Web User Interface (WUI).
+
-
In your snom phone you will see something like the following screenshot, For more details and comprehension see examples 1 to 6:
+
-
 
+
-
[[Image:screenshot-ldap1.png]]
+
-
 
+
-
Since version V10.1.27.0 two additional LDAP settings are available: LDAP Name Filter During Call and LDAP Number Filter During Call.
+
-
These filter rules are taken during call, for example when dialing or for looking up an incoming call.
+
-
 
+
-
=== Example Configuration===
+
-
 
+
-
You can use the below settings as a starting point and adjust the filter and display attributes according to your needs.
+
-
 
+
-
;[[Settings/ldap_search_filter|LDAP name filter]]
+
-
: (&(telephoneNumber=*)(sn=%)) --> [[:Category:HowTo:Directory:LDAP#Example_Configuration|Example 1]]
+
-
;[[Settings/ldap_number_filter|LDAP number filter]]
+
-
: (&(telephoneNumber=%)(sn=*)) --> [[:Category:HowTo:Directory:LDAP#Example_2:_LDAP_number_filter|Example 2]]
+
-
;[[Settings/ldap_search_filter_during_call|LDAP Name Filter During Call]]
+
-
: (&(telephoneNumber=*)(sn=%)) --> [[:Category:HowTo:Directory:LDAP#Example_Configuration|Example 1]]
+
-
;[[Settings/ldap_number_filter_during_call|LDAP Number Filter During Call]]
+
-
: (&(telephoneNumber=%)(sn=*)) --> [[:Category:HowTo:Directory:LDAP#Example_2:_LDAP_number_filter|Example 2]]
+
-
;[[Settings/ldap_server|Server Address]]
+
-
:[IP address or domain]. Examples: 192.168.1.100, ldap.uno.edu, ldap.company.com
+
-
;[[Settings/ldap_port|Port]]:
+
-
:[blank or specified LDAP port]
+
-
;[[Settings/ldap_base|Base]]
+
-
: DC=domain,DC=com --> [[:Category:HowTo:Directory:LDAP#Example_3:_LDAP_Base|Example 3]]
+
-
;[[Settings/ldap_username|Username]]
+
-
:Admin
+
-
;[[Settings/ldap_password|Password]]
+
-
: PASSWORD
+
-
;[[Settings/ldap_max_hits|Max.Hits]]
+
-
:50
+
-
;[[Settings/ldap_name_attributes |LDAP Name Attributes]]
+
-
: cn sn displayName --> [[:Category:HowTo:Directory:LDAP#Example_4:_LDAP_name_attributes|Example 4]]
+
-
;[[Settings/ldap_number_attributes|LDAP Number Atrributes]]
+
-
: Mobile telephoneNumber ipPhone  --> [[:Category:HowTo:Directory:LDAP#Example_5:_LDAP_number_attributes|Example 5]]
+
-
;[[Settings/ldap_display_name|LDAP display Name]]
+
-
: %displayName --> [[:Category:HowTo:Directory:LDAP#Example_6:_LDAP_display_name|Example 6]]
+
-
;[[Settings/country_code|Countrycode]]
+
-
: +49
+
-
;[[Settings/area_code|Areacode]]
+
-
: 030
+
-
 
+
-
*Make also sure, that the [[Settings/display_method|Number Display Style]] is set accordingly to return either name, number or both.
+
-
 
+
-
=== Migrating settings for LDAP to Version V10.1.27.0 ===
+
-
 
+
-
Very often no special migration steps are necessary, the LDAP filter will still work. Still this section describes how the old settings in conjunction worked, and how that can be adjusted in the filter rules.
+
-
Now additional filter rules are available, and the full notation of substring filters can be used.
+
-
 
+
-
==== [http://wiki.snom.com/Settings/partial_lookup Partial Lookup] is no longer taken for LDAP ====
+
-
 
+
-
Please note that the setting partial lookup was only taken into account for searches during call, meaning displaying the name
+
-
of a caller, direct dial, or in connected state. To adjust the settings (if necessary) please use the new settings
+
-
[http://wiki.snom.com/wiki/index.php?title=Settings/ldap_number_filter_during_call ldap_number_filter_during_call] and
+
-
[http://wiki.snom.com/wiki/index.php?title=Settings/ldap_name_filter_during_call ldap_name_filter_during_call].
+
-
The described filter syntax can of course also be used for the old settings [http://wiki.snom.com/wiki/index.php?title=Settings/ldap_number_filter ldap_number_filter] and
+
-
[http://wiki.snom.com/wiki/index.php?title=Settings/ldap_name_filter ldap_name_filter]. They are used in cases if the search takes place via the LDAP directory.
+
-
 
+
-
* Partial Lookup off meant, that all filter rules where interpreted as equality filter. This meant that a filter like this:
+
-
 
+
-
:cn=*% was interpreted as cn=%
+
-
 
+
-
:This means that if you want to have the same effect as partial lookup = off, you need to change the filter rules to attributeName=%
+
-
 
+
-
* Partial Lookup on meant, that all filter rules where interpreted as substring any filter. This meant that a filter like this:
+
-
 
+
-
: cn=*% would have been interpreted as cn=*%*.
+
-
 
+
-
: If you want to have the same effect as partial lookup = on, you need to change the filter rules to attributeName=*%*
+
-
 
+
-
* Old behavior: Partial Lookup with a number like 4 meant, that all filter rules where interpreted as substring final. This meant that a filter like this:
+
-
 
+
-
: cn=*%, but also cn=%* or cn=*%* would have been interpreted as final. The search string would be limited to 4 characters.
+
-
 
+
-
: New behavior: If you want to have the same effect, you need to write a filter rule like cn=*%. A limitation to the characters is no longer possible this way.
+
-
: In most cases throwing away some search string characters is not wanted. Every additional character only narrows the search.
+
-
: If the new search request is now too narrow, it might be necessary to set an areacode or contrycode. Also the full support of LDAP substrings
+
-
: of [https://tools.ietf.org/html/rfc2254 RFC2254] can be used to solve the problem.
+
-
 
+
-
* Support of substring filters, less-or-equal filters, greater-or-equal filters, approximate filters  [https://tools.ietf.org/html/rfc2254 RFC2254]
+
-
 
+
-
: Now very complex filters can be build. The limitation to only apply one kind of substring filter (initial/any/final) is no longer necessary.
+
-
 
+
-
: Example: telephoneNumber=123*456*789 : Must start with 123, must contain 456, and must end with 789
+
-
 
+
-
==== [http://wiki.snom.com/Settings/perform_initial_query_in_ldap_state Perform Initial Query in LDAP state] changed slightly ====
+
-
 
+
-
* If this setting was switched on, any substring filter was interpreted as initial.
+
-
: cn=*%, but also cn=%* or cn=*%* where all interpreted as cn=%*
+
-
 
+
-
:This now changed, the % placeholder will be replaced with the * and consecutive stars will be removed. In most old filter rules this will lead to the same result.
+
-
:The new approach will keep some explicit characters inside the search string, like cn=*456% would lead to cn=*456* (any), or cn=456%* would lead to cn=456*
+
-
 
+
-
===Example 1: LDAP name filter===
+
-
 
+
-
Here you have to specify your search criteria for name look ups.
+
-
*When you type in this field :'''(&(telephoneNumber=*)(sn=%))'''
+
-
the result of your search will be all LDAP records which have the “telephoneNumber” field set and the (“sn”-->surname) field is equal the entered search string.
+
-
*When you type in this field : '''(|(cn=%)(sn=%))'''
+
-
the result of your search will be all LDAP records which have the (“cn”-->CommonName) OR (“sn”-->Surname) field is equal the entered search string.
+
-
* When you type in this field: '''(!(cn=%))'''
+
-
the result of your search will be all LDAP records which “do not” have the “cn” field with the entered search string.
+
-
 
+
-
*'''Additional filter options as of version 10.1.27.0:'''
+
-
** When you type '''(cn=John*)''' the result represents a substring filter with a subInitial component of “John” and no subAny or subFinal components. Everything starting with John will be matched
+
-
** When you type '''(cn=*John*)''' the result represents a a substring filter with a single subAny component of “John” and no subInitial or subFinal components. Anything which contains John will be matched
+
-
** When you type '''(cn=*John*Doe*)''' the result represents a substring filter with two subAny components of “John” and “Doe” and no subInitial or subFinal components. Anything which contains John and Doe will be matched
+
-
** When you type '''(cn=*Doe)''' the string represents a substring filter with a subFinal component of “Doe” and no subInitial or subAny elements. Anything ending with Doe will be matched
+
-
** Additionally the '''greater or equal , less or equal and approximate filters''' are supported as of version 10.1.27.0. What is returned is dependent of the server implementation. If you enter '''(cn>=Doe)''', it could result in a numeric or lexicographic comparison, and the subsequent result. Likewise <=.
+
-
** The '''approximate filter''' is also implementation dependent. When you type '''(cn~=John)''' the return type could be Jon and John.
+
-
 
+
-
===Example 2: LDAP number filter===
+
-
Here you have to specify your search criteria for number look ups.
+
-
*When you  type in this field for example:'''(|(telephoneNumber=%)(Mobile=%)(ipPhone=%))'''
+
-
the result of your search will be all LDAP records which have the “telephoneNumber” OR “Mobile” OR “ipPhone”field equal the the entered prefix.
+
-
* When you type in this field: '''(&(telephoneNumber=%)(sn=*))'''
+
-
the result of your search will be all LDAP records which have the “sn” field set and the “telephoneNumber” field is equal the entered prefix.
+
-
 
+
-
* Additionally as of version 10.1.27.0 the '''greater or equal , less or equal and approximate filters''' are supported. What is returned is dependent of the server implementation. When you type '''(telephoneNumber >= 5)''' , it could result in a numeric or lexicographic comparison, and the subsequent result. Likewise <=.
+
-
 
+
-
 
+
-
https://ldap.com/ldap-filters/
+
-
 
+
-
===Example 3: LDAP Base===
+
-
Here are some examples of what you cound enter for the [[Settings/ldap_base|ldap_base]] setting
+
-
o=UNIVERSITY OF NEW ORLEANS,c=US
+
-
o=SFU,c=CA
+
-
dc=telesec,dc=de
+
-
 
+
-
===Example 4: LDAP name attributes===
+
-
The LDAP name attributes setting can be used to specify the “name” attributes of each record which are to be returned in the LDAP search results.
+
-
*When you  type in this field for example:'''cn sn displayName'''
+
-
this requires to specify “cn”-->commonName means Full name of the user, “sn”-->Surname, last name or family name and “displayName” fields for each LDAP record.
+
-
 
+
-
See the following screenshot example of an Active Directory:
+
-
 
+
-
[[Image:name-attri.png|700px]]
+
-
 
+
-
;Further Examples
+
-
cn sn displayName
+
-
Requires “cn”, “sn” and “displayName” fields for each LDAP record.
+
-
givenName
+
-
Requires “givenName” field for each LDAP record.
+
-
<br>
+
-
'''Note:''' Only ''givenName'' is being accepted as name attribute but not its abbreviation ''gn''!
+
-
vorName nachName
+
-
Requires “vorName” and “nachName” fields for each LDAP record.
+
-
 
+
-
===Example 5: LDAP number attributes===
+
-
 
+
-
The LDAP number attributes setting can be used to specify the “number” attributes of each record which are to be returned in the LDAP search results.
+
-
*When you  type in this field for example:'''Mobile telephoneNumber ipPhone'''
+
-
this requires to specify “Mobile”, “telephoneNumber” and “ipPhone” fields for each LDAP record.
+
-
 
+
-
See this screenshot example of an Active Directory:
+
-
[[Image:numberattri.png|700px]]
+
-
 
+
-
;Further examples:
+
-
Mobile telephoneNumber ipPhone
+
-
Requires “Mobile”, “telephoneNumber” and “ipPhone” fields for each LDAP record.
+
-
Home Private Office
+
-
Requires “Home”, “Private” and “Office” fields for each LDAP record.
+
-
 
+
-
===Example 6: LDAP display name===
+
-
 
+
-
This setting specifies the format in which the “name, e.g. here Mike Black” of each returned search result is to be displayed on the snom phone.
+
-
*When you  type in this field for example:'''%sn, %givenName'''
+
-
the displayed returned result should be “Black, John”
+
-
*When you  type in this field for example:'''%cn'''
+
-
the displayed returned result should be  “Mike Black”.
+
-
*When you  type in this field for example:'''%givenName'''
+
-
the displayed returned result should be “Mike Black"
+
-
*When you  type in this field for example:'''%givenName  - %sn '''
+
-
the displayed returned result should be “Mike - Black"
+
-
 
+
-
 
+
-
=== Common attributes  ===
+
-
 
+
-
Most common attributes used to configure LDAP lookup in your phone with:
+
-
 
+
-
{|border="0" cellpadding="7" cellspacing="0" valign="top" style="width: 80%; text-align: left; border:1px solid #C0C0C0"
+
-
|-
+
-
! Abbrevation
+
-
! Name
+
-
! Description
+
-
! Example
+
-
|-
+
-
| gn
+
-
| givenName
+
-
| Firstname also called Christian name
+
-
| John
+
-
|-
+
-
| sn
+
-
| surname
+
-
| Surname, last name or family name
+
-
| Doe
+
-
|-
+
-
| cn
+
-
| commonName
+
-
| LDAP attribute being made up from givenName joined to SN
+
-
| John Doe
+
-
|-
+
-
| -
+
-
| displayName
+
-
| When using this property, be sure you understand which field you are configuring.  DisplayName can be confused with CN or description.
+
-
| John Doe
+
-
|-
+
-
| -
+
-
| company
+
-
| Company or organisation name
+
-
| snom Technology
+
-
|-
+
-
| o
+
-
| organizationName
+
-
| Organization name or even organizational name
+
-
| Germany
+
-
|-
+
-
| ou
+
-
| organizationalUnitName
+
-
| Usually department or any sub entity of larger entity
+
-
| Documentation
+
-
|-
+
-
| DC
+
-
| DC
+
-
| Domain Component
+
-
| snom com
+
-
|-
+
-
|DN
+
-
|distinguishedName
+
-
| unique identifier for each entry
+
-
| cn=John Doe,ou=Documentation,dc=snom,dc=com
+
-
|-
+
-
| -
+
-
| telephoneNumber
+
-
| Office phone number
+
-
| +493012345678
+
-
|-
+
-
| mobile
+
-
| mobileTelephoneNumber
+
-
| Mobile or cellular phone number
+
-
| +4917212993833
+
-
|-
+
-
| homePhone
+
-
| homeTelephoneNumber
+
-
| Home Phone number
+
-
| +492088190292
+
-
|}
+
-
 
+
-
== Troubleshooting ==
+
-
 
+
-
A good method to troubleshoot problems with LDAP implementation is to do a [[Web_Interface/V7/PCAP_Trace|PCAP trace]] while performing a lookup.
+
-
By tracing the search requests you can check if the phone connects and authenticates correctly and determine which requests are being sent from phone to LDAP server.
+
-
 
+
-
 
+
-
Below you can see an example of a successful LDAP lookup:
+
-
 
+
-
[[Image:01_ldap_trace.png|600px]]
+
-
 
+
-
[[Image:02_ldap_trace.png|500px]]
+
-
 
+
-
[[Category:HowTo]][[Category:Directory:LDAP]]
+
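
Review bot: The replacement at Line 1 leaves the move notice as plain page text and removes every section anchor that the deleted text itself links to (for example #Example_2:_LDAP_number_filter and #Example_3:_LDAP_Base), so inbound links to those anchors now land on a one-line page. Before accepting the removal, confirm that the target page carries the V10.1.27.0 migration notes on Partial Lookup and Perform Initial Query in LDAP state, the six filter and attribute examples, and the Troubleshooting section. If the example configuration is carried over, consider changing the Username example from Admin to a dedicated read-only bind account, since the phone only performs lookups.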

Latest revision as of 10:24, 26 February 2019

This page has been moved to https://service.snom.com/display/wiki/LDAP+Directory

This category currently contains no pages or media.
