
Active Directory integration

PostPosted: 18/02/2015, 17:36
by matteo.erba
The internal users database of the Wildix system can be synced with an external database; one of the most popular ones is Microsoft Windows Active Directory (AD).
  • Before starting the import, check that the “Telephone number” attribute is filled out correctly for all the users.
  • Go to WMS > Users and click “Import” - Fill out the fields of the form:
    • Backend: LDAP
    • Hostname: {SERVER IP}
    • Port: AD port (389 by default)
    • User: username of someone who has domain admin privileges written in format "windomain\username" (e.g. WILDIX\mario.rossi)
    • Password: password for user from point 4.
    • Base DN: base Distinguished Name, depends on customer's database structure (e.g. dc=wildix,dc=local)
    • Map section: check off only the fields that can be imported from AD
    • Filter: depends on customer's DB structure. E.g.:(&(objectCategory=person)(objectClass=user)(|(userAccountControl=512)(userAccountControl=514)))
  • Now it is possible to enable the PBX to check the password of the user for http/https login on the domain server. To enable AD integration, the system administrator must connect to the PBX via SSH and create the config file /etc/ad_connect.conf. An example of the ad_connect config file is:
    host=192.168.1.254:389
    windomain=WILDIX
  • To enable login via organization name or email address, follow the steps below:
    • Fill in the fields of “Map” section (WMS > Users > Import) with the following parameters:
      • User Name: CN (the attribute which defines the user’s full name, e.g. Mario Rossi)
      • Department: sAMAccountName (the attribute which defines the AD logon name, e.g. m.rossi)
    • In this configuration we import the CN (user full name) attribute into “User Name” field of Wildix DB, and we force the import of sAMAccountName attribute into the “Department” field.
      Add the following line into the /etc/ad_connect.conf file:
      • LdapLoginAttr=ou (to enable login with organization name)
        In this way we force the login to AD using the “ou” attribute (the value defined in the “Department” field of “Map” section) instead of user name
      • LdapLoginAttr=mail (to enable login with email address)
        By adding this line we force the login to AD using the “mail” attribute (the value defined in “Email” field of “Map” section) instead of sAMAccountName.
      • LdapLoginAttr=userPrincipalName (to enable login with the Login field)
        By adding this line we force the login to AD using the “userPrincipalName” attribute (the value defined in the “Login” field of “Map” section) instead of sAMAccountName or userPrincipalName.
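The import filter in the procedure above decides which AD objects end up in the PBX directory, and the two `userAccountControl` values it names (512 and 514) are bit masks, not arbitrary codes. The script below is an added example, written for this page and not code from the post or from Wildix: a small evaluator for the parenthesised LDAP filter syntax (and/or/not, equality, and the `1.2.840.113556.1.4.803` bit-AND extensible match that AD supports) plus a decoder for `userAccountControl` flags, run offline over a few constructed AD-like entries. The entries, the names in them, and the shortened `objectCategory` values (`person`/`computer` instead of the full schema DN) are assumptions made for the example; the flag bit values and the matching-rule OID are the documented Microsoft ones. It also checks the "Telephone number filled out" precondition from the first step against whatever the filter selects.

```python
"""Evaluate an AD LDAP import filter against constructed sample entries.

Minimal RFC 4515 filter evaluator (and/or/not, equality, and the
LDAP_MATCHING_RULE_BIT_AND extensible match) plus a userAccountControl
bit decoder, so a filter can be reasoned about before an import runs.
"""

# userAccountControl flag bits (subset of the documented Microsoft values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Filter as given in the post: exact matches on 512 (enabled) and 514 (disabled).
POST_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(|(userAccountControl=512)(userAccountControl=514)))")
# Alternative: enabled normal accounts whatever other flags are set (bit-AND match).
BITWISE_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                  f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=512)"
                  f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))")

# Constructed sample entries (assumed data); objectCategory shortened to its display name.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "mario.rossi", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512, "telephoneNumber": "201"},
    {"sAMAccountName": "svc.backup", "objectCategory": "person",           # 512 | DONT_EXPIRE_PASSWORD
     "objectClass": USER_CLASSES, "userAccountControl": 66048, "telephoneNumber": "209"},
    {"sAMAccountName": "old.user", "objectCategory": "person",             # disabled, no phone
     "objectClass": USER_CLASSES, "userAccountControl": 514},
    {"sAMAccountName": "FILESRV$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096},
]


def decode_uac(value):
    """Names of the userAccountControl flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_filter(text, pos=0):
    """Recursive-descent parser for a parenthesised LDAP search filter.

    Returns (node, next_pos). Nodes are ("&"|"|", [children]), ("!", child)
    or ("=", attribute, matching_rule_or_None, value).
    """
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        children = []
        pos += 1
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = parse_filter(text, pos + 1)
        node = ("!", child)
    else:
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        rule = None
        if ":" in attr:                      # attr:OID:= extensible match
            attr, rule, _ = attr.split(":")
        node, pos = ("=", attr, rule, value), end
    if text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def _values(entry, attr):
    """Attribute lookup, case-insensitive as in LDAP, always returned as a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def evaluate(node, entry):
    """True if the entry satisfies the parsed filter node."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    if rule == LDAP_MATCHING_RULE_BIT_AND:   # all bits of the mask must be set
        mask = int(value)
        return any(int(v) & mask == mask for v in _values(entry, attr))
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(str(v).lower() == value.lower() for v in _values(entry, attr))


def matching_accounts(filter_text, entries):
    """sAMAccountNames the filter would select for import, in directory order."""
    node, _ = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if evaluate(node, e)]


def missing_telephone(filter_text, entries):
    """Selected accounts with no telephoneNumber (the pre-import check in step 1)."""
    node, _ = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries
            if evaluate(node, e) and not any(_values(e, "telephoneNumber"))]


if __name__ == "__main__":
    for label, flt in (("post filter", POST_FILTER), ("bitwise filter", BITWISE_FILTER)):
        print(label, "->", matching_accounts(flt, SAMPLE_ENTRIES),
              "missing phone:", missing_telephone(flt, SAMPLE_ENTRIES))
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], decode_uac(e["userAccountControl"]))
```

Run on the constructed entries, the post's filter selects `mario.rossi` and `old.user` (514 decodes to NORMAL_ACCOUNT plus ACCOUNTDISABLE) and skips `svc.backup`, whose 66048 is an enabled account with DONT_EXPIRE_PASSWORD set; the bit-AND variant selects `mario.rossi` and `svc.backup` and drops the disabled account. Which behaviour is wanted depends on the customer's directory, which is exactly why the filter is worth evaluating against real entries before the import is run.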

Re: Active Directory integration

PostPosted: 28/06/2015, 9:08
by matteo.erba
Starting from WMS version 3.80.29355.25 the internal LDAP directory has been changed by adding one more field, specifically to improve the AD integration.
Now you can import a field like sAMAccountName or userPrincipalName directly into our directory and leave the username "natural" (e.g. mario.rossi as userPrincipalName and Mario Rossi as username).

The new field is called "login" in the WMS and userPrincipalName in LDAP.

The option LdapLoginAttr=userPrincipalName can be used in /etc/ad_connect.conf to use it.