
FortiVoice Phone System Administration Guide

Configuring LDAP settings


Phone System > LDAP lets you configure LDAP profiles and connectors.


Configuring LDAP profiles

The LDAP Profile submenu lets you configure LDAP profiles which can query LDAP servers for authentication.

Note

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended phone call processing behaviors can result.

Each LDAP profile contains one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.

To view the list of LDAP profiles, go to Phone System > LDAP > LDAP Profile.

GUI field: Description

• Profile Name: The name of the profile.
• Server: The domain name or IP address of the LDAP server.
• Port: The listening port of the LDAP server.
• Auth: Indicates whether User Authentication Options is enabled.
• Cache: Indicates whether query result caching is enabled.
• (Green dot in column heading): Indicates whether the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

You can add an LDAP profile to define a set of queries that the FortiVoice unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.

After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiVoice unit’s configuration. These options let you select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiVoice unit itself. These other configuration areas will only allow you to select applicable LDAP profiles, that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.

To configure an LDAP profile

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to add a profile or double-click a profile to modify it.
  3. Configure the following:

    Profile name

    For a new profile, enter its name.

    Server name/IP

    Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

    Port: Enter the port number where the LDAP server listens.

    The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    Fallback server name/IP

    Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiVoice unit can query if the primary LDAP server is unreachable.

    Port: Enter the port number where the fallback LDAP server listens.

    The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    Use secure connection

    Select whether to connect to the LDAP servers using an encrypted connection.

    • none: Use a non-secure connection.
    • SSL: Use an SSL-secured (LDAPS) connection.

    Click Test LDAP Query to test the connection. A pop-up window appears. For details, see Testing LDAP profile queries.

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiVoice unit will search for user objects, such as ou=People,dc=example,dc=com.

    User objects should be child nodes of this location.

    Bind DN

    Enter the bind DN, such as cn=FortiVoiceA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.

    This field may be optional if your LDAP server does not require the FortiVoice unit to authenticate when performing queries.

    Bind password

    Enter the password of the Bind DN.

    Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

    Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it.

    Before using Browse, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide the minimum information required to establish the directory browsing connection.

  4. Configure the following sections:
  5. Click Create, OK or Apply.

    The LDAP profile appears in the LDAP profile list. To apply it, select the profile in features that support LDAP queries, such as protected domains and policies.

    Before using the LDAP profile in other areas of the configuration, verify the configuration of each query that you have enabled in the LDAP profile. Incorrect query configuration can result in unexpected phone processing behavior. For information about testing queries, see Testing LDAP profile queries.

Configuring authentication options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to create a new profile or double-click an existing profile to edit it.
  3. Click the arrow to expand the User Authentication Options section.
  4. Configure the following:

    Try Common Name with Base DN as Bind DN

    Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid, into the field.

    Search User and Try Bind DN

    Select to form the user’s bind DN by using the DN retrieved for that user by configuring the following:

    • LDAP user query: Enter an LDAP query filter that selects a set of user objects from the LDAP directory.

      The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

      For example, if user objects in your directory have two distinguishing characteristics, their objectClass and extension attributes, the query filter might be:

      (& (objectClass=inetOrgPerson) (telephonenumber=$u))

      where $u is the FortiVoice variable for a user's extension.

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

    • Schema: If your LDAP directory’s user objects use a common schema style:
      • Active Directory
      • Lotus Domino
      • Open LDAP

      Select the schema style. This automatically configures the query string to match that schema style.

      If your LDAP server uses any other schema style, select User Defined, then manually configure the query string.

    • Scope: Select which level of depth to query, starting from Base DN.
      • One level: Query only the one level directly below the Base DN in the LDAP directory tree.
      • Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.
    • Derefer: Select the method to use, if any, when dereferencing attributes whose values are references.
      • Never: Do not dereference.
      • Always: Always dereference.
      • Search: Dereference only when searching.
      • Find: Dereference only when finding the base search object.
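
The Search User and Try Bind DN option described above only works if the user query returns exactly one user object for a given extension. The following added example (not FortiVoice code and not part of the original guide) checks a query filter offline against a constructed sample directory before the profile is used; the directory entries, the LOOSE_FILTER variant, the function names, and the RFC 4515 escaping of $u are assumptions of this sketch.

```python
import re

# Constructed sample directory (not from the page): DN -> attributes.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "telephonenumber": ["1234"]},
    "uid=asmith,ou=People,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "telephonenumber": ["1235"]},
    # A non-user object that carries the same extension as jdoe.
    "cn=lobby-phone,ou=Devices,dc=example,dc=com":
        {"objectClass": ["device"], "telephonenumber": ["1234"]},
}

PAGE_FILTER = "(& (objectClass=inetOrgPerson) (telephonenumber=$u))"  # from the page
LOOSE_FILTER = "(telephonenumber=$u)"  # constructed: omits the objectClass test


def escape_filter_value(value):
    """Escape a value for an LDAP filter assertion (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def _unescape(value):
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s):
    """Parse one parenthesised filter; return (node, remaining text)."""
    s = s.lstrip()
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:].lstrip()
    if s[:1] in ("&", "|", "!"):
        op, s = s[0], s[1:].lstrip()
        children = []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
            s = s.lstrip()
        if not children or not s.startswith(")"):
            raise ValueError("empty or unbalanced %r group" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), s[1:]
    m = re.match(r"([A-Za-z][\w;.-]*)\s*=\s*([^()]*)\)", s)
    if not m:
        raise ValueError("bad filter item at %r" % s[:20])
    return ("=", m.group(1), m.group(2).strip()), s[m.end():]


def parse_filter(text):
    """Parse a filter built from &, |, ! and attr=value or attr=* items."""
    node, rest = _parse(text)
    if rest.strip():
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(child, attrs) for child in node[1])
    if node[0] == "|":
        return any(matches(child, attrs) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if pattern == "*":  # presence test
        return bool(values)
    if "*" in pattern:
        raise NotImplementedError("substring filters are outside this sketch")
    # Simplification: compare case-insensitively for every attribute.
    want = _unescape(pattern).lower()
    return any(v.lower() == want for v in values)


def search(template, user, directory):
    """Substitute $u (escaped, so metacharacters stay literal) and return matching DNs."""
    tree = parse_filter(template.replace("$u", escape_filter_value(user)))
    return [dn for dn, attrs in directory.items() if matches(tree, attrs)]


def resolve_user_dn(template, user, directory):
    """Return the single DN a bind would be attempted with, or raise LookupError."""
    hits = search(template, user, directory)
    if len(hits) != 1:
        raise LookupError("%d entries match %r: %s" % (len(hits), user, hits))
    return hits[0]


if __name__ == "__main__":
    for name, template in (("page filter", PAGE_FILTER), ("loose filter", LOOSE_FILTER)):
        for user in ("1234", "1235", "9999"):
            print(name, user, search(template, user, DIRECTORY))
```

With the sample data, the page's filter resolves extension 1234 to one user DN, while the filter without the objectClass test also returns the device entry, which leaves the bind DN ambiguous.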

Configuring advanced options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to create a new profile or double-click an existing profile to edit it.
  3. Click the arrow to expand the Advanced Options section.
  4. Configure the following:

    Timeout (seconds)

    Enter the maximum amount of time in seconds that the FortiVoice unit will wait for query responses from the LDAP server.

    Protocol version

    Select the LDAP protocol version used by the LDAP server.

    Enable cache

    Enable to cache LDAP query results.

    Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiVoice unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

    If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

    TTL (minutes)

    Enter the amount of time, in minutes, that the FortiVoice unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiVoice unit to query the LDAP server, refreshing the cache.

    The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

    This option is applicable only if Enable cache is enabled.

Testing LDAP profile queries

After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiVoice unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.

To verify user authentication options

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Double-click the LDAP profile whose query you want to test.
  3. Click Test LDAP Query.

    A pop-up window appears allowing you to test the query.

  4. From Select query type, select Authentication.
  5. In User name, enter the user name or extension of a user on the LDAP server, such as jdoe or 1234, depending on your selection of User Authentication Options.
  6. In Password, enter the current password for that user.
  7. Click Test.

    The FortiVoice unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.

Clearing the LDAP profile cache

You can clear the FortiVoice unit’s cache of query results for any LDAP profile.

This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiVoice unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiVoice unit to query the updated LDAP server, refreshing the cache.

To clear the LDAP query cache

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Double-click the LDAP profile whose query cache you want to clear.
  3. Click Test LDAP Query.
  4. From Select query type, select Clear Cache.

    A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.

  5. Click Ok.

    The FortiVoice unit empties cached LDAP query responses associated with that LDAP profile.

Configuring the LDAP connector

    If you have contact or employee information in your LDAP server, you can configure the LDAP attribute mapping templates to retrieve the information and add it to the contact and extension lists. Before doing so, you must configure your LDAP server. For details, see Configuring LDAP settings.

    To view the list of LDAP connectors and take some actions (sync and purge), go to Phone System > LDAP > LDAP Connector.

    GUI field

    Description

    Clone

    Click to duplicate an LDAP connector configuration.

    Actions

    • Sync-Incremental: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server.
      If any existing entries are deleted on the LDAP server, they will not be removed on the FortiVoice unit during the synchronization.
    • Sync-Full: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server.
      The FortiVoice unit retrieves all of the newly-added and existing entries from the LDAP server.
    • Sync Report: Select an LDAP connector and click this button to display the synchronization report between the FortiVoice unit and your LDAP server.
    • Purge sync data: Select an LDAP connector and click this button to remove the connector from the FortiVoice unit. You cannot remove a connector if the extension associated with it is used in other places.

    Extension

    Click to view the extensions generated based on the data retrieved from your LDAP server and non-LDAP extensions.

    Name

    Name of the LDAP connector.

    LDAP Profile

    The name of the LDAP profile that has your LDAP server information. For details, see Configuring LDAP settings.

    Type

    The type of the LDAP connector: extension or contact.

    Schedule

    The synchronization schedule between the FortiVoice unit and your LDAP server.

    Last Sync Time

    The latest synchronization time between the FortiVoice unit and your LDAP server.

To configure extension/contact connectors

  1. Go to Phone System > LDAP > LDAP Connector.
  2. Click New > Extension Connector/Contact Connector.
  3. Configure the following:

    Enabled

    Select to enable the connector.

    Name

    Enter a name for the extension/contact connector.

    LDAP profile

    Select the LDAP profile that has your LDAP server information. You can add a new profile or modify the selected one. For details, see Configuring LDAP settings.

    The FortiVoice unit queries the LDAP server based on the information contained in the LDAP profile.

    Schema

    This option appears after you select the LDAP profile.

    Select the LDAP schema that defines the rules to govern the types of data that the LDAP server can hold.

    If you select Active directory or Open LDAP, the fields under Search Criteria and Mapping are populated. However, you can change them as needed.

    Description

    Click to enter any notes you have for this connector.

    Search Criteria

    You can use the auto-populated search attributes or enter your own search attributes for the data you want the FortiVoice unit to retrieve from the LDAP server.

    Search base

    Enter or browse for the search base to define the search starting point in the LDAP directory tree.

    Search filter

    Enter the complete query filters.

    Scope

    Select the LDAP search scope indicating the set of entries at or below the BaseDN that may be considered potential matches for a SearchRequest.

    Max results

    Enter the search size limit for the returning records.

    Mapping

    The mapping enables the FortiVoice unit to convert the data retrieved from the LDAP server into the FortiVoice extension or contact lists.

    You can use the auto-populated contact attributes or enter the contact attributes used in your LDAP server that match the FortiVoice attributes for extensions or contact lists. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server.

    You can click the Retrieve LDAP attribute icon beside each field to choose an LDAP server attribute.

    This section includes the following attributes:

    • User ID: This attribute supports letters, numbers, dots (.), and hyphens (-).
    • Display name: The extension name. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server.
    • Number: The extension number.
    • Status: The extension status. If we use an Active Directory (AD) setup as an example, this field can include userAccountControl.
    • Value for enabled status: FortiVoice uses this field to determine if the imported extensions need to be enabled or disabled. If we use an AD setup as an example, common values are 512 for enabled and 514 for disabled. If you use 512, it means that when you import extensions from your LDAP server and the AD returns a userAccountControl value of 512, FortiVoice enables the extension. If the AD returns any other value, FortiVoice disables the extension.

      If you leave the Value for enabled status field empty, FortiVoice disables the imported extensions.

    • Email: The extension email.

    More

    For extension connectors, under More, you can configure the Time zone and Voicemail PIN attributes based on the synchronization results with the LDAP server.

    • Time zone:
      • Add entry: Use this option to configure the new time zone attribute retrieved from the LDAP server.
        • Fixed: You can select your own time zone from the list. This value will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current time zone value will be updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) will be used by default.
      • Update entry: Use this option to configure the existing time zone attribute on your FortiVoice unit.
        • Skip: The current time zone attribute is ignored and will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current time zone value will be updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) will be used by default.
    • Voicemail PIN:
      • Add entry: Use this option to configure the new voicemail PIN attribute retrieved from the LDAP server.
        • Fixed: You can enter your own voicemail PIN. This value will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current voicemail PIN value will be updated with the value from the LDAP server during synchronization.
        • Generate: Click to let the system generate a voicemail PIN. This value will not be updated with the value from the LDAP server during synchronization.
      • Update entry: Use this option to configure the existing voicemail PIN attributes on your FortiVoice unit.
        • Skip: The current voicemail PIN attribute is ignored and will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current voicemail PIN value will be updated with the value from the LDAP server during synchronization.

    Schedule

    Set the time schedule for data retrieval and mapping.

  4. Click Create.
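
The Mapping rules above state that an imported extension is enabled only when the Status attribute equals the Value for enabled status, and that any other value disables it. The following added example (not FortiVoice code and not part of the original guide) models that rule over constructed Active Directory entries and reports accounts that are active in AD but would be imported as disabled, along with User IDs outside the supported character set; the attribute names in MAPPING, the sample entries, and the function names are assumptions of this sketch.

```python
import re

# userAccountControl bit flags defined by Active Directory.
ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Assumed connector mapping: FortiVoice field -> LDAP attribute.
MAPPING = {
    "user_id": "sAMAccountName",
    "display_name": "displayName",
    "number": "telephoneNumber",
    "status": "userAccountControl",
    "email": "mail",
}

# Constructed sample entries (not from the page).
ENTRIES = [
    {"sAMAccountName": "jdoe", "displayName": "J. Doe", "telephoneNumber": "1234",
     "userAccountControl": "512", "mail": "jdoe@example.com"},
    {"sAMAccountName": "asmith", "displayName": "A. Smith", "telephoneNumber": "1235",
     "userAccountControl": "66048", "mail": "asmith@example.com"},
    {"sAMAccountName": "bwong", "displayName": "B. Wong", "telephoneNumber": "1236",
     "userAccountControl": "514", "mail": "bwong@example.com"},
    {"sAMAccountName": "c_lee", "displayName": "C. Lee", "telephoneNumber": "1237",
     "userAccountControl": "512", "mail": "clee@example.com"},
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def map_entry(entry, mapping, enabled_value):
    """Model the documented rule: enabled only on an exact status match."""
    record = {field: str(entry.get(attr, "")).strip()
              for field, attr in mapping.items() if field != "status"}
    status = str(entry.get(mapping["status"], "")).strip()
    record["status_raw"] = status
    # An empty "Value for enabled status" disables every imported extension.
    record["enabled"] = bool(enabled_value) and status == str(enabled_value).strip()
    return record


def preflight(entries, mapping, enabled_value):
    """List (user_id, issue) pairs worth reviewing before running an import."""
    findings = []
    for entry in entries:
        rec = map_entry(entry, mapping, enabled_value)
        uid = rec["user_id"]
        # The page: User ID supports letters, numbers, dots and hyphens.
        if not re.fullmatch(r"[A-Za-z0-9.-]+", uid):
            findings.append((uid, "user ID has unsupported characters"))
        if not rec["number"]:
            findings.append((uid, "no extension number"))
        if rec["status_raw"].isdigit():
            active_in_ad = (int(rec["status_raw"]) & ACCOUNTDISABLE) == 0
            if active_in_ad and not rec["enabled"]:
                flags = ", ".join(decode_uac(rec["status_raw"]))
                findings.append((uid, "active in AD (%s) but imported as disabled" % flags))
    return findings


if __name__ == "__main__":
    for uid, issue in preflight(ENTRIES, MAPPING, "512"):
        print("%-8s %s" % (uid, issue))
```

In the sample data, 66048 is 512 plus the DONT_EXPIRE_PASSWORD flag, so an exact comparison against 512 treats that active account as disabled.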

Viewing LDAP contact list

After you have configured the LDAP contact connector and synchronized the FortiVoice unit with it, the generated FortiVoice contact list appears in Phone System > LDAP > LDAP Contact.

You can select a contact to view, modify, or delete it.

Clicking LDAP opens the LDAP Connector page.

For details about configuring contact connectors, see Configuring the LDAP connector.

Configuring LDAP settings

Configuring LDAP settings

Phone System > LDAP lets you configure LDAP profiles and connectors.

This topic includes:

Configuring LDAP profiles

The LDAP Profile submenu lets you configure LDAP profiles which can query LDAP servers for authentication.

Note

Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended phone call processing behaviors can result.

LDAP profiles each contains one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.

To view the list of LDAP profiles, go to Phone System > LDAP > LDAP Profile.

GUI field

Description

Profile Name

The name of the profile.

Server

The domain name or IP address of the LDAP server.

Port

The listening port of the LDAP server.

Auth

Indicates whether User Authentication Options is enabled.

Cache

Indicates whether query result caching is enabled.

(Green dot in column heading)

Indicates whether the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

You can add an LDAP profile to define a set of queries that the FortiVoice unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.

After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiVoice unit’s configuration. These options let you to select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiVoice unit itself. These other configuration areas will only allow you to select applicable LDAP profiles — that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.

To configure an LDAP profile

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to add a profile or double-click a profile to modify it.
  3. GUI field

    Description

    Profile name

    For a new profile, enter its name.

    Server name/IP

    Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.

    Port: Enter the port number where the LDAP server listens.

    The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    Fallback server name/IP

    Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiVoice unit can query if the primary LDAP server is unreachable.

    Port: Enter the port number where the fallback LDAP server listens.

    The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections.

    Use secure connection

    Select whether to connect to the LDAP servers using an encrypted connection.

    • none: Use a non-secure connection.
    • SSL: Use an SSL-secured (LDAPS) connection.

    Click Test LDAP Query to test the connection. A pop-up window appears. For details, see Testing LDAP profile queries.

    Base DN

    Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiVoice unit will search for user objects, such as ou=People,dc=example,dc=com.

    User objects should be child nodes of this location.

    Bind DN

    Enter the bind DN, such as cn=FortiVoiceA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.

    This field may be optional if your LDAP server does not require the FortiVoice unit to authenticate when performing queries.

    Bind password

    Enter the password of the Bind DN.

    Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.

    Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it.

    Before using, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide minimum information required to establish the directory browsing connection.

  4. Configure the following sections:
  5. Click Create, OK or Apply.

    The LDAP profile appears in the LDAP profile list. To apply it, select the profile in features that support LDAP queries, such as protected domains and policies.

    Before using the LDAP profile in other areas of the configuration, verify the configuration of each query that you have enabled in the LDAP profile. Incorrect query configuration can result in unexpected phone processing behavior. For information about testing queries, see Testing LDAP profile queries.

Configuring authentication options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the User Authentication Options section.
  4. Configure the following:
  5. GUI field

    Description

    Try Common Name with Base DN as Bind DN

    Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as cn or uid into the field.

    Search User and Try Bind DN

    Select to form the user’s bind DN by using the DN retrieved for that user by configuring the following:

    • LDAP user query: Enter an LDAP query filter that selects a set of user objects from the LDAP directory.
    • The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.

      For example, if user objects in your directory have two distinguishing characteristics, their objectClass and extension attributes, the query filter might be:

      (& (objectClass=inetOrgPerson) (telephonenumber=$u))

      where $u is the FortiVoice variable for a user's extension.

      This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.

    • Schema: If your LDAP directory’s user objects use a common schema style:
      • Active Directory
      • Lotus Domino
      • Open LDAP

      Select the schema style. This automatically configures the query string to match that schema style.

      If your LDAP server uses any other schema style, select User Defined, then manually configure the query string.

    • Scope: Select which level of depth to query, starting from Base DN.
      • One level: Query only the one level directly below the Base DN in the LDAP directory tree.
      • Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.
    • Derefer: Select the method to use, if any, when dereferencing attributes whose values are references.
      • Never: Do not dereference.
      • Always: Always dereference.
      • Search: Dereference only when searching.
      • Find: Dereference only when finding the base search object.

Configuring advanced options

The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Click New to create a new profile or double click on an existing profile to edit it.
  3. Click the arrow to expand the Advanced Options section.
  4. Configure the following:
  5. GUI field

    Description

    Timeout (seconds)

    Enter the maximum amount of time in seconds that the FortiVoice unit will wait for query responses from the LDAP server.

    Protocol version

    Select the LDAP protocol version used by the LDAP server.

    Enable cache

    Enable to cache LDAP query results.

    Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiVoice unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.

    If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching.

    TTL (minutes)

    Enter the amount of time, in minutes, that the FortiVoice unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiVoice unit to query the LDAP server, refreshing the cache.

    The default TTL value is 1440 minutes (one day). The maximum value is 10080 minutes (one week). Entering a value of 0 effectively disables caching.

    This option is applicable only if Enable cache is enabled.

Testing LDAP profile queries

After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiVoice unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.

To verify user authentication options

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Double-click the LDAP profile whose query you want to test.
  3. Click Test LDAP Query.

    A pop-up window appears allowing you to test the query.

  4. From Select query type, select Authentication.
  5. In User name, enter the user name or extension of a user on the LDAP server, such as jdoe or 1234, depending your selection of User Authentication Options.
  6. In Password, enter the current password for that user.
  7. Click Test.

    The FortiVoice unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.

Clearing the LDAP profile cache

You can clear the FortiVoice unit’s cache of query results for any LDAP profile.

This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiVoice unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiVoice unit to query the updated LDAP server, refreshing the cache.

To clear the LDAP query cache

  1. Go to Phone System > LDAP > LDAP Profile.
  2. Double-click the LDAP profile whose query cache you want to clear.
  3. Click Test LDAP Query.
  4. From Select query type, select Clear Cache.

    A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.

  5. Click Ok.

    The FortiVoice unit empties cached LDAP query responses associated with that LDAP profile.

Configuring the LDAP connector

    If you have contact or employee information in your LDAP server, you can configure the LDAP attribute mapping templates to retrieve the information and add it to the contact and extension lists. Before doing so, you must configure your LDAP server. For details, see Configuring LDAP settings.

    To view the list of LDAP connectors and take some actions (sync and purge), go to Phone System > LDAP > LDAP Connector.

    GUI field

    Description

    Clone

    Click to duplicate an LDAP connector configuration.

    Actions

    • Sync-Incremental: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server.
      If any existing entries are deleted on the LDAP server, they will not be removed on the FortiVoice unit during the synchronization.
    • Sync-Full: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server.
      The FortiVoice unit retrieves all of the newly-added and existing entries from the LDAP server.
    • Sync Report: Select an LDAP connector and click this button to display the synchronization report between the FortiVoice unit and your LDAP server.
    • Purge sync data: Select an LDAP connector and click this button to remove the connector from the FortiVoice unit. You cannot remove a connector if the extension associated with it is used in other places.

    Extension

    Click to view the extensions generated based on the data retrieved from your LDAP server and non-LDAP extensions.

    Name

    Name of the LDAP connector.

    LDAP Profile

    The name of the LDAP profile that has your LDAP server information. For details, see Configuring LDAP settings.

    Type

    The type of the LDAP connector: extension or contact.

    Schedule

    The synchronization schedule between the FortiVoice unit and your LDAP server.

    Last Sync Time

    The latest synchronization time between the FortiVoice unit and your LDAP server.

To configure extension/contact connectors

  1. Go to Phone System > LDAP > LDAP Connector.
  2. Click New > Extension Connector/Contact Connector and configure the following:
  3. GUI field

    Description

    Enabled

    Select to enable the connector.

    Name

    Enter a name for the extension/contact connector.

    LDAP profile

    Select the LDAP profile that has your LDAP server information. You can add a new profile or modify the selected one. For details, see Configuring LDAP settings.

    The FortiVoice unit queries the LDAP server based on the information contained in the LDAP profile.

    Schema

    This option appears after you select the LDAP profile.

    Select the LDAP schema that defines the rules to govern the types of data that the LDAP server can hold.

    If you select Active directory or Open LDAP, the fields under Search Criteria and Mapping are populated. However, you can change them as needed.

    Description

    Click to enter any notes you have for this connector.

    Search Criteria

    You can use the auto-populated search attributes or enter your own search attributes for the data you want the FortiVoice unit to retrieve from the LDAP server.

    Search base

    Enter or browse for the search base to define the search starting point in the LDAP directory tree.

    Search filter

    Enter the complete query filters.

    Scope

    Select the LDAP search scope indicating the set of entries at or below the BaseDN that may be considered potential matches for a SearchRequest.

    Max results

    Enter the search size limit for the returned records.

    Mapping

    The mapping enables the FortiVoice unit to convert the data retrieved from the LDAP server into the FortiVoice extension or contact lists.

    You can use the auto-populated contact attributes or enter the contact attributes used in your LDAP server that match the FortiVoice attributes for extensions or contact lists. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server.

    You can click the Retrieve LDAP attribute icon beside each field to choose an LDAP server attribute.

    This section includes the following attributes:

    • User ID: This attribute supports letters, numbers, dots (.), and hyphens (-).
    • Display name: The extension name. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server.
    • Number: The extension number.
    • Status: The extension status. If we use an Active Directory (AD) setup as an example, this field can include userAccountControl.
    • Value for enabled status: FortiVoice uses this field to determine if the imported extensions need to be enabled or disabled. If we use an AD setup as an example, common values are 512 for enabled and 514 for disabled. If you use 512, it means that when you import extensions from your LDAP server and the AD returns a userAccountControl value of 512, FortiVoice enables the extension. If the AD returns any other value, FortiVoice disables the extension.

      If you leave the Value for enabled status field empty, FortiVoice disables the imported extensions.

    • Email: The extension email.

    More

    For extension connectors, under More, you can configure the Time zone and Voicemail PIN attributes based on the synchronization results with the LDAP server.

    • Time zone:
      • Add entry: Use this option to configure the new time zone attribute retrieved from the LDAP server.
        • Fixed: You can select your own time zone from the list. This value will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current time zone value will be updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) will be used by default.
      • Update entry: Use this option to configure the existing time zone attribute on your FortiVoice unit.
        • Skip: The current time zone attribute is ignored and will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current time zone value will be updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) will be used by default.
    • Voicemail PIN:
      • Add entry: Use this option to configure the new voicemail PIN attribute retrieved from the LDAP server.
        • Fixed: You can enter your own voicemail PIN. This value will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current voicemail PIN value will be updated with the value from the LDAP server during synchronization.
        • Generate: Click to let the system generate a voicemail PIN. This value will not be updated with the value from the LDAP server during synchronization.
      • Update entry: Use this option to configure the existing voicemail PIN attributes on your FortiVoice unit.
        • Skip: The current voicemail PIN attribute is ignored and will not be updated with the value from the LDAP server during synchronization.
        • Sync: The current voicemail PIN value will be updated with the value from the LDAP server during synchronization.

    Schedule

    Set the time schedule for data retrieval and mapping.

  4. Click Create.
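A pre-import check for the Status and Value for enabled status mapping described above, as an added example (not Fortinet code): it models the exact-match rule from this page, compares the result with the ACCOUNTDISABLE bit of AD's userAccountControl, and checks the User ID character set. The function names and sample entries are constructed for illustration, and ASCII letters are assumed for User ID.

```python
import re

# AD userAccountControl flag bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536

# User ID character set from the Mapping section: letters, numbers, dots, hyphens.
# Assumption: "letters" means ASCII letters.
USER_ID_RE = re.compile(r"[A-Za-z0-9.-]+")

def imported_enabled(uac, enabled_value):
    """Model of the rule on this page: an exact match enables the extension;
    any other value, or an empty 'Value for enabled status', disables it."""
    if enabled_value in (None, ""):
        return False
    return str(uac) == str(enabled_value)

def audit(entries, enabled_value):
    """Return (user_id, finding) pairs for entries whose import result would
    differ from the directory's own state, or whose User ID is unsupported."""
    findings = []
    for user_id, uac in entries:
        if not USER_ID_RE.fullmatch(user_id):
            findings.append((user_id, "unsupported character in User ID"))
        ad_enabled = not (uac & ACCOUNTDISABLE)
        fv_enabled = imported_enabled(uac, enabled_value)
        if ad_enabled and not fv_enabled:
            findings.append((user_id, f"active in AD (uac={uac}) but imported disabled"))
        elif fv_enabled and not ad_enabled:
            findings.append((user_id, f"disabled in AD (uac={uac}) but imported enabled"))
    return findings

# Constructed sample entries: (User ID attribute, userAccountControl).
SAMPLE = [
    ("jdoe", NORMAL_ACCOUNT),                             # 512, enabled
    ("asmith", NORMAL_ACCOUNT | ACCOUNTDISABLE),          # 514, disabled
    ("svc-voice", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD), # 66048, enabled in AD
    ("b_lee", NORMAL_ACCOUNT),                            # underscore not supported
]

if __name__ == "__main__":
    for user_id, finding in audit(SAMPLE, "512"):
        print(f"{user_id}: {finding}")
```

Run it against an export of the attributes the connector will map before the first import; accounts that carry extra flag bits alongside 512 are the ones that an exact match on 512 leaves disabled.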

Viewing LDAP contact list

After you have configured the LDAP contact connector and synchronized the FortiVoice unit with it, the generated FortiVoice contact list appears in Phone System > LDAP > LDAP Contact.

You can select a contact to view, modify, or delete it.

Clicking LDAP opens the LDAP Connector page.

For details about configuring contact connectors, see Configuring the LDAP connector.