Configuring LDAP settings
Phone System > LDAP lets you configure LDAP profiles and connectors.
This topic includes:
- Configuring LDAP profiles
- Configuring authentication options
- Configuring advanced options
- Testing LDAP profile queries
- Clearing the LDAP profile cache
- Configuring the LDAP connector
- Viewing LDAP contact list
Configuring LDAP profiles
The LDAP Profile submenu lets you configure LDAP profiles which can query LDAP servers for authentication.
Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match the server’s schema and/or contents, unintended phone call processing behaviors can result.
Each LDAP profile contains one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.
To view the list of LDAP profiles, go to Phone System > LDAP > LDAP Profile.
| GUI field | Description |
|---|---|
| Profile Name | The name of the profile. |
| Server | The domain name or IP address of the LDAP server. |
| Port | The listening port of the LDAP server. |
| Auth | Indicates whether User Authentication Options is enabled. |
| Cache | Indicates whether query result caching is enabled. |
| (Green dot in column heading) | Indicates whether the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
You can add an LDAP profile to define a set of queries that the FortiVoice unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.
After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiVoice unit’s configuration. These options let you select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiVoice unit itself. These other configuration areas only allow you to select applicable LDAP profiles, that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.
- Go to Phone System > LDAP > LDAP Profile.
- Click New to add a profile or double-click a profile to modify it.
- none: Use a non-secure connection.
- SSL: Use an SSL-secured (LDAPS) connection.
- Configure the following sections:
- Click Create, OK or Apply.
The LDAP profile appears in the LDAP profile list. To apply it, select the profile in features that support LDAP queries, such as protected domains and policies.
Before using the LDAP profile in other areas of the configuration, verify the configuration of each query that you have enabled in the LDAP profile. Incorrect query configuration can result in unexpected phone processing behavior. For information about testing queries, see Testing LDAP profile queries.
| GUI field | Description |
|---|---|
| Profile name | For a new profile, enter its name. |
| Server name/IP | Enter the fully qualified domain name (FQDN) or IP address of the LDAP server. |
| Port | Enter the port number where the LDAP server listens. The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections. |
| Fallback server name/IP | Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiVoice unit can query if the primary LDAP server is unreachable. |
| Port | Enter the port number where the fallback LDAP server listens. The default port number varies by your selection in Use secure connection: port 389 is typically used for non-secure connections, and port 636 is typically used for SSL-secured (LDAPS) connections. |
| Use secure connection | Select whether to connect to the LDAP servers using an encrypted connection. |
| Test LDAP Query | Click to test the connection. A pop-up window appears. For details, see Testing LDAP profile queries. |
| Base DN | Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiVoice unit will search for user objects. User objects should be child nodes of this location. |
| Bind DN | Enter the bind DN. This field may be optional if your LDAP server does not require the FortiVoice unit to authenticate when performing queries. |
| Bind password | Enter the password of the Bind DN. |
| Browse | Click Browse to browse the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, from the root of the LDAP directory tree. Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it. Before browsing, first configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide the minimum information required to establish the directory browsing connection. |
Configuring authentication options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.
- Go to Phone System > LDAP > LDAP Profile.
- Click New to create a new profile or double-click an existing profile to edit it.
- Click the arrow to expand the User Authentication Options section.
- Configure the following:
  - LDAP user query: Enter an LDAP query filter that selects a set of user objects from the LDAP directory.
  - Schema: If your LDAP directory’s user objects use a common schema style, select it:
    - Active Directory
    - Lotus Domino
    - Open LDAP
  - Scope: Select which level of depth to query, starting from Base DN.
    - One level: Query only the one level directly below the Base DN in the LDAP directory tree.
    - Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.
  - Derefer: Select the method to use, if any, when dereferencing attributes whose values are references.
    - Never: Do not dereference.
    - Always: Always dereference.
    - Search: Dereference only when searching.
    - Find: Dereference only when finding the base search object.
| GUI field | Description |
|---|---|
| Try Common Name with Base DN as Bind DN | Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute. |
| Search User and Try Bind DN | Select to form the user’s bind DN by using the DN retrieved for that user by configuring the following: The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For example, if user objects in your directory have two distinguishing characteristics, their where This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. |
| Schema | Select the schema style. This automatically configures the query string to match that schema style. If your LDAP server uses any other schema style, select User Defined, then manually configure the query string. |
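The two User Authentication Options above differ in how the bind DN is formed. The following added example (not FortiVoice code) shows both strategies in Python, with RFC 4514 escaping for DN values and RFC 4515 escaping for filter values so that the entered user name is always treated as a value rather than as DN or filter syntax; the `%s` placeholder, the attribute names and the in-memory directory are assumptions.

```python
from typing import Optional

_DN_SPECIAL = ',+"\\<>;='  # RFC 4514 section 2.4: escaped anywhere in a DN value

# Constructed in-memory directory ({dn: attributes}); not real data.
SAMPLE_DIRECTORY = {
    "cn=jdoe,ou=people,dc=example,dc=com": {"objectClass": "inetOrgPerson", "uid": "jdoe"},
    "cn=asmith,ou=people,dc=example,dc=com": {"objectClass": "inetOrgPerson", "uid": "asmith"},
    "cn=asmith2,ou=people,dc=example,dc=com": {"objectClass": "inetOrgPerson", "uid": "asmith"},
}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name (RFC 4514).
    Special characters are always escaped; '#' only at the start, a space only
    at the start or end of the value."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for a search filter (RFC 4515 section 3):
    '*', '(', ')', backslash, NUL and every non-ASCII byte become \\xx hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_from_common_name(user: str, cn_attribute: str, base_dn: str) -> str:
    """Try Common Name with Base DN as Bind DN: <cn_attribute>=<user>,<Base DN>.
    The unit then binds with this DN and the password the user entered."""
    return f"{cn_attribute}={escape_dn_value(user)},{base_dn}"


def user_query(filter_template: str, user: str) -> str:
    """Search User and Try Bind DN, step 1: substitute the entered user name
    into the LDAP user query filter (the '%s' placeholder is an assumption)."""
    return filter_template.replace("%s", escape_filter_value(user))


def search_then_bind_dn(directory: dict, user_attribute: str, user: str) -> Optional[str]:
    """Search User and Try Bind DN, step 2: the DN of the single entry whose user
    attribute equals the entered name becomes the bind DN. Zero or several matches
    mean the query does not identify exactly one user, so authentication fails."""
    matches = [dn for dn, attrs in directory.items() if attrs.get(user_attribute) == user]
    return matches[0] if len(matches) == 1 else None
```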
Configuring advanced options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP settings.
- Go to Phone System > LDAP > LDAP Profile.
- Click New to create a new profile or double-click an existing profile to edit it.
- Click the arrow to expand the Advanced Options section.
- Configure the following:
| GUI field | Description |
|---|---|
| Timeout (seconds) | Enter the maximum amount of time in seconds that the FortiVoice unit will wait for query responses from the LDAP server. |
| Protocol version | Select the LDAP protocol version used by the LDAP server. |
| Enable cache | Enable to cache LDAP query results. Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiVoice unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently. If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of 0 effectively disables caching. |
| TTL (minutes) | Enter the amount of time, in minutes, that the FortiVoice unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiVoice unit to query the LDAP server, refreshing the cache. The default TTL value is This option is applicable only if Enable cache is enabled. |
Testing LDAP profile queries
After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiVoice unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.
When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.
To verify user authentication options
- Go to Phone System > LDAP > LDAP Profile.
- Double-click the LDAP profile whose query you want to test.
- Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
- From Select query type, select Authentication.
- In User name, enter the user name or extension of a user on the LDAP server, such as jdoe or 1234, depending on your selection of User Authentication Options.
- In Password, enter the current password for that user.
- Click Test.
The FortiVoice unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.
Clearing the LDAP profile cache
You can clear the FortiVoice unit’s cache of query results for any LDAP profile.
This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiVoice unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiVoice unit to query the updated LDAP server, refreshing the cache.
To clear the LDAP query cache
- Go to Phone System > LDAP > LDAP Profile.
- Double-click the LDAP profile whose query cache you want to clear.
- Click Test LDAP Query.
- From Select query type, select Clear Cache.
A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.
- Click Ok.
The FortiVoice unit empties cached LDAP query responses associated with that LDAP profile.
Configuring the LDAP connector
- Sync-Incremental: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server. If any existing entries are deleted on the LDAP server, they are not removed from the FortiVoice unit during the synchronization.
- Sync-Full: Select an LDAP connector and click this button to display the newly-added and existing entries for that connector on the LDAP server. Select New or Existing to view the respective entries, and click Import to let the FortiVoice unit synchronize the newly-added and existing entries from the LDAP server. The FortiVoice unit retrieves all of the newly-added and existing entries from the LDAP server.
- Sync Report: Select an LDAP connector and click this button to display the synchronization report between the FortiVoice unit and your LDAP server.
- Purge sync data: Select an LDAP connector and click this button to remove the connector from the FortiVoice unit. You cannot remove a connector if the extension associated with it is used in other places.
If you have contact or employee information in your LDAP server, you can configure the LDAP attribute mapping templates to retrieve the information and add it to the contact and extension lists. Before doing so, you must configure your LDAP server. For details, see Configuring LDAP settings.
To view the list of LDAP connectors and take some actions (sync and purge), go to Phone System > LDAP > LDAP Connector.
| GUI field | Description |
|---|---|
| Clone | Click to duplicate an LDAP connector configuration. |
| Actions | The synchronization and purge actions described above: Sync-Incremental, Sync-Full, Sync Report, and Purge sync data. |
| Extension | Click to view the extensions generated based on the data retrieved from your LDAP server and non-LDAP extensions. |
| Name | Name of the LDAP connector. |
| LDAP Profile | The name of the LDAP profile that has your LDAP server information. For details, see Configuring LDAP settings. |
| Type | The type of the LDAP connector: extension or contact. |
| Schedule | The synchronization schedule between the FortiVoice unit and your LDAP server. |
| Last Sync Time | The latest synchronization time between the FortiVoice unit and your LDAP server. |
To configure extension/contact connectors
- Go to Phone System > LDAP > LDAP Connector.
- Click New > Extension Connector/Contact Connector and configure the following:
  - User ID: This attribute supports letters, numbers, dots (.), and hyphens (-).
  - Display name: The extension name. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server.
  - Number: The extension number.
  - Status: The extension status. In an Active Directory (AD) setup, for example, this field can be mapped to userAccountControl.
  - Value for enabled status: FortiVoice uses this field to determine whether the imported extensions are enabled or disabled. In an AD setup, for example, common values are 512 for enabled and 514 for disabled. If you enter 512, then when you import extensions from your LDAP server and AD returns a userAccountControl value of 512, FortiVoice enables the extension; if AD returns any other value, FortiVoice disables the extension. If you leave the Value for enabled status field empty, FortiVoice disables the imported extensions.
  - Email: The extension email.
  - Time zone:
    - Add entry: Use this option to configure the time zone attribute of new extensions retrieved from the LDAP server.
      - Fixed: You can select your own time zone from the list. This value is not updated with the value from the LDAP server during synchronization.
      - Sync: The current time zone value is updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) is used by default.
    - Update entry: Use this option to configure the time zone attribute of extensions that already exist on your FortiVoice unit.
      - Skip: The current time zone attribute is ignored and is not updated with the value from the LDAP server during synchronization.
      - Sync: The current time zone value is updated with the value from the LDAP server during synchronization. If the time zone value is not available on the LDAP server, the FortiVoice unit time zone (Phone System > Setting > Location > Default time zone) is used by default.
  - Voicemail PIN:
    - Add entry: Use this option to configure the voicemail PIN attribute of new extensions retrieved from the LDAP server.
      - Fixed: You can enter your own voicemail PIN. This value is not updated with the value from the LDAP server during synchronization.
      - Sync: The current voicemail PIN value is updated with the value from the LDAP server during synchronization.
      - Generate: Click to let the system generate a voicemail PIN. This value is not updated with the value from the LDAP server during synchronization.
    - Update entry: Use this option to configure the voicemail PIN attribute of extensions that already exist on your FortiVoice unit.
      - Skip: The current voicemail PIN attribute is ignored and is not updated with the value from the LDAP server during synchronization.
      - Sync: The current voicemail PIN value is updated with the value from the LDAP server during synchronization.
- Click Create.
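As an added example (not FortiVoice code), the following Python applies the import rules from the steps above to constructed LDAP entries: the User ID character set, the Value for enabled status comparison against userAccountControl (empty setting disables), and the Add entry and Update entry policies for Time zone and Voicemail PIN, including the fall-back to the unit time zone when the server has none. The attribute names in the mapping and the unit default time zone are assumptions.

```python
import re
import secrets

USER_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # User ID: letters, numbers, dots, hyphens
UNIT_DEFAULT_TZ = "America/Vancouver"  # assumed Phone System > Setting > Location default

# Constructed AD-style mapping (attribute names are assumptions), one key per connector field.
AD_MAPPING = {
    "user_id": "sAMAccountName", "display_name": "displayName",
    "number": "telephoneNumber", "status": "userAccountControl", "value_for_enabled": "512",
    "time_zone": "timeZone", "tz_add": "Sync", "tz_update": "Skip",
    "pin": "voicemailPin", "pin_add": "Generate", "pin_update": "Skip",
}
SAMPLE_ENTRIES = [  # constructed LDAP entries, not real directory data
    {"sAMAccountName": "jdoe", "displayName": "John Doe", "telephoneNumber": "1234",
     "userAccountControl": "512"},
    {"sAMAccountName": "asmith", "displayName": "Ann Smith", "telephoneNumber": "1235",
     "userAccountControl": "514", "timeZone": "Europe/Paris"},
]


def status_enabled(returned_value, value_for_enabled):
    """Enabled only when the server's value matches Value for enabled status;
    any other value, or an empty setting, disables the imported extension."""
    return bool(value_for_enabled) and str(returned_value) == str(value_for_enabled)


def resolve(is_new, ldap_value, current, add_policy, update_policy,
            fixed=None, generate=None, default=None):
    """Add entry policy (Fixed / Generate / Sync) for a new extension, Update entry
    policy (Skip / Sync) for an existing one; Sync falls back to `default` when
    the attribute is not available on the LDAP server."""
    synced = ldap_value if ldap_value is not None else default
    if is_new:
        if add_policy == "Fixed":
            return fixed
        if add_policy == "Generate" and generate is not None:
            return generate()
        return synced
    return current if update_policy == "Skip" else synced


def import_extension(entry, mapping, existing=None):
    """Build the FortiVoice extension record for one LDAP entry; `existing` is the
    record already on the unit, or None for a newly added extension."""
    user_id = entry.get(mapping["user_id"], "")
    if not USER_ID_RE.match(user_id):
        raise ValueError(f"unsupported characters in User ID {user_id!r}")
    is_new, cur = existing is None, existing or {}
    return {
        "user_id": user_id,
        "display_name": entry.get(mapping["display_name"]),
        "number": entry.get(mapping["number"]),
        "enabled": status_enabled(entry.get(mapping["status"]), mapping["value_for_enabled"]),
        "time_zone": resolve(is_new, entry.get(mapping["time_zone"]), cur.get("time_zone"),
                             mapping["tz_add"], mapping["tz_update"],
                             fixed=mapping.get("tz_fixed"), default=UNIT_DEFAULT_TZ),
        "voicemail_pin": resolve(is_new, entry.get(mapping["pin"]), cur.get("voicemail_pin"),
                                 mapping["pin_add"], mapping["pin_update"],
                                 fixed=mapping.get("pin_fixed"),
                                 generate=lambda: f"{secrets.randbelow(10**6):06d}"),
    }
```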
| GUI field | Description |
|---|---|
| Enabled | Select to enable the connector. |
| Name | Enter a name for the extension/contact connector. |
| LDAP profile | Select the LDAP profile that has your LDAP server information. You can add a new profile or modify the selected one. For details, see Configuring LDAP settings. The FortiVoice unit queries the LDAP server based on the information contained in the LDAP profile. |
| Schema | This option appears after you select the LDAP profile. Select the LDAP schema that defines the rules governing the types of data that the LDAP server can hold. If you select Active Directory or Open LDAP, the fields under Search Criteria and Mapping are populated automatically. You can change them as needed. |
| Description | Click to enter any notes you have for this connector. |
| Search Criteria | You can use the auto-populated search attributes or enter your own search attributes for the data you want the FortiVoice unit to retrieve from the LDAP server. |
| Search base | Enter or browse for the search base, which defines the starting point of the search in the LDAP directory tree. |
| Search filter | Enter the complete query filter. |
| Scope | Select the LDAP search scope, which indicates the set of entries at or below the Base DN that may be considered potential matches for a search request. |
| Max results | Enter the maximum number of records that the search returns. |
| Mapping | The mapping enables the FortiVoice unit to convert the data retrieved from the LDAP server into FortiVoice extension or contact list entries. You can use the auto-populated attributes or enter the attributes used in your LDAP server that match the FortiVoice attributes for extensions or contact lists. For example, you may enter "name" for Display name if that is what you have for display name in your LDAP server. You can click the Retrieve LDAP attribute icon beside each field to choose an LDAP server attribute. This section includes the attributes listed in the procedure above. |
| More | For extension connectors, under More, you can configure the Time zone and Voicemail PIN attributes based on the synchronization results with the LDAP server. |
| Schedule | Set the schedule for data retrieval and mapping. |
Viewing LDAP contact list
After you have configured the LDAP contact connector and synchronized the FortiVoice unit with it, the generated FortiVoice contact list appears in Phone System > LDAP > LDAP Contact.
You can select a contact to view, modify, or delete it.
Clicking LDAP opens the LDAP Connector page.
For details about configuring contact connectors, see Configuring the LDAP connector.