As groups and paths in the LDAP / AD environment often differ between organizations, this section may need to be done in consultation with your organization’s AD group.
LDAP Settings
Mividas Installer also includes tools to test your LDAP or AD settings, which makes troubleshooting and getting started easier; you can read more about this under Troubleshooting tools.
These settings are optional. When filled in, they are used to pre-fill the LDAP settings of products installed later; otherwise those fields are left blank.
Server *
Enter the hostname of the LDAP or AD server to use by default. Use “fqdn:389” to use a specific port.
Service account DN / username *
Enter the DN (or username) of the account to be used as a service account. The path is often specific to your particular organization.
Password
Enter the password for the service account on your LDAP or AD server. The field is emptied after pressing Save.
Use LDAPS-connection
Connect to the server using an SSL/TLS-based LDAPS connection (port 636 by default). Make sure any custom CA certificates have been added so that certificate verification works.
Ignore TLS / SSL verification errors
Ignore TLS CA verification errors.
Disable referral chasing
Base DN *
Specify where in the tree the initial search for results should begin.
User filter *
Here you choose how users are filtered and displayed. See more information about filters and examples below.
Admin group DN
Specify which group in the tree will have elevated admin rights in the system, which opens up additional settings and functions for the logged-in user.
Superuser group DN
Specify which group in the tree gives its members superuser status (the highest level). Use this with caution: these users have full control over the system, so it should only be assigned to users with deep technical knowledge.
Customer attribute
Enter the attribute(s) holding the customer’s shared key in multi-tenant installations.
Read Only
If this is checked, users will not have access to functions such as changing passwords, e-mail addresses or other information for their users.
Organization membership attribute (only some components)
For automatic mapping of users to the organization tree, specify a comma-separated list of attributes containing the different levels of the organization, which allows fine-grained call statistics, e.g. topLevelOrganization,secondLevelOrganization.
Username attribute (only some components)
Which attribute to use to generate a username when scheduling meetings. Format: <ldap_fieldname>[/<search>/<replace>]
Example: email/example.org/video.example.org uses the content of the attribute email but replaces example.org with video.example.org. A common use is the email field as-is for Pexip Infinity installations, and email or userPrincipalName with a replace string to generate a userJid with the correct SIP domain for Cisco Meeting Server.
LDAP Filters
To limit access to users belonging to specific groups, you can add a variation of the following filter:
Direct members: (memberOf=cn=group,cn=users,dc=example,dc=org)
Nested membership, if running Active Directory: (memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,dc=example,dc=org)
Full example, Active Directory, for users with direct membership of cn=group:
(&(|(sAMAccountName=%(user)s)(userPrincipalName=%(user)s))(objectClass=person)(memberOf=cn=group,cn=users,dc=example,dc=org))
Full example, OpenLDAP/Red Hat DS, for users with direct membership of cn=group:
(&(uid=%(user)s)(objectClass=person)(memberOf=cn=group,cn=users,dc=example,dc=org))
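As an added example (not Mividas code), the following Python shows how the %(user)s placeholder in the filters above should be filled in with an RFC 4515-escaped login name, and how the <ldap_fieldname>[/<search>/<replace>] format of the username attribute is applied to a fetched entry; the sample entry and its values are constructed.

```python
"""Helpers for the two settings discussed above: rendering a user filter that
uses %(user)s, and applying a <ldap_fieldname>[/<search>/<replace>] spec.
Added example, not Mividas code; the filter string below is the page's own."""
from typing import Dict, List

# The page's full Active Directory example (direct membership of cn=group).
AD_FILTER = (
    "(&(|(sAMAccountName=%(user)s)(userPrincipalName=%(user)s))"
    "(objectClass=person)(memberOf=cn=group,cn=users,dc=example,dc=org))"
)

# RFC 4515 escapes for a value placed inside a filter. Without them a login
# name containing "*", "(" or ")" would change the structure of the filter
# instead of being compared literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, user: str) -> str:
    """Fill %(user)s in a user filter template with the escaped login name."""
    return template % {"user": escape_filter_value(user)}


def build_username(spec: str, entry: Dict[str, List[str]]) -> str:
    """Apply a username attribute spec to a fetched LDAP entry.

    spec is <ldap_fieldname> or <ldap_fieldname>/<search>/<replace>; entry maps
    attribute names to their values, as a directory client would return them.
    """
    parts = spec.split("/")
    if len(parts) not in (1, 3):
        raise ValueError(f"invalid username attribute spec: {spec!r}")
    values = entry.get(parts[0]) or []
    if not values:
        raise KeyError(f"attribute {parts[0]!r} not present on entry")
    username = values[0]
    if len(parts) == 3:
        username = username.replace(parts[1], parts[2])
    return username


if __name__ == "__main__":
    # Constructed sample entry, not from a real directory.
    entry = {"email": ["alice@example.org"], "userPrincipalName": ["alice@corp.example.org"]}
    print(render_user_filter(AD_FILTER, "alice"))
    print(render_user_filter(AD_FILTER, "*)(objectClass=*"))  # parentheses stay escaped
    print(build_username("email/example.org/video.example.org", entry))
```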