As groups and paths in LDAP / AD environments often differ between organizations, this section may need to be completed in consultation with your organization's AD team.

LDAP Settings

Mividas Installer also includes tools for testing your LDAP or AD settings, which makes it easier to troubleshoot and get started. You can read more about this under Troubleshooting tools.

These settings are optional. If filled in, they are copied automatically when installing future products; otherwise the corresponding fields in those products are left blank.

Server *
Enter the hostname of the LDAP or AD server to use by default. Use "fqdn:389" to specify a particular port.

Service account DN / username *
Enter the DN (or username) of the account to be used as the service account. The path is usually specific to your organization.

Password
Enter the password of the service account on your LDAP or AD server. The field is cleared after you press Save.

Use LDAPS-connection
Connect to the server over an SSL/TLS-encrypted LDAPS connection (port 636 by default). Make sure you have added any custom CA certificates so that certificate verification succeeds.

Ignore TLS / SSL verification errors
Skip verification of the server certificate against the CA chain.

Note that TLS over the regular LDAP port 389 (StartTLS) may be used even when LDAPS is not enabled, so unless you have added your custom CA certificates for verification, login may fail.

Disable referral chasing

Unchecked by default.

Base dn *
Specify where in the tree the initial search for results should begin.

User filter *
Here you define how users are filtered and which of them are shown.

By default, the filter allows all users in the LDAP tree to use the systems, so you should adapt it to your environment and restrict it to the users who should have access.

See more information about filters and examples below.

Admin group DN
Specify which group in the tree will have elevated admin rights in the system, which opens up additional settings and functions for the logged-in user.

Superuser group DN
Specify which group in the tree gives its members superuser status (the highest level). Use this with caution: these users have full control over the system, so it should only be assigned to users with high technical knowledge.

Customer attribute
Enter the attribute that holds the customer's shared key in multi-tenant installations.

Read Only
If this is checked, users will not have access to functions such as changing passwords, e-mail addresses or other information for their users.

Organization membership attribute (only some components)

For automatic mapping of users to the organization tree, specify a comma-separated list of attributes containing the different levels of the organization, which allows fine-grained call statistics. E.g. topLevelOrganization,secondLevelOrganization

Username attribute (only some components)

Which attribute to use to generate a username when scheduling meetings.

Format: <ldap_fieldname>[/<search>/<replace>]

Example: email/example.org/video.example.org uses the content of the attribute email, but replaces example.org with video.example.org.

A common use is the email field as-is for Pexip Infinity installations, or email or userPrincipalName with a replace string to generate a userJid with the correct SIP domain for Cisco Meeting Server.

LDAP Filters

To limit access to users belonging to specific groups, you can add a variation of the following filter clauses:

Direct members: (memberOf=cn=group,cn=users,dc=example,dc=org)

Nested membership, if running Active Directory: (memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,dc=example,dc=org)

Full example, Active Directory, for users with direct membership of cn=group:

(&(|(sAMAccountName=%(user)s)(userPrincipalName=%(user)s))(objectClass=person)(memberOf=cn=group,cn=users,dc=example,dc=org))

Full example, OpenLDAP/Red Hat DS, for users with direct membership of cn=group (the uid match, the objectClass check and the group membership must all be AND-ed, otherwise the filter matches any person in the group regardless of the username entered):

(&(uid=%(user)s)(objectClass=person)(memberOf=cn=group,cn=users,dc=example,dc=org))