Ldap-Based Management And Sip Services - AudioCodes Mediant 1000B User Manual

User's Manual
15.3

LDAP-based Management and SIP Services

The device supports the Lightweight Directory Access Protocol (LDAP) application protocol
and can operate with third-party, LDAP-compliant servers such as Microsoft Active
Directory (AD).
You can use LDAP for the following LDAP services:

SIP-related (Control) LDAP Queries: This can be used for routing or manipulation
(e.g., calling name and destination address). The device connects and binds to the
remote LDAP server (IP address or DNS/FQDN) during the service's initialization (at
device start-up) or whenever you change the LDAP server's IP address and port.
Binding to the LDAP server is based on username and password (Bind DN and
Password). Service makes 10 attempts to connect and bind to the remote LDAP
server, with a timeout of 20 seconds between attempts. If connection fails, the service
remains in disconnected state until the LDAP server's IP address or port is changed. If
connection to the LDAP server later fails, the service attempts to reconnect.
For the device to run a search, the path to the directory's subtree, known as the
distinguished name (DN), where the search is to be done must be configured (see
'Configuring LDAP DNs (Base Paths) per LDAP Server' on page 208). The search key
(filter), which defines the exact DN to search, and one or more attributes whose values
must be returned to the device must also be configured. For more information on
configuring these attributes and search filters, see 'Active Directory-based Routing for
Microsoft Lync' on page 219.
The device can store recent LDAP queries and responses in its local cache. The
cache is used for subsequent queries and/or in case of LDAP server failure. For more
information, see 'Configuring the Device's LDAP Cache' on page 212.
If connection with the LDAP server disconnects (broken), the device sends the SNMP
alarm, acLDAPLostConnection. Upon successful reconnection, the alarm clears. If
connection with the LDAP server is disrupted during the search, all search requests
are dropped and an alarm indicating a failed status is sent to client applications.

Management-related LDAP Queries: This is used for authenticating and authorizing
management users (Web and CLI) and is based on the user's login username and
password (credentials) when attempting login to one of the device's management
platforms. When configuring the login username (LDAP Bind DN) and password
(LDAP Password) to send to the LDAP server, you can use templates based on the
dollar ($) sign, which the device replaces with the actual username and password
entered by the user during the login attempt. You can also configure the device to
send the username and password in clear-text format or encrypted using TLS (SSL).
The device connects to the LDAP server (i.e., an LDAP session is created) only when
a login attempt occurs. The LDAP Bind operation establishes the authentication of the
user based on the username-password combination. The server typically checks the
password against the userPassword attribute in the named entry. A successful Bind
operation indicates that the username-password combination is correct; a failed Bind
operation indicates that the username-password combination is incorrect.
Once the user is successfully authenticated, the established LDAP session may be
used for further LDAP queries to determine the user's management access level and
privileges (Operator, Admin, or Security Admin). This is known as the user
authorization stage. To determine the access level, the device searches the LDAP
directory for groups of which the user is a member, for example:
CN=\# Support Dept,OU=R&D
Groups,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=abc,DC=com
CN=\#AllCellular,OU=Groups,OU=APC,OU=Japan,OU=ABC,DC=corp,DC=a
bc,DC=com
The device then assigns the user the access level configured for that group (in
'Configuring Access Level per Management Groups Attributes' on page 210). The
Version 6.8 203 Mediant 1000B Gateway & SBC
15. Services