Manage IDS Connections

Click to access the Bulk User Provisioning tool in the User and Services application and manage any detained updates.

Note: The number of detained updates are indicated on the button.

Indicates the current synchronization connection status.

Created: The connection has been created. No synchronization have been attempted

Initializing: The synchronization operation is initializing and has not begun to process user updates.

Started: The synchronization operation has begun. User updates are being processed.

Stopped: The synchronization operation has been manually aborted.

Finished: The synchronization operation has completed.

Read only summary of the following:

• Percentage complete: If a synchronization in progress, this field indicates the progress.

• Current synchronization status

• Number of update errors

Click the Edit link to modify a directory server connection.

Click the Remove link to remove a directory server connection.

Click the Sync link to initiate an immediate synchronization operation the directory server. This operation checks for any database changes on the directory server since the previous synchronization and applies the updates to the MiCollab database.

After performing a synchronization, click the Access Detained Updates link to go to the Bulk User Provisioning tool and manage any failed or detained IDS operations.

Note: The Action links are disabled while the system is in the process of enabling or disabling Active Directory Authentication for users.

Select the directory server type: Active Directory, MiVoice 5000 / MiVoice 5000 Manager, Generic LDAP, or ForgeRock Directory Services. The type must be the same for both the Primary and Secondary directory servers.

See Directory server type below.

Enter the FQDN or IPv4 address of the directory server for the IDS connection. By default, the MiCollab system always connects to the primary directory server during a synchronization operation.

Note: This is a mandatory field.

Enter the FQDN or IPv4 address of a secondary/backup directory server for the IDS connection.

The secondary directory server acts as a backup to the primary server whenever the primary is unreachable. The secondary must be a replica of the primary; otherwise, the synchronization will be problematic. On each interval, the connection always attempts to use the primary server followed by the secondary server. This ensures that the connection reverts to the primary server after the issue has been resolved.

Note: This field does not apply to MiVoice 5000 or Generic LDAP integrations.

A set of fields that allow you to schedule synchronizations to occur regularly on a pre-defined time interval.

• Select the interval on a per-minute/hour/day/week/month basis from drop-down menus.

• Set the time of the synchronization in 24-hour format

During a scheduled synchronization, the system checks for any database changes on the directory server since the previous synchronization and applies the updates to the MiCollab database.

Note: To perform a full synchronization, you must check the Re-initialize on the next cycle box.

Daily at midnight

00:00

Check to enable Active Directory authentication of end user passwords. To support Authentication, the Enable synchronization option above must also be enabled.

Note: The 'Enable authentication' check box should not be used for MiVoice 5000 and Generic LDAP.

Check to enable Active Directory Authentication of end user passwords only. If this box is checked the IDS connection will only support authentication and will not perform any user or contact data synchronization.

The 'Authentication Only' check box is not supported for use in a MiVoice Business integration because it disables synchronization and synchronization is the only method for the IDS connection ID and Distinguished Name to be recorded in the database.

Note: If both Active Directory authentication and user or contact data synchronization is required, check the Enable authentication option above and disable this option.

Check to allow user configuration and to create users through AD LDS.

This will cause the authentication to login with the samAccountName only.

Domain

(Domain Name or Connection Name)

For IDS connections that use Active Directory or Generic LDAP, specify the unique domain name used by the directory server. For integrations to Active Directory, the same domain must be used for both the primary and secondary directory server.

For IDS connections to the MiVoice 5000 directory service or MiVoice 5000 Manager (AM4750), specify the name of the connection.

Note: This is a required field.

Distinguished name

(Directory Server Username)

Enter the directory server username (in Distinguished name format) required to access the synchronization account on the directory server.

Example:

• Distinguished Name format – cn=luum, cn= users, dc=ids, dc=com

Global Catalogue ( GC) provides a centralized LDAP user view across all domains. The feature provides one connection point for this information. However, the view is limited to a subset of all user attributes. When this option is in use, it reduces the number of fields that are mapped to the MiCollab user records. When a GC LDAP port is specified, only the following user fields are available for synchronization with MiCollab :

• telephoneNumber (Prime DN)

• ObjectGUID (User ID)

• samAccountName (Login)

• distinguished name (Domain)

• mail (Email)

• sn (Last Name)

• givenName (First Name)

Note: If you specify a port for this field, the IDS connections ignore the LDAP port set above.

Note: This field does not apply to MiVoice 5000 or Generic LDAP integrations.

Select the security method used to connect to the directory server. The following options are available. This setting determines the level of security in the connection between MiCollab and Active Directory:

Unsecured - No encryption.

TLS - Encrypted, LDAP over Transport Layer Security.

SSL - Encrypted, LDAP over Secure Socket Layer.

Upgraded to Secure (LDAP with start TLS)

Secure (LDAPS)

Unsecured means that the passwords that are being authenticated between MiCollab server and the Active Directory server are not encrypted and could be read by "sniffing" traffic between them. Note that in the case of the MiVoice 5000, there is no authentication, so passwords, other than the administrator account to log into the MiVoice 5000 directory are not being transmitted.

Both TLS and SSL are secure and prevent anyone from easily sniffing the traffic between MiCollab and Active Directory.

TLS is the recommended setting.

Secure (LDAPS) is recommended while applying the Microsoft security changes on the Active Directory when the sites must be moved from unsecure to secure LDAP. Secure (LDAPS) should be selected when the default LDAP port  is 636.LDAP over TLS can also use port 389 to establish a secure connection but it still requires a certificate to be added to the domain controllers.

Note: For MiVoice 5000 integrations, this field is disabled and set to Unsecured.

Note: Active Directory supports two methods for establishing an SSL/TLS-protected connection to a DC. The first is to connect a DC on a protected LDAPS port (TCP ports 636 and 3269 in AD DS). The second is to connect to a DC on a regular LDAP port (TCP ports 389 or 3268 in AD DS, and a configuration-specific port in AD LDS), and later sending an LDAP_SERVER_START_TLS_OID extended operation [RFC2830].

Regardless of the means by which an SSL/TLS-protected connection is established, the IDS client performs a bind using the credentials configured against the connection before searching the directory.

Enter the default query string used for filtering LDAP searches.

Note: The Active Directory default setting processes all user accounts and contact records. The MiVoice 5000 default setting processes all internal and external contact records.

Active Directory defaults to

|(ObjectClass=user)(ObjectClass=contact)

MiVoice 5000 directory service and MiVoice 5000 Manager (AM7405) defaults to

|(ObjectClass=peopleRecord)(ObjectClass=contactRecord)

Generic LDAP defaults to (ObjectClass=person)

The Search scope determines the set of directory server data that is applied to MiCollab database during a synchronization event. Select one of the following:

• Sub-tree : include all child objects as well as the base object.

• Object: limit the search to the base object. The maximum number of objects returned is always one.

• One level: limit the search to the immediate children of a base object, but exclude the base object itself.

Note: This field does not apply to MiVoice 5000 integrations.

Enter the maximum page size of the LDAP search. The permitted range is 100 to 1000 records per page.

Note: This field does not apply to MiVoice 5000 integrations.

If the directory server does not hold the target requested by an LDAP search, it will return a referral message that redirects the MiCollab client to another directory server.

Check the box to act on the referral message or clear the box to ignore it.

Note: This field does not apply to MiVoice 5000 integrations.

Enter the distinguished name of the default location used to search objects on the directory server. If there are multiple locations, use semi-colons to separate the entries. For example, to search for objects in the SDS and HR groups, enter: OU=SDS, OU=RandD, DC=mitel, DC=com; OU=HR, DC=mitel, DC=com;

Leave the field blank to begin the search at the domain root container.

Check this box to select this connection for use with an external search database, for example Mitel Metadirectory.

See Configure Access to External Directory for details.

Select the IDS mapping attribute that you want to use to partition the directory.

See Partition the Corporate Directory for details.

Organizational unit or Attribute.

Default is Organizational unit.

Enable reverse lookup resolves number to name at call-to or call-from an external number.

Note: Lookup/Reverse lookup is not supported if conference call is between external users.

Check to enable LDAP reverse lookup function.

Before performing the external reverse lookup, MiCollab Client server will replace the two parameters, that is publicLinePrefix and internationDialingPrefix from the searched string. If any of the prefix is found, then the best match is found otherwise an exact match happens.

Unchecked for Active Directory.

Checked for Generic LDAP server type.

Dial Digit Count is enabled when the Enable Reverse lookup parameter is checked.

The configuration parameters, publicLinePrefix and internationDialingPrefix will not work with Dial Digit Count. If any one of the parameter is configured then the dial digit count setting will get disabled. Prefix settings will override the dial digit count setting.

It is used to strip as many digits as configured before lookup.

Enter the number of leading digits to be removed in the LDAP search.

Note: Removing leading digits count field is applicable only for reverse lookup functionality and NOT for external search.

When synchronization occurs the system automatically sends all operations to the detained updates queue.

Use this option if you want to preview the synchronization updates in the detained updates queue. From the queue, you can view, apply, modify, or cancel (delete) the updates as required. See Resolving Detained and Failed Updates for instructions.

By default, this box is checked and the default attribute mappings are applied to a new connection. Note that you can set the default settings (see Set Default IDS Attribute Mappings).

Note: In case of ForgeRock Directory Services, the Use Default Attribute Mappings box should be unchecked.

To use custom settings, clear the check box and enter the required attributes. See Set Default IDS Attribute Mappings for a description of the attribute fields.