Enswitch can push data about people and telephones to an LDAP server. Handsets can then access the LDAP server to search for people, and to fill in the names of numbers they call. Please note that:
- This is advanced configuration. The person configuring this must be familiar with LDAP. Configuring the LDAP server is outside the scope of Enswitch support.
- Unless you're very familiar with LDAP, it's best to dedicate the LDAP server to Enswitch use. Enswitch will create and delete LDAP entries as it sees fit. Sharing an LDAP server without careful ACL design may result in severe data loss.
To configure LDAP integration:
- Install and configure an LDAP server. The "389" LDAP server is suggested.
- In the Enswitch system configuration menu, set the "LDAP host", "LDAP username", "LDAP password", and "LDAP base" configuration settings. The host may optionally contain a colon followed by a port number. The user must have access to create and delete entries anywhere under the chosen base.
- By default, most LDAP servers allow anonymous access. To protect customers' privacy, it's a good idea to limit access to authenticated telephone lines, and to allow them to access only data within their own customer. How to do this depends on the LDAP server. For the 389 server, an example LDIF file can be found in /opt/enswitch/current/samples/ldap/setup_example.ldif. This file will need to be copied to another location, edited to set the correct base, then run using "ldapmodify -x -D 'cn=Directory Manager' -w '<password>' -f <file>" or similar.
- Run "enswitch sync_ldap" to push existing Enswitch people and telephone lines to the LDAP server. This should only need to be run once. Future updates will be pushed by the Enswitch API layer as they happen.
- Test lookups using a SIP handset, ldapsearch, or similar. The authentication used should be that of an Enswitch telephone line, with the username in the format "cn=<telephone line>,ou=<customer ID>,<base>". The customer ID is the numerical ID of the customer, not the customer name. If the Enswitch customer is set to share data with its parent, then the ID should be that of the parent. This applies recursively. If in doubt, use ldapsearch as "cn=Directory Manager" or similar to find the correct customer ID for the telephone line.
- Test that users cannot access data in other customers.
- Test that users without authentication cannot access customer data.
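The three tests above can be scripted with ldapsearch. The following is an added example, not part of Enswitch or its sample files: it builds the bind DN in the documented "cn=<telephone line>,ou=<customer ID>,<base>" format, then checks that the line can see entries in its own customer's subtree, sees nothing in another customer's subtree, and that an anonymous search returns nothing. The environment variable names (LDAP_HOST, LDAP_BASE, LINE_NAME, LINE_PASS, CUSTOMER_ID, OTHER_ID, RUN_LDAP_CHECKS) and the "(objectClass=*)" filter are assumptions made for the example; the attribute layout of the entries Enswitch pushes is not described here, so the script only counts returned "dn:" lines rather than inspecting attributes.

```shell
#!/bin/sh
# Added example (not Enswitch's own tooling): verify LDAP access controls
# after "enswitch sync_ldap". Assumed environment variables:
#   LDAP_HOST    host or host:port, as in the "LDAP host" setting
#   LDAP_BASE    the "LDAP base" setting, e.g. dc=example,dc=com
#   LINE_NAME    an Enswitch telephone line name; LINE_PASS its password
#   CUSTOMER_ID  numeric ID of the line's customer (or of the parent when
#                the customer shares data with its parent)
#   OTHER_ID     numeric ID of an unrelated customer, for the negative test
set -u

# Bind DN in the documented format: cn=<telephone line>,ou=<customer ID>,<base>
build_bind_dn() {
    printf 'cn=%s,ou=%s,%s\n' "$1" "$2" "$3"
}

# Search base covering a single customer's subtree: ou=<customer ID>,<base>
customer_base() {
    printf 'ou=%s,%s\n' "$1" "$2"
}

# Count entries in LDIF output read from stdin (one "dn:" line per entry).
# Uses awk rather than "grep -c" so an empty result is 0 with exit status 0.
count_entries() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}

# Run one subtree search and print the number of entries returned.
# $1 = bind DN ("" for an anonymous search), $2 = password, $3 = search base.
# A refused bind or a "no such object" result both yield 0, which is what
# the negative tests expect; stderr is discarded for that reason.
search_count() {
    if [ -n "$1" ]; then
        ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -D "$1" -w "$2" \
            -b "$3" -s sub '(objectClass=*)' dn 2>/dev/null
    else
        ldapsearch -x -LLL -H "ldap://$LDAP_HOST" \
            -b "$3" -s sub '(objectClass=*)' dn 2>/dev/null
    fi | count_entries
}

# Perform the three documented checks; returns 0 only if all of them pass.
run_checks() {
    dn=$(build_bind_dn "$LINE_NAME" "$CUSTOMER_ID" "$LDAP_BASE")
    own=$(search_count "$dn" "$LINE_PASS" "$(customer_base "$CUSTOMER_ID" "$LDAP_BASE")")
    other=$(search_count "$dn" "$LINE_PASS" "$(customer_base "$OTHER_ID" "$LDAP_BASE")")
    anon=$(search_count "" "" "$(customer_base "$CUSTOMER_ID" "$LDAP_BASE")")
    status=0
    if [ "$own" -gt 0 ]; then
        echo "ok:   $dn sees $own entries in customer $CUSTOMER_ID"
    else
        echo "FAIL: $dn sees nothing in customer $CUSTOMER_ID (check the bind DN and customer ID)"
        status=1
    fi
    if [ "$other" -eq 0 ]; then
        echo "ok:   $dn sees no entries in customer $OTHER_ID"
    else
        echo "FAIL: $other entries of customer $OTHER_ID are visible to $dn"
        status=1
    fi
    if [ "$anon" -eq 0 ]; then
        echo "ok:   anonymous search of customer $CUSTOMER_ID returns nothing"
    else
        echo "FAIL: anonymous search returned $anon entries of customer $CUSTOMER_ID"
        status=1
    fi
    return $status
}

# Only contact a server when explicitly asked, so the file can also be
# sourced for its helper functions.
if [ "${RUN_LDAP_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it as "RUN_LDAP_CHECKS=1 LDAP_HOST=... LDAP_BASE=... LINE_NAME=... LINE_PASS=... CUSTOMER_ID=... OTHER_ID=... sh check_ldap.sh". If the first check fails while the others pass, the most common cause is the customer ID: as noted above, a customer that shares data with its parent must bind under the parent's ID, so confirm the line's actual DN with ldapsearch as "cn=Directory Manager" before concluding the ACLs are wrong.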