LDAP Sync. A tool for the C3000 Exchange 5.5/2000/2003 Integration with synchronised user administration in Microsoft Directory (ADAM/ADS)




Version 4.2, Date: 01.09.2005, Avaya Tenovis 2005

Contents

1 Introduction (p. 3)
1.1 C3000, Microsoft ADS and schema extension (p. 3)
1.2 Reasons which prevent schema extension (p. 4)
1.3 Microsoft ADAM (Active Directory Application Mode) (p. 5)
1.4 C3000 LDAP Sync (p. 6)
2 Installation (p. 7)
2.1 Installing Microsoft ADAM (p. 7)
2.1.1 Installing the ADAM server (p. 7)
2.1.2 C3000 schema extension in the ADAM directory (p. 18)
2.1.3 C3000 configuration for access to ADAM (p. 21)
2.1.4 C3000 system administrator in the ADAM directory (p. 22)
2.1.5 Change password via LDAP (p. 23)
2.1.6 C3000 user in ADAM (p. 24)
2.2 Installing C3000 LDAP Sync (p. 27)
3 Configuration (p. 30)
3.1 C3000 LDAP Sync configuration and settings (p. 30)
3.1.1 General settings (p. 31)
3.1.2 Source LDAP server settings (p. 34)
3.1.3 Destination settings (p. 37)
3.1.4 Default settings (p. 42)
3.2 Differences between MSX 2000/2003 and MSX 5.5 synchronizations with ADAM (p. 46)
3.3 Synchronizing ADS MSX 2000/2003 in ADS (p. 47)

1 Introduction

1.1 C3000, Microsoft ADS and schema extension

From Windows 2000 Server on, domain user administration is based on the X.500 compliant ADS (Active Directory Service). The company's organisational structure is depicted in the so-called directory schema, starting with the company name and going down to the individual user's permissions. The schema that Microsoft specifies when the ADS is installed, with its attributes for user permissions, can be extended with objects for other applications in accordance with the ITU X.500 standard. It should explicitly be noted that an X.500 directory has been conceived especially for extension, with the aim of avoiding redundant data management across different systems. The X.500 standard guarantees that no conflicts can arise.

If Exchange 2000/2003 is used, the directory schema is extended to include the corresponding Exchange objects. This extension is imperative for running an Exchange 2000/2003 server. The C3000 unified messaging system extends the directory schema by approximately 70 attributes necessary for the unified messaging system's user administration. From a technical point of view, direct schema extension of the existing ADS is the simplest and optimum solution.

[Figure: Exchange 2000/2003 server and C3000 server connected to the ADS domain controller, whose X.500 standard schema carries both the Exchange and the C3000 schema extensions]

1.2 Reasons which prevent schema extension

For corporate, structural and organisational reasons, situations often arise where this schema extension cannot be carried out at the central directory. This could be for the following reasons:

- The central ADS domain controller is not under the authority of the business unit which introduces the UMS system (parent company abroad, strict division of IT and telecommunications departments).
- The central ADS domain controller is run by an external service provider (outsourcing) which does not permit any extension of the schema (contractual problems).

In most cases these scenarios mean that redundant data management and maintenance is necessary. The C3000 system can also be run without a directory or with a separate ADS or Novell NDS directory. However, the use of an additional ADS directory on the C3000 server proves to be a problem, as the installation of ADS requires the Windows 2000/2003 server to be configured as a domain controller and a DNS server to be installed too. The server can therefore not become a member of the customer domain because it is a DC itself. This is understandably not wanted in most cases.

The question or task is: how can the following points be reconciled with each other?

1. No schema extension of the central ADS directory
2. No C3000 server as domain controller with DNS server
3. No redundant user administration

1.3 Microsoft ADAM (Active Directory Application Mode)

With Windows 2003 Server, Microsoft supplies the ADS directory as an independently installable service. This version of the ADS is called ADAM (Active Directory Application Mode). ADAM is not run as part of the operating system's directory service and therefore does not have to be made available on a domain controller. For this reason, several ADAM instances can also be executed simultaneously on a single server, and each instance can be configured independently of the others. Apart from these differences, ADS and ADAM are identical. The ADAM directory can be installed locally on the C3000 server and be extended by the relevant attributes with the C3000 schema extension.

[Figure: Exchange 2000/2003 server and ADS domain controller (X.500 standard schema with Exchange schema extension) next to the C3000 server hosting an ADAM instance (X.500 standard schema with C3000 schema extension)]

1.4 C3000 LDAP Sync

The previous step solves problems 1 and 2. However, it would now be necessary to maintain the administrative user data in two places, so item 3 would not be fulfilled. Tenovis has developed an additional C3000 component to solve this problem: the C3000 LDAP Sync.

The C3000 LDAP Sync is a Windows service which enables objects and attributes from one X.500 directory to be synchronised into another. The linking possibilities are not limited to ADS and ADAM; other X.500 conformant directories such as Novell NDS or Netscape can also be used. In addition, the LDAP Sync enables attributes from the source directory to be assigned to any other attributes in the target directory. The contents of the attributes can also be extended and added to.

Example, creating the user extension number for UMS Fax/Voice: take the last four digits of the user's phone number from the central ADS, place a 9 in front of these and then store the new number in the ADAM directory as the UMS Fax/Voice number.

It is also possible to define operations to be carried out when an ADS user is imported into the UMS ADAM directory or activated as a UMS user.

Example, import and activation of UMS users: all users with the organisational abbreviation PK49 at the Hamburg location are imported into the ADAM directory as active C3000 UMS users.

The synchronisation interval of the LDAP Sync can be adjusted to the requirements. It is possible to import users from several containers of the ADS, and several C3000 LDAP Syncs can be run in parallel on one computer in order to collate data from various directories.

[Figure: LDAP Sync server with read-only access to the ADS domain controller (X.500 standard schema with Exchange schema extension) and write/read access to the ADAM server (X.500 standard schema with C3000 schema extension); Exchange 2000/2003 server attached to the ADS]

All three problems are solved by using C3000 LDAP Sync. The C3000 system can now be run without schema extension of the central ADS and nevertheless without redundant data maintenance.

2 Installation

The following explains how the C3000 LDAP Sync and the ADAM server are installed in individual steps. It starts with the installation of the ADAM server, as installation and setup of the LDAP Sync does not make sense without a prior ADAM server installation.

2.1 Installing Microsoft ADAM

The Microsoft ADAM server can only be installed on a Windows 2003 server or Windows XP; it is not possible to install it under Windows 2000.

2.1.1 Installing the ADAM server

The following steps must be completed to install ADAM:

1. Execute the adamsetup.exe file in the ADAM directory.
2. Click on Next.
3. Agree to the licence terms and click on Next.
4. Select ADAM and ADAM administration tools and then click on Next.
5. Select Install a unique instance and click on Next.

6. Enter the instance name. The instance name will later be the name displayed for the ADAM service. Then click on Next.
7. Enter the LDAP port number and SSL port number. It is advisable to use the default standard ports (LDAP = 389, SSL = 636). A different LDAP port is only necessary if an ADS has already been installed on the server, as this uses the same port.
8. Select Yes, create an application directory partition and enter the name of the directory partition (example: DC=UMS). Click on Next.

9. Specify the paths for the data files and the data recovery files. Click on Next.
10. Select the Windows account under which the ADAM server is to run and the user or group who are to have initial administrative rights (permissions) on the ADAM server. Then click on Next.

11. Select MS-User.ldf and MS-InetOrgPerson.ldf from the list of available standard LDIF files by moving the two files from the left to the right. The LDIF files contain the schema extension for Windows user administration under ADAM. Click on Next.
12. After a further confirmation with Next the setup starts and installs the ADAM server.

After the installation has been completed, the ADAM server can be found under Service Management. It is started immediately after installation.

An administrator user must be set up so that C3000 can log on via LDAP. For improved clarity, a new container is created for this user. The ADAM-adsiedit administration tool installed with ADAM is used to administer the ADAM directory.

1. Call up the ADAM-adsiedit program.
2. Right-click (i.e. click with the right-hand mouse button) on ADAM-adsi Editor in the left-hand window.
3. Select Connect to from the context menu.
4. Assign a connection name (example: C3000).

5. Select the Distinguished Name (DN) or Naming Context: radio button.
6. Enter the partition name assigned during installation (example: DC=UMS).
7. Click OK.

The connection is set up and the partition displayed. Now create the new container for our user. Please complete the following steps to create a new container:

1. Right-click on the previously connected partition name.
2. Select New and Object from the context menu.
3. Select Container.
4. Assign a name for the new container (example: Users).
5. Click on Finish.

The administrator user for C3000 is now created in the new container. Please now complete the following steps:

1. Right-click on the previously created container.
2. Select New and Object in the context menu.
3. Select User.
4. Assign a name for the new user (example: Administrator).
5. Click on Finish.

When a user logs on, C3000 checks all users against the IDENT, which corresponds to the attribute userprincipalname in ADS. When an ADAM user is created, this attribute is not filled in automatically, so it has to be set manually for the administrator user. Please now complete the following steps:

1. Use the mouse to select the user created in the container on the right-hand side in ADAM-adsiedit.
2. Right-click and select Properties.
3. Select the userprincipalname attribute from the list and double-click on the attribute with the left mouse button.
4. Enter the name (example: Administrator) and click twice on OK.

In the next step the user must be assigned to the group of directory administrators (CN=Administrators, CN=Roles, DC=UMS). To do this, please complete the following steps:

1. On the left-hand side in ADAM-adsiedit, click on the container CN=Roles.
2. Use the mouse to select the group of administrators (CN=Administrators) on the right-hand side in ADAM-adsiedit.
3. Right-click and select Properties.
4. Select the Member attribute from the list and double-click on the attribute with the left mouse button.
5. Click on Add ADAM account.

6. Enter the administrator user created, with their full distinguished name (DN) (example: CN=Administrator, CN=Users, DC=UMS), and click three times on OK to close all windows.

The administrator user now needs a password. Assign this by completing the following steps:

1. Use the mouse to select the user created in the container on the right-hand side in ADAM-adsiedit.
2. Use the left mouse button to select Reset password in the context menu.
3. Enter an appropriate password and click on OK.

Setup of the ADAM server with a C3000 administrator user is now completed. The C3000 server will now be able to log on successfully. Logging on via the C3000 WebAdmin will not work yet; further configuration steps are necessary for this. These are described in detail in the following chapter.

Use the LDP tool supplied to check whether it is possible to log on successfully with the administrator account set up in the ADAM server directory. Please now complete the following steps:

1. Open a Windows command line and start the tool.
2. Select the Connect item under Connection.
3. Enter the ADAM server name and port number and click on OK. A successful connect produces output similar to that in the screenshot.
   [Screenshot: LDP connect output]
4. Select the Bind item under Connection.
5. Enter the administrator user created and their password. In LDP, the last line of the output shows whether the logon was successful.

6. In the LDP menu, select View and then select the Tree item there.
7. Select the ADAM partition created (example: DC=UMS).
8. You can now navigate through the ADAM directory on the left-hand side of LDP.

2.1.2 C3000 schema extension in the ADAM directory

You cannot use the normal C3000 setup for ADS schema extension in order to extend the ADAM server with the C3000 attributes. An alternative installation script and the LDIF files required are supplied with the LDAP Sync installation. Complete the following steps to install these:

1. Open a Windows command line and go to the installation directory of the LDAP Sync.
2. There, in the directory \Tools\AdamConfig\AdamSchemaExtensions, is the batch file AdamConfig.cmd.
3. Execute the AdamConfig.cmd batch file.

The schema extension is completed after the batch file has been run successfully.

Alternatively, if problems occur, you can also install the individual LDIF files manually. This is explained again in detail in the following.

For normal schema extension in an Active Directory, the extension is undertaken with the following lines:

    ldifde -i -k -f "c3kattributes.ldif" -c "<c3kdomain>" "customerdomain"
    ldifde -i -k -f "c3kclasses.ldif" -c "<c3kdomain>" "customerdomain"
    ldifde -i -k -f "c3kschema.ldif" -c "<c3kdomain>" "customerdomain"

where customerdomain is replaced with the directory's root. For ADAM this would mean:

    ldifde -i -k -f "c3kattributes.ldif" -c "<c3kdomain>" "DC=UMS"
    ldifde -i -k -f "c3kclasses.ldif" -c "<c3kdomain>" "DC=UMS"
    ldifde -i -k -f "c3kschema.ldif" -c "<c3kdomain>" "DC=UMS"

By adding the parameter -c, all occurrences of <c3kdomain> in the given LDIF files are replaced with DC=UMS. However, if you look at the c3kattributes.ldif file, for example, the first thing you see is the line

    dn: CN=gender, CN=Schema, CN=Configuration, <c3kdomain>

which therefore leads to the object CN=gender, CN=Schema, CN=Configuration, DC=UMS. If you now use ADAM-ADSI Edit to view the configuration database you will find that this path is incorrect: in ADAM the configuration and schema partitions do not hang below the application partition DC=UMS.

This means the correct syntax for this example is:

    ldifde -i -k -f "c3kattributes.ldif" -c "<c3kdomain>" "CN={24CA2A55-BAD7-4425-B232-3F2B8A1B341C}" -s w2003dc
    ldifde -i -k -f "c3kclasses.ldif" -c "<c3kdomain>" "CN={24CA2A55-BAD7-4425-B232-3F2B8A1B341C}" -s w2003dc
    ldifde -i -k -f "c3kschema.ldif" -c "<c3kdomain>" "CN={24CA2A55-BAD7-4425-B232-3F2B8A1B341C}" -s w2003dc

The parameter -s w2003dc is necessary, as otherwise the program tries to apply the schema update to the Active Directory. After the import, the schema must be updated in ADAM-ADSI Edit. The new attributes should now be available in a user object.

2.1.3 C3000 configuration for access to ADAM

C3000 normally takes the base DN for LDAP access from the attribute defaultnamingcontext, which an Active Directory returns during a connect. If this value is not available, the first entry under namingcontexts is used. The response from a normal Active Directory server is shown below:

[Screenshot: rootDSE output of an Active Directory server, including defaultnamingcontext]

Compared to this, the response from an ADAM directory is:

[Screenshot: rootDSE output of an ADAM directory]

It is noticeable that there is no defaultnamingcontext value. The first entry under namingcontexts refers to the configuration partition and not to the required DC=UMS. Therefore, in the registry of the C3000 server, under

    hklm\software\com:on\c3000 Server\Config

the LDAPBASE character string must be set to the value DC=UMS. The registry key is set automatically when the AdamConfig.cmd batch file is executed. Please check whether it is entered correctly in the registry.
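The two ADAM differences that 2.1.2 and 2.1.3 describe both come from the server's rootDSE. The following added example (not part of this document or of the C3000 product) models them with constructed rootDSE responses: it applies the base-DN rule from 2.1.3 (LDAPBASE, else defaultnamingcontext, else first namingcontexts entry) and derives the value that ldifde -c must substitute for <c3kdomain> from schemaNamingContext, so that the schema DNs in the C3000 LDIF files land under the real schema partition. The GUID container name and the domain DC=exchange,DC=internal are placeholders.

```python
"""Base DN and ldifde -c replacement derived from a server's rootDSE."""

# Constructed rootDSE of a normal Active Directory domain controller.
ADS_ROOTDSE = {
    "defaultNamingContext": ["DC=exchange,DC=internal"],
    "namingContexts": [
        "DC=exchange,DC=internal",
        "CN=Configuration,DC=exchange,DC=internal",
        "CN=Schema,CN=Configuration,DC=exchange,DC=internal",
    ],
    "schemaNamingContext": ["CN=Schema,CN=Configuration,DC=exchange,DC=internal"],
}

# Constructed rootDSE of an ADAM instance holding the partition DC=UMS.
# ADAM keeps configuration and schema below a GUID-named container (the GUID
# here is a placeholder; a real instance shows its own) and publishes no
# defaultNamingContext at all.
ADAM_GUID = "CN={00000000-0000-0000-0000-000000000000}"
ADAM_ROOTDSE = {
    "namingContexts": [
        "CN=Configuration," + ADAM_GUID,
        "CN=Schema,CN=Configuration," + ADAM_GUID,
        "DC=UMS",
    ],
    "schemaNamingContext": ["CN=Schema,CN=Configuration," + ADAM_GUID],
}


def ldap_base(rootdse, ldapbase_override=None):
    """Search base as section 2.1.3 describes C3000 choosing it: the LDAPBASE
    registry value wins, otherwise defaultNamingContext, otherwise the first
    namingContexts entry (which on ADAM is the configuration partition)."""
    if ldapbase_override:
        return ldapbase_override
    if rootdse.get("defaultNamingContext"):
        return rootdse["defaultNamingContext"][0]
    return rootdse["namingContexts"][0]


SCHEMA_PREFIX = "CN=Schema,CN=Configuration,"


def c3kdomain_replacement(rootdse):
    """Value for the second -c argument of ldifde.

    The C3000 LDIF files address schema objects as
    CN=<name>,CN=Schema,CN=Configuration,<c3kdomain>, so <c3kdomain> has to be
    whatever follows that prefix in the server's own schemaNamingContext:
    the domain root on ADS, the GUID container on ADAM."""
    schema_nc = rootdse["schemaNamingContext"][0]
    if not schema_nc.startswith(SCHEMA_PREFIX):
        raise ValueError("unexpected schema naming context: " + schema_nc)
    return schema_nc[len(SCHEMA_PREFIX):]


def ldifde_command(ldif_file, rootdse, server=None):
    """Assemble the ldifde import line for one of the C3000 LDIF files."""
    parts = ["ldifde", "-i", "-k", "-f", '"%s"' % ldif_file,
             "-c", '"<c3kdomain>"', '"%s"' % c3kdomain_replacement(rootdse)]
    if server:  # -s keeps ldifde away from the domain controller's schema
        parts += ["-s", server]
    return " ".join(parts)


def resolved_dn(ldif_dn, rootdse):
    """Apply the same text substitution ldifde -c performs to one dn: line."""
    return ldif_dn.replace("<c3kdomain>", c3kdomain_replacement(rootdse))


if __name__ == "__main__":
    for name, dse in (("ADS", ADS_ROOTDSE), ("ADAM", ADAM_ROOTDSE)):
        print(name, "base without LDAPBASE:", ldap_base(dse))
        print(name, "ldifde:", ldifde_command("c3kattributes.ldif", dse, "w2003dc"))
    print("ADAM base with LDAPBASE=DC=UMS:", ldap_base(ADAM_ROOTDSE, "DC=UMS"))
    print(resolved_dn("CN=gender,CN=Schema,CN=Configuration,<c3kdomain>", ADAM_ROOTDSE))
```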

2.1.4 C3000 system administrator in the ADAM directory

In order to be able to log on to the Web Interface, administrator@ums must be activated for C3000 and have the system admin right. This can be set up again using ADAM-ADSI Edit. To do this, open the administrator with a double-click and set the attribute comonc3kactivated to True. Then set the comonc3krightssys attribute to the values shown below.

[Screenshot: comonc3krightssys attribute values in ADAM-ADSI Edit]

The administrator@ums can now log on via the web interface.

2.1.5 Change password via LDAP

In the default configuration it is not possible to change a user's password using an LDAP command. The directory's configuration prohibits password modification operations over unsecured connections. This must be switched on so that a change can be made via the userpassword attribute. To do this, use the command line on the ADAM server to call up the dsmgmt tool. You have to be logged in as a member of the administrator role. Now enter the commands displayed in the screenshot:

[Screenshot: dsmgmt commands that allow password changes over unsecured connections]

NOTE: In the directory \LDAPSync\Tools\AdamConfig\AllowUnsecuredPasswordChange there is a cmd script with which this dsmgmt command is executed automatically.

2.1.6 C3000 user in ADAM

For users from the ADAM directory to be able to log on via the web interface, they must be permitted to read their attributes using LDAP and possibly even to write them. To this end, each user becomes a member of the role (group) CN=Users, CN=Roles, DC=UMS when created. You can use the dsacls tool to check which permissions are currently assigned.

The command

    dsacls "\\w2003dc\OU=C3000 User,DC=UMS"

displays the permissions for the object OU=C3000 User, DC=UMS on the server w2003dc. In this example all users are created there. You can see that only the administrators have full permissions.

[Screenshot: dsacls output for OU=C3000 User, DC=UMS]

Next, the user role is given the permission to view objects in this organisational unit.

[Screenshot: granting the Users role permission to view objects in the organisational unit]

This does not yet mean that the actual attributes (like comonc3kactivated) can be read. This permission is the next to be given.

[Screenshot: granting the Users role read access to the C3000 attributes]

Important! For security reasons users have read rights only. However, this would also enable them to read out the PINs of other users via LDAP! Further action is possibly required.

2.2 Installing C3000 LDAP Sync

Before installing the Sync, please check your requirements. By selecting LDAP Sync Binaries you select the basic modules of the LDAP Sync to be installed. These must always be selected for the initial installation. It is then possible to choose between three different versions of the Sync:

Setup LDAP Sync Version: MSX200x
Synchronization of an Exchange 2000/2003 ADS directory in an ADAM directory (see Chapter 3.2 for details).
Special features: none.

Setup LDAP Sync Version: MSX200xADS
Synchronization of an Exchange 2000/2003 ADS directory in an ADS directory (see Chapter 3.3 for details).
Special features: unlike in ADAM, to create a user in the ADS the attributes cn, samaccountname and userprincipalname must be completed.

Setup LDAP Sync Version: MSX5.5
Synchronization of an Exchange 5.5 directory in an ADAM directory (see Chapter 3.2 for details).
Special features: in Exchange 5.5, the unique designator for a mail user is in the othermailbox attribute and not in mailnickname, as is the case for Exchange 2000/2003 ADS.

The following tools are supplied with the LDAP Sync:

- C3000 Manager: tool for configuring the LDAP Sync. The Manager only has to be installed if the LDAP Sync is installed on a computer which does not yet have one; it is always installed together with a C3000 installation.
- TTrace: from Version 4.0, the LDAP Sync also logs its output to the Tenovis Trace Tool (TTrace). If a TTrace server has not been installed yet, it can be installed with this option.
- ADAM configuration batch files: after selection and installation, the directory \LDAPSync\Tools\ADAMconfig\ contains the LDIF files for extending the ADAM schema to include the C3000 attributes. To do this, please execute the \LDAPSync\Tools\ADAMconfig\AdamSchemaExtensions\AdamConfig.cmd batch file. Further, the batch file doallow.cmd can be found under \LDAPSync\Tools\AdamConfig\AllowUnsecuredPasswordChange\. Execute this batch file to allow the user password in ADAM to be changed over an unsecured connection. This is required to be able to set the password in ADAM via LDAP Sync. See also Chapter 2.1 Installing ADAM.
- LDP Tool (3rd party): LDP is a simple Microsoft tool for accessing an LDAP server. LDP is used in various places in these instructions as an aid during installation and configuration, in order to determine the required information from the LDAP server (ADS/ADAM).
- ADAM (3rd party): with this option, the ADAM installation files (English version) are copied into the installation directory of the LDAP Sync.

Please complete the following steps to install the LDAP Sync:

1. Call up Setup.exe.
2. Select the language for the setup.
3. For the initial installation select the LDAP Sync Binaries.
4. Select the LDAP Sync version you require.
   [Screenshot: Setup LDAP Sync, Sync feature options]
5. Select the required tools and, if necessary, the documentation.
   [Screenshot: Setup LDAP Sync 2, Tools]

6. Click on Next.
7. Select the installation path.
   [Screenshot: Setup LDAP Sync, path details]
8. Check whether the setup completes without any error messages.
9. Click on Quit.

Installation of the LDAP Sync is now finished.

3 Configuration

3.1 C3000 LDAP Sync configuration and settings

The standard C3000 LDAP Sync is configured completely using the C3000 Manager. The individual settings are explained in detail in the following.

NOTE: If special customer requirements for synchronization of the directory (special conditions or particular attribute mapping) are not covered by the standard configuration options, it is possible to perform customer-specific modifications to the synchronization script. If this is required, please contact the technical support department of Tenovis Comergo.

[Screenshot: LDAP Sync configuration in the C3000 Manager, Monitor view]

3.1.1 General settings

The following parameters can be configured in the Manager under the General tab.

Pause (Integer, 0 to 999999): Interval between two synchronization runs in seconds.

Log Level (Manager, OFF / ERROR / WARN / INFO / DEBUG): Sets the log level for log output in the C3000 Manager.

Max Log Messages (Integer, 1 to 999): Maximum number of log outputs (messages) in the C3000 Manager. Do not choose too high a value, as all Manager log outputs are written to the registry.

Main Logging Facilities (String, C3kmgr / ttrace): Sets whether the log should be output to TTrace, to the C3000 Manager or to both.

Sync Mode (String, changed / all): Sets whether a synchronization run should synchronize only changed users or all users. The feature reads the uSNChanged attribute from the ADS to identify which users have been changed. It does not work for Exchange 5.5; there, all users are always synchronized.

Activity Log File Path (String, <File path> or empty): Path to the file into which the activity log is written. This log contains a subset of the trace log: all operations on the X.500 objects are logged here (search, find, transfer, delete). No activity log is written if the field is left empty.

Trace Log File Path (String, <File path> or empty): Path to the file into which the trace log is written. This log contains all log outputs of the LDAP Sync. No trace log is written if the field is left empty.

Replace names with values at (String, <Attribute name>): Names of the C3000 LDAP attributes which are to be filled with values from the source LDAP. The values from the source LDAP are given under the Defaults General tab with the corresponding prefix and suffix signs. All c3k fields can be used; those which cannot be found under Defaults General must be entered via the registry. The fields checked for substitution are limited for performance reasons.

Replace Prefix (String, example: -#--): The unique prefix which marks the start of a source-LDAP attribute name within the C3000 default fields. E.g. enter "-#--Company--#- -#--facsimiletelephonenumber--#-" in the Fax sender identifier (comonc3kfax3senderinfo).

Replace Suffix (String, example: --#-): The suffix which marks the end of a source-LDAP attribute name within the C3000 default fields.

Pause between two sync objects (Integer, 0 to 99): Pause between the synchronization of individual sync objects (users) in seconds.

Pause between two object checks (Integer, 0 to 99): Pause between two validity checks of individual sync objects (users) in seconds.

NOTE: All C3000 Manager fields can contain a maximum of 1023 characters.

[Screenshot: LDAP Sync configuration in the C3000 Manager, General tab]
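The following added example (not the product's own synchronization script) shows the two attribute derivations this document describes: the extension-number rule from section 1.4 (a 9 in front of the last four digits of the phone number) and the -#--attribute--#- placeholder substitution from the Replace Prefix / Replace Suffix settings above, applied to the Fax sender identifier comonc3kfax3senderinfo. The sample user and default texts are constructed; the source attributes assumed to hold the organisational abbreviation and location (department, l) and the target name umsFaxVoiceNumber are assumptions, since the document names only the rules.

```python
import re

REPLACE_PREFIX = "-#--"   # Replace Prefix setting from section 3.1.1
REPLACE_SUFFIX = "--#-"   # Replace Suffix setting from section 3.1.1
MAX_FIELD_LEN = 1023      # C3000 Manager fields hold at most 1023 characters


def ums_extension(phone, digits=4, leading="9"):
    """Extension rule from section 1.4: a 9 in front of the last four digits
    of the user's phone number. Separators (+, spaces, -, /) are ignored so
    that '+49 40 1234-5678' and '040/12345678' give the same extension."""
    numeric = re.sub(r"\D", "", phone or "")
    if len(numeric) < digits:
        raise ValueError("phone number too short for an extension: %r" % (phone,))
    return leading + numeric[-digits:]


def substitute(template, source_entry, prefix=REPLACE_PREFIX, suffix=REPLACE_SUFFIX):
    """Fill a C3000 default field: every prefix<attr>suffix marker is replaced
    with the value of <attr> from the source entry. LDAP attribute names are
    matched case-insensitively; a missing or empty attribute yields an empty
    string so that no marker text ends up in the target directory."""
    lowered = {k.lower(): v for k, v in source_entry.items()}
    marker = re.compile(re.escape(prefix) + r"([A-Za-z0-9-]+)" + re.escape(suffix))

    def value_of(match):
        value = lowered.get(match.group(1).lower(), "")
        return value[0] if isinstance(value, list) else value

    result = marker.sub(value_of, template)
    if len(result) > MAX_FIELD_LEN:
        raise ValueError("field exceeds the 1023 character Manager limit")
    return result


def map_user(source_entry, defaults, org="PK49", location="Hamburg"):
    """Target attributes for one source user.

    defaults maps C3000 attribute names to template texts (as configured
    under Defaults General). The activation rule is the example from 1.4;
    department and l as the source attributes for organisational abbreviation
    and location, and umsFaxVoiceNumber as the target name, are assumptions."""
    target = {name: substitute(text, source_entry) for name, text in defaults.items()}
    if source_entry.get("telephoneNumber"):
        target["umsFaxVoiceNumber"] = ums_extension(source_entry["telephoneNumber"])
    activated = (source_entry.get("department") == org
                 and source_entry.get("l") == location)
    target["comonc3kactivated"] = "TRUE" if activated else "FALSE"
    return target


# Constructed source (ADS) user; attribute names are standard AD names.
SAMPLE_USER = {
    "cn": "Anna Beispiel",
    "company": "Tenovis",
    "department": "PK49",
    "l": "Hamburg",
    "telephoneNumber": "+49 40 1234-5678",
    "facsimileTelephoneNumber": "+49 40 1234-5679",
}

# Constructed Defaults General value for the Fax sender identifier named
# in the document.
SAMPLE_DEFAULTS = {
    "comonc3kfax3senderinfo": "-#--Company--#- -#--facsimiletelephonenumber--#-",
}

if __name__ == "__main__":
    for attr, value in map_user(SAMPLE_USER, SAMPLE_DEFAULTS).items():
        print(attr, "=", value)
```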

3.1.2 Source LDAP server settings

Depending on the Sync version selected, the source LDAP server can be an ADS Exchange 2000/2003 server or an Exchange 5.5 server. The various Sync versions are dealt with in detail in Chapters 3.2 to 3.4. The following parameters must be set for the source LDAP server.

SourceLDAP Host (String, <IP_Address> or <ComputerName>): IP address or computer name of the source LDAP server.

Port (Integer, <LDAP_Port>): Port number of the source LDAP server.

User (String, <LDAP_Attribute>): Administrator user with read rights to the source LDAP. In Windows 2000/2003 it must be given in the form name@domain, in Windows NT in the form domain\name.

Authentification Option (Boolean, 0 / 1): Specifies whether the LDAP Sync authenticates itself encrypted or unencrypted at the source LDAP server. 0 = unencrypted, 1 = encrypted. The default for ADS as source LDAP is with encryption; for an ADAM server the default is without encryption.

Base Container (String, <LDAP_Attribute>): The source container in the source LDAP which contains the C3000 users to be synchronized. Example: CN=Hamburg, DC=exchange, DC=internal

User Containers (String, <LDAP_Attribute>): One or several source user containers. If several containers are given they must be separated by commas. Example: CN=UsersHamburg, CN=UsersBerlin. In a standard ADS/Exchange 2000/2003 the users are in the container CN=Users; in a standard NT/Exchange 5.5 the users are under CN=Recipients.

Base filter (String, <operator>): Filter rule used to select the users in the source LDAP that are synchronized into the target LDAP. By default, all users that belong to the person object class and whose fax number attribute contains a value are synchronized. NOTE: In the settings of the target LDAP, the fax number check can be used to narrow the imported set further. Example: (&(objectclass=person)(facsimiletelephonenumber=*)). The rule is written in the prefix (Polish) notation of RFC 1558, the string representation of LDAP search filters; the current specification of the same syntax is RFC 4515.

Attribute name used as destination id (String, <LDAP_Attribute>): The attribute of the source LDAP server that contains the unambiguous, unique identifier for the target LDAP server. In ADS Exchange 2000/2003 this is the mailnickname attribute by default; in NT Exchange 5.5 it is the othermailbox attribute by default. After the initial synchronization, this unique identifier is used to determine whether a user already exists in the target LDAP.

Attributes to sync (String, <LDAP_Attribute>): List of the LDAP attributes from the source LDAP that are to be synchronized one to one. The individual attributes must be separated by commas.
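As an added example (not part of this manual and not code from the LDAP Sync product), the following Python code evaluates filters written in this RFC 1558/4515 prefix notation against in-memory entries. It shows which source objects the default Base filter selects, and the same evaluator applies to the Check Filter of the target settings in 3.1.3. The entries and their attribute values are constructed for the example; only the AND, OR, NOT, equality and presence forms used in this manual are implemented.

```python
"""Evaluate LDAP search filters (RFC 1558 / RFC 4515 prefix notation) against
in-memory entries, to see which objects a filter selects."""

# Constructed sample entries, not real directory data. Attribute names are
# matched case-insensitively, as a directory server does.
SOURCE_ENTRIES = [
    {"cn": "Anna Schmidt", "objectClass": ["top", "person", "user"],
     "facsimileTelephoneNumber": "+49 40 1234-567", "mailNickname": "aschmidt"},
    {"cn": "Bernd Meier", "objectClass": ["top", "person", "user"],
     "mailNickname": "bmeier"},                          # no fax number
    {"cn": "Printer HH", "objectClass": ["top", "device"],
     "facsimileTelephoneNumber": "+49 40 1234-999"},     # not a person
]
# Constructed target-side entries for the Check Filter of 3.1.3.
TARGET_ENTRIES = [
    {"cn": "aschmidt", "objectClass": ["top", "person", "user"], "comonc3kactivated": "true"},
    {"cn": "bmeier", "objectClass": ["top", "person", "user"], "comonc3kactivated": "false"},
]

DEFAULT_BASE_FILTER = "(&(objectclass=person)(facsimiletelephonenumber=*))"
DEFAULT_CHECK_FILTER = "(&(objectclass=user)(comonc3kactivated=true))"


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value).
    Substring, comparison and escaped values are not implemented."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at position %d" % pos)
        pos += 1
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at position %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if not children:
                raise ValueError("'%s' needs at least one operand" % op)
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("expected attr=value in %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(entry, attr):
    """All values of an attribute, looked up case-insensitively."""
    for name, val in entry.items():
        if name.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    vals = _values(entry, attr)
    if value == "*":                                  # presence filter: any value at all
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)  # equality, case-insensitive


def select(filter_text, entries):
    """Return the cn of every entry the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(tree, e)]
```

With the sample data the default Base filter selects only Anna Schmidt: Bernd Meier has no fax number and the printer object is not a person. A filter with unbalanced parentheses raises ValueError, which is the failure a mistyped rule in the Manager would produce on the server side.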

[Figure: LDAP Sync Configuration, C3000 Manager, Source tab]

3.1.3 Destination settings

The target (destination) LDAP server can be an ADAM server or an Exchange ADS server, depending on the Sync version selected. The various Sync versions are dealt with in detail in Chapters 3.2 to 3.4. The following parameters must be set for the target LDAP server (parameter, type, value range, description):

Host (String, <IP_Address> or <ComputerName>): IP address or computer name of the target LDAP server.

Port (Integer, <LDAP_Port>): Port number of the target LDAP server.

User (String, <LDAP_Attribute>): Administrator user for the target LDAP. Because the sync creates, modifies, deactivates and deletes user objects in the target (see Invalid object handling below), this account needs write rights on the user container and user group given below. In Windows 2000/2003 it is to be given in the form name@domain, in Windows NT in the form domain\name.

Authentication Option (Boolean, 0 or 1): Specifies whether LDAP Sync authenticates itself at the target LDAP server encrypted or unencrypted. 0 = unencrypted, 1 = encrypted. Default for ADS as target LDAP is always with encryption; for an ADAM server the default is without encryption. As for the source server, unencrypted authentication sends the credentials in readable form.

User Container (String, <LDAP_Attribute>): The destination container in the target LDAP that holds the C3000 users to be synchronized, given as a full distinguished name. Example: CN=C3000Users, CN=Users, DC=UMS

User Group (String, <LDAP_Attribute>): The user group in the target LDAP into which the users are entered, given as a full distinguished name. Example: CN=Users, CN=Rules, DC=UMS. Users must be entered in a permissions group if they are to log on to the C3000 system through WebAdmin.

Check Filter (String, <Operator>): Filter rule used to decide which of the synchronized users in the target LDAP are still valid. By default, all users that belong to the user object class and for which the attribute comonc3kactivated=true are classified as valid. The following parameter specifies how invalid users are handled. Example: (&(objectclass=user)(comonc3kactivated=true)). The rule is written in the prefix (Polish) notation of RFC 1558.

Invalid object handling (String, Delete or Deactivate): The drop-down box sets how objects (users) classified as invalid by the validity check are handled. The users can be completely deleted from the target LDAP or deactivated there (comonc3kactivated=false). Deactivate keeps the object and its C3000 attributes, so a user wrongly classified as invalid (for example because of a mistyped base number) can be reactivated; a deletion cannot be undone by the sync.

Attribute Name Fax Number (String, <LDAP_Attribute>): The attribute that contains the fax number in the source LDAP. By default this is facsimiletelephonenumber in Exchange 5.5/2000/2003. Based on this field, the C3000 attribute comonc3kextension is filled in the target LDAP according to the conditions given in the Base Number, Interconnection and No. of extension digits fields. If no attribute is given, the following three checks of the fax number are not performed and no value is written to comonc3kextension.

Base Number (Fax) (Integer, no restriction): The fax base number. A check is carried out on whether it is contained in the given fax number attribute of the source LDAP; if not, the user is classified as invalid. Only the numerical part of the fax number attribute is checked: all special characters (e.g. / +) are removed from the string first, and the remaining digits are then checked from the left.

Interconnection (Fax) (Integer, max. 9999): The fax tie line (interconnection) number. It is placed in front of the determined direct dial (extension) number (see No of extension digits (Fax)) and the result is imported into the target directory. This number is the unique C3000 fax extension in the C3000 system.

No of extension digits (Fax) (Integer, 1-6): The number of fax direct dial (extension) digits. It is also used to check the user's validity: if the determined extension is too long or too short, the user is classified as invalid. The fax extension is the part of the number that remains to the right once the base number has been removed. The tie line number followed by the valid fax extension is entered in the target LDAP attribute comonc3kextension as the C3000 fax number of LDAP Sync.

Attribute Name Voice Number (String, <LDAP_Attribute>): The attribute that contains the voice number in the source LDAP. By default this is TelephoneNumber in Exchange 5.5/2000/2003.

Base Number (Voice) (Integer, no restriction): The voice base number. A check is carried out on whether it is contained in the given voice number attribute of the source LDAP; if not, the user is classified as invalid. Only the numerical part of the voice number attribute is checked: all special characters (e.g. / +) are removed from the string first, and the remaining digits are then checked from the left.

Interconnection (Voice) (Integer, max. 9999): The voice tie line (interconnection) number. It is placed in front of the determined direct dial (extension) number (see No of extension digits (Voice)) and the result is imported into the target directory. This number is the unique C3000 voice mail extension in the C3000 system.

No of extension digits (Voice) (Integer, 1-6): The number of voice direct dial (extension) digits. It is also used to check the user's validity: if the determined extension is too long or too short, the user is classified as invalid. The voice extension is the part of the number that remains to the right once the base number has been removed. The tie line number followed by the valid voice extension is imported into the target LDAP attribute comonc3kextension as the C3000 voice mail number of LDAP Sync.
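As an added example (not part of this manual and not code from the LDAP Sync product), the following Python code carries out the fax/voice number checks described above and derives the comonc3kextension value, then applies the Invalid object handling setting. The reading of the text is: strip everything except digits, look for the base number scanning from the left, take the digits that remain to its right as the extension, reject it if its length differs from the configured number of extension digits, and prefix the interconnection number. The number values, base number and tie line used in the test are constructed; the names derive_extension and sync_user are mine, not the product's.

```python
"""Derive the C3000 extension (comonc3kextension) from a source directory
number as described in 3.1.3, and decide what happens to an invalid user."""
import re


def derive_extension(number, base_number, interconnection, extension_digits):
    """Return the comonc3kextension value, or None if the number fails a check.

    number           raw attribute value from the source LDAP, e.g. "+49 (40) 1234-567"
    base_number      fax or voice base number (digits only), e.g. 401234
    interconnection  tie line number placed in front of the extension, e.g. 7
    extension_digits required length of the extension (1-6)
    """
    if not number:
        return None                              # no attribute value: nothing to derive
    digits = re.sub(r"\D", "", number)           # drop '+', '/', ' ', '(', ')', '-' etc.
    base = str(base_number)
    pos = digits.find(base)                      # base number searched for from the left
    if pos < 0:
        return None                              # base number not contained: invalid user
    extension = digits[pos + len(base):]         # what remains to the right of the base
    if len(extension) != extension_digits:
        return None                              # extension too long or too short: invalid
    return "%d%s" % (interconnection, extension)


def sync_user(source_entry, number_attr, base_number, interconnection,
              extension_digits, invalid_handling="Deactivate"):
    """Return the C3000 attributes to write for this user in the target LDAP,
    or None when the user is invalid and Invalid object handling is Delete."""
    extension = derive_extension(source_entry.get(number_attr), base_number,
                                 interconnection, extension_digits)
    if extension is not None:
        return {"comonc3kactivated": "true", "comonc3kextension": extension}
    if invalid_handling == "Delete":
        return None                              # object is removed from the target LDAP
    return {"comonc3kactivated": "false"}        # Deactivate: object kept, marked invalid


# Constructed sample users, not real directory data.
SAMPLE_USERS = [
    {"cn": "Anna Schmidt", "facsimileTelephoneNumber": "+49 (40) 1234-567"},   # valid: 567
    {"cn": "Bernd Meier", "facsimileTelephoneNumber": "+49 40 1234-56789"},    # too long
    {"cn": "Clara Weber", "facsimileTelephoneNumber": "+49 30 9999-123"},      # wrong base
    {"cn": "Dirk Vogel"},                                                      # no number
]


def run_sample(invalid_handling="Deactivate"):
    """Apply the check with base number 401234, tie line 7, 3 extension digits."""
    return {u["cn"]: sync_user(u, "facsimileTelephoneNumber", 401234, 7, 3,
                               invalid_handling) for u in SAMPLE_USERS}
```

The same function serves the voice number with the voice base number, tie line and digit count. Note that the search for the base number is a substring search, so a country code in front of it ("49" above) does not break the check, while a number whose base differs only in one digit is rejected as intended.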

[Figure: LDAP Sync Configuration, C3000 Manager, Target LDAP tab]

3.1.4 Default settings

The default fields of LDAP Sync can be used to pre-assign the C3000 attributes in the target LDAP server with appropriate default values when a user object is created for the first time. A default value can be a static value, an attribute from the source LDAP, or a mixture of both. Source LDAP attributes must be enclosed in the attribute prefix and suffix defined under the General configuration tab (example: -#--Company--#-). Every default field that contains source LDAP attributes must be listed in the field "Replace names with values at" on the General tab; only the listed fields are searched for placeholders, which improves synchronization performance because not all default fields have to be worked through. The following fields are available (designation, LDAP attribute, default setting):

Paper Info, <comonc3kpaperinfo>: no default
Account, <comonc3account>: no default
Fax Sender Info, <comonc3kfax3senderinfo>: -#--Company--#- -#--facsimiletelephonenumber--#-
Location, <comonc3klocation>: no default
C3000 Rights, <comonc3krightsservices>: MSX;FAX3;VOICE;SMS;
System Rights, <comonc3krights>: C3000Rights:c3000UserRole/; IVRRights://;
C3000 Voice Config, <comonc3kvoiceconfig>: no default
PIN, <comonc3kpin>: no default
MAPI Message Store, <comonc3ktuimessagelog>: no default
MAPI Host, <comonc3ktuimessagehost>: no default
User ID Message Account, <comonc3ktuimailboxname>: -#--comonc3kmsxailsystemid--#-

Note that a static value in the PIN field gives every newly created user the same initial PIN, so it should not be relied on as a secret.
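As an added example (not part of this manual and not code from the LDAP Sync product), the following Python code fills the default fields for a new user the way this section describes: placeholders between the Replace Prefix and Replace Suffix are substituted from the source entry, but only in the fields listed under "Replace names with values at"; a placeholder in any other field is written literally. The source entry, the extra comonc3klocation default and the handling of a missing source attribute (substituted by an empty string and reported) are assumptions for the example; the manual does not say what the product does in that case.

```python
"""Fill the C3000 default fields for a newly created user by replacing
-#--<source attribute>--#- placeholders with values from the source LDAP."""
import re

PREFIX, SUFFIX = "-#--", "--#-"      # Replace Prefix / Replace Suffix from the General tab
MAX_FIELD_LEN = 1023                 # maximum length of a C3000 Manager field

# Default settings from the Defaults tab (fields without a default omitted).
DEFAULTS = {
    "comonc3kfax3senderinfo": "-#--Company--#- -#--facsimiletelephonenumber--#-",
    "comonc3krightsservices": "MSX;FAX3;VOICE;SMS;",
    "comonc3krights": "C3000Rights:c3000UserRole/; IVRRights://;",
    "comonc3ktuimailboxname": "-#--comonc3kmsxailsystemid--#-",
    "comonc3klocation": "-#--l--#-",  # constructed: a placeholder in a field NOT listed below
}
# "Replace names with values at": only these fields are searched for placeholders.
REPLACE_FIELDS = {"comonc3kfax3senderinfo", "comonc3ktuimailboxname"}


def fill_defaults(defaults, replace_fields, source_entry, prefix=PREFIX, suffix=SUFFIX):
    """Return (attributes to write, list of 'field: attribute' for missing source attributes).

    Assumption (not stated in the manual): a missing source attribute is replaced
    by an empty string and reported, rather than aborting the user's creation."""
    placeholder = re.compile(re.escape(prefix) + r"\s*(.*?)\s*" + re.escape(suffix))
    source = {k.lower(): v for k, v in source_entry.items()}   # LDAP names are case-insensitive
    missing = []
    result = {}
    for attr, template in defaults.items():
        if len(template) > MAX_FIELD_LEN:
            raise ValueError("%s: default longer than %d characters" % (attr, MAX_FIELD_LEN))
        if attr not in replace_fields:
            result[attr] = template            # not listed: written literally, placeholders included
            continue

        def substitute(m, attr=attr):
            name = m.group(1).lower()
            if name not in source:
                missing.append("%s: %s" % (attr, name))
                return ""
            return str(source[name])

        result[attr] = placeholder.sub(substitute, template)
    return result, missing


# Constructed source entry, not real directory data.
SAMPLE_SOURCE = {
    "company": "COM:ON GmbH",
    "facsimileTelephoneNumber": "+49 40 1234-567",
    "comonc3kmsxailsystemid": "aschmidt",
    "l": "Hamburg",
}
```

Running fill_defaults(DEFAULTS, REPLACE_FIELDS, SAMPLE_SOURCE) yields "COM:ON GmbH +49 40 1234-567" for the fax sender info and "aschmidt" for the mailbox name, while comonc3klocation keeps the literal "-#--l--#-" because it is not listed in "Replace names with values at". That literal placeholder ending up in the target directory is exactly the symptom to look for when a default field was not added to that list.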

[Figure: LDAP Sync Configuration, C3000 Manager, Defaults, General tab]

[Figure: LDAP Sync Configuration, C3000 Manager, Defaults, Rights tab]

[Figure: LDAP Sync Configuration, C3000 Manager, Defaults, Phone and TUI tab]

Special case of routing rules

The C3000 attribute for the C3000 routing rules, <comonc3kroutingrule>, cannot be pre-assigned using the Manager, because the contents of this attribute exceed the C3000 Manager's maximum input length of 1023 characters. The value must be entered directly in the registry: create the comonc3kroutingrule value under HKEY_LOCAL_MACHINE\HARDWARE\SOFTWARE\COM:ON\C3000 LDAP Sync\Config and fill it with the relevant contents.

[Figure: LDAP Sync Registry Entries, Manager]

3.2 Differences between MSX 2000/2003 and MSX 5.5 synchronizations with ADAM

Synchronization of an Exchange 2000/2003 ADS with an ADAM server will probably be the most used case. LDAP Sync MSX 200x differs from LDAP Sync Exchange 5.5 in the following items (feature; Exchange 2000/2003; Exchange 5.5; explanation):

Details of the LDAP user: name@domain; domain\name.

usnchanged attribute: can be used; cannot be used. The usnchanged attribute is a 64-bit integer that is raised to the current update sequence number whenever a user object is changed. This makes it possible to query only the set of changed users in Exchange 2000/2003, so a synchronization check of all users is avoided. Exchange 5.5 also has this attribute, but it cannot be read out via the OLE interface used.

Setting objects to be synchronized: available in the C3000 Manager; not available in the C3000 Manager. This setting is not available in the Exchange 5.5 Sync because the usnchanged information cannot be used there.

Attribute name of the unique identifier for the target LDAP object: mailnickname; othermailbox.

ObjectClass: Person, User; Person. Exchange 5.5 only knows the Person object class; Exchange 2000/2003 also accepts User as an object class.

Note that update sequence numbers are specific to the domain controller that issued them. A stored usnchanged high-water mark is only meaningful against the same domain controller; if the source Host is changed to another domain controller, the mark must be discarded so that a full check of all users is performed once.
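As an added example (not part of this manual and not code from the LDAP Sync product), the following Python code shows the delta selection that the usnchanged attribute makes possible, including the fallback to a full check when the stored mark does not belong to the domain controller being queried. The directory data is constructed; invocationId (an attribute of a domain controller's NTDS Settings object that identifies its database instance) and highestCommittedUSN (read from the rootDSE) are real Active Directory attributes, but the values and the function name changed_since are assumptions for the example.

```python
"""Delta synchronization with usnchanged: fetch only the objects changed since
the last run, and fall back to a full check when the stored watermark does not
belong to the domain controller being queried."""

# Constructed stand-ins for what the sync would read from a domain controller
# (no live directory): invocationId of the DC, highestCommittedUSN from the
# rootDSE, and the user objects with their uSNChanged values.
DC1 = {
    "invocationId": "4f1d7c2e-dc1",
    "highestCommittedUSN": 5040,
    "entries": [
        {"mailNickname": "aschmidt", "uSNChanged": 4800},
        {"mailNickname": "bmeier", "uSNChanged": 5010},
        {"mailNickname": "cweber", "uSNChanged": 5040},
    ],
}
# A second DC holding the same objects: its USNs are its own and not comparable.
DC2 = dict(DC1, invocationId="9a0b11e4-dc2", highestCommittedUSN=7210)


def changed_since(dc, watermark):
    """Return (entries to synchronize, watermark to store for the next run).

    watermark is {"invocationId": ..., "usn": ...} from the previous run, or None.
    On a live server the selection would be the Base filter ANDed with
    (uSNChanged>=<usn+1>); here the comparison is made on the sample data.
    """
    # Take highestCommittedUSN before the search: anything committed later has a
    # higher USN and is picked up by the next run, so no change can be skipped.
    new_mark = {"invocationId": dc["invocationId"], "usn": dc["highestCommittedUSN"]}
    if watermark is None or watermark["invocationId"] != dc["invocationId"]:
        # First run or a different DC: USNs are per DC, so check all users once.
        return list(dc["entries"]), new_mark
    changed = [e for e in dc["entries"] if e["uSNChanged"] > watermark["usn"]]
    return changed, new_mark


def nicknames(entries):
    return [e["mailNickname"] for e in entries]
```

The first run against DC1 returns all three users and stores usn 5040; a run with a stored mark of 5010 returns only cweber; a run with the fresh mark returns nothing; and querying DC2 with DC1's mark forces the full check instead of silently comparing foreign USNs.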

3.3 Synchronizing ADS MSX 2000/2003 into ADS

In certain situations it may be necessary to use an ADS server as the C3000 LDAP directory instead of an ADAM server. For this case a separately adapted sync is supplied. Unlike in an ADAM server, when a user is created in ADS it is absolutely necessary to fill the following two attributes:

samaccountname
userprincipalname

C3000 LDAP Sync MSX200x ADS takes this into account and fills the relevant attributes each time a user is created. Note that samaccountname must be unique within the domain, so the value derived for it must not collide with existing accounts. There are no mandatory fields (apart from CN) when a user is created in ADAM.