User's Manual
Avaya Branch Gateway Manager 10.0 Page 172
15-601011 Issue 29r (Friday, November 02, 2012) B5800 Branch Gateway
Usability
· Mergeable: These settings are not mergeable. Changes to these settings will require a reboot of the system.
Configuration Settings
· LDAP Enabled: Default = Off
This option turns LDAP support on or off. The system uses LDAP Version 2. If the server being queried is an LDAP
Version 3 server, support for LDAP Version 2 requests may need to be enabled on that server (all LDAP Version 3
servers support LDAP Version 2 but do not necessarily have it enabled by default).
· User Name: Default = Blank
Enter the user name used to authenticate the connection to the LDAP database. To determine the domain name of a particular
Windows 2000 user, look on the "Account" tab of the user's properties under "Active Directory Users and Computers".
Note that this means the user name required is not necessarily the same as the name of the Active Directory
record. There should be a built-in account in Active Directory for anonymous Internet access, with the prefix "IUSR_" and
the suffix server_name (whatever was chosen at the Windows 2000 installation). Thus, for example, the user name
entered in this field might be: IUSR_CORPSERV@example.com
· Password: Default = Blank
Enter the password used to authenticate the connection to the LDAP database, i.e. the password that has been
configured under Active Directory for the above user. Alternatively, an Active Directory object may be made available
for anonymous read access. This is configured on the server as follows:
· In "Active Directory Users and Computers" enable "Advanced Features" under the "View" menu. Open the properties
of the object to be published and select the "Security" tab. Click "Add" and select "ANONYMOUS LOGON", click
"Add", click "OK", click "Advanced" and select "ANONYMOUS LOGON", click "View/Edit", change "Apply onto" to "This
object and all child objects", click "OK", "OK", "OK".
Once this has been done on the server, any value can be entered in the User Name field of the System configuration
form (the field cannot be left blank) and the Password field left blank. Other non-Active Directory LDAP
servers may allow totally anonymous access, in which case neither User Name nor Password needs to be configured.
· Server IP Address: Default = Blank
Enter the IP address of the server storing the database.
· Server Port: Default = 389
This setting is used to indicate the listening port on the LDAP server.
· Authentication Method: Default = Simple
Select the authentication method to be used.
· Simple: clear text authentication (the User Name and Password above are sent to the LDAP server unencrypted).
· Kerberos: Kerberos 4 LDAP and Kerberos 4 DSA encrypted authentication (for future use).
· Resync Interval (secs): Default = 3600 seconds. Range = 1 to 99999 seconds.
The frequency at which the system should resynchronize the directory with the server. This value also affects some
aspects of the internal operation.
· The LDAP search inquiry contains a field specifying a time limit for the search operation and this is set to 1/16th of
the resync interval. So by default a server should terminate a search request if it has not completed within 225
seconds (3600/16).
· The client end will terminate the LDAP operation if the TCP connection has been up for more than 1/8th of the resync
interval (default 450 seconds). This time is also the interval at which a change in state of the "LDAP Enabled"
configuration item is checked.
· Search Base/Search Filter: Default = Blank
These two fields are used together to refine the extraction of directory records. The Base specifies the point in
the tree at which to start searching and the Filter specifies which objects under the base are of interest. The search base is a
distinguished name in string form (as defined in RFC 1779).
The Filter deals with the attributes of the objects found under the Base and has its format defined in RFC 2254
(except that extensible matching is not supported).
If the Search Filter field is left blank, the filter defaults to "(objectClass=*)", which matches all objects under the
Search Base.
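The Resync Interval derivation and the Search Filter rules above, as an added Python example that is not Avaya's code: it derives the 1/16 and 1/8 timeouts from the interval, parses an RFC 2254 filter while rejecting the extensible-match form the system does not support, and runs a few sanity checks over a settings dictionary shaped like the form. The function names, the dictionary layout and the sample values are assumptions made for the example.

```python
"""Checks for the LDAP settings described above: derive the search and
connection timeouts from the Resync Interval and parse a Search Filter.

Added example, not Avaya's code. It implements the RFC 2254 filter grammar
without extensible matching, as the manual states; the function names and
the settings dictionary layout are hypothetical.
"""
import re

RESYNC_MIN, RESYNC_MAX, RESYNC_DEFAULT = 1, 99999, 3600
DEFAULT_FILTER = "(objectClass=*)"

# One RFC 2254 filter item: attribute, comparison operator, value. The
# extensible-match form ("attr:rule:=value") is rejected before this runs.
_ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$")
_OPS = {"=": "equal", ">=": "ge", "<=": "le", "~=": "approx"}


def derive_timeouts(resync_interval=RESYNC_DEFAULT):
    """Return (search time limit, client connection limit) in seconds.

    The search request carries a time limit of 1/16 of the Resync Interval
    and the client tears down the TCP connection after 1/8 of it, so the
    default of 3600 s gives 225 s and 450 s.
    """
    if not RESYNC_MIN <= resync_interval <= RESYNC_MAX:
        raise ValueError(f"Resync Interval must be {RESYNC_MIN}..{RESYNC_MAX} s")
    return resync_interval / 16, resync_interval / 8


def parse_filter(text):
    """Parse a Search Filter into a nested tuple tree.

    A blank field defaults to (objectClass=*). Raises ValueError on a
    malformed filter or on extensible matching.
    """
    text = (text or "").strip() or DEFAULT_FILTER
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected data at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":          # and / or / not over sub-filters
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        if op != "!" and not children:
            raise ValueError(f"'{op}' needs at least one filter")
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.find(")", i)                      # a literal ')' in a value is escaped as \29
    if end < 0:
        raise ValueError("unterminated filter item")
    return _parse_item(s[i:end]), end + 1


def _parse_item(item):
    if ":=" in item:
        raise ValueError("extensible matching (':=') is not supported")
    m = _ITEM_RE.match(item)
    if not m:
        raise ValueError(f"malformed filter item {item!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        return ("present", attr)
    if op == "=" and "*" in value:
        return ("substring", attr, value.split("*"))
    return (_OPS[op], attr, value)


def check_settings(settings):
    """Return a list of problems for a settings dict shaped like the form.

    User Name may not be blank when LDAP is enabled, the port must be a valid
    TCP port, the interval must be in range and the filter must parse.
    'Simple' authentication is flagged because it is clear text.
    """
    problems = []
    if settings.get("ldap_enabled") and not settings.get("user_name"):
        problems.append("User Name cannot be blank")
    port = settings.get("server_port", 389)
    if not 1 <= port <= 65535:
        problems.append(f"Server Port {port} is not a valid TCP port")
    try:
        derive_timeouts(settings.get("resync_interval", RESYNC_DEFAULT))
    except ValueError as exc:
        problems.append(str(exc))
    try:
        parse_filter(settings.get("search_filter", ""))
    except ValueError as exc:
        problems.append(f"Search Filter: {exc}")
    if settings.get("authentication_method", "Simple") == "Simple":
        problems.append("Simple authentication sends the password in clear text")
    return problems


if __name__ == "__main__":
    # Constructed sample using the manual's Organizational Unit example.
    sample = {"ldap_enabled": True, "user_name": "IUSR_CORPSERV@example.com",
              "server_port": 389, "resync_interval": 3600,
              "search_base": "ou=holmdel,ou=nj,DC=acme,DC=com",
              "search_filter": "(|(telephonenumber=*)(mobile=*))"}
    print(derive_timeouts(sample["resync_interval"]))
    print(parse_filter(sample["search_filter"]))
    print(check_settings(sample))
```

The parser keeps the tree as plain tuples so the checks stay dependency-free; the only operator it refuses is the extensible-match `:=` form, matching the exception the manual states for this system.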
The following are some examples applicable to an Active Directory database:
· To get all the user phone numbers in a domain:
Search Base: cn=users,dc=acme,dc=com
Search Filter: (telephonenumber=*)
· To restrict the search to a particular Organizational Unit (eg office) and get cell phone numbers also:
Search Base: ou=holmdel,ou=nj,DC=acme,DC=com
Search Filter: (|(telephonenumber=*)(mobile=*))
· To get the members of distribution list "group1":