Active Directory connector

Hint

Watch our video tutorial: Connectors.

Click New connector and select Active Directory to include it in the system. Existing connectors can be modified with Edit.

Welcome

This assistant helps with the configuration of a connector in a few simple steps. Click Next to get to the next step.

Name and description

Regardless of the type of connector to be created, you should provide it with a unique name and a brief description that will make it possible to distinguish it from other connectors later on. Leave the description empty if the data source is to be shown automatically in the connector list.

Click Next to get to the next step.

Access to the Active Directory

Specify, using the following options, how the Active Directory is to be accessed.

Authentication

  • Automatic login with the XPhone Connect Server service account (is indicated in the Server Manager)

  • Login with the following data (user name, password)

Entry point for access to the Active Directory:

  • Use domains in which the XPhone Connect Server is located

  • Use automatically identified Global Catalog Server

  • Use domains entered manually

  • Use domain controller entered manually (host name or IP address)

  • Use Global Catalog Server entered manually (host name or IP address or domain)

Foreign domains without trust

In the case of foreign domains without trust (e.g. when the XPhone Connect Server is not in a domain), the login credentials for that domain must be provided. Usually one of the last two entry-point options (a specific domain controller or Global Catalog Server) also needs to be specified.

Important

In this case, the integrated Windows login cannot work for the users! It is therefore necessary to remove the Integrated Windows login option from the login types. Otherwise, the connector will not set up any users, as it is unable to resolve the Windows SID!

Trusted domains

With trusted domains, security groups can contain members from all domains with whom bi-directional trust is in place. Example:

Domain    FQDN              OU        Users                   Groups
----------------------------------------------------------------------
main      company.de        munich    u_one, u_two, u_xp      g_all, g_all_trusted
sub       sub.company.de    hamburg   u_three, u_four         g_hamburg
foreign   foreign.com       newyork   u_five, u_six           g_all, g_newyork

Group memberships:
------------------
sub\g_hamburg      = { u_three, u_four }
foreign\g_newyork  = { u_five }
foreign\g_all      = { u_five, u_six }
main\g_all         = { u_one, u_two }
main\g_all_trusted = { g_all, sub\g_hamburg, foreign\g_newyork, foreign\u_six }

Domain structure:
-----------------
1. Domain "sub.company.de" belongs to the forest "company.de" and therefore automatically has a bidirectional, transitive trust relationship with "company.de".
2. Domain "foreign.com" has a non-transitive, bidirectional trust relationship with "company.de".
3. What matters for the trust relationships is that they are bidirectional!

Integration of the XPhone Connect Server into the domain structure:
-------------------------------------------------------------------
1. The XPhone Connect Server computer is located in domain "main".
2. The XPhone Connect Server service runs under the user account main\u_xp.

AD connector on security group...   returns these users:
--------------------------------------------------------
main\g_all            main\u_one, main\u_two
main\g_all_trusted    main\u_one, main\u_two, sub\u_three, sub\u_four, foreign\u_five, foreign\u_six
foreign\g_all         foreign\u_five, foreign\u_six
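The resolution shown in the table, as an added example that is not part of the XPhone Connect documentation: it models the three domains, their trusts and the group memberships above, expands a security group recursively, and skips members whose domain has no bidirectional trust with the domain the server runs in. It also goes one step beyond the table by showing what happens when the server is placed in "sub", which has no trust with "foreign" because the external trust is non-transitive. All names are the constructed ones from the example.

```python
from typing import Dict, List, Set

# Bidirectional trusts from the example: "sub" is in the same forest as
# "main" (transitive), "foreign" has a non-transitive external trust with
# "main" only, so "sub" and "foreign" do not trust each other.
TRUSTS = {frozenset({"main", "sub"}), frozenset({"main", "foreign"})}

# Group memberships from the example, keyed by "domain\group". The
# unqualified "g_all" inside main\g_all_trusted is written as main\g_all.
GROUPS: Dict[str, List[str]] = {
    r"sub\g_hamburg": [r"sub\u_three", r"sub\u_four"],
    r"foreign\g_newyork": [r"foreign\u_five"],
    r"foreign\g_all": [r"foreign\u_five", r"foreign\u_six"],
    r"main\g_all": [r"main\u_one", r"main\u_two"],
    r"main\g_all_trusted": [r"main\g_all", r"sub\g_hamburg",
                            r"foreign\g_newyork", r"foreign\u_six"],
}


def trusted(server_domain: str, other: str) -> bool:
    """True if the server's domain can resolve principals of `other`."""
    return server_domain == other or frozenset({server_domain, other}) in TRUSTS


def expand_group(group: str, server_domain: str) -> List[str]:
    """Recursively resolve a security group to its user members.

    Nested groups are expanded. Members from a domain that has no
    bidirectional trust with the server's domain are skipped, since the
    connector cannot resolve their SIDs. `seen` guards against cycles.
    """
    users: Set[str] = set()
    seen: Set[str] = set()

    def walk(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        domain = name.split("\\", 1)[0]
        if not trusted(server_domain, domain):
            return
        if name in GROUPS:
            for member in GROUPS[name]:
                walk(member)
        else:
            users.add(name)

    walk(group)
    return sorted(users)
```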

Select data origin

Hint

The connector supports both encrypted and unencrypted communication. See Examples.

Selecting filters is always recommended so that not all elements present in the Active Directory are transferred.

In principle, two types of filters are available:

  • Determining all users present in a certain security group of the Active Directory: Member of a security group

    Here you can display the current structure of the Active Directory and select a security group in the field on the right by clicking the button next to it. This is the recommended method.

  • Result of an Active Directory search for all users starting from a specified organisational unit in the Active Directory: Result of a search

    In the Base DN field, enter a DN specifying the starting point of the search in the Active Directory. You can display the current structure of the Active Directory by clicking the button next to the field and select a base DN in the field on the right.

    In the Filter conditions for user search field, you can enter filter conditions. The syntax follows RFC 2254. You can select any field or object class contained in Active Directory. Examples:

    • (objectClass=*) shows all objects.

    • (objectClass=person) shows only persons.

    • (phoneNumber=089*) shows all telephone numbers starting with 089.

    Recursive search activates the recursive search in the Active Directory. This also takes those users into account that belong to this selection group because they are members of another group. Searches in security groups are always recursive, whether the option is activated or not.

    You can test the filter by clicking Test search. The search returns the users that the filter has found in Active Directory. If you do not get the desired result, change the filter criteria accordingly.

The AD connector supports either LDAP or GC. To configure this, it is sufficient to edit the path for the security group or the base DN accordingly. This string is parsed when the configuration is saved, and the corresponding entries for the connector are generated from it.

Example

  • From the AD search, for example, this string was generated:

    LDAP://company.c4b.de/CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

  • Changing to GC:

    GC://company.c4b.de/CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

    or

    GC://CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

  • Using a different domain controller (also with a different port):

    LDAP://1.2.3.4:5678/CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

  • To establish an encrypted connection, add the port for the encrypted connection: for LDAP access to the AD this is port 636, for Global Catalog Server (GC) access it is port 3269.

    • AD search:

      LDAP://company.c4b.de:636/CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

    • GC search:

      GC://company.c4b.de:3269/CN=XPhoneUser,OU=Users,OU=Munich,DC=company,DC=c4b,DC=de

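A parser for the LDAP:// and GC:// path strings shown above, as an added example that is not the connector's own code: it splits a path into protocol, optional server and port, and distinguished name, flags whether the port is the encrypted one named on the page (636 for LDAP, 3269 for GC), and can rewrite an unencrypted path to its encrypted form. The unencrypted defaults 389 and 3268 are the standard LDAP and Global Catalog ports and are an assumption; the page does not name them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Ports named on the page for encrypted access; the unencrypted defaults are
# the standard LDAP (389) and Global Catalog (3268) ports, assumed here.
TLS_PORTS = {"LDAP": 636, "GC": 3269}
DEFAULT_PORTS = {"LDAP": 389, "GC": 3268}

_PATH_RE = re.compile(
    r"^(?P<scheme>LDAP|GC)://"                      # protocol prefix
    r"(?:(?P<host>[^/:]+)(?::(?P<port>\d+))?/)?"    # optional server[:port]/
    r"(?P<dn>(?:CN|OU|DC)=.+)$",                    # distinguished name
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AdPath:
    scheme: str            # "LDAP" or "GC"
    host: Optional[str]    # None when no server is given (GC://CN=...)
    port: int
    dn: str
    encrypted: bool        # True when the TLS port for the scheme is used


def parse_ad_path(path: str) -> AdPath:
    """Split an LDAP:// or GC:// path into its parts."""
    m = _PATH_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a valid LDAP:// or GC:// path: {path!r}")
    scheme = m.group("scheme").upper()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    return AdPath(scheme, m.group("host"), port, m.group("dn"),
                  encrypted=port == TLS_PORTS[scheme])


def format_path(p: AdPath) -> str:
    """Rebuild the path string; the port is omitted when it is the default."""
    if p.host is None:
        return f"{p.scheme}://{p.dn}"
    server = p.host if p.port == DEFAULT_PORTS[p.scheme] else f"{p.host}:{p.port}"
    return f"{p.scheme}://{server}/{p.dn}"


def to_encrypted(path: str) -> str:
    """Rewrite a path so it uses the encrypted port (636 for LDAP, 3269 for GC)."""
    p = parse_ad_path(path)
    if p.host is None:
        raise ValueError("a server name is required to add the encrypted port")
    return format_path(AdPath(p.scheme, p.host, TLS_PORTS[p.scheme], p.dn, True))
```

A GC path without a server name (GC://CN=...) cannot carry a port, so to_encrypted rejects it rather than silently leaving the connection unencrypted.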
Hover the mouse over the information symbol next to the entry field to view examples for the following fields.

From this, the connector generates in the XPhone Connect Server (configurable):

  • Users with last name, first name and login information for Windows login or integrated XPhone Connect Server login, if selected.

  • Lines containing the telephone number of the Active Directory as line address that are assigned to the user as main line.

The following information from the Active Directory is analysed:

  • Last name and first name of the user

  • Telephone number of the user

  • Organisational units

  • Windows login information

Hint

Active Directory users are entered as users in the XPhone Connect Server. The Active Directory fields sAMAccountName, givenName, objectSID, displayName, sn and objectGuid are evaluated. If data is missing from any of these fields, the user cannot be created on the XPhone Connect Server.


Alternative for using a text connector with Active Directory data

Hover the mouse over the information symbol next to the entry field.

You can then download a PowerShell script to create the entry file for a text connector with data from your Active Directory.

Click Next to get to the next step.

Select target

In this window, you can specify in which location or configuration group the users are to be created in the XPhone Connect Server. To view the configuration groups, click the + symbol for the corresponding location to expand the tree.

Click Next to get to the next step.

Additional information:

User Management - Sites and configuration groups can be created here.

Scheduling

If you activate this check box, you can specify in this window that the connector should run on a schedule: on certain days, in certain periods and at certain intervals.

Hint

If you specify a day, this relates only to that day, not to the following day. Example: if you specify that a connector should run every Monday from 2200 - 0600, this means that it runs every Monday from 0000 - 0600 and from 2200 - 0000. It does not mean that it runs from 2200 on Monday to 0600 on Tuesday.

Click Next to get to the next step.

Login types

Integrated Windows login and/or XPhone Connect Server login can be enabled for XPhone Connect Client users (see chapter Creating / managing users). You can have the login types determined by the connector instead of maintaining these options manually for individual users or locations.

If you select the Enable integrated Windows login for users check box, Windows login is enabled for users in the XPhone Connect Server, with the objectSID (AD connector) identifying the user to the Windows system. This means that a user cannot be created if the Windows login name cannot be authenticated against the domain. This can be the case if the login name does not exist in the domain, if the server is located in a different domain from the user to be created and no trust relationship has been configured, or if the server has not been added to a domain.

If the Enable XPhone Connect Server login for users check box is ticked, the connector uses the value in sAMAccountName (AD connector) or account (text connector) as the user name.

Hint

The XPhone Connect Server login is required if you want to use XPhone Connect mobile.

You can limit these options to Newly created users. This means that changes to these options in the XPhone Connect Server will not be reset when the connector is executed again. If you do not activate this option, the login type is re-specified every time the connector is executed and changes made manually in the XPhone Connect Server are discarded.

Click Next to get to the next step.

Login names and passwords

For the XPhone Connect Server login you also have the option to adopt the Windows login name as the XPhone Connect Server login name and to assign a password (the same one for all users), or even to adopt the Windows login name as the password.

By default, the connector only sets the login name when setting up a user and does not change it in later runs. You can change this behaviour, e.g. to set the login name as Name.Surname@Serverdomain for all users and use this address for federation with external systems such as Skype for Business.

Important

If the login names of existing users are changed, they can no longer log in to the XPhone Connect Mobile app with their old data and must log in again with the new data. The integrated Windows login is not available in the app!

Furthermore, you have the option to have a random password generated, which is sent to the user by e-mail. Please note that if you use this option, the settings under E-mail gateway are required.


Click Next to get to the next step.

Options

If you maintain the employees’ phone lines and extensions in the Active Directory, the connector can read this information and assign the lines to users in the XPhone Connect Server or create them.

If the Create lines based on user telephone numbers check box is activated, all lines are created again based on the users’ telephone number. To do this, select how the lines are to be generated based on the users’ telephone number:

  • regardless of whether a corresponding line is available in a telephone system.

  • only if a corresponding line is available in a telephone system.

  • under consideration of advanced settings for line generation.

If the check box in front of Assign existing lines to users based on their phone numbers is activated, the connector assigns to the users those lines in the XPhone Connect Server whose line address is the value stored under telephoneNumber (Active Directory) or cnocompany (csv). These lines must already have been created in the XPhone Connect Server before the connector is executed so that the assignment can take place.

When a line is created, it must be assigned a dialling parameter set and a telephone system. This is the telephone system to which the line is physically connected.

Attention

It is not possible for the telephone system to be determined automatically if multiple telephone systems are configured in the XPhone Connect Server (multi-telephone system operation) and the telephone systems all use a dialling parameter set with identical parameters for country code, area code and main phone number. In this case, you need to select under consideration of advanced settings for line creation and select the dialling parameters AND telephone systems to be considered.

Activate the additional option only once when creating the user if you do not want later manual changes in the XPhone Connect Server to be reset when the connector is executed again.

If you want to delete lines that are no longer entered as telephone numbers for the users, activate the corresponding check box Delete lines that are no longer entered in users as telephone numbers.

Deactivate the option Enable moving of users created by the connector if you want to move users manually to other locations later and do not want them to be moved back to their original location when the connector is executed again. This only affects users created by the connector, not manually created users.

Hint

Data sets created by a connector are marked by the connector during creation (objectSid or ID). These markings are visible to other connectors.

Example:

A user is a member of the Development security group and the Accounting security group. Two connectors are set up for the two groups. The user that is in both groups is found by both connectors. In case of such constellations, only one connector should be permitted to move users. If all connectors are permitted to move users and some users are to be moved to different organisational units, this could affect the performance of the server.

Note

Note on using the Active Directory: If the phone numbers are saved in the canonical format in Active Directory, a line with exactly this address is searched for and then assigned to the user. If the Active Directory contains phone numbers in other formats, the connector attempts to convert them to the canonical format using the dialling parameters configured in the XPhone Connect Server. If multiple dialling parameter records are configured in the XPhone Connect Server (multi-telephone system operation, multi-location operation), the connector may not be able to convert the numbers because the result is not unique. In this case, the phone numbers have to be entered in the Active Directory in the canonical format. If you select under consideration of advanced settings for line creation, you can specifically select the dialling parameters AND telephone systems to be considered.
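The conversion rule described in this note, as an added example that is not the connector's own code: a number already in canonical format is used as-is, any other format is converted with each configured dialling parameter set, and the number is rejected as ambiguous when the sets produce different results, which is exactly the case the advanced settings resolve by restricting the sets considered. The canonical format is assumed here to be "+" followed by country code, area code and subscriber number; the parameter sets and numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DiallingParams:
    """One dialling parameter set as named on the page (constructed values)."""
    name: str
    country_code: str   # e.g. "49"
    area_code: str      # e.g. "89"
    main_number: str    # PBX main number, e.g. "12345"


def canonical(number: str, p: DiallingParams) -> str:
    """Convert one number to the assumed canonical "+<country><area><number>" form."""
    digits = re.sub(r"[^\d+]", "", number)          # drop spaces, dashes, brackets
    if digits.startswith("+"):
        return digits                                 # already canonical: use as-is
    if digits.startswith("00"):                       # international dialling prefix
        return "+" + digits[2:]
    if digits.startswith("0"):                        # national: trunk prefix + area + number
        return "+" + p.country_code + digits[1:]
    # Bare extension: only meaningful relative to this set's PBX main number.
    return "+" + p.country_code + p.area_code + p.main_number + digits


def resolve_line_address(number: str, params: List[DiallingParams]) -> str:
    """Return the unique canonical line address, or raise if the sets disagree.

    With several dialling parameter sets (multi-location operation) a short
    extension converts differently for each PBX, so it cannot be assigned
    unless the sets to consider are narrowed down.
    """
    if not params:
        raise ValueError("at least one dialling parameter set is required")
    candidates = {canonical(number, p) for p in params}
    if len(candidates) != 1:
        raise ValueError(f"{number!r} is ambiguous: {sorted(candidates)}")
    return candidates.pop()
```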


Click Next to get to the next step.

Advanced settings for creating lines

The Advanced settings page is only shown if under consideration of advanced settings for line creation was selected.

Specify advanced settings for creating and assigning telephony lines.

  • Dialling parameters to be considered

    Please select the dialling parameters that are to be used for the line search. The dialling parameters are considered in the order provided. Leave the list blank to consider all available dialling parameters in alphabetical order.

    Click on the double arrow pointing in the corresponding direction (selected or available) to select or deselect all available dialling parameters. Or highlight a dialling parameter and click on the corresponding single arrow to select or deselect it. You can adjust the order with the up and down arrows.

  • PBX to be considered

    Please select the PBXs which are to be used for the line search. The telephone systems will be considered in the specified order. Leave the list empty to consider all existing telephone systems in alphabetical order.

    Click on the double arrow pointing in the corresponding direction (selected or available) to select or deselect all available telephone systems. Or highlight a telephone system and click on the corresponding single arrow to select or deselect it.

  • Settings for line creation

    Make settings here for line creation about how lines are searched, created or moved:

    • Standard search

      A first attempt is made to find a unique line for the telephone number across all available dialling parameters and telephone systems. Only if this search is unsuccessful is a search conducted using the dialling parameters and telephone systems specified here.

    • Using the first line found

      Moving the line found between the telephone systems

    • Only create lines if a corresponding physical line is available in the telephone system

      Continue the search if the verification of a physical line fails

    • Additional flags (optional)

      Additional flags may be necessary in particular cases. Contact your XPhone Connect support on this matter.

Click Next to get to the next step.

Summary

Here you can see a summary of all settings made that are applied when clicking Complete. Clicking Back to the connector list will take you back to the overview.

Rules for data synchronisation

Existing (manually created) users: Users are only changed if they were created by a connector.

The settings for Windows login, XPhone Connect Server login and the default password are only relevant when a new user is created; these values are not changed when the connector configuration is changed. Changes to the other parameters in Active Directory are replicated. Users are identified by their unique ID, which is the objectSID (AD connector) or ID (text connector), depending on the connector type; this also covers a change of the user name in the Active Directory or the text file.

A connector marks the users that it copied into the XPhone Connect Server configuration. If a user is not found in more than three consecutive connector runs, the user is deleted from the XPhone Connect Server.
