Adding and Editing AD/LDAP Synchronizers

The LDAP Path Assistant can make it easier to formulate the LDAP URL for a synchronizer, provided that the synchronizer is connecting to an Active Directory server. The Assistant may not work with other kinds of LDAP servers.

To use the assistant, enter the fully qualified domain name (FQDN) of the domain controller in the Assistant. The Assistant will then create an LDAP URL with the format ldap://<domain-controller-name>/<DC= separated top level domain controller name components>

NOTE: The path assistant is only intended to assist you in the creation of LDAP URL. Path assistant may not always work depending on how your LDAP server is configured.

For example:

Domain controller name: test-controller.mitel.com
Resulting LDAP path: ldap://test-controller/DC=mitel,DC=com

The Search context is an LDAP path relative to the absolute path specified in the LDAP path field. Together, the values you configure for the LDAP path and Search context fields determine which LDAP object is the starting point for the search query. For example, if you use the following hierarchy in your LDAP database:

XYZ Company

-> New York Branch

-> Sales Department

-> US Sales

-> Eastern US

and you want to synchronize all accounts from the Eastern US Organizational Unit, you would specify the LDAP fields as follows:

LDAP path: ldap://ldap.example.com/DC=example,DC=com
Search context: OU=NewYork Branch, OU=Sales Department, OU=US Sales, OU=Eastern US

If your search should begin at the root object (for example, the XYZ Company object), you can leave the Search context blank.

Connection Settings: Allow MiCollab Client to connect to the AD/LDAP directory and import information. Add or edit the following Connection Settings:

Description: (Required) Type a short description for the AD/LDAP synchronizer. This field has a maximum length of 64 characters.
Domain name: (Required) Type the domain name for the AD/LDAP synchronizer. The value can be any unique value. This field has a maximum length of 128 alphanumeric characters, and supports dashes, and periods.
Show LDAP Path Assistant: Click Show LDAP Path Assistant, enter the fully qualified domain name (FQDN) of the domain controller, and then click Generate Path. The LDAP path field is populated. Click Hide LDAP Path Assistant.

NOTE: The LDAP Path Assistant is only intended to assist you in the creation of the LDAP URL. Depending on how your LDAP server is configured, it may not always work.

LDAP path: (Required) Type the full LDAP path of the synchronizer will use when connecting to the directory server. This field has a maximum length of 255 characters. Example: ldap://directory.mitel.com/DC=mitel,DC=com

Server supports paging results: Clear this setting if the LDAP server does not support paging results extension (refer to IETF rfc 2696). Windows Server® 2003 Active Directory and ApacheDSTM servers do support paging results.
Do not import disabled accounts from AD: This setting is applicable only when connecting to an Active Directory server. DO NOT check this for other kinds of LDAP servers. If checked, MiCollab Client will not import disabled accounts from Active Directory. To find out if an account is disabled or not, on ActiveDir server, open the "Active Directory Users and Computers" tool, navigate to the account, right-click on the account, and select Properties. Under the Account tab -> Account Options, the "Account is disabled" field will show the account status.

Search context: (Optional) This field points to the LDAP object on the sub-tree where the search query is run. If you complete this field, the value MUST be relative to the initial context specified by the LDAP path parameter. If you leave this field blank, then the query search is performed on the LDAP root object pointed to by the "LDAP path" parameter. This field has a maximum length of 255 characters. Example: (ou=Sales).
User query: (Optional) If specified, this field should be a valid LDAP query string, which is used to selectively query for and import user accounts. If your leave this field blank, the query string (|(objectClass=person)(objectClass=user)) is used. This field has a maximum length of 255 characters.
Username: (Optional) Type the username for the directory server. The username can be an LDAP distinguished name. Example: CN=Administrator,OU=engineering,DC=directory,DC=mitel,DC=com. If the directory server is Active Directory, it can be the qualified Active Directory username. Example: engineering\jsmith.

NOTE: The specified user must have privileges to read information relevant to all accounts that expect to be synced into MiCollab Client.

Password: (Optional) Type the password for the directory server.
Default feature profile: (Required for Account AD/LDAP Synchronizers only. This field is not displayed for external server AD/LDAP Synchronizers) Select the feature profile you want to apply to the accounts created by the synchronizer. By default, the Default Feature Profile is selected.

NOTE: The Default Feature Profile does not include any features. To assign features to users when you create accounts during the initial synchronization, you must first create a Feature Profile that includes the features you want to use, and then you can select it here. Refer to the Licensed Features and Synchronization topic before selecting a Feature Profile.

Timestamp: MiCollab Client Service uses the modification timestamp on LDAP objects to optimize processing. This is mainly used for display picture importing and MiCollab Client tries to import only those display pictures which have changed on the LDAP server since the last time MiCollab Client did a successful sync.
- Timestamp attribute: This is the attribute name of the LDAP field which contains the modification timestamp. In case of Active Directory, the attribute is whenChanged. If your LDAP server has some other attribute name, specify that instead.

NOTE: If this attribute is left blank, MiCollab Client Service will try to import display pictures for all eligible accounts, regardless of when they were modified. While a blank timestamp attribute is not a recommended configuration for regular use (because display picture import can consume substantial cpu/ memory), it can be used to force a re-import of all display pictures if required for troubleshooting, error recovery, etc. To do this, blank out the timestamp attribute and perform a sync. After the sync, set the timestamp attribute back to its original value and sync again.

Timestamp syntax: The format of the timestamp value contained in the timestamp attribute. For Active Directory, this is X680 format. Some older LDAP servers may use the X208 format.

Field Mappings specify how AD/LDAP database fields are mapped to MiCollab Client account fields when the information is synchronized.

If required, edit the default values in the Account Information field. The table below defines the field mappings from AD/LDAP objects to MiCollab Client accounts. Based on the fixed label and description provided for each field, determine if you need to edit the default values. To edit a field, delete the existing value and type a new value in the text box.

Field	Default Value	Description
Directory key	objectGUID	This is the unique key that identifies the account in the directory. If the directory object does not have a value for this field, it is not imported.
PBX node	facsimileTelephoneNumber	Identifies the PBX node, or switch, that the user’s phone is configured on. If the directory object does not have a value for this field, it is not imported.
First name	givenName	The user’s first name. This field can be blank.
Middle name	initials	The user’s middle name. This field can be blank.
Last name	sn	The user’s last name. This field can be blank.
Login ID	sAMAccountName	The login ID that the MiCollab Client Desktop Client uses to authenticate with the MiCollab Client Service. This field can be blank.
Desk phone extension	ipPhone	The user’s desk phone extension. This field can be blank.
Soft phone extension	otherIpPhone	The user’s soft phone extension. This field can be blank.
Company name	company	The user’s company name. This field can be blank.
Address	streetAddress	The user’s street address. This field can be blank.
City	l	The user’s city. This field can be blank.
State/Province	st	The user’s state. This field can be blank.
ZIP/Postal code	postalCode	The user’s ZIP/postal code. This field can be blank.
Display picture	jpegPhoto	The user’s display picture. This field can be blank.

Add, Edit, or Delete Phone Numbers, E-mail Addresses, and Instant Message (IM) Addresses from the existing tables.
Do one of the following:

If you are adding a new AD/LDAP synchronizer, click Done.
If you are editing an existing synchronizer, click Save.

Adding and Editing AD/LDAP Synchronizers

To add an AD/LDAP Synchronizer: