
Kerio User Forums, Kerio Operator: Operator 2.2 and Connect 8.2 LDAP; talking to each other, but don't agree (LDAP integration glitches)

blswjames

The Kerio Operator 2.2 release is awesome! Provisioning profiles and the added LDAP provisioning changed my world. However, when it comes to provisioning LDAP search against a Kerio Connect system, there are some glitches...

The setup we are using is Kerio Operator 2.2.0, Kerio Connect 8.2.1, and Snom 821 phones with the 8.7.4.8 beta firmware. Both Connect and Operator are pulling user accounts from the same Open Directory master. However, Operator is now provisioning the phones to use Connect as the LDAP directory source.


1) User extensions are not dial-able
Internal dialing should use direct extensions, but the LDAP queries get full numbers since that is how they are stored in the GAL, for proper reason. While it does give you the ability to override the LDAP field that represents the phone number that should be dialed, the ultimate source for these values is Open Directory, which only offers 4 choices (work, home, mobile, or pager). We opted to use 'pager', since it was the least likely used field, and went through every contact in the system and set their 4-digit extension as their pager number. However, now the company address book is polluted with misleading pager numbers just so the supposedly intelligent phone system can manage to dial numbers stupidly.


2) Checking the box "Filter out contacts without phone numbers" filters out all records instead
I've also seen posts from others during the beta period that mentioned this. Our expectation is that it only shows contacts that have a value put in the LDAP directory field that corresponds to the one designated as the Phone Number in the box below it. (In our case, it needs to be set to "pager", since that is how we are working around the issue described above.) Examination of the dial string seems like it should work as the boolean expressions and field designations all seem correct, but it just comes back with no results. Unchecking the box, however, does show all public contacts as expected, except that requires everyone to scroll through a lot of bogus contacts and resources, such as conference rooms, making the directory feature more of a nuisance rather than a helpful tool. (Also, it's made even more confusing since the conference room resources in the list don't have any way to add a phone number to them, and people keep trying to use them to call the conference room.)


3) Personal contacts
(This one is more of an enhancement request.) Since provisioning is set at a global level, each phone has to share a single LDAP user account in order to perform LDAP queries. This is fine for public contacts, but wouldn't it be even better if you could somehow dynamically provision the phone's LDAP settings with the specific Kerio Connect user account so that it could pull personal contacts in addition to public ones?


So far, that is all that I have found from this version that seems in any way misbehaved. Overall, very good work on this release!

Thanks

-james

Filip Jenicek (Kerio)

Hi James,

thank you for the feedback.

Why don't you configure the phones to use the Open Directory instead of Connect? The problem with LDAP implementation in Connect is that it is not complete and some more complex queries are not supported. One of them is the "Filter empty contacts" option.

I might be repeating myself, but the directory feature is pretty simple. All it actually does is provision phones with the LDAP configuration. Contact lookup, etc. is then done by the phone.

You can even use template overrides to provision phones with a customized LDAP configuration in case the default doesn't suit you. Moreover, you can override the templates to distribute different LDAP user accounts. I admit that it is not user-friendly, but it is possible.

Regarding pt. 3, we will take it into consideration.

Thank you,
Filip

blswjames

Awesome, Filip. Sound advice as usual. I suppose that the only reason we would rather use Connect over OD is if we could have pt. 3.

Thanks!

-james

blswjames

Thanks! I got it to work, but correctly auto-provisioning Open Directory settings on a Snom phone does require overriding the default provisioning template in KO. Fortunately, that is also a feature given to us in the 2.2 release!

blswjames

Also, I discovered that it is certainly possible to use template overrides in order to deliver per-user LDAP configurations (pt. 3 above). However, this would require having some sort of server-side variable that KO could plug into the dynamic provisioning override template that provides the <current user>'s username and password in the appropriate fields.

Specifically, it would need to grab the user/pass from whatever user account was assigned to the extension that is assigned to the phone. (Assuming that both Kerio Operator and Kerio Connect are getting user accounts from the same source, such as AD or OD.)

Is there such a variable by chance?

The override would look something like this:

ldap_server&: connect.domain.org
ldap_port&: 389
ldap_base&: fn=public,fn=ContactRoot
ldap_username&: {CURRENT_USER_UNAME}@domain.org
ldap_password&: {CURRENT_USER_PASS}
...


Filip Jenicek (Kerio)

Hi,

interesting, what did you have to override to make LDAP work on the Snom phones?

Regarding variables, please take a look at file refguide from the provisioning documentation. It is available in the Software Archives.

The user's password is not there, because we don't know it. All we store in Operator is some kind of a hash. If a user is imported from LDAP, then we know nothing about his password. You can access other variables such as "$LINES[0]['USERNAME']", etc.

I think you will have to use a PHP switch statement and hardcode the passwords :(

Filip

blswjames

Good news, everyone!

I discovered that it IS, in fact, possible to use Kerio Operator to push out personalized directories using Kerio Connect as the LDAP source, with no hardcoding of usernames or passwords required!

The secret is to use the $LINES[0]['USER_EMAIL'] variable and a few simple template overrides. The '0' index will target the first SIP identity on the phone, meaning that we will provision LDAP access for whatever user is applied to that identity. So, if you are fine with that, and you are fine with users accessing the web interface on their phones, then this solution can work for you. (Remember, you can provision read-only permissions on basically every field on a Snom, so anything you are afraid of the users changing can be easily locked.)

1) First, set up the LDAP connection to Kerio Connect using the configuration wizard. Keep all the defaults the wizard sets, except for the search base field; use 'fn=ContactRoot' there.

2) Then, edit the LDAP section in the template override with the following changes:
ldap_base: cn={$LINES[0]['USER_EMAIL']},{$DIRECTORY_SEARCH_BASE}
ldap_username: {$LINES[0]['USER_EMAIL']}
ldap_password!:


Note the '!' following 'ldap_password'; this sets the field to allow read-write by the user so they can set their password using the phone's web interface. Also, '!' as opposed to '$' tells the phone to keep the user's setting instead of the provisioned setting, meaning the user-supplied value should stick around after reboot. The only issue I've had with this is that if you had previously set a fixed provisioned password, you need to unset it first. (Factory resetting the phone is the easiest way; then let the auto-provisioning do its thing.)

Once you have that field in a R/W state, you can share documentation with your users walking them through adding their password to that field using the Snom web interface.

While it's not the prettiest way one might imagine this working, it does get the job done. Users' address books are now synced with their phones! Hooray 21st Century computing!

[Updated on: Mon, 18 November 2013 19:52]


blswjames

Oh, in order to get OpenDirectory working from the phone, certain things need to be different than what the configuration wizard tries to do. For example, the format of the user name for authenticating requires DN format rather than the email address. A few other things needed to be moved around as well. Since Filip's advice helped me to get a decent integration with Kerio Connect working, I no longer need the OpenDirectory configuration. But here is what I had set in the LDAP section of the override template in order to get a "company directory" like feature working from an Apple OpenDirectory server:

ldap_server: {$DIRECTORY_HOSTNAME}
ldap_port: {$DIRECTORY_PORT}
ldap_base: {$DIRECTORY_SEARCH_BASE}
ldap_username: {$DIRECTORY_USERNAME}
ldap_password!: {$DIRECTORY_PASSWORD}
ldap_search_filter: (&(Pager=*)(|(givenname=%)(cn=%)(sn=%)))
ldap_number_filter: (|(Pager=%)(&(apple-phonecontacts=PhoneContact:%)(cn=*)))
ldap_name_attributes: {$DIRECTORY_COMMON_NAME} {$DIRECTORY_LAST_NAME} {$DIRECTORY_FIRST_NAME}
ldap_number_attributes: {$DIRECTORY_NUMBER_ATTRIBUTES}
ldap_display_name: %{$DIRECTORY_FIRST_NAME} %{$DIRECTORY_LAST_NAME}
ldap_sort_results: on
perform_initial_query_in_ldap_state: on
dkey_directory: keyevent F_DIRECTORY_SEARCH


The main fields that I had to override are ldap_search_filter, ldap_number_filter, and ldap_name_attributes. Also, I should point out that this particular override is configured for using the "pager" field for the ipPhone extension so that they dialed an extension rather than the full number. (We went through and set everyone's extension on the pager field in OD.)

The "Directory User Name" value i set in the LDAP configuration screen looks like this:
uid=phoneuser,cn=users,dc=od,dc=domain,dc=com


At least that is how I managed to get it to work. While I believe that the KC setup is better for us going forward, it would be nice to know if anyone else has been able to figure out a way to add a 5th phone type to OD, such as "ipPhone". There doesn't seem to be a way to do that without some sort of schema extension.

[Updated on: Wed, 20 November 2013 01:32]


blswjames

Quote:
The problem with LDAP implementation in Connect is that it is not complete and some more complex queries are not supported. One of them is the "Filter empty contacts" option.

Ok, now I'm back to this. So, just to make sure I understand the situation, the following LDAP query syntax should be correct, right?

name_filter: (&(telephoneNumber=*)(|(givenName=%)(sn=%)(cn=%)))
number_filter: (|(telephoneNumber=%)(mobile=%)(ipPhone=%))

If so, then what it sounds like you're saying is that something in Kerio Connect is unable to handle the '&' operand? Or is it because it can't deal with more than two levels of nesting? Or is it the '*' that it doesn't like?

I guess I'm still hoping to figure out a way to cheat and get K Connect to do what I want with another template override, whether it involves simplifying the query or some other trick...

Thanks again!

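As an added example (not Kerio's or Snom's code), the following Python parses the RFC 4515 filter syntax quoted in this post and in the Open Directory override earlier in the thread, then evaluates it against constructed contact entries, so the intended behaviour of the "(attr=*)" presence test can be checked locally before suspecting the server. The `pager` attribute and the `*` appended to the typed text for prefix matching are assumptions, not something the page states Snom does.

```python
import re

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|', [children]) or ('=', attr, value) nodes."""
    tree, i = _node(text, 0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _node(text, i):
    if text[i:i+1] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i:i+1] in ('&', '|'):            # AND / OR over any number of children
        op, kids, i = text[i], [], i + 1
        while text[i:i+1] == '(':
            kid, i = _node(text, i)
            kids.append(kid)
        result = (op, kids)
    else:                                    # attr=value item; value '*' is a presence test
        end = text.find(')', i)              # escaped values (\2a etc.) are out of scope
        attr, eq, value = text[i:end].partition('=')
        if end < 0 or eq != '=' or not attr:
            raise ValueError(f"malformed item at offset {i}")
        result, i = ('=', attr.lower(), value), end
    if text[i:i+1] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return result, i + 1

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list of values)."""
    if tree[0] == '&':
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == '|':
        return any(matches(k, entry) for k in tree[1])
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if pattern == '*':                       # presence filter: attribute has at least one value
        return bool(values)
    regex = '.*'.join(re.escape(p) for p in pattern.lower().split('*'))  # LDAP '*' wildcard
    return any(re.fullmatch(regex, v.lower()) for v in values)

# The Snom-style name filter from the thread; the phone substitutes '%' with the typed text.
NAME_FILTER = "(&(pager=*)(|(givenName=%)(cn=%)(sn=%)))"
CONTACTS = [  # constructed GAL entries: only Alice has a pager (extension) value
    {"cn": ["Alice Adams"], "givenname": ["Alice"], "sn": ["Adams"], "pager": ["1001"]},
    {"cn": ["Bob Brown"], "givenname": ["Bob"], "sn": ["Brown"], "telephonenumber": ["+1 555 0102"]},
    {"cn": ["Conference Room A"]},
]

def directory_lookup(typed, contacts=CONTACTS):
    tree = parse_filter(NAME_FILTER.replace('%', typed + '*'))  # assumed prefix-match behaviour
    return [c["cn"][0] for c in contacts if matches(tree, c)]   # names the phone would list
```

With the pager presence test in place, Bob and the conference room drop out of the results; a server that ignores or rejects the presence item would return all three.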

Filip Jenicek (Kerio)

Hi,

once again - nice work!

Now I understand why you had to use template overrides. I hope that you know that you are not limited to the wizard, but you can also change the fields directly in the dialog. Unfortunately, the filter fields are generated and cannot be changed the way you need.

blswjames wrote on Wed, 20 November 2013 01:31

If so, then what it sounds like you're saying is that something in Kerio Connect is unable to handle the '&' operand? Or is it because it can't deal with more than two levels of nesting? Or is it the '*' that it doesn't like?

It's been some time since I last experimented with it, so I might not be 100% right. The LDAP implementation in Connect is designed to be used in address books in desktop email clients. These programs usually look up contacts by names and email addresses. Connect cannot filter by phone numbers or any other fields. To debug LDAP queries I used JXplorer.

Best
Filip

blswjames

Filip,

It would appear that you are 100% correct: ldap query bug
