This example configuration describes how to create and configure an AD profile using the basic steps in the numbered sections below. Though these steps can be performed from either the EMA or the CLI, the description below is limited to the CLI.
Setting up the local Certificate Authority (CA)
For a local Certificate Authority (CA), add the root certificate of your AD server at the end of the file /etc/ssl/certs/ca-certificates.crt. Follow the procedure below if the AD certificate is generated with the subject set to the domain name.
Update the primary IP to the domain name in the domain controller entry in the postgres database.
Log in to the postgres database using the following command:
    psql ssdb
Update the domain name in the database. Disable the TLS flag and enable it again so that the change is reflected in the cache. Add your domain name and IP address to /etc/hosts, where domain_controller_id='<domaincontrollername>'.
    update domain_controller set primaryip='<yourdomainname>' where domain_controller_id='<domaincontrollername>';
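The certificate and hosts-file steps above are easy to apply twice by mistake (a duplicate root in ca-certificates.crt, or a second /etc/hosts line for the same name pointing at a different address). The following Python helper is an added example, not part of the original page or of Ribbon's software. It works on the file contents as strings, compares certificates by the SHA-256 fingerprint of their DER bytes so that a re-run does not duplicate the root, and refuses to add a hosts entry that conflicts with an existing mapping. The sample bundle, certificate bodies, host name and the function names are constructed for the example (the base64 bodies are not real certificates; only the PEM framing and fingerprint logic are exercised).

```python
import base64
import hashlib
import re

# Constructed sample inputs (not from the page). The base64 bodies are not
# real X.509 certificates; only the PEM framing and fingerprint logic are used.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
QUFB
-----END CERTIFICATE-----
"""
AD_ROOT_PEM = """-----BEGIN CERTIFICATE-----
QkJC
-----END CERTIFICATE-----
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate found in a PEM blob."""
    fingerprints = set()
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def append_root_cert(bundle_text, root_pem):
    """Append root_pem at the end of the bundle unless a certificate with the
    same fingerprint is already present. Returns (new_bundle, added)."""
    new = cert_fingerprints(root_pem)
    if not new:
        raise ValueError("no PEM certificate found in the supplied root")
    if new <= cert_fingerprints(bundle_text):
        return bundle_text, False
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + root_pem.strip() + "\n", True


def add_hosts_entry(hosts_text, ip, fqdn):
    """Add 'ip fqdn' to /etc/hosts content unless the name is already mapped.
    A name already bound to a different address is an error, not a silent
    re-mapping. Returns (new_hosts, added)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # ignore comments
        if len(fields) >= 2 and fqdn in fields[1:]:
            if fields[0] == ip:
                return hosts_text, False
            raise ValueError(f"{fqdn} already maps to {fields[0]}, not {ip}")
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + f"{ip} {fqdn}\n", True


def update_files(root_pem_path, ip, fqdn,
                 bundle_path="/etc/ssl/certs/ca-certificates.crt",
                 hosts_path="/etc/hosts"):
    """Apply both helpers to the real files (needs root). Not exercised below."""
    with open(root_pem_path) as f:
        root_pem = f.read()
    with open(bundle_path) as f:
        bundle, added_cert = append_root_cert(f.read(), root_pem)
    if added_cert:
        with open(bundle_path, "w") as f:
            f.write(bundle)
    with open(hosts_path) as f:
        hosts, added_host = add_hosts_entry(f.read(), ip, fqdn)
    if added_host:
        with open(hosts_path, "w") as f:
            f.write(hosts)
    return added_cert, added_host


if __name__ == "__main__":
    bundle, added = append_root_cert(SAMPLE_BUNDLE, AD_ROOT_PEM)
    print("certificate added:", added, "| certs in bundle:", len(cert_fingerprints(bundle)))
    hosts, added = add_hosts_entry(SAMPLE_HOSTS, "10.23.45.66", "dc1.example.test")
    print("hosts entry added:", added)
```

Running it a second time on the updated contents adds nothing, which is the property you want before wiring the helper into an automated build of the SBC host.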
1. Configuring to Sync Data from Remote Server
Create an AD profile to sync the data from the remote server. Perform these steps from either the EMA or the CLI. Refer to Ad Profile - CLI and Profiles - Ad Profile for details.
2. Fetch data from Remote Server
Perform the following steps to fetch the data from the remote server.
2.1 Creating Domain Controller
Configure Transparency of "all" Headers.
    set global servers domainController ADSERVER1 description <description> userName <user_name> password <password> primaryAddress 10.23.45.66 ldapQueryCriteria cn=* searchScope CN=Users,dc=ribbon,dc=com
Note: When defining userName and password in the above command, prepend special characters with a backslash ( \ ).
Note: The remote port can be configured in the Domain Controller, but LDAP does not use it. LDAP uses the standard ports: port 389 for simple authentication and port 636 for TLS.
Configure the ACL rule and the management interface static route for the domain controller's IP. Doing so ensures that the management interface is used to send the LDAP query and that the packets from the AD server are allowed to reach the application.
The command example below creates the static route and ACL rule where the domain controller IP is 10.23.45.66 and the management gateway IP is 10.54.51.1.
    set system mgmtStaticRoute 10.23.45.66 32 10.54.51.1 mgmtGroup mgmtIntf1 preference <1..99>
    commit
    set addressContext default ipAccessControlList rule test precedence <1..65535> mgmtIpInterfaceGroup mgmtGroup sourceIpAddress 10.23.45.66 sourceAddressPrefixLength 32 state enabled
    commit
Configure the flexible AD attributes. For each attribute there is an AD attribute identifier. The AD attribute identifier is used as the reference in all other entities.
    set profiles adAttributeMapProfile DEFAULT_AD_ATTRIBUTE_PROFILE adAttributeList adAttribute1 adAttributeName cn
    commit
    set profiles adAttributeMapProfile DEFAULT_AD_ATTRIBUTE_PROFILE adAttributeList adAttribute2 adAttributeName telephoneNumber
    commit
    set profiles adAttributeMapProfile DEFAULT_AD_ATTRIBUTE_PROFILE adAttributeList adAttribute3 adAttributeName mobile
    commit
    set profiles adAttributeMapProfile DEFAULT_AD_ATTRIBUTE_PROFILE adAttributeList adAttribute4 adAttributeName unixHomeDirectoryNumber
    commit
In the above example, adAttribute1 refers to 'cn' in all other entities such as the DM PM criteria, DM PM rule and call parameter filter profile. Similarly, adAttribute2 refers to telephoneNumber, and so on. If this profile is changed after the data has already been synced successfully, it is recommended to perform a sync using the manual sync command, or to wait until the syncInterval timer commences and syncs the data. Until a sync is performed, the modified data cannot be used and can cause call failures.
2.2 Configure AD profile
This entity allows you to configure data such as the sync state, delayed sync, sync interval and the list of remote servers from which the data is fetched.
    % set profiles adProfile DEFAULT_AD_PROFILE sync enable syncInterval 1440 delayedSync 2019-03-07T23:59:00 adServerList 1 dcServer ADSERVER1
In the above example, the configuration performs the first sync on 7 March 2019 at 23:59, and the next sync is scheduled for 8 March 2019 at 23:59. The data is fetched from the AD server ADSERVER1. A maximum of 32 servers can be associated with the AD profile.
Note: Manual sync does not change any of the delayedSync or syncInterval logic. The sync interval commences only after a successful sync following a delayed sync.
If delayedSync fails for some reason, the SBC retries the sync operation 1 minute after the failure. To stop the syncing operation, disable the sync parameter in the AD profile.
If multiple servers are configured to sync data from and any of the servers fails, the SBC stops the syncing operation and sets the AD sync status to failed. New data is stored locally only after all the servers are synced successfully.
View the sync status by executing the command:
    % show table system adSyncStatus
    AD SYNC MODULE   AD SYNC NAME   STATUS           AD TIME STAMP
    ------------------------------------------------
    Ad Server   syncInProgress   2019-03-06:16:48:32
    Ad Server   syncInProgress   2019-03-06:16:48:32
The above status indicates that the sync operation is currently in progress.
Note: There are four types of sync status:
- neverDone: Indicates that data has never been synced.
- syncInProgress: Indicates that a sync is currently in progress.
- syncCompleted: Indicates that the sync has completed successfully.
- syncFailed: Indicates that the sync operation has failed.
The AD time stamp displays the time stamp of the last successful sync operation.
View the alarm raised when there is any issue with syncing data from the remote server.
    % show status alarms currentStatus
Note: If the adSyncStatus command output shows syncFailed as the status, check the alarm raised. The alarm shows the standard LDAP error code and its respective error string. If the debug log level is set to 'info', additional data is logged, which helps to narrow down the issue.
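To make the status check above reusable from a monitoring script, here is an added Python example that is not from the page or from Ribbon. It parses the layout of the show table system adSyncStatus output, derives the overall state the way the text describes (any server failing makes the whole sync failed), and lists what to look at next, including a check that the last successful time stamp is not older than the configured syncInterval. The output lines, server names and times are constructed for the example, the function names are the author's own, and the syncInterval unit is assumed to be minutes.

```python
from datetime import datetime, timedelta

VALID_STATUS = ("neverDone", "syncInProgress", "syncCompleted", "syncFailed")
TS_FORMAT = "%Y-%m-%d:%H:%M:%S"  # layout of the AD TIME STAMP column

# Constructed sample output in the layout of 'show table system adSyncStatus';
# the server names and times are made up for this example.
SAMPLE_OUTPUT = """\
AD SYNC MODULE   AD SYNC NAME   STATUS           AD TIME STAMP
------------------------------------------------------------------
Ad Server        ADSERVER1      syncCompleted    2019-03-07:23:59:10
Ad Server        ADSERVER2      syncFailed       2019-03-06:23:59:05
Ad Server        ADSERVER3      neverDone
"""


def parse_stamp(text):
    """Parse one AD TIME STAMP value."""
    return datetime.strptime(text, TS_FORMAT)


def parse_ad_sync_status(text):
    """Return one dict per data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[-1] in VALID_STATUS:            # no time stamp yet (neverDone)
            status, stamp, rest = tokens[-1], None, tokens[:-1]
        elif len(tokens) >= 2 and tokens[-2] in VALID_STATUS:
            status, rest = tokens[-2], tokens[:-2]
            stamp = parse_stamp(tokens[-1])
        else:
            continue                              # header or separator line
        rows.append({
            "module": " ".join(rest[:-1]),
            "name": rest[-1] if rest else "",
            "status": status,
            "timestamp": stamp,
        })
    return rows


def overall_status(rows):
    """Collapse per-server rows as the text describes: one failure fails the sync."""
    present = {r["status"] for r in rows}
    for status in ("syncFailed", "syncInProgress", "neverDone"):
        if status in present:
            return status
    return "syncCompleted" if rows else "neverDone"


def triage(rows, now, sync_interval_minutes):
    """Findings an operator would act on. Interval in minutes is an assumption."""
    findings = []
    for r in rows:
        if r["status"] == "syncFailed":
            findings.append(f"{r['name']}: syncFailed; run 'show status alarms currentStatus' "
                            "for the LDAP error code and string")
        elif r["status"] == "neverDone":
            findings.append(f"{r['name']}: never synced; check delayedSync and the sync flag")
        elif r["status"] == "syncCompleted" and r["timestamp"] is not None:
            age = now - r["timestamp"]
            if age > timedelta(minutes=sync_interval_minutes):
                findings.append(f"{r['name']}: last successful sync {age} ago exceeds syncInterval")
    return {"overall": overall_status(rows), "findings": findings}


if __name__ == "__main__":
    parsed = parse_ad_sync_status(SAMPLE_OUTPUT)
    result = triage(parsed, parse_stamp("2019-03-09:00:00:00"), 1440)
    print("overall:", result["overall"])
    for finding in result["findings"]:
        print(finding)
```

The staleness check matters because a syncCompleted row only tells you the last sync succeeded, not that the next one ran; a sync flag that was disabled to stop a failing run and never re-enabled shows up here as an ageing time stamp rather than as an alarm.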
3. Using synced data during call processing
Once data is successfully synced, the application can use it during call processing. To use the synced data in the SBC call routing logic, you must configure the various entities described below.
3.1 Configure Call Parameter Filter Profile (CPFP)
- This entity is configured to build a condition using various call parameters to query the local database. For example, suppose a user wants to fetch the data where the called party number is equal to the telephoneNumber AD attribute value, and the above AD attribute map profile is configured. The CPFP entity is then configured as:
    set profiles callParameterFilterProfile POCTEST callParameterFilterProfileData 1 adAttributes adAttribute2 operation = adCpe calledNumber
adAttribute2 refers to telephoneNumber as configured in the AD attribute map profile. The operation is "equal to" and the Call Parameter Element (CPE) type is the called number, so the condition fetches the row where the telephoneNumber AD attribute value is equal to the called number.
You can create multiple such conditions. If multiple conditions are configured, they are treated as an "AND" operation.
    set profiles callParameterFilterProfile POCTEST callParameterFilterProfileData 1 adAttributes adAttribute2 operation = adCpe calledNumber
    set profiles callParameterFilterProfile POCTEST callParameterFilterProfileData 2 adAttributes adAttribute3 operation =/= adCpe callingNumber
In the example above, the application fetches the data where the telephone number (adAttribute2 refers to telephoneNumber in the example configuration) is equal to the called number AND the mobile (adAttribute3 refers to mobile in the example configuration) is not equal to the calling number.
3.2 Call Parameter Filter Group Profile (CPFPG)
This entity groups multiple CPFP entities. Among multiple CPFP entities, the "OR" operation is applied, which means that if any one of the CPFP data fetches is successful, that data is used for the call.
    set profiles callParamFilterGroupProfile POCCPFPG1 callParamFilterGroupProfileData 0 callParamFilterProfile POCTEST
    commit
4. Apply DM PM criteria
This entity is a precondition for applying the DM PM sub-rule. If the DM PM criteria check is successful, the DM PM sub-rule is processed.
    set profiles digitParameterHandling dmPmCriteria POCDMPMCRI1 criteriaType parameter parameterType adAttribute4 parameterPresenceCheck exists
    commit
This rule checks for the presence of unixHomeDirectoryNumber (adAttribute4 refers to unixHomeDirectoryNumber in the example configuration) in the data fetched by the CPFP.
5. Apply DM PM Rule
The DM PM rule allows the SBC to modify various CPE values using other parameters, including the AD attribute values.
    set profiles digitParameterHandling dmPmRule POCDMPMRULE1 subRule 0 criteria POCDMPMCRI1 ruleType digit digitManipulation numberType calledNumber digitStringManipulation numberOfDigits 10 startDigitPosition 0 replacement digitString adAttribute2 numberOfDigits 10 startDigitPosition 0
This DM PM sub-rule first checks whether the DM PM criteria (POCDMPMCRI1) is successful; if so, the SBC manipulates the called number with the content of telephoneNumber (adAttribute2 refers to telephoneNumber in the example configuration) as configured.
6. Apply Number Translation Criteria
The Number Translation Criteria binds all the entities together to form the trigger criteria.
    set profiles digitParameterHandling numberTranslationCriteria POCNTC1 trunkGroup TG_SIPART_IAD TITAS Sonus_NULL Sonus_NULL lookupType AD callParameterFilterGroupProfile POCCPFPG1 outDmRule POCDMPMRULE1 inDmRule POCINDMRULE1
    commit
The above criteria triggers when the ingress trunk group is TG_SIPART_IAD and the gateway is TITAS. The SBC performs the POCINDMRULE1 DM PM rule, fetches the data based on the conditions set in the CPFPG (POCCPFPG1), and after fetching applies the DM PM rule POCDMPMRULE1.
7. Create AD Service
When the service state is enabled, the SBC checks for a match against the trigger criteria configured in POCNTC1. If the trigger criteria match, the SBC fetches the corresponding data from the local database and uses it for further call processing.
    set global servers adService POCADSERV1 priority 1 criteria triggerCriteria POCNTC1
    commit
    set global servers adService POCADSERV1 flags active enable
    commit
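Sections 3 through 7 describe one pipeline: the trigger criteria select the call, the CPFPG fetches a synced row (AND within a CPFP, OR across CPFPs), the DM PM criteria gate the sub-rule, and the sub-rule rewrites a digit string from an AD attribute. The Python model below is an added example that is not part of the page or of the SBC software. It reproduces that evaluation order on a few constructed directory rows and calls, using the profile names and attribute map from the page, and generalises the sub-rule so that the source attribute and digit positions can be chosen. Behaviour the page does not specify (how a condition treats a row that lacks the attribute, and the fact that POCINDMRULE1 is never defined) is handled by an assumption that is marked in the comments.

```python
# Attribute map from the page's adAttributeMapProfile; the directory rows and
# calls below are constructed for this example.
ATTRIBUTE_MAP = {
    "adAttribute1": "cn",
    "adAttribute2": "telephoneNumber",
    "adAttribute3": "mobile",
    "adAttribute4": "unixHomeDirectoryNumber",
}
SYNCED_ROWS = [
    {"cn": "alice", "telephoneNumber": "9785550100", "mobile": "9785550200",
     "unixHomeDirectoryNumber": "1001"},
    {"cn": "bob", "telephoneNumber": "9785550300", "mobile": "9785550400"},
]

# POCTEST as on the page: (attribute id, operation, call parameter element).
POCTEST = [("adAttribute2", "=", "calledNumber"),
           ("adAttribute3", "=/=", "callingNumber")]
POCCPFPG1 = [POCTEST]            # CPFPG: a list of CPFPs, OR across them


def cpfp_matches(conditions, row, call):
    """CPFP: every condition must hold (AND). Assumption: a row that lacks the
    attribute fails the condition whatever the operation is."""
    for attr_id, op, cpe in conditions:
        value = row.get(ATTRIBUTE_MAP[attr_id])
        if value is None:
            return False
        equal = value == call[cpe]
        if (op == "=" and not equal) or (op == "=/=" and equal):
            return False
    return True


def cpfpg_fetch(group, rows, call):
    """CPFPG: try each CPFP in order (OR); the first row any of them fetches wins."""
    for conditions in group:
        for row in rows:
            if cpfp_matches(conditions, row, call):
                return row
    return None


def criteria_exists(attr_id, row):
    """dmPmCriteria with parameterPresenceCheck exists on the fetched row."""
    return row is not None and row.get(ATTRIBUTE_MAP[attr_id]) not in (None, "")


def digit_string_manipulation(target, start, count, source, src_start, src_count):
    """Replace count digits of target from start with src_count digits of source
    taken from src_start (the digitStringManipulation/replacement pairing)."""
    return target[:start] + source[src_start:src_start + src_count] + target[start + count:]


def apply_dm_pm_rule(call, row, criteria_attr="adAttribute4", source_attr="adAttribute2",
                     number_type="calledNumber", start=0, count=10):
    """POCDMPMRULE1 sub-rule 0 with the page's values as defaults; the source
    attribute and digit window are parameters so other cases can be tried."""
    if not criteria_exists(criteria_attr, row):
        return dict(call)                       # POCDMPMCRI1 failed: sub-rule skipped
    source = row[ATTRIBUTE_MAP[source_attr]]
    return {**call, number_type: digit_string_manipulation(
        call[number_type], start, count, source, start, count)}


def process_call(call, rows=SYNCED_ROWS, trunk_group="TG_SIPART_IAD", gateway="TITAS"):
    """POCNTC1 trigger, then POCCPFPG1 fetch, then POCDMPMRULE1. POCINDMRULE1 is
    not defined on the page, so it is assumed to be a no-op and left out."""
    if call.get("ingressTrunkGroup") != trunk_group or call.get("gateway") != gateway:
        return dict(call)                       # trigger criteria not met
    row = cpfpg_fetch(POCCPFPG1, rows, call)
    return apply_dm_pm_rule(call, row)


if __name__ == "__main__":
    call = {"ingressTrunkGroup": "TG_SIPART_IAD", "gateway": "TITAS",
            "calledNumber": "9785550100", "callingNumber": "9785550999"}
    print(process_call(call))
```

Note that with the page's own rule the rewrite is a no-op whenever the CPFP matched on telephoneNumber = calledNumber, because the replacement digits come from the same attribute; the model makes that visible, and the gating by POCDMPMCRI1 shows why a row without unixHomeDirectoryNumber leaves the call untouched.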