52.2. LDAP tables

52.2.1. User table

This table allows the LDAP administrator to handle the LDAP accounts and the user's data auto-publication.

Use the d user command to display the parameters of the users; the d user: ? command shows the meaning of all parameters.

[21:29:02] ABILIS_CPX:d user

------------------------+-------------+----------------------------------------
USER             PWD ACT|CTIP CLUS    |CHAT LDAP PPP FTP HTTP MAIL IAX SIP VO
------------------------+-------------+----------------------------------------
admin            *** YES #    #        YES  YES  YES YES YES  NO   NO  NO  NO
guest                NO  #    #        NO   NO   NO  NO  NO   NO   NO  NO  NO

To allow an user to access LDAP, the LDAP parameter must be set to YES.

[21:29:04] ABILIS_CPX:s user:admin act:yes ldap:yes

COMMAND EXECUTED

[21:31:07] ABILIS_CPX:s user:guest act:yes ldap:yes

COMMAND EXECUTED

[21:32:02] ABILIS_CPX:d user

------------------------+-------------+----------------------------------------
USER             PWD ACT|CTIP CLUS    |CHAT LDAP PPP FTP HTTP MAIL IAX SIP VO
------------------------+-------------+----------------------------------------
admin            *** YES #    #        YES  YES  YES YES YES  NO   NO  NO  NO
guest                YES #    #        NO   YES  NO  NO  NO   NO   NO  NO  NO

In the example the LDAP account for the user admin and the user guest (anonymous) was activated.

Type the following command to create a new user with LDAP account.

[21:31:12] ABILIS_CPX:a user:test act:yes pwd:test ldap:yes

COMMAND EXECUTED

[21:34:18] ABILIS:d user

------------------------+-------------+----------------------------------------
USER             PWD ACT|CTIP CLUS    |CHAT LDAP PPP FTP HTTP MAIL IAX SIP VO
------------------------+-------------+----------------------------------------
admin            *** YES #    #        YES  YES  YES YES YES  NO   NO  NO  NO
guest                YES #    #        NO   YES  NO  NO  NO   NO   NO  NO  NO
test             *** YES #    #        NO   YES  NO  NO  NO   NO   NO  NO  NO

Type the following command to view user test's details:

[21:34:20] ABILIS_CPX:d user:test

Parameter:          | Value:
--------------------+----------------------------------------------------------
USER:                 test
REAL-NAME:            test
ID:                   5             <Read Only>
PWD:                  ***
ACT:                  YES
GROUP:                
CTIP:                 #
CLUS:                 #
ADDRBOOK-SYNC:        SYS           
ADDRBOOK-NUMBER:      AUTO          
ADDRBOOK-OUTDIAL:     NONE          
ADDRBOOK-PUB-ENABLED: SYS           
OPC-ROLE:             USER
OPC-VIEW:             *
OPC-HIDE-NUMBERS:     NO
OPC-MONITOR:          NONE
OPC-PRIVACY:          NO
CHAT:                 NO    
CHAT-USER:            SYS
CHAT-PWD:             SYS
LDAP:                 YES   
LDAP-OWN-ADDRBOOK:    NO            
-------------------------------------------------------------------------------
[Note]Note

This command displays only the parameters related to enabled drivers; if you want to see all the user parameters type the d usere:<ldap_user> command.

Meaning of the most important parameters:

LDAP

Enables/disables the LDAP account for the user [NO, YES], the default is NO.

LDAP-OWN-ADDRBOOK

Enable/disable user's personal address book [NO, YES], the default is NO. This parameter acts only if LDAP parameter is enabled.

ADDRBOOK-SYNC

ADDRBOOK-SYNC: Select in which Address Book(s) the user must be entered and kept synchronised [SYS, NO, LDAP, ABILIS, ALL] If 'SYS', the Address Book(s) the user must be entered and kept synchronised is inherited from the ADDRBOOK-SYNC parameter in CtiSys resource.

ADDRBOOK-NUMBER

Determine which is the Address Book user phone number [NONE, AUTO, CTIP, CLUS, CTISIP, CTIIAX] If 'AUTO' the first valid number is used between the ones assigned to CTIP, CTICLUS, CTISIP and CTIIAX interfaces.

  • CTIP, the phone number is provided by the LDAP-NUM parameter of the CTI port specified in CTIP user parameter.

  • CLUS, the phone number is provided by the LDAP-NUM parameter of the Cluster specified in CLUS user parameter.

  • CTISIP, the phone number is provided by the SIP-LDAP-NUM user parameter (if the SIP account is active).

  • CTIIAX, the phone number is provided by the IAX-LDAP-NUM user parameter (if the IAX account is active).

ADDRBOOK-OUTDIAL

Out-dial prefix number. NONE or SYS or max 8 digits [0..9]. If SYS, the out-dial prefix value is inherited from the OUTDIAL-DIGIT parameter in CtiSys resource.

ADDRBOOK-PUB-ENABLED

Enable the user to add/delete/update 'public' contacts of Abilis Address Book [SYS, NO, YES] If 'SYS', the user's rights on 'public' contacts are inherited from the ADDRBOOK-PUB-PROTECTED parameter in CtiSys resource. If 'YES' or 'NO', the user is allowed or not to add/delete/update 'public' contacts, regardless of the value of ADDRBOOK-PUB-PROTECTED parameter in CtiSys resource.

52.2.2. Rights table

The LDAP tree is composed of a root (that is configurable via the parameter root) and its branches. One branch is reserved to the address books.

There are two kinds of address books:

  • Main

    The address book is accessible from any allowed user via a LDAP right table.

  • Personal

    The address book contains the contacts that are accessible only by the related account. A LDAP account may enable the personal address book via the user parameter LDAP-OWN-ADDRBOOK.

There are three main address books that are automatically created:

  • SYSTEM

    It will contain all (and only) the synchronized contacts which information is gathered by the user table and the CTI and CLUSTER resources. Currently the synchronized attributes are the common name and the telephone number.

  • CONTACTS

    It's intended to contain the contacts for internal usage in a company.

  • PUBLISHED

    It's intended to contain the contacts for external use, i.e. provided to the third part companies.

Figure 52.1. An example of LDAP tree

An example of LDAP tree

To display the rights of the address books use the following command.

[21:41:10] ABILIS_CPX:d ldap rights

-------------------------------------------------------------------------------
ID: ADDRESSBOOK:
       USER:                            GRANTS:
-------------------------------------------------------------------------------
  1 contacts
       admin                            rwcd
       anonymous                        ----
-------------------------------------------------------------------------------
  2 published
       admin                            rwcd
       anonymous                        r---
-------------------------------------------------------------------------------
  3 system
       admin                            rw--
       anonymous                        ----
-------------------------------------------------------------------------------

Where the "rwcd" chars mean:

  • r - right to access the address book and read contacts

  • w - right to modify the contacts in the address book

  • c - right to create new contacts in the address book

  • d - right to delete contacts in the address book

In the system address book the creation and the deletion of contacts is never allowed because it's internally auto-synchronized.

The rights of Admin and Anonymous on default address books are explicit (note that by default the anonymous has access only to published), other users have implicit rights.

New users with LDAP parameter enabled have the "r" right in all the main address books (also the new ones) and the its personal AddressBook (LDAP-OWN-ADDRBOOK enabled).

If a different behaviour is needed for a user, an explicit entry is added. In example to remove the visibility of system address book to the user "test" use the following command:

[21:41:00] ABILIS_CPX:a ldap rights id:3 user:test grants:

COMMAND EXECUTED

[21:41:10] ABILIS:d ldap rights

-------------------------------------------------------------------------------
ID: ADDRESSBOOK:
       USER:                            GRANTS:
-------------------------------------------------------------------------------
  1 contacts
       admin                            rwcd
       anonymous                        ----
-------------------------------------------------------------------------------
  2 published
       admin                            rwcd
       anonymous                        r---
-------------------------------------------------------------------------------
  3 system
       admin                            rw--
       anonymous                        ----
       test                             ----
-------------------------------------------------------------------------------

52.2.3. Account table

The account table is used when LDAP acts as a client of remote servers. The list of account on such servers is available in such table. The value in the account may be used by LDAP-REM-ACCOUNT parameter in CTISYS table.

Use the d ldap account user command to display the account table parameters; the d ldap account ? command shows the meaning of all parameters.

In this example a new account is created. Its name is cpx-test and such string is used in LDAP-REM-ACCOUNT in ctisys resource to identify such account.

[17:29:06] ABILIS_CPX:a ldap account:cpx-test

COMMAND EXECUTED

[17:31:43] ABILIS_CPX:s ldap account:cpx-test host:80.80.80.80

COMMAND EXECUTED

[17:31:59] ABILIS_CPX:s ldap account:cpx-test user:jack pwd:mypassword


[17:32:58] ABILIS_CPX:d ldap account

--------+------------------+----------------------------------+----------------
ID:     |[DESCR:]
ENABLED:|ACCOUNT:
        |HOST:
        |PORT:             |USER:                             |PWD:
--------+------------------+----------------------------------+----------------
0        cpx-test
YES      80.80.80.80
         DFT (389)          jack                               ***
--------+------------------+----------------------------------+----------------


[17:34:48] ABILIS_CPX:s p ctisys ADDRBOOK-SOURCE:ldap-remote LDAP-REM-ACCOUNT:cpx-test

COMMAND EXECUTED

[17:34:48] ABILIS_CPX:s p ctisys LDAP-SEARCH-BASE-DN:dc=foo,dc=bar

COMMAND EXECUTED

[17:35:18] ABILIS_CPX:d p ctisys

RES:CtiSys --------------------------------------------------------------------
Run    DESCR:CTI_System_general_properties
       ...
       - Address Book ---------------------------------------------------------
       ADDRBOOK-SOURCE:LDAP-REMOTE         ADDRBOOK-SYNC:NO
       LDAP-SEARCH-BASE-DN:dc=foo,dc=bar
       LDAP-REM-ACCOUNT:cpx-test
       LDAP-REM-OUTDIAL:0

Meaning of the most parameters:

ENABLED

Enable/disable this entry [NO, YES]

DESCR

Entry description. Max 70 chars. Spaces require double quotes (E.g. "str1 str2").

ACCOUNT

LDAP Account name. Max 16 ASCII chars. Spaces require double quotes (E.g. "My Account").

HOST

IP address of the remote LDAP host [1-126.x.x.x, 127.0.0.1, 128-223.x.x.x] or FQDN host name of max 64 characters in the range ['0'..'9', 'a'..'z', '-', '.' ]. FQDN name is forced to lower case.

PORT

TCP port of the remote LDAP host [1..65535, DFT], where 'DFT' value corresponds to 'ldap(389)' protocol port.

USER

Username of the account on the remote server. Max 32 ASCII chars. Spaces require double quotes (E.g. "My user").

PWD

Password of the account on the remote server. Max 32 ASCII chars. Space not allowed.

52.2.4. Referral table

The account table is used when LDAP acts as a server and as a client. The list of referral on such servers is available in such table. When a remote LDAP client asks for a base-dn specified in such table, then Abilis relay the request to another LDAP server providing itself the answer if CHAIN parameter is set to true.

Use the d ldap referral user command to display the referral table parameters; the d ldap referral ? command shows the meaning of all parameters.

In this example a new referral entry is created.

[17:29:06] ABILIS_CPX:a ldap referral id:0 base-dn:dc=test,dc=it account:cpx-test

COMMAND EXECUTED

[17:48:59] ABILIS_CPX:d ldap referral

- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
--------+-------------------------------------+--------------------------------
ID:     |[DESCR:]
ENABLED:|BASE-DN:
        |ACCOUNT:                             |CHAIN
--------+-------------------------------------+--------------------------------
0        dc=test,dc=it
NO       cpx-test (Not Present)                NO
--------+-------------------------------------+--------------------------------

Meaning of the most parameters:

ENABLED

Enable/disable this entry [NO, YES].

DESCR

Entry description. Max 70 chars. Spaces require double quotes (E.g. "str1 str2").

BASE-DN

LDAP Base-DN. Max 64 alphanumeric, '=' and ',' characters. Spaces require double quotes (E.g. "dc=addr book,dc=net").

ACCOUNT

LDAP Account name. Max 16 ASCII characters. Spaces require double quotes (E.g. "My Account").

CHAIN

Enable/Disable the chaining [NO, YES]. Chaining uses a client session to resolve the request to an external server.