Alcatel-Lucent Extended Communication Server
Active Directory synchronization: installation and administration

September, 2009

TC1312

Alcatel-Lucent Office Offer - All Rights Reserved Alcatel-Lucent 2009


INTRODUCTION  3
FEATURE LIST  3
PRE-REQUISITE  3
  ECS  3
  Windows server  4
INSTALLATION  4
ACTIVATION AND CONFIGURATION  4
  Service description  4
  Configuration  5
  How-to retrieve the link account information in the windows server  6
  Synchronization  9
  Deactivated account  9
USER CONNECTION  9
  Login management  10
  Restrictions  10
LOGS  11
KNOWN BUGS  11

All Rights Reserved Alcatel-Lucent 2009 Page 3


INTRODUCTION
This document, intended for the ECS administrator, explains how to install and administer the Active
Directory synchronization module on the Extended Communication Server.

FEATURE LIST
This module provides interoperability between Microsoft Active Directory domains and the
ECS LDAP directory. It is used to import users from Active Directory into the ECS LDAP directory.

Administration features
- Synchronization of user accounts with a Windows Active Directory server. All users are
imported from Active Directory, so the ECS administrator does not need to create the ECS
user accounts by hand.
- Automatic daily synchronization
- Possibility to work in mixed mode, with some users created in the ECS directory only
- Exclusion of some accounts from the synchronization
- Visibility of accounts deactivated in Active Directory

User features
- All ECS services are available to the ECS users (virtual desktop, e-mail, FTP, mobility,
fax, ...)
- User password management is deactivated in the ECS; the passwords are managed in
Active Directory

PRE-REQUISITE
ECS
Applicable ECS releases: 4.0, 4.0.1, 4.1

Pre-required patches:
- P-5665: Make LDAP restart synchronous
- P-6008: Closing patch of Service Pack 2 (installation reference: S-0002)
- P-5870: Add the hidden domain name capability for the mail system
- P-5680: Technical improvements in the directory
- P-6321: Directory fix for external POP account logins containing "-"
- P-6238: New feature: add control on user, superadmin and root passwords
- P-6525: Replace the LDAP ldbm backend by Berkeley DB

Please consult the ECS support web site for more information regarding the pre-requisites.

CAUTION: the pre-required patch P-6525 requires a reboot of the server. This reboot after the
installation of P-6525 or P-6218 is absolutely mandatory. The administrator should inform all users
before installing this patch.

Windows server
The Windows server must be used as primary domain controller. The supported releases of
Windows server are:
- Microsoft Windows 2000 Standard Server (or other versions)
- Microsoft Windows 2003 Standard Server (or other versions)
- Microsoft Windows 2008 Standard Server (or other versions)
Note: Windows 2008 Standard Server does not support encrypted connections due to a Microsoft
issue. Microsoft provides the hotfix KB957072, see http://support.microsoft.com/kb/957072/.

The Windows server must meet the following requirements:
- A link account authorized to browse the Active Directory
- A valid password for the link account
- The Active Directory domain name
- The Active Directory search base
- A firewall configuration that allows access to the LDAP and/or LDAPS service

INSTALLATION
The Active Directory synchronization module is delivered as a patch available on the update server.
Patch reference: P-6218
Installation procedure:
1- Check that the pre-required patches are installed
2- Go to the menu Appliance / Update / Update from the web / Manual update, then enter the
reference P-6218

CAUTION: the pre-required patch P-6525 requires a reboot of the server. This reboot after the
installation of P-6525 or P-6218 is absolutely mandatory.

ACTIVATION AND CONFIGURATION


Service description

Figure 1 below shows a sample network architecture in which the synchronization service can be
implemented.

Fig. 1: sample network architecture for the synchronization service

Configuration

Once the patch is installed, go to the menu Directory > Synchronization with an external directory
(Active Directory) to configure the module (see fig. 2 below).
Fill in the form available in the Configuration tab, then click OK:
- IP address or name of the external directory
- DN of the link account: this field contains the DN of the link account; this account
must be allowed to read the information contained in the directory. Example of DN: cn=link
link,cn=Users,dc=domain,dc=loc
- Link account password

- Directory domain: this field is the domain to which the external directory belongs.
It is completed automatically from the link account DN, but can be modified.
- Base in the directory: this field specifies the sub-tree of the directory you want to
synchronize, for example dc=domain,dc=loc
- Retrieval group: during the synchronization, the users and groups created are not added
directly to your server's directory base. They all belong to a group whose name is
defined in this field.
- Automatic synchronization time: this selection list sets the time at which the
automatic synchronization is executed each day.
- Secure connection with the Active Directory server: when enabled, this option
encrypts all information exchanged between the Active Directory and the server. To do this,
you can import the public part of the authority certificate used on the Active Directory in
ASCII (Base64) format. This option can be used without importing the authority certificate.

Fig. 2: configuration form of the synchronization module

This operation opens an LDAP (port 389) or LDAPS (port 636) connection to the Active Directory
server, depending on whether the secure connection is used or not. If the parameters sent by the ECS are
correct, the Active Directory server returns the list of users.
At this stage, the administrator can exclude some users from the synchronization (see the Exclusion tab).

Note: in case of LDAPS synchronization with the Active Directory server, the ECS asks the superadmin
to authenticate again.

How-to retrieve the link account information in the windows server

The link account is an Active Directory user with administrative rights. It must be created on the Windows
server with the Active Directory Users and Computers administrative tool. Below is an example of a
link account "link link" created in the Domain Admin group.

The DN of the link account has the following form:
cn=name,cn=Users,dc=domain,dc=domain_extension
Example with an Active Directory domain named domain.loc: cn=link link,cn=Users,dc=domain,dc=loc

The base from which the synchronization will be done has the following form:
dc=domain,dc=domain_extension
Example with an Active Directory domain named domain.loc: dc=domain,dc=loc
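The two forms above can be derived and checked mechanically before they are typed into the configuration form. The following Python helpers are an added example, not Alcatel-Lucent code: they build the search base and the link-account DN from a DNS domain name exactly as the document describes (domain.loc gives dc=domain,dc=loc; the link account lives in cn=Users), and they parse a DN back into its components, honouring RFC 4514 backslash escapes such as a comma inside an account name, so that a DN copied from ldp.exe can be validated against the search base. The account name "link link" and the domain domain.loc are the document's own example values.

```python
"""DN helpers for the ECS synchronization form (added example, not product code)."""
from __future__ import annotations

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def base_dn_from_domain(domain: str) -> str:
    """domain.loc -> dc=domain,dc=loc (one dc= component per DNS label)."""
    labels = domain.strip().strip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def escape_value(value: str) -> str:
    """Escape an attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def link_account_dn(account_name: str, domain: str) -> str:
    """Link account created in the default Users container: cn=<name>,cn=Users,<base>."""
    return f"cn={escape_value(account_name)},cn=Users,{base_dn_from_domain(domain)}"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs in the order written (leaf first),
    honouring backslash escapes such as "\\," inside a value. Attribute names are
    lower-cased; whitespace around each RDN is dropped."""
    parts: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part.strip()!r}")
        pairs.append((attr, value))
    return pairs


def _fold(pairs: list[tuple[str, str]]) -> list[tuple[str, str]]:
    # DN comparison is case-insensitive; fold values before comparing.
    return [(attr, value.lower()) for attr, value in pairs]


def check_link_account_dn(dn: str, base_dn: str) -> list[str]:
    """Problems found in a link-account DN typed into the form (empty list = fine):
    it must parse, its leaf RDN must be cn=<account name>, and it must lie in the
    domain of the search base (the form derives the directory domain from it)."""
    try:
        pairs, base = parse_dn(dn), parse_dn(base_dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if pairs[0][0] != "cn":
        problems.append("link account DN should start with cn=<account name>")
    if len(pairs) <= len(base) or _fold(pairs[-len(base):]) != _fold(base):
        problems.append(f"DN is not located under the search base {base_dn}")
    return problems


if __name__ == "__main__":
    base = base_dn_from_domain("domain.loc")
    link = link_account_dn("link link", "domain.loc")
    print(base, link, check_link_account_dn(link, base), sep="\n")
```

A DN such as cn=link link,cn=Users,dc=other,dc=loc parses correctly but is reported as lying outside the search base dc=domain,dc=loc, which is the kind of mismatch that otherwise only shows up as an empty user list after the form is submitted.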

This information can be retrieved from the Active Directory server with an LDAP browser. Here is an
example using the LDAP browser from the Windows server:
1- Start / Run / ldp.exe
2- Connection: enter the information to connect in LDAP to the server (see screenshot below)

3- Bind: authenticate as an existing user in the Active Directory domain (see screenshot below)

4- Search the users in the database (see screenshot below)

The result of the example search is shown below:

Important note: if the connection from the ECS to Active Directory does not work, it is
recommended to perform some connection tests from an LDAP browser installed on a client PC. The
connection from the ECS will not work as long as the connection from the LDAP browser does not
work. In that case, the installer has to check the Windows server configuration and
parameters.
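The connection tests recommended above, and the LDAP (389) / LDAPS (636) ports named in the Configuration section, can be checked from any client that has Python, before an LDAP browser is involved. The script below is an added example, not Alcatel-Lucent code: it confirms that the Windows server accepts a TCP connection on the chosen port and, for 636, that a TLS handshake completes. It also makes visible what importing the authority certificate changes: with the certificate (the Base64 file the form accepts) the server's certificate is verified, without it the session is encrypted but the test cannot tell which server answered, so it labels the result "unverified". How the ECS itself behaves when no certificate is imported is not stated in the document; the host name dc.domain.loc, the CA file path and the timeout are placeholders chosen here.

```python
"""Reachability and TLS check for the directory ports (added example, not product code)."""
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636


def tls_context(cafile=None):
    """TLS settings used for the LDAPS test.

    With the authority certificate the server certificate is verified against it
    (and only it: create_default_context with cafile does not load the system CAs)
    and the host name is checked. Without it the handshake still encrypts the
    session, but nothing proves which server answered.
    """
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_directory_port(host, port, cafile=None, timeout=3.0):
    """Describe the outcome: 'reachable' (bool), 'tls' ('n/a', 'verified',
    'unverified' or 'failed') and 'detail' (negotiated version or error text)."""
    result = {"host": host, "port": port, "reachable": False, "tls": "n/a", "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Firewall, wrong address or service not listening: same symptom for the ECS.
        result["detail"] = f"TCP connect failed: {exc}"
        return result
    result["reachable"] = True
    if port != LDAPS_PORT:
        sock.close()
        return result
    try:
        tls = tls_context(cafile).wrap_socket(sock, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        result["tls"] = "failed"
        result["detail"] = f"TLS handshake failed: {exc}"
        return result
    with tls:
        result["tls"] = "verified" if cafile else "unverified"
        result["detail"] = f"negotiated {tls.version()}"
    return result


if __name__ == "__main__":
    # Placeholder values: replace with the Windows server name and the exported CA file.
    for port in (LDAP_PORT, LDAPS_PORT):
        print(check_directory_port("dc.domain.loc", port, cafile=None))
```

On a Windows 2008 server without the hotfix mentioned in the pre-requisites, the expected symptom is "reachable" on 636 with a "failed" TLS handshake, which distinguishes a firewall problem from the certificate problem.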

Synchronization

Once the user list is retrieved from the Active Directory server, the administrator can set the service
status to On in order to activate the service.
Then click the Synchronize button at the bottom of the frame in order to launch the first
synchronization.
This operation retrieves the user information from Active Directory and creates the users in the
ECS base group. The retrieved information is:
- User login
- User first name
- User last name
- Phone number
- Mobile phone number
- E-mail addresses

Once the first synchronization is done, you can activate the daily synchronization process, which
repeats the operation described above.

Deactivated account

This list presents the user accounts that have been deleted or deactivated in the external directory.
They have been deactivated on the server. They will be active again if the account is reactivated or
recreated in the external directory. They are available in this interface so that they can be deleted by
the administrator.

USER CONNECTION
The user authenticates to the ECS services with his usual Active Directory login and password. The
first time, the ECS forwards the authentication request to the Active Directory server and, if the user is
successfully authenticated, saves the encrypted password locally. The following requests are
answered directly by the ECS until the user's password is changed; in that case the process starts
again as for the first login.
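The login flow just described, as an added Python model (not ECS code): the first request is forwarded to Active Directory, a local verifier is stored on success, later requests are answered locally, and a password that no longer matches the stored verifier is forwarded to Active Directory again, which refreshes the cache when the user has changed his password. The document says the password is saved "encrypted" without giving the format; this model stores a salted PBKDF2 hash instead, so the cached value cannot be turned back into the password. Active Directory is simulated by an in-memory dictionary of constructed accounts; the login jsmith and its passwords are made up for the example.

```python
"""Model of the ECS authentication forwarding and local cache (added example)."""
import hashlib
import hmac
import os


class FakeActiveDirectory:
    """Stand-in for the domain controller: knows the current passwords."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # login -> current password (constructed data)
        self.bind_attempts = 0           # number of requests forwarded to the directory

    def bind(self, login, password):
        self.bind_attempts += 1
        return self.accounts.get(login) == password


def _derive(password, salt):
    # Salted PBKDF2 verifier; this is the example's choice for "encrypted password".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class EcsAuthenticator:
    def __init__(self, directory):
        self.directory = directory
        self.cache = {}   # login -> (salt, verifier)

    def authenticate(self, login, password):
        """Return (accepted, source) with source 'cache' or 'active directory'."""
        entry = self.cache.get(login)
        if entry is not None:
            salt, verifier = entry
            if hmac.compare_digest(_derive(password, salt), verifier):
                return True, "cache"
            # Mismatch: either a wrong password or a password changed in Active
            # Directory. Either way the directory decides, as on the first login.
        if self.directory.bind(login, password):
            salt = os.urandom(16)
            self.cache[login] = (salt, _derive(password, salt))
            return True, "active directory"
        return False, "active directory"


def demo():
    """Walk through the flow; returns the list of (accepted, source) and the
    number of requests that reached the simulated directory."""
    ad = FakeActiveDirectory({"jsmith": "Winter2009!"})      # constructed account
    ecs = EcsAuthenticator(ad)
    trace = [
        ecs.authenticate("jsmith", "Winter2009!"),   # first login: forwarded, then cached
        ecs.authenticate("jsmith", "Winter2009!"),   # answered locally
        ecs.authenticate("jsmith", "wrong"),         # cache miss, refused by the directory
    ]
    ad.accounts["jsmith"] = "Spring2010!"             # password changed in Active Directory
    trace.append(ecs.authenticate("jsmith", "Spring2010!"))  # forwarded again, cache refreshed
    trace.append(ecs.authenticate("jsmith", "Winter2009!"))  # old password now refused
    return trace, ad.bind_attempts


if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

In this model, as in the description above, a password change is only noticed when a login no longer matches the cached verifier; every mismatch costs one round trip to the directory, which is the behaviour to expect in the ECS logs when users mistype their password.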

Login management

The ECS policy for authorized characters in a login is much more restrictive than in Active Directory, as
the authorized characters are [a..z], [0..9], [-] and [_]. Special characters are therefore converted
automatically between the Active Directory login and the ECS directory login when the user is created
in the ECS directory. The administrator will see in the ECS directory that some special characters have
been converted because they are not authorized by the ECS policy.
Here are the conversion rules:

Special characters @
Replacement characters a aeiouyAEIOUYaeiouAEIOUaeiouyAEIOUaeiouAEIOUaA oOscCanoANO

The \ (backslash) character is removed (replaced with nothing).


The ASCII characters are handled as follows (see http://www.table-ascii.com/ for the ASCII table):

Passwords management
The following restrictions apply to password management.
The password policy of Active Directory must be compliant with the policy of the ECS.
Be careful to update your Active Directory password policies so that passwords only use the characters
[ a-z A-Z 0-9 _ / \ & ~ " # ' { } ( ) [ ] < > ` @ = ? ; : ! + . , % $ * - ].
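Both character policies of this section, the login conversion rules and the password character list, can be checked ahead of a synchronization so that the administrator knows which Active Directory logins will be altered and which password policy settings will produce passwords the ECS rejects. The helpers below are an added example, not ECS code. ecs_login_from_ad() applies the rules the document states (only [a-z], [0-9], "-" and "_" survive; "@" becomes "a"; the backslash is removed; accented letters lose their accent): the accent handling is done with Unicode NFKD decomposition plus a small explicit table for letters that have no decomposition, and upper-case letters are folded to lower case; those two choices are assumptions, since the document's conversion table is not legible in this copy. Any character that still falls outside the ECS set is reported rather than silently mapped. password_policy_violations() compares a password against the character list quoted just above. All sample logins and passwords are constructed.

```python
"""Login conversion and password character checks (added example, not product code)."""
import unicodedata

ECS_LOGIN_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_")

# Character list quoted in the "Passwords management" paragraph of the document.
ECS_PASSWORD_CHARS = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "_/\\&~\"#'{}()[]<>`@=?;:!+.,%$*-"
)

# Letters with no NFKD decomposition; replacements chosen here by analogy with the
# accent-stripping rule (assumption, not taken from the document's table).
_NO_DECOMPOSITION = {
    "ø": "o", "Ø": "O", "æ": "ae", "Æ": "AE", "œ": "oe", "Œ": "OE",
    "ß": "ss", "ð": "d", "Ð": "D", "þ": "th", "Þ": "TH", "ł": "l", "Ł": "L",
}


def ecs_login_from_ad(ad_login):
    """Return (login, rejected): the converted ECS login and the list of
    characters that could not be converted to an authorized one."""
    out, rejected = [], []
    for ch in ad_login:
        if ch == "@":
            out.append("a")          # rule stated in the document
            continue
        if ch == "\\":
            continue                 # backslash is removed, per the document
        ch = _NO_DECOMPOSITION.get(ch, ch)
        # NFKD splits 'é' into 'e' + combining acute accent; keep the base letter only.
        base = "".join(c for c in unicodedata.normalize("NFKD", ch)
                       if not unicodedata.combining(c))
        for c in base.lower():       # case folding is this example's assumption
            if c in ECS_LOGIN_CHARS:
                out.append(c)
            else:
                rejected.append(c)
    return "".join(out), rejected


def password_policy_violations(password):
    """Characters of the password the ECS does not accept, in order of first appearance."""
    seen = []
    for ch in password:
        if ch not in ECS_PASSWORD_CHARS and ch not in seen:
            seen.append(ch)
    return seen


if __name__ == "__main__":
    for login in ("José.Müller@domain.loc", "DOMAIN\\jsmith", "ørjan_Ås"):   # constructed
        print(login, "->", ecs_login_from_ad(login))
    for pw in ("Winter 2009!", "Pa$$w0rd-{ok}"):                            # constructed
        print(pw, "->", password_policy_violations(pw))
```

Running the conversion over an export of the Active Directory logins before the first synchronization lists every login that will be changed, which is easier than discovering the conversions one by one in the ECS directory afterwards; a non-empty rejected list (a dot or a space, for instance) marks logins whose conversion the document's rules do not cover.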

Restrictions

The number of users that can be imported cannot exceed the maximum number of licensed users.

For those users, the personal information page no longer allows changing the password and the phone
information.

LOGS
The system logs regarding this service are available in Control panel / System logs, tab System, in
the file /var/log/syslog

KNOWN BUGS

www.alcatel-lucent.com
