Configuring Active Directory Synchronization - Basic (LDAP)

Owned by Kiss, Mate
May 24, 2022
6 min read

In small or medium-sized Verba deployments, usually only a few Active Directory Synchronization Profiles are configured. When the only requirement is synchronizing the recorded users, even one profile is enough.

In the case of these basic setups, AD users separated by security groups based on the purpose of the users in Verba. These users then synchronized into Verba by Active Directory Synchronization Profiles tied to these groups.

The disadvantage of this kind of setup is, that in case of many different user setting combinations in the Verba side, lof of security groups would be required because of the combination of the settings (E.g: Voice recorded, IM recorded, Voice and IM Recorded, etc.). In cases like this, see Configuring Active Directory Synchronization - Advanced.

Synchronization Profile Sequence

The Sequence setting of the AD Synchronization Profiles determines the executon order of the profiles. It starts from the smallest one. In case of using a basic setup of AD Synchronization Profiles, this setting is important when a user is member of multiple synchronized AD security groups. Once a user gets syncronized by the first profile based on the sequence, it won't be modified any more by the subsequent profiles.

Configuring AD Synchronization for Recorded Users

Step 1 - Go to the Users \ Active Directory Synchronization menu.

Step 2 - Click on the Add New Active Directory Profile link in the upper right corner.

Step 3 - Provide a Description.

Step 4 - Provide the address of a domain controller at the LDAP Host setting.

Step 5 - Provide an AD user at the LDAP User Distinguished Name or Domain User Name setting. Provide its password in the LDAP Password field.

Step 6 - Click on the Fetch button next to the LDAP User Search Base in order to check the connection. If the connection is working, it will offer some options for the LDAP User Search Base setting.

Select (or provide) the appropriate LDAP User Search Base. This should be the base domain (E.g.: DC=CONTOSO,DC=COM), or in case of large domains with ten thousands of users, in order to avoid searching through the whole AD, provide the path to an OU which contains the users to be synchronized (E.g.: OU=Call Center,OU=London,DC=CONTOSO,DC=COM).

Step 7 - Configure the LDAP Search Filter setting for the users to be synchronized. The recommended way is copying the example configuration  that can be found right beneath the setting, then replacing the example part (CN=Verba_Group,DC=yourdomain,DC=com) with the distinguished name of the security group to be synchronized. Make sure there are no spaces before of after the LDAP filter in the text box!

Disabled users in Active Directory

There are cases when it is required for disabled users to be removed from Verba, it can be achieved by using the Syntax Filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))

The synchronization can be tested by the Test Connection button on the bottom. If the test fails, or users listed are not correct, then check the LDAP Search Filter setting.

 

Step 8a (non-SfB) - Configure the phone number and/or SIP URI mapping(s) under the Phone Numbers section.

Step 1 - Click on the  icon in order to add a new mapping.

Step 2 - Provide the LDAP attribute of the AD users to be synchronized into Verba as recorded extension (phone number or SIP URI).

Step 3 - If the whole phone number or SIP URI has to be synchronized, then provide the "(.*)" regex value in the Pattern to Match text box.

Step 4 - If no number or SIP URI transformation needed, then provide "$1" in the Conversion Rule text box.

Step 5 - Repeat the steps if multiple phone numbers and/or SIP URIs have to be synchronized.

Finding the distinguished name of a security group

The Active Directory Synchronization Profile configuration page offers a tool for searching for objects in the AD. Type in the name of the group at the Search Entry setting, click Search, then it will provide the full distinguished name of the group.

In the Active Directory, the distingushed name of a security group can be found by opening its properties, then navigating to the Attribute Editor tab. The Attribute Editor tab will be shown only, if the Advanced Features setting is turned on in the View menu.

Number and SIP URI conversion

There are cases when only a portion of the phone number or SIP URI is needed, or it has to be built from multiple elements.

If a portion of the phone number has to be cut down, modify the Pattern to Match value, so the part within brakets will match only the required part of the number. For example, lets say all the numbers in the AD starts with 001, but it's not required for the recording. In this case, the "001(.*)" pattern can be used.

In other cases, the value found in the AD LDAP attribute is not enough, so we have to extend it. Lets say the SIP URIs are not stored in the AD, but the sAMAccountName is the same as the first part of the SIP URI. In this case, extend the Conversion Rule setting with the SIP domain part: $1@contoso.com

Step 8b (Sfb/Lync) - Load the predefined mapping preset for Sfb/lync under the Phone Numbers section. Select Lync at the Mapping Preset setting, then click Load. The mapping settings will load automatically.

 

Removing the ext= part, and synchronizing the short extension

In some cases, the short extension number is stored within the msRTCSIP-Line LDAP attribute, right after the long number. In order to avoid synchronizing the short number together with the long number, change the Pattern to Match value at the second mapping to "^[tT][eE][lL]:(.*);ext=.*$".

If the short extension also required, then add a new mapping preset by clicking on the icon, set the LDAP Attribute to msRTCSIP-Line, set the Pattern to Match to "^[tT][eE][lL]:.*;ext=(.*)$" and the Conversion Rule to "$1".

The phone number and/or SIP URI synchronization can be tested also by the Test Connection button on the bottom. If the numbers and/or SIP URIs are not showing up, or they are in a wrong format, then check the mappings.

Step 9 - Click on the New Users' Properties tab on the top.

Step 10 - Set the recording setting of the synchronized users under the Recording Settings section.

Step 11 - Click Save.

Configuring AD Synchronization for Supervisors or other users

Step 1 - Complete the steps 1-7 from the Configuring AD Synchronization for Recorded Users section in order to set the basic settings of the AD Synchronization profile.

Step 2 - Click on the New Users' Properties tab on the top.

Step 3 - Tick the role(s) that is required for the synchronized users under the Available Roles section.

Step 4 - Click Save.