UCServer user management in Microsoft Active Directory – permissions and schema extension
July 2021
This article explains how to use UCServer user management with Microsoft Active Directory without giving the UCServer global write permissions to the Active Directory.
The article also shows how different ProCall versions and Active Directory schema extensions can be combined.
Once a schema extension is installed, it cannot be undone!
For which AD fields are write permissions required?
This section explains which read and write permissions the UCServer needs, depending on whether a schema extension is installed.
Two factors have to be distinguished: whether the estos schema extension is in use, and whether write access to the AD standard attributes is granted.
Overview UCServer access
The following overview shows the configuration options for the UCServer access rights to the Active Directory:
Overview chart
Configuration of Write Access for standard attributes in UCServer
Write access to AD standard attributes can be enabled (default) or disabled in the UCServer administration as follows:
General – User database – LDAP phone number attributes – Advanced
Example screenshot
Notes on the schema reference and a detailed overview of the attributes can be found in the Documentation of the current ProCall version.
Delegate write permissions for the extensionName and proxyAddresses attributes
Intervention in the Microsoft Active Directory configuration should only be performed by experienced personnel.
The write permissions for the extensionName and proxyAddresses attributes cannot be delegated through the Active Directory user interface without extensive configuration adjustments, because these attributes are not offered in the permission dialogs by default. Write access to these attributes of the Active Directory user object therefore has to be granted explicitly (grant the account write access to specific attributes on the Active Directory user object).
The following article describes how these attributes can be made visible in the user interface: https://serverfault.com/questions/151919/grant-account-write-access-to-specific-attributes-on-active-directory-user-objec/797516
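The user-interface limitation does not apply when the access control entries are written by script. The following PowerShell script is an added example and is not part of the estos article or of the ProCall product: it grants the UCServer service account WriteProperty on exactly extensionName and proxyAddresses, inherited only by user objects below one OU, and then lists the resulting entries for verification. The account name EXAMPLE\svc-ucserver and the OU OU=Staff,DC=example,DC=com are assumptions; replace them with your own. It requires the ActiveDirectory PowerShell module (RSAT) and an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not part of the estos article: delegate WriteProperty on
# extensionName and proxyAddresses to the UCServer service account for the
# user objects below one OU, instead of granting write access domain-wide.
# The account name and OU are assumptions; adjust them to your domain.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\svc-ucserver'          # assumed UCServer service account
$TargetOU       = 'OU=Staff,DC=example,DC=com'    # assumed OU that holds the ProCall users
$Attributes     = @('extensionName', 'proxyAddresses')

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUID of an attribute or class so the ACE can be scoped
# to exactly that property / object class (AD ACEs reference GUIDs, not names).
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in $Attributes) {
    # Allow WriteProperty on this one attribute, inherited only by descendant
    # objects of class 'user'; nothing else on the OU or on other classes.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    [void]$acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs the service account now holds on the OU. Expect
# two WriteProperty entries, each with a different ObjectType GUID and the
# 'user' class GUID as InheritedObjectType.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification output shows the attribute and class GUIDs rather than names; compare them with the values Get-SchemaGuid returns, or run dsacls "OU=Staff,DC=example,DC=com" for a name-resolved listing. Scoping the entries to one OU and to the user class keeps the service account from writing these attributes on computers, groups or objects elsewhere in the domain, which is the point of the article.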
Without schema extension
If no schema extension is used, the account with which the UCServer accesses the AD needs write permission to extensionName and proxyAddresses.
Using the extensionName attribute can affect performance, because extensionName is a plain text field that is not indexed, so each query that filters on it forces a full search over the directory objects instead of an index lookup.
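Whether a query on an attribute can use an index is recorded in the schema attribute's searchFlags value (bit 0x1). The following PowerShell script is an added example, not part of the estos article, that decodes searchFlags and the global-catalog membership for a list of attributes so you can check this in your own forest before relying on extensionName. The attribute list is illustrative; the attributes your ProCall version actually uses are listed in its documentation.

```powershell
# Added example, not part of the estos article: report whether the attributes
# UCServer queries are indexed, by decoding searchFlags from the AD schema.
# A query that filters on an attribute without the index bit (0x1) forces a
# full scan of the directory. Attribute names below are examples; add your own.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# searchFlags bits as documented for the AD schema (plain hashtable on purpose:
# an [ordered] dictionary would index by position for integer keys).
$SearchFlagNames = @{
    0x001 = 'Indexed'
    0x002 = 'IndexedOverContainer'
    0x004 = 'ANR'
    0x008 = 'PreserveOnTombstone'
    0x010 = 'CopyOnDuplicate'
    0x020 = 'TupleIndex'
    0x040 = 'SubtreeIndex'
    0x080 = 'Confidential'
    0x100 = 'NeverAuditValueChanges'
    0x200 = 'RodcFiltered'
}

function Get-AttributeIndexState {
    param([Parameter(Mandatory)][string[]]$LdapDisplayName)
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties searchFlags, isMemberOfPartialAttributeSet
        if (-not $attr) { Write-Warning "Attribute '$name' not in schema"; continue }
        $flags = [int]$attr.searchFlags
        [pscustomobject]@{
            Attribute       = $name
            Indexed         = [bool]($flags -band 0x1)
            InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
            SearchFlags     = ($SearchFlagNames.Keys | Sort-Object |
                               Where-Object { $flags -band $_ } |
                               ForEach-Object { $SearchFlagNames[$_] }) -join ','
        }
    }
}

# The two standard attributes discussed above, a typical phone attribute, and
# sAMAccountName as an attribute that is indexed in every forest, for comparison.
Get-AttributeIndexState 'extensionName', 'proxyAddresses', 'telephoneNumber', 'sAMAccountName' |
    Format-Table -AutoSize
```

Run it with a domain account that can read the schema partition; no privileges beyond that are needed. If an attribute you rely on for lookups reports Indexed = False, every UCServer query filtering on it is a full scan, which is the performance effect the section describes.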
Combination of schema extension with different ProCall versions
AD – PCE6 – PCE4
Can an Active Directory that carries the schema extension from ProCall Enterprise 4 be integrated into a ProCall Enterprise 6 installation?
Answer: No.
This is not possible because the UCServer of ProCall Enterprise 6 uses new fields that were not available in previous versions of the schema extension.
AD – PCE5 – PCE4
Can an Active Directory that carries the schema extension from ProCall Enterprise 4 be integrated into a ProCall Enterprise 5 installation?
Answer: Not recommended.
This is possible in principle, as no new fields were added in the update from ProCall Enterprise 4 to 5. estos nevertheless explicitly recommends performing the schema extension of ProCall Enterprise 5 in order to eliminate possible sources of error.
AD – PCE5 – PCE6
Can an Active Directory that carries the schema extension from ProCall Enterprise 6 be integrated into a ProCall Enterprise 5 installation?
Answer: Not recommended.
This is possible in principle, since between versions the ProCall Enterprise schema extension has only added fields. However, this scenario is not recommended by estos and is not supported.
AD – PCE same version
Is it possible to use Active Directory with two or more UCServers of the same version in parallel?
Answer: Yes.
This is possible in principle. The two ProCall Enterprise installations must be kept completely separate, with no overlap, for example in the users or groups each server is authorized for. A ProCall user can in any case only be logged on and active on one server at a time.