Provisioning VMRs and devices from Active Directory via LDAP

Pexip Infinity's Virtual Meeting Rooms and device aliases can be bulk-provisioned from directory information contained in a Windows Active Directory LDAP server, or any other LDAP-accessible database.

This means, for example, that you can automatically provide a personal VMR for every employee in an organization. Data such as employee names can be imported from the directory and used to generate a unique name and alias for each VMR, following a pattern such as meet.<username>@example.com. Other VMR settings such as PIN numbers, the layout and theme can also be assigned, depending upon your VMR template configuration.

You can also automatically provision Pexip Infinity with the device aliases that people can use to register their endpoint or Infinity Connect client to a Conferencing Node, and specify how those devices can be authenticated.

Each sync template can be configured to automatically synchronize against its LDAP sync source once per day. This ensures that the Pexip Infinity VMR and device configuration stays in step with all additions and removals that have occurred in the source directory. Many of the VMR / device settings can be tagged as "overridable" which means that if that setting (the VMR PIN number for example) is manually overridden after the VMR or device has been created, a subsequent resynchronization will not reset it back to another value.

If Pexip Infinity has been configured with the details of an SMTP server, you can send an email to the VMR owner whenever a synchronization creates a new VMR or modifies an existing VMR, or to inform a user of the device alias and credentials that they need to use to register their device.

Configuration summary

To provision your Virtual Meeting Rooms or device aliases from an LDAP database you must:

  1. Configure the connection details of an LDAP data source. You must also ensure that Pexip Infinity has trusted CA certificates for the authority that signed the LDAP server’s certificate (if a TLS connection is required).
  2. Configure an LDAP synchronization template that controls what to synchronize — VMRs, device aliases or both — and how individual settings such as the VMR name, dialable alias and PIN numbers are generated, which of those values can be manually overridden, and whether to synchronize automatically against the LDAP data source.

    If required, you can configure multiple synchronization templates that use the same LDAP data source (or different templates that use different LDAP sources). For example, you may want to use a different template for VMR syncing than the template used for device alias syncing if you need to use different LDAP filter criteria for those two user bases.

  3. Configure an SMTP server and construct an email template, if you want to send a provisioning notification email to the VMR owner or intended user of a device alias.
  4. Generate the VMRs and device aliases using your template and LDAP data source. Set the template to sync automatically when you are happy that the template is configured correctly.

These configuration steps are described in more detail in the following sections.

In addition, you can also:

  • View the status of ongoing or completed LDAP template synchronization processes via Status > LDAP sync status.
  • Delete all of the VMRs and devices that have been created from a specific template.

Configuring an LDAP data source

To configure Pexip Infinity with the connection details of an LDAP data source, such as a Windows Active Directory LDAP server:

  1. Go to Utilities > LDAP sync sources.
  2. Select Add LDAP sync source, and then complete the following fields:

    Option Description
    Name The name used to identify this LDAP sync source.
    Description An optional description of the sync source.
    LDAP server address

    The domain name (for DNS SRV lookup), FQDN (for DNS A/AAAA lookup) or IP address of the LDAP server. If using a domain or an FQDN, ensure that it is resolvable over DNS.

    You must also ensure that Pexip Infinity has trusted CA certificates for the authority that signed the LDAP server’s certificate (if a TLS connection is required).

    We strongly recommend that you do not use an IP address. If an IP address is used, and a TLS connection is required, this will only work if the IP address is specified as the common name in the LDAP server's certificate.

    See Troubleshooting LDAP server connections for more information about how the system establishes a connection to the LDAP server and how to troubleshoot connection issues.

    Search global catalog

    Select this option to expand the scope of the search to the entire Active Directory Global Catalog instead of traditional LDAP. Note that this uses ports 3268 (TCP) and 3269 (TLS).

    Allow insecure transport

    By default the system will attempt to establish a secure TLS connection with the LDAP server. Select this option if you want to allow the system to fall back to a TCP connection (using SASL DIGEST-MD5). You cannot specify the LDAP server by IP address if this option is selected.

    LDAP bind username and password

    The username and password of the bind account on the LDAP server. This should be a domain user service account, not the Administrator account.

    LDAP base DN

    The base DN (distinguished name) of the LDAP forest to query (e.g. dc=example,dc=com).

  3. Select Save.

    You can save the sync source details only if Pexip Infinity can successfully contact the specified LDAP server.

Note that all LDAP distinguished names must be entered as per the LDAP standard (RFC 4514). LDAP configuration is case insensitive.

Configuring an LDAP synchronization template

LDAP synchronization templates control what to synchronize — VMRs, device aliases or both — and how individual settings such as the VMR name, dialable alias and PIN numbers are generated, and what to include in provisioning notification emails sent to the VMR or device owner. You must also tell the template which LDAP data source to use.

Many of the VMR and device settings are based on patterns in the template that define how that setting is generated (such as using an email address as the device alias). See Using patterns, variables and filters when provisioning VMRs and devices for more information.

To configure Pexip Infinity with an LDAP synchronization template:

  1. Go to Utilities > LDAP sync templates.
  2. Select Add LDAP sync template, and then complete the following fields:

    Option Description
    Name The name used to identify this synchronization template.
    Description An optional description of the synchronization template.
    LDAP user search DN The DN relative to the LDAP base DN of the sync source to query for user records (e.g. ou=people). If blank, the LDAP base DN is used. In deployments with large user bases, you may want to configure this to optimize the LDAP user queries.
    LDAP user filter

    The LDAP filter used to match user records in the directory.

    Default: (&(objectclass=person)(!(objectclass=computer)))

    For more information, see LDAP search and filter examples.

    LDAP sync source

    Select the LDAP data source to use when syncing records.

    Note that you can select which will open a new window from where you can configure a new sync source.

    Sync VMRs

    Enables VMR synchronization for this template.

    Default: enabled.

    Sync devices

    Enables device alias synchronization for this template.

    Default: disabled.

    Enable automatic daily sync

    Select this option to instruct Pexip Infinity to automatically synchronize this template against its LDAP sync source once per day. This ensures that VMRs and devices are regularly updated, deleted or created as appropriate based on the latest data in the sync source. Therefore, for example, if a user is removed from Active Directory or their account is disabled, their corresponding VMR will be deleted via the next daily sync.

    As template synchronization can result in the automatic creation, modification or deletion of large numbers of VMRs and devices, we recommend that you only enable automatic syncing after you have manually synced at least once and have verified that you are satisfied with your sync template configuration.

    All automatic synchronizations are initiated at 01:00 UTC (this start time cannot be configured). After an initial sync, which can take several minutes in a large organization, an ongoing daily sync is typically much faster as it only processes changes since the previous sync.

    Default: disabled.

    Device settings (shown when Sync devices is selected)
    Device alias pattern

    The pattern for the alias that will be registered by the device and be used by people trying to call the device.

    For more information, see Using patterns, variables and filters when provisioning VMRs and devices.

    Default: {{mail}}

    If a device with the generated alias already exists, that existing device configuration is left unchanged.

    Device tag pattern

    Allow device tag to be manually overridden

    The pattern for the unique identifier used to track usage of the device.

    You can also allow the auto-generated device tag to be manually overridden for each device alias.

    Device description pattern

    Allow device description to be manually overridden

    The pattern to use when generating the optional description of this device alias.

    You can also allow the auto-generated device description to be manually overridden for each device alias.

    Device username pattern

    Allow username to be manually overridden

    The pattern for the device username. Note that you can use the same username for different device aliases (although we recommend you only do this for multiple devices used by the same person).

    Default: {{mail}}

    You can also allow the auto-generated username to be manually overridden for each device alias.

    Device password pattern

    Allow password to be manually overridden

    The pattern to use when generating the password for this device. A password pattern must be specified if a username pattern is configured.

    Example: {{ ("some random string"+(mail|pex_reverse))|pex_hash|pex_tail(16) }}

    You can also allow the auto-generated password to be manually overridden (by the administrator) for each device alias.

    Sync disabled accounts

    Syncs all device aliases, even if the corresponding LDAP account is disabled.

    By default, device aliases are only provisioned if the corresponding LDAP account is enabled in the LDAP directory. If Sync disabled accounts is selected, a device alias will be created for LDAP accounts that are marked as disabled. This may be useful, for example, if you have a disabled machine account in LDAP corresponding to a SIP or H.323 room system — however it is not generally useful for staff accounts because if an employee leaves an organization you usually want their device record to be deleted automatically after their account is disabled in the corporate LDAP directory.

    Default: disabled.

    Device registration settings (shown when Sync devices is selected)
    Enable SIP registration Allows this device alias to register over the SIP protocol.
    Enable H.323 registration Allows this device alias to register over the H.323 protocol.
    Enable Infinity Connect registration (non-SSO) Allows an Infinity Connect client to register using this alias (not using SSO services).
    Enable Infinity Connect registration using SSO Allows an Infinity Connect client to register using this alias, using Single Sign-On (SSO) services such as AD FS to authenticate the registration.
    Allow registration settings to be manually overridden Allows all of the auto-generated device registration settings to be manually overridden for each device.
    VMR settings (shown when Sync VMRs is selected)
    VMR name pattern

    The pattern to use to generate the name of the VMR. You should structure this pattern to generate a unique VMR name.

    For more information, see Using patterns, variables and filters when provisioning VMRs and devices.

    Example: {{givenName}} {{sn}} VMR

    If a VMR with the generated name already exists, that existing VMR configuration is left unchanged.

    VMR description pattern

    Allow VMR description to be manually overridden

    The pattern to use to generate the VMR description. This field is optional.

    Examples: {{givenName}} {{sn}}'s meeting room

    You could use a more advanced pattern such as:

    {{givenName}} {{sn}}'s {%if department %} ({{department}}){% endif %} meeting room

    which will insert "(<department name>)" before "meeting room", but only if a value exists in the LDAP department field.

    You can also allow the auto-generated VMR description to be manually overridden for each VMR.

    Host PIN pattern

    The pattern to use to generate the Host PIN (if required).

    For example, if you want a VMR to keep the same random PIN after every resync you could use a pattern like this:

    {% set pl=6 %}{% set hp=(("an ungu3ssable Pa$$phr4s3" ~mail)|pex_hash|pex_tail(pl)) %}{{hp}}

    where you:

    • set pl to the number of digits required in the PIN (it is set to 6 in this example, but can be from 4-20), and
    • replace "an ungu3ssable Pa$$phr4s3" with your own passphrase string (we recommend at least 14 characters long).

    This will generate a random number that is pl digits long, but it will always generate the same number per VMR (assuming the VMR owner's LDAP mail field remains unchanged). If you want to do a periodic update of all of the PINs associated with VMRs generated from this template, then just change the passphrase string and they will be updated to a new random PIN (assuming Allow PIN settings to be manually overridden is not selected).

    Note that the ~ operator is similar to a + and converts arguments, nulls etc. safely to strings.

    Allow Guests

    Yes: the conference can have two types of participants: Hosts and Guests. You must configure a Host PIN to be used by the Hosts. You can optionally configure a Guest PIN; if you do not configure a Guest PIN, Guests can join without a PIN, but the meeting will not start until the first Host has joined.

    No: all participants have Host privileges.

    Default: No.

    Guest PIN pattern

    The pattern to use to generate the Guest PIN (if required).

    Note that if you set a Host PIN and a Guest PIN for a VMR, those two PINs must be different. Therefore we recommend that you generate Host and Guest PINs of different lengths, or ensure that some aspect of each PIN will be different, for example:

    {% set pl=6 %}{% set hp=(("an ungu3ssable Pa$$phr4s3" ~mail)|pex_hash|pex_tail(pl)) %}{% set gp=(("a different Pa$$phr4s3" ~mail)|pex_hash|pex_tail(pl)) %}{% if hp == gp %}{{("00000000000000000000"~((gp|int)+123))|pex_tail(pl)}}{% else %}{{gp}}{% endif %}

    This works in conjunction with the example above that is used to generate the Host PIN. The pattern includes the recipe used to generate the Host PIN (hp) and uses the same technique to generate a random Guest PIN (gp). It then checks if the Guest PIN accidentally clashes with the Host PIN. If it does clash, the Guest PIN is adjusted (it is incremented by 123 in this example).

    As with the Host PIN pattern, you should:

    • set pl to the number of digits required in the Host and Guest PINs, and
    • replace "an ungu3ssable Pa$$phr4s3" and "a different Pa$$phr4s3" with your own passphrase strings (both strings must be different).
    Allow PIN settings to be manually overridden

    Allows the auto-generated Host and Guest PIN settings to be manually overridden for each VMR.

    Note that this would also preserve the generated PIN value, even if it does not actually get manually overridden.

    Layout

    Show names of participants

    Allow layout settings to be manually overridden

    The layout controls the maximum number of other participants that each participant will see, and how the participants are arranged on the screen. For more information, see Selecting the layout seen by participants.

    Default: Large main speaker and up to 7 other participants (1+7 layout).

    If participant name overlays are enabled, the display name or alias of the participants (the current main speaker and thumbnails) is shown in a text overlay along the bottom of their video image. For more information, see Showing the names of participants as a text overlay.

    You can also allow the type of layout and whether to show names of participants to be manually overridden for each VMR.

    Theme

    Allow theme to be manually overridden

    The theme for use with this VMR. For more information, see Customizing conference images and voice prompts using themes.

    Default: <use Default theme> (the global default theme is used).

    You can also allow the auto-generated theme to be manually overridden for each VMR.

    VMR alias 1 pattern

    The pattern to use to generate the alias (string) that participants can dial to join this VMR. You should structure this pattern to generate a unique alias for the VMR.

    Example: meet.{{givenName|lower}}.{{sn|lower}}@example.com or meet.{{mail}}

    If the generated alias is already assigned to another VMR, that alias is left assigned to that existing VMR.

    Alias 1 description pattern

    The pattern to use to generate a description of the alias. This field is optional.

    Example: The alphanumeric URI alias

    VMR alias 2...8 pattern and descriptions

    You can optionally enter patterns for a further 7 alternative aliases, such as an E.164 alias, to associate with this VMR. (Aliases 5-8 are configured by expanding the Advanced VMR alias options section.)

    Do not use the pex_random_pin() filter to generate numeric aliases as this is likely to generate duplicate aliases. Where possible, it is best to use a phone number, employee ID or other typically unique value as the basis of a numeric alias. If a unique value does not exist, a good fallback is to use a pex_hash() expression such as the following to generate a consistent 6-digit random E164-type alias from a hash of each user's email address: {{ ("my alias passphrase"+(mail|pex_reverse))|pex_hash|pex_tail(6) }}

    Allow aliases to be overridden

    (This option is configured by expanding the Advanced VMR alias options section.)

    Allows aliases and alias descriptions for a VMR to be added, removed or modified in any way. When enabled this means that after the initial creation of a VMR and its aliases, subsequent syncs will not change any of the aliases or their descriptions (including any which were created by VMR alias 1..8 pattern and Description 1..8 pattern even if those patterns are modified in this template).

    Email options

    Send emails
    VMR / device owner's email address
    Address override
    SMTP server

    These email options allow you to send an email to the VMR owner whenever a synchronization creates a new VMR or modifies an existing VMR, or when a synchronization creates a new device alias or modifies an existing device alias.

    The VMR/Device owner's email address defaults to {{mail}}

    See Sending provisioning emails to VMR and device owners for more information about these options.

    Advanced options (shown when Sync VMRs is selected)

    Guests can present

    Allow Guests can present to be manually overridden

    Controls whether the Guests in the conference are allowed to present content.

    • Yes : Guests and Hosts can present into the conference
    • No : only Hosts can present

    Default: Yes

    You can also allow the auto-generated Guests can present setting to be manually overridden for each VMR.

    Enable chat

    Allow enable chat to be manually overridden

    Whether chat messaging is enabled for the conference:

    Default: Use global chat setting.

    You can also allow the auto-generated enable chat setting to be manually overridden for each VMR.

    Maximum inbound call bandwidth (kbps)

    Maximum outbound call bandwidth (kbps)

    Allow maximum bandwidth settings to be manually overridden

    Specifying a maximum inbound call bandwidth will limit the bandwidth of media received by Pexip Infinity from each individual participant dialed in to this VMR. For more information see Restricting call bandwidth.

    Specifying a maximum outbound call bandwidth will limit the bandwidth of media sent from Pexip Infinity to each individual participant dialed in to this VMR. For more information see Restricting call bandwidth.

    You can also allow the auto-generated maximum inbound and outbound call bandwidth to be manually overridden for each VMR.

    Participant limit

    Allow participant limit to be manually overridden

    This optional field allows you to limit the number of participants allowed to join this VMR. For more information see Limiting the number of participants.

    You can also allow the auto-generated participant limit to be manually overridden for each VMR.

    Service tag pattern

    Allow service tag to be manually overridden

    This optional field allows you to assign a unique identifier to this service, which you can then use to track use of the service.

    You can also allow the auto-generated service tag to be manually overridden for each VMR.

    Conference capabilities

    Allow conference capabilities to be manually overridden

    Allows you to limit the media content of the conference. For more information, see Controlling media capability.

    Default: Main video + presentation.

    You can also allow the auto-generated conference capabilities to be manually overridden for each VMR.

  3. Select Save.

    You must save the template before you can use it to generate VMRs.

Allowing generated fields to be manually overridden

Many of the settings can be tagged as "overridable" which means if that setting is manually overridden after the VMR or device has been created, a subsequent resynchronization of that template will not reset it back to another value.

For example, you could configure the template with Allow PIN settings to be manually overridden selected. Then, after generating a VMR with a random Host PIN, the administrator could manually change the PIN to another specific value. This "overridable" setting ensures that the new value is protected and is not reset to another random value when that template is next used to synchronize the VMRs.

If you make a field overridable you do not have to wait for another sync before making your override changes to the relevant field. To make a field modifiable via the template again, you must clear the relevant Allow <field> to be manually overridden template setting and then re-sync with that template. Note that a setting tagged as overridable via one template could still be modified by a different template.

All of the override options are disabled by default.

LDAP search and filter examples

You can configure multiple synchronization templates that all use the same LDAP data source (or different LDAP sources, if required), but that apply different filters to that LDAP source. This means that you could apply different VMR configuration patterns based on different LDAP organizational groups. For example, you could configure the VMRs for all members of the European sales team to have a Guest PIN and a different theme to those VMRs generated for the American accounting department.

If you want to apply different VMR patterns to different types of users, you can use the LDAP user search DN and LDAP user filter template fields to filter the records from the LDAP sync source that are used to generate VMRs via that template.

This section contains some examples that you could use in a Windows Active Directory environment. Note that all LDAP user search and user filter contents are not case sensitive.

Filtering based on group membership

To import users that belong to a specific group, you can filter on the memberOf AD attribute. For example, to only import users who are members of the cn=sales,ou=groups,dc=example,dc=com group, you would set the LDAP user filter on your template to:
(&(objectCategory=person)(objectClass=user) (memberOf=cn=sales,ou=groups,dc=example,dc=com))

You could then configure a second template for the accounting department that uses the same LDAP sync source but with the LDAP user filter set to:
(&(objectCategory=person)(objectClass=user) (memberOf=cn=accounting,ou=groups,dc=example,dc=com))

To only import users who are not a member of the sales group, you would set the LDAP user filter to:
(&(objectCategory=person)(objectClass=user) (!(memberOf=cn=sales,ou=groups,dc=example,dc=com)))

To import users that belong to a specific group and any other group nested within that group, you can use the memberOf:1.2.840.113556.1.4.1941 filter for users. For example, to import users who are members of the cn=sales,ou=groups,dc=example,dc=com group or are members of a group nested within the sales group, you would set the LDAP user filter on your template to:
(&(ObjectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=cn=sales,ou=groups,dc=example,dc=com))

Filtering by LDAP field names

To import only those users who have an email address, you can set the LDAP user filter to:
mail=*

To import all users except for some named individuals, you could use the following LDAP user filter model:
(&(objectCategory=person)(objectClass=user) (!(cn=Alice Parkes))(!(cn=Bob Lee))(!(cn=Carol Jones)))

Filtering by organizational unit (e.g. region/country)

To import users that are located in a specific organizational unit such as a region or country, you can restrict the user search to the appropriate 'ou' objects. For example, to only import users who are based in 'Europe', you would set the LDAP user search DN to:
ou=europe,ou=people
(this is the DN relative to the base DN defined in the LDAP sync source)

Escaping special characters in search/filter strings

If your search/filter strings include the following special characters: ()*\ you must use a single \ to escape those characters.

For example if you have a group cn=group-with-parenthese(s)-in-name,ou=groups,dc=example,dc=com then you would set the memberOf filter to:
(memberOf=CN=group-with-parenthese\(s\)-in-name,ou=groups,dc=example,dc=com))

More information on Active Directory LDAP filtering can be found at http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx.

Generating / syncing VMRs and devices with LDAP

After you have configured a sync source and a template you can generate your VMRs and devices for the first time, or you can synchronize them to any changes that have occurred in the LDAP database since the last time the VMRs and devices were updated.

When synchronizing a template:

  • Pexip Infinity checks all of the VMRs and devices previously created by that template and it updates, deletes or creates new VMRs / devices as appropriate based on the current data in the sync source. Therefore, for example, if a user is removed from Active Directory or their account is disabled, then their corresponding VMR and device alias will be deleted.
  • If a generated VMR name or device alias already exists (either created manually or via a different template), or if a generated alias for a VMR is already assigned to another VMR, those existing VMR properties, VMR-to-alias assignments, or device aliases are not overwritten.

Any configuration changes made to Virtual Meeting Rooms are replicated to all Conferencing Nodes (typically after approximately one minute) and applied to any subsequent conferences in that Virtual Meeting Room. If there are any conferences already in place that use the Virtual Meeting Room, any attempts to join it after the configuration has been replicated may be affected by the new configuration settings.

Changes to device aliases are also replicated to all Conferencing Nodes (again, typically after approximately one minute) and are applied to any subsequent registration requests.

The template synchronization process itself can also take several minutes if you have a large number of VMRs or devices. Therefore you must wait for at least one minute after the entire synchronization process has completed to ensure that all synced data has been replicated to all Conferencing Nodes.

For these reasons, we do not recommend changing Virtual Meeting Room configuration while a conference is in progress as this may lead to an inconsistent user experience.

Automatic synchronization

To automatically synchronize a template on a daily basis:

  1. Go to Utilities > LDAP sync templates.
  2. Select the template you want to use (to open the Change LDAP sync template page).
  3. Select Enable automatic daily sync.
  4. Select Save.

As template synchronization can result in the automatic creation, modification or deletion of large numbers of VMRs and devices, we recommend that you only enable automatic syncing after you have manually synced at least once and have verified that you are satisfied with your sync template configuration.

All automatic synchronizations are initiated at 01:00 UTC (this start time cannot be configured). After an initial sync, which can take several minutes in a large organization, an ongoing daily sync is typically much faster as it only processes changes since the previous sync.

Manual synchronization

To manually generate (for the first time) or synchronize the VMRs and devices in Pexip Infinity with the LDAP data source:

  1. Go to Utilities > LDAP sync templates.
  2. Select the template you want to use (to open the Change LDAP sync template page).

  3. Scroll down to the bottom of the page and select Sync now.
  4. A status page is displayed which shows the progress of the synchronization.

    You can safely navigate away from this page without affecting the synchronization.

  5. For large imports that take a long time to complete, you can monitor the ongoing status of the import at any time via Status > LDAP sync status.

Alternatively, you can sync one or more templates by going to Utilities > LDAP sync templates, selecting the check box next to the templates that you want to use, and then from the Action drop-down menu, select Sync selected LDAP sync templates and then select Go.

Deleting all VMRs and devices associated with a template

You can easily delete all of the VMRs and devices that have been created from a specific template, for example if you have incorrectly specified the template's LDAP user filter.

To delete all VMRS and devices associated with a synchronization template:

  1. Go to Utilities > LDAP sync templates.
  2. Select the template whose associated VMRs and devices you want to delete (to open the Change LDAP sync template page).
  3. Scroll down to the bottom of the page and select Delete all VMRs and devices created from this template.
  4. Confirm that you want to proceed.
  5. The VMRs and devices will be deleted and a status message is displayed confirming the number of VMRs and devices that were deleted.

Deleting a template

If you delete a synchronization template, all of the VMRs and devices associated with that template will also be deleted.