Introduction
If LDAP is properly configured, the phone performs a lookup on the LDAP server for any entries with a telephoneNumber attribute set each time you start entering a number or name on the phone keypad.
If you type in digits then the phone displays all entries where the telephoneNumber begins with the same number entered so far. If you are typing in a name then the phone displays all entries where the displayName (or whatever name filter is set) begins with what has been entered so far. (This is not case-sensitive.)
Use the up and down arrows of the button 
to scroll through results and dial a highlighted entry by pressing 
.
Usage
There are two ways to perform a LDAP search on your phone:
- Simply start a search against LDAP by pressing a number. All corresponding entries will be shown accordingly to your query setup. Default edit mode is numeric.
- Allocate the Directory Search function to one of the function keys. To do so take the following steps:
- Navigate to the "Function Keys" Web User Interface page
- Choose the value "Key Event" in the "Type" field
- Choose the value "LDAP Directory" in the "Number" field and press "Save".
Configuration
The internal LDAP client can be configured at the LDAP Section of your phone's Web User Interface (WUI). In your snom phone you will see something like the following screenshot,
For more details and comprehension see examples 1 to 6:
Since version V10.1.27.0 two additional LDAP settings are available: LDAP Name Filter During Call and LDAP Number Filter During Call. These filter rules are taken during call, for example when dialing or for looking up an incoming call.
Example Configuration
You can use the below settings as a starting point and adjust the filter and display attributes according to your needs.
- LDAP name filter
(&(telephoneNumber=*)(sn=%)) --> Example 1 - LDAP number filter
(&(telephoneNumber=%)(sn=*)) --> Example 2 - LDAP Name Filter During Call
(&(telephoneNumber=*)(sn=%)) --> Example 1 - LDAP Number Filter During Call
(&(telephoneNumber=%)(sn=*)) --> Example 2 - Server Address
[IP address or domain]. Examples: 192.168.1.100, ldap.uno.edu, ldap.company.com - Port
[blank or specified LDAP port] - Base
DC=domain,DC=com --> Example 3 - Username
Admin - Password
PASSWORD - Max.Hits
50 - LDAP Name Attributes
cn sn displayName --> Example 4 - LDAP Number Atrributes
Mobile telephoneNumber ipPhone --> Example 5 - LDAP display Name
%displayName --> Example 6 - Countrycode
+49 - Areacode
030
Make also sure, that the Number Display Style is set accordingly to return either name, number or both.
Migrating settings for LDAP from an older version to version >= V10.1.27.0
Very often no special migration steps are necessary, the LDAP filter will still work. Still this section describes how the old settings in conjunction worked, and how that can be adjusted in the filter rules. Now additional filter rules are available, and the full notation of substring filters can be used.
Please note that the setting partial lookup was only taken into account for searches during call, meaning displaying the name of a caller, direct dial, or in connected state. To adjust the settings (if necessary) please use the new settings ldap_number_filter_during_call and ldap_search_filter_during_call. The described filter syntax can of course also be used for the old settings ldap_number_filter and ldap_search_filter. They are used in cases if the search takes place via the LDAP directory.
- Partial Lookup off meant, that all filter rules where interpreted as equality filter. This meant that a filter like this:
cn=*% was interpreted as cn=%
This means that if you want to have the same effect as partial lookup = off, you need to change the filter rules to attributeName=%
- Partial Lookup on meant, that all filter rules where interpreted as substring any filter. This meant that a filter like this:
cn=*% would have been interpreted as cn=*%*.
If you want to have the same effect as partial lookup = on, you need to change the filter rules to attributeName=*%*
- Old behavior: Partial Lookup with a number like 4 meant, that all filter rules where interpreted as substring final. This meant that a filter like this:
cn=*%, but also cn=%* or cn=*%* would have been interpreted as final. The search string would be limited to 4 characters.
New behavior: If you want to have the same effect, you need to write a filter rule like cn=*%. A limitation to the characters is no longer possible this way. In most cases throwing away some search string characters is not wanted. Every additional character only narrows the search. If the new search request is now too narrow, it might be necessary to set an area-code or country-code. Also the full support of LDAP substrings of RFC2254 can be used to solve the problem.
- Support of substring filters, less-or-equal filters, greater-or-equal filters, approximate filters RFC2254
Now very complex filters can be build. The limitation to only apply one kind of substring filter (initial/any/final) is no longer necessary.
Example: telephoneNumber=123*456*789 : Must start with 123, must contain 456, and must end with 789
- If this setting was switched on, any substring filter was interpreted as initial.
cn=*%, but also cn=%* or cn=*%* where all interpreted as cn=%*
This now changed, the % placeholder will be replaced with the * and consecutive stars will be removed. In most old filter rules this will lead to the same result.
The new approach will keep some explicit characters inside the search string, like cn=*456% would lead to cn=*456* (any), or cn=456%* would lead to cn=456*
Example 1: LDAP name filter
Here you have to specify your search criteria for name look ups.
- When you type in this field :(&(telephoneNumber=*)(sn=%))
The result of your search will be all LDAP records which have the “telephoneNumber” field set AND the (“sn”-->surname) field is equal the entered search string.
- When you type in this field : (|(cn=%)(sn=%))
The result of your search will be all LDAP records which have the (“cn”-->CommonName) OR (“sn”-->Surname) field is equal the entered search string.
- When you type in this field: (!(cn=%))
The result of your search will be all LDAP records which do NOT have the “cn” field with the entered search string.
- Additional filter options as of version 10.1.27.0:
- When you type (cn=John*) the result represents a substring filter with a subInitial component of “John” and no subAny or subFinal components. Everything starting with John will be matched.
- When you type (cn=*John*) the result represents a substring filter with a single subAny component of “John” and no subInitial or subFinal components. Anything which contains John will be matched.
- When you type (cn=*John*Doe*) the result represents a substring filter with two subAny components of “John” and “Doe” and no subInitial or subFinal components. Anything which contains John and Doe will be matched.
- When you type (cn=*Doe) the string represents a substring filter with a subFinal component of “Doe” and no subInitial or subAny elements. Anything ending with Doe will be matched.
- Additionally the greater or equal, less or equal and approximate filters are supported as of version 10.1.27.0. What is returned is dependent on the server implementation. If you enter (cn>=Doe), it could result in a numeric or lexicographic comparison, and the subsequent result. Likewise <=.
- The approximate filter is also implementation dependent. When you type (cn~=John) the return type could be Jon and John.
Example 2: LDAP number filter
Here you have to specify your search criteria for number look ups.
- When you type in this field for example:(|(telephoneNumber=%)(Mobile=%)(ipPhone=%))
the result of your search will be all LDAP records which have the “telephoneNumber” OR “Mobile” OR “ipPhone” field equal to the entered prefix.
- When you type in this field: (&(telephoneNumber=%)(sn=*))
the result of your search will be all LDAP records which have the “sn” field set AND the “telephoneNumber” field equal to the entered prefix.
- Additionally as of version 10.1.27.0 the greater or equal, less or equal and approximate filters are supported. What is returned is dependent on the server implementation. When you type (telephoneNumber >= 5) , it could result in a numeric or lexicographic comparison, and the subsequent result. Likewise <=.
See more filter documentation here: https://ldap.com/ldap-filters/
Example 3: LDAP Base
Here are some examples of what you cound enter for the ldap_base setting
o=UNIVERSITY OF NEW ORLEANS,c=US
o=SFU,c=CA
dc=telesec,dc=de
Example 4: LDAP name attributes
The LDAP name attributes setting can be used to specify the “name” attributes of each record which are to be returned in the LDAP search results.
- When you type in this field for example:cn sn displayName
this requires to specify “cn”-->commonName means Full name of the user, “sn”-->Surname, last name or family name and “displayName” fields for each LDAP record.
See the following screenshot example of an Active Directory:
Further Examples:
- cn sn displayName
Requires “cn”, “sn” and “displayName” fields for each LDAP record. - givenName
Requires “givenName” field for each LDAP record.
Note: Only givenName is being accepted as name attribute but not its abbreviation gn! |
- vorName nachName
Requires “vorName” and “nachName” fields for each LDAP record.
Example 5: LDAP number attributes
The LDAP number attributes setting can be used to specify the “number” attributes of each record which are to be returned in the LDAP search results.
- When you type in this field for example:Mobile telephoneNumber ipPhone
this requires to specify “Mobile”, “telephoneNumber” and “ipPhone” fields for each LDAP record.
See this screenshot example of an Active Directory:
Further examples:
- Mobile telephoneNumber ipPhone
Requires “Mobile”, “telephoneNumber” and “ipPhone” fields for each LDAP record. - Home Private Office
Requires “Home”, “Private” and “Office” fields for each LDAP record.
Example 6: LDAP display name
This setting specifies the format in which the “name, e.g. here Mike Black” of each returned search result is to be displayed on the snom phone.
- When you type in this field for example:%sn, %givenName
the displayed returned result should be “Black, John”
- When you type in this field for example:%cn
the displayed returned result should be “Mike Black”.
- When you type in this field for example:%givenName
the displayed returned result should be “Mike Black"
- When you type in this field for example:%givenName - %sn
the displayed returned result should be “Mike - Black"
Common attributes
Most common attributes used to configure LDAP lookup in your phone with:
| Abbrevation | Name | Description | Example |
|---|
| gn | givenName | Firstname also called Christian name | John |
| sn | surname | Surname, last name or family name | Doe |
| cn | commonName | LDAP attribute being made up from givenName joined to SN | John Doe |
| - | displayName | When using this property, be sure you understand which field you are configuring. DisplayName can be confused with CN or description. | John Doe |
| - | company | Company or organisation name | snom Technology |
| o | organizationName | Organization name or even organizational name | Germany |
| ou | organizationalUnitName | Usually department or any sub entity of larger entity | Documentation |
| DC | DC | Domain Component | snom com |
| DN | distinguishedName | unique identifier for each entry | cn=John Doe,ou=Documentation,dc=snom,dc=com |
| - | telephoneNumber | Office phone number | +493012345678 |
| mobile | mobileTelephoneNumber | Mobile or cellular phone number | +4917212993833 |
| homePhone | homeTelephoneNumber | Home Phone number | +492088190292 |
Troubleshooting
A good method to troubleshoot problems with LDAP implementation is to do a PCAP trace while performing a lookup. By tracing the search requests you can check if the phone connects and authenticates correctly and determine which requests are being sent from phone to LDAP server.
Below you can see an example of a successful LDAP lookup:
