LDAPv3 Synchronization Configuration

The LDAPv3 synchronization configuration procedure includes the following steps:

Step 1 Add CUCM directory user and assign administrator access rights in the LDAPv3 directory (depends on LDAPv3 directory server).

Step 2 Activate the Cisco DirSync service.

Step 3 Configure the LDAPv3 system.

Step 4 Configure the LDAPv3 directory.

The synchronization is performed by a feature service called Cisco DirSync. DirSync has to be activated on the publisher server.

The Cisco DirSync service has some configurable service parameters that you can configure from the following CUCM Administration location: System > Service Parameters. Choose the Cisco DirSync service from the appropriate server. The service parameters include the maximum number of synchronization agreements, hosts (directory servers), and several timers.

Navigate to System > LDAPv3 > LDAPv3 System to configure the LDAPv3 server type (Microsoft Active Directory or other) and the LDAPv3 attribute that should be mapped to the CUCM user ID. Check the Enable Synchronizing from LDAP Server check box, as shown in Figure 6-16.

Figure 6-16 LDAPv3 System Configuration

The LDAPv3 directory configuration is performed once per synchronization agreement (session). Navigate to System > LDAPv3 > LDAPv3 Directory and click Add New to add a new synchronization agreement. A warning is displayed indicating that all existing end users who are not found in the LDAPv3 directory will be deleted: the LDAPv3 directory is authoritative, and its contents overwrite the end-user data in the CUCM database. Figure 6-17 shows the LDAPv3 directory configuration.

Figure 6-17 LDAPv3 Directory Configuration

Callouts in Figure 6-17:

Configure search base for this synchronization agreement

Configure Unified CM directory user (as configured in LDAP)

Configure LDAP server(s)

Configure synchronization schedule

Configure user field mappings

Navigate to User Management > End User and check the LDAPv3 sync status to verify LDAPv3 synchronization. Synchronized users are marked Active. Inactive users exist in CUCM but were not found in the LDAPv3 directory. Inactive users are deleted after a 24-hour grace period (a deferred deletion comparable in effect to tombstoning in Microsoft AD). The grace period ensures that a misconfiguration, such as a wrong search base, does not immediately impact users. Once synchronization is enabled, end users can no longer be added to or deleted from the CUCM database through CUCM Administration; they can be synchronized only from the LDAPv3 server.
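As an added example (not Cisco's code and not CUCM's actual implementation), the following Python models the behaviour described above: a synchronization run marks users returned by LDAP as Active, marks the rest Inactive, and a garbage-collection pass deletes only users that have been Inactive for the full 24 hours. The class name, user IDs and timestamps are constructed for the example; the scenario shows why the grace period matters when a wrong search base returns nothing.

```python
# Added example, not Cisco code: a small model of how a DirSync run marks
# end users Active/Inactive and how the 24-hour grace period defers deletion.
# The user IDs and timestamps below are constructed for the example.
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(hours=24)


class CucmEndUsers:
    """In-memory stand-in for the end-user table once LDAP sync is enabled."""

    def __init__(self):
        # userid -> {"status": "Active" | "Inactive", "inactive_since": datetime | None}
        self.users = {}

    def sync(self, ldap_user_ids, now):
        """One synchronization run: the LDAP result set is authoritative.

        Users returned by LDAP become (or stay) Active; users that exist in
        CUCM but were not returned become Inactive and start the grace clock.
        """
        found = {uid.lower() for uid in ldap_user_ids}
        for uid in found:
            self.users[uid] = {"status": "Active", "inactive_since": None}
        for uid, rec in self.users.items():
            if uid not in found and rec["status"] == "Active":
                rec["status"] = "Inactive"
                rec["inactive_since"] = now

    def garbage_collect(self, now):
        """Delete users that have been Inactive for the full grace period.

        Returns the list of deleted user IDs.
        """
        expired = [
            uid for uid, rec in self.users.items()
            if rec["status"] == "Inactive"
            and now - rec["inactive_since"] >= GRACE_PERIOD
        ]
        for uid in expired:
            del self.users[uid]
        return expired

    def status(self, uid):
        """Current status of a user, or None if the user no longer exists."""
        rec = self.users.get(uid.lower())
        return rec["status"] if rec else None


def misconfiguration_scenario():
    """A wrong-search-base sync that is corrected within 24 hours, then one
    that is not. Returns status snapshots for inspection."""
    t0 = datetime(2024, 1, 1, 2, 0)  # constructed timestamp
    table = CucmEndUsers()
    snapshots = {}

    table.sync(["jdoe", "asmith"], t0)  # correct agreement
    snapshots["after_good_sync"] = table.status("jdoe")

    table.sync([], t0 + timedelta(hours=24))  # wrong search base: nothing found
    snapshots["after_bad_sync"] = table.status("jdoe")

    # One hour into the grace period nothing is deleted yet.
    snapshots["gc_1h_later"] = table.garbage_collect(t0 + timedelta(hours=25))
    table.sync(["jdoe", "asmith"], t0 + timedelta(hours=26))  # fixed in time
    snapshots["after_fix"] = table.status("jdoe")

    table.sync([], t0 + timedelta(hours=48))  # broken again and left broken
    snapshots["gc_24h_later"] = sorted(table.garbage_collect(t0 + timedelta(hours=72)))
    snapshots["after_gc"] = table.status("jdoe")
    return snapshots
```

The second half of the scenario is the case the warning on the LDAPv3 Directory page is about: once the grace period expires with the agreement still broken, every end user is gone and can only be recreated by a successful synchronization.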

Click an active user to view that user's configuration page. Username, personal, and organizational settings cannot be modified; however, password, PIN, digest credentials, and PC association can be changed.

LDAPv3 Authentication

When LDAPv3 authentication is enabled, CUCM performs the following tasks:

■ End-user passwords are authenticated against the corporate directory.

■ End-user passwords are managed in LDAPv3, not in CUCM.

■ End-user passwords are stored only in LDAPv3.

Application users are still authenticated against the CUCM database. Application-user passwords are stored only in the CUCM database.

End-user PINs and other CUCM user settings are configured and stored in CUCM only.

Personal and organizational user settings such as phone number, manager, and first, middle, and last name are either managed and stored in LDAPv3 and replicated to CUCM (when LDAPv3 synchronization is used) or managed and stored in CUCM only (when LDAPv3 synchronization is not used).

In Figure 6-18, LDAPv3 authentication is enabled. End users are authenticated against the LDAPv3 directory, whereas application users are authenticated against the CUCM database. Extension Mobility, Attendant Console, Cisco Agent Desktop, and Cisco Unified Manager Assistant are examples of applications that require a PIN to be entered from the end user. The PIN is authenticated against the CUCM database, not against the LDAPv3 server.

It is best practice to configure CUCM to query a Microsoft Active Directory (AD) Global Catalog (GC) server for faster response times. Configure the LDAPv3 server information on the LDAPv3 Authentication page to point to the IP address or hostname of a domain controller that holds the Global Catalog role, and set the LDAPv3 port to 3268. This enables queries against a Microsoft Global Catalog server. Note that 3268 is the clear-text Global Catalog port, and the end-user bind carries the user's password; if the Use SSL check box is checked, use port 3269 (Global Catalog over SSL) instead.

The use of Global Catalog for authentication becomes more efficient if the users belong to multiple Microsoft AD domains. It allows CUCM to authenticate users immediately without having to follow referrals. Point CUCM to a Global Catalog server and set the LDAPv3 user search base to the top of the root domain.

Microsoft AD forests that encompass multiple trees require additional considerations. A single LDAPv3 search base cannot cover multiple namespaces. CUCM must use a different mechanism to authenticate users across discontiguous namespaces.

Figure 6-18 LDAPv3 Authentication Overview

Components shown in Figure 6-18:

CUCM Server

Embedded Database

Corporate Directory (Microsoft AD, Netscape/iPlanet)

User Data Synchronization

End users: password (includes CUCM Administrators with MLA)

Application Users (ac, jtapi, CCMAdministrator, ...)

End Users: PIN (EM Login)

To support synchronization and authentication with an AD forest that has multiple trees, you must use the UserPrincipalName (UPN) attribute as the user ID within CUCM. When the User ID field uses the UPN, the CUCM LDAPv3 authentication configuration page does not allow the LDAPv3 Search Base field to be configured; instead it displays the note "LDAPv3 user search base is formed using userid information."

The user search base is derived from the UPN suffix of each user, as shown in Figure 6-19. In this example, a Microsoft AD forest consists of two trees: avvid.info and vse.lab. Because the same username may appear in both trees, CUCM has been configured to use the UPN to uniquely identify users in its database during the synchronization and authentication processes.

A user named John Doe exists in both the avvid.info tree and the vse.lab tree. Figure 6-19 and the steps that follow illustrate the authentication process for the first user, whose UPN is jdoe@avvid.info.

Figure 6-19 LDAPv3 Authentication When Using Microsoft AD with Multiple Domains or Trees

Components shown in Figure 6-19:

CUCM

Active Directory Global Catalog Server

John Doe (avvid.info)

John Doe (vse.lab)

Search: jdoe Base: dc=avvid, dc=info

1. The user authenticates to CUCM via HTTPS with its username (which corresponds to the UPN) and password.

2. CUCM performs an LDAPv3 query against a Microsoft AD Global Catalog server. The username is specified in the UPN (information before the @ sign). The LDAPv3 search base is derived from the UPN suffix (information after the @ sign). In Figure 6-19, the username is jdoe, and the LDAPv3 search base is "dc=avvid, dc=info".

Microsoft AD identifies the correct Distinguished Name corresponding to the username in the tree specified by the LDAPv3 query. In this case, "cn=jdoe, ou=Users, dc=avvid, dc=info".

3. Microsoft Active Directory responds via LDAPv3 to CUCM with the full Distinguished Name for this user.

4. CUCM attempts an LDAPv3 bind with the Distinguished Name provided and the password initially entered by the user. The authentication process then continues as in the standard case.

Support for LDAPv3 authentication with Microsoft AD forests containing multiple trees relies exclusively on the approach just described. Therefore, support is limited to deployments where the UPN suffix of a user corresponds to the root domain of the tree where the user resides. If the UPN suffix is disjoint from the actual DNS namespace of the tree, the derived search base does not exist in the directory, and it is not possible to authenticate CUCM users against the entire Microsoft Active Directory forest. (It is, however, still possible to use a different attribute as the user ID and limit the integration to a single tree within the forest.)
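The following Python is an added example, not Cisco's code or CUCM's implementation. It models steps 2 through 4 above (derive the search base from the UPN suffix, search the Global Catalog for the user's DN, then bind as that DN with the user's password) against an in-memory stand-in for the GC so that it runs offline. The two-tree forest from Figure 6-19, the passwords, and the names FakeGlobalCatalog and authenticate are constructed for the example. It also adds two checks a practitioner would want that the text does not spell out: the username from the login form is escaped before it is placed in the search filter, and an empty password is rejected before any bind is attempted.

```python
# Added example, not Cisco code: models the UPN-based search-then-bind flow
# against an in-memory stand-in for a Global Catalog server so it runs
# offline. Entries, passwords and class/function names are constructed.
import hmac
import re

_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def split_upn(upn):
    """'jdoe@avvid.info' -> ('jdoe', 'dc=avvid,dc=info').

    The search base is derived purely from the UPN suffix, which is why the
    flow only works when the suffix matches the tree's DNS namespace.
    """
    if upn.count("@") != 1:
        raise ValueError("user ID must be a UPN containing exactly one '@'")
    user, suffix = upn.split("@")
    labels = suffix.lower().split(".")
    if not user or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("malformed UPN")
    return user, ",".join("dc=" + label for label in labels)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. The
    username comes straight from the login form, so this blocks filter
    injection such as 'jdoe)(sAMAccountName=*'."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


class FakeGlobalCatalog:
    """Minimal stand-in for the GC: answers single-equality searches scoped
    to a base DN and simple password binds."""

    _FILTER = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

    def __init__(self):
        self.entries = {}    # dn -> {"sAMAccountName": ...}
        self.passwords = {}  # dn -> password (constructed, clear text for the model)

    def add(self, dn, sam_account_name, password):
        self.entries[dn] = {"sAMAccountName": sam_account_name}
        self.passwords[dn] = password

    def search(self, base, ldap_filter):
        m = self._FILTER.fullmatch(ldap_filter)
        if not m:  # a real server rejects a malformed filter as well
            raise ValueError("invalid filter: %r" % ldap_filter)
        attr, raw = m.group(1), m.group(2)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return [
            dn for dn, attrs in self.entries.items()
            if dn.lower().endswith("," + base.lower())
            and attrs.get(attr, "").lower() == value.lower()
        ]

    def bind(self, dn, password):
        expected = self.passwords.get(dn)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


def authenticate(gc, upn, password):
    """Steps 2-4 from the text. Returns the user's DN on success, else None.
    (The initial bind as the CUCM directory user is omitted from the model.)"""
    if not password:
        # An empty password is an unauthenticated bind (RFC 4513, 5.1.2),
        # which many directories accept; it must never count as a login.
        return None
    try:
        user, base = split_upn(upn)
    except ValueError:
        return None
    dns = gc.search(base, "(sAMAccountName=%s)" % escape_filter_value(user))
    if len(dns) != 1:  # no hit, or an ambiguous result: fail closed
        return None
    return dns[0] if gc.bind(dns[0], password) else None


def build_forest():
    """The two-tree forest from Figure 6-19 with constructed passwords."""
    gc = FakeGlobalCatalog()
    gc.add("cn=jdoe,ou=Users,dc=avvid,dc=info", "jdoe", "avvid-secret")
    gc.add("cn=jdoe,ou=Users,dc=vse,dc=lab", "jdoe", "vse-secret")
    return gc
```

Because the search base comes from the suffix, the same sAMAccountName in the other tree is never a candidate, which is exactly how the UPN disambiguates the two John Doe accounts; a UPN whose suffix names a domain that does not exist in the forest simply finds nothing and fails.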


LDAPv3 Authentication Configuration

The LDAPv3 authentication configuration procedure includes the following steps:

Step 1 Add the CUCM directory user and assign administrator access rights in the LDAPv3 directory.

Step 2 Configure LDAPv3 authentication. Navigate to System > LDAPv3 > LDAPv3 Authentication to configure the CUCM directory user configured in the LDAPv3 directory, the user search base, and the LDAPv3 server(s). Check the Use LDAP Authentication for End Users check box, as shown in Figure 6-20.

Figure 6-20 LDAPv3 Authentication When Using Microsoft AD

Callouts in Figure 6-20:

Configure CUCM directory user (as configured in LDAP)

Configure LDAP server(s)

Configure search base for LDAP authentication
