The Cisco Directory Synchronization (DirSync) process is used to synchronize a number
of user attributes. The process can be scheduled to run at different intervals or performed
manually. Users are provisioned on the corporate directory and replicated to the CUCM
LDAPv3 database when directory synchronization is used.
LDAPv3 synchronization disallows end-user additions or deletions from CUCM
Administration. End users are added and deleted only in the LDAPv3 directory.
Users and their pertinent personal and organizational data are replicated from LDAPv3 to
CUCM. Most replicated user parameters are read-only in CUCM Administration. User
passwords and CUCM settings must be configured from CUCM Administration.
CUCM authenticates user credentials against a corporate LDAPv3 directory when using
LDAPv3 authentication. End-user passwords are not stored in the CUCM database.
CUCM user data (associated devices, username, password, PIN, and so on) is stored in the
CUCM database. To avoid duplication of effort in the management of user accounts,
combine LDAPv3 authentication with LDAPv3 synchronization. LDAPv3 synchronization
will force the user authentication request to be processed against the LDAPv3 server.
NOTE Application users are not affected by LDAPv3 integration. They are always
configured from CUCM Administration, and their data is always stored in the CUCM
configuration database.
128 Chapter 6: Managing User Accounts
Synchronization Agreements
LDAPv3 synchronization is performed in one of the following ways:
■ Full synchronization is used with Microsoft Active Directory 2000 and 2003. All
records are replicated from the LDAPv3 directory to the CUCM database. Full synchronization
can cause considerable load in large deployments. Synchronization events
should be carefully planned in large deployments.
■ Incremental synchronization is a method used with all supported directory servers
other than Microsoft Active Directory. Only changes are propagated to the CUCM
database with the incremental synchronization mechanism. The incremental
synchronization method requires fewer resources than the full synchronization
method.
Synchronization agreements are pointers to a domain or subdomain within an LDAPv3
structure. Synchronization agreements have to use the same synchronization method.
Synchronization agreements between Microsoft Active Directory and other LDAPv3
servers on the same CUCM cluster are not supported.
One LDAPv3 username attribute (sAMAccountName, uid, mail, or telephoneNumber) has
to be mapped to the User ID field of a user in CUCM. This identifier must be unique across
all users.
Synchronization between a corporate LDAPv3 directory and CUCM eliminates the need to
reconfigure users who already exist in the LDAPv3 directory.
Figure 6-14 illustrates the authentication of users against the CUCM database and user
lookups from the Cisco IP Phone.
Table 6-3 shows the differences between end users and application users in the CUCM user
database.
Table 6-3 Directory Synchronization Parameters

End Users                              | Application Users
---------------------------------------|----------------------------------
Associated with a person               | Associated with an application
Interactive logins                     | Noninteractive logins
User features and administrator logins | Application authorization
Included in user directory             | Not included in user directory
Synchronized from LDAPv3 server        | No LDAPv3 synchronization
Figure 6-14 LDAPv3 Synchronization
The sn attribute in the LDAPv3 server must be populated with data; otherwise, the record
will not be imported. If the primary attribute used during import of end-user accounts
matches any application user in the CUCM database, the user is skipped.
CUCM database fields provide a choice of directory attributes, but you can choose only a
single mapping for each synchronization agreement.
Synchronization Search Base
A synchronization agreement specifies a search base. A search base is an area of the
directory that is used for synchronization. The synchronization agreement specifies a
position in the directory tree where CUCM begins its search. The search level has access to
all levels lower in the tree, but not to higher levels in the tree.
[Figure 6-14 (diagram not reproduced): the CUCM server holds the embedded database, DirSync, and the Identity Management System (IMS) library; the IMS web service authenticates CUCM User Options, Extension Mobility, and CUCM Administrators logins over HTTPS; the IP Phone performs user lookups through the Directories button over HTTP; user data is synchronized from the corporate directory (Microsoft AD, Netscape/iPlanet) over LDAP(S).]
Users should be organized in a structure in the LDAPv3 directory. The existing structure
can be used to control the user groups that are imported. A single synchronization
agreement can specify the root of the domain, in which case all users of the domain are synchronized.
The search base does not normally point to the domain root.
In Figure 6-15, two synchronization agreements are represented. One synchronization
agreement specifies User Search Base 1 and imports users jsmith, jdoe, and jbloggs. These
users are in separate organizational unit (OU) containers under the Site 1 Users organizational
unit. User Search Base 2 represents a second synchronization agreement and imports
users jjones, bfoo, and tbrown. The CCMDirMgr account is not imported because it does
not reside within one of the two specified user search bases.
Figure 6-15 User Search Base
CUCM performs a bind to the LDAPv3 directory using the LDAPv3 Manager Distinguished
Name in the LDAPv3 directory configuration. The account used for the LDAPv3
Manager Distinguished Name must be available in the LDAPv3 directory for CUCM to
log in. It is recommended that you create a specific account with the permission to read
all user objects within the subtree that was specified by the user search base.
It is possible to control the import of accounts by limiting read permissions of the LDAPv3
Manager Distinguished Name account. For example, if the account is restricted to have read
access to ou=Eng but not to ou=Mktg, only the accounts located under the Eng OU will be
synchronized.
Synchronization agreements can specify multiple directory servers for redundancy purposes.
[Figure 6-15 (diagram not reproduced): tree rooted at dc=vse,dc=lab with ou=Site 1 Users (containing ou=Eng and ou=Mktg and the users jsmith, jdoe, and jbloggs; covered by User Search Base 1), ou=Site 2 Users (users jjones, bfoo, and tbrown; covered by User Search Base 2), and ou=Service Accts holding CCM Dir Mgr, for which no synchronization agreement exists, so it is not imported.]
Each synchronization agreement is configured with a synchronization start time and a
period configured in hours, days, weeks, or months. A synchronization agreement can be
configured to run only once.
The synchronization process is as follows:
1. At the beginning of the synchronization process, all existing CUCM end-user accounts
are deactivated.
2. If there were any differences in the LDAPv3 server, LDAPv3 user accounts that exist
in the CUCM user database are reactivated, and their settings are updated.
3. LDAPv3 user accounts that exist in LDAPv3 only are added to the CUCM database
and activated.
4. Deactivated accounts are purged from the CUCM database after 24 hours.
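The import rules above (search base scope, populated sn, mapped username attribute, skip on application-user clash) and steps 1 through 3 of the synchronization process, modelled as an added Python example that is not from the book or from CUCM itself. The LDAP entries are constructed to mirror Figure 6-15, the application user "jdoe" is an assumed collision case, and search-base scoping is simplified to matching the trailing RDNs of each DN.

```python
# Constructed sample entries (not real directory data); DNs follow the Figure 6-15 tree.
LDAP_ENTRIES = [
    {"dn": "cn=jsmith,ou=Eng,ou=Site 1 Users,dc=vse,dc=lab", "sAMAccountName": "jsmith", "sn": "Smith"},
    {"dn": "cn=jdoe,ou=Mktg,ou=Site 1 Users,dc=vse,dc=lab", "sAMAccountName": "jdoe", "sn": "Doe"},
    {"dn": "cn=nosn,ou=Eng,ou=Site 1 Users,dc=vse,dc=lab", "sAMAccountName": "nosn", "sn": ""},
    {"dn": "cn=CCMDirMgr,ou=Service Accts,dc=vse,dc=lab", "sAMAccountName": "CCMDirMgr", "sn": "Mgr"},
    {"dn": "cn=jjones,ou=Site 2 Users,dc=vse,dc=lab", "sAMAccountName": "jjones", "sn": "Jones"},
]
# Assumed: an application user whose ID collides with an LDAP user ID.
APPLICATION_USERS = {"jdoe"}


def in_search_base(dn, search_base):
    """True when the DN sits at or below the search base (trailing RDNs match, case-insensitive)."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    base = [r.strip().lower() for r in search_base.split(",")]
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def import_candidates(entries, search_base, user_id_attr, app_users):
    """Apply the import rules: in scope, sn populated, mapped attribute present, no app-user clash."""
    result = {}
    for e in entries:
        if not in_search_base(e["dn"], search_base):
            continue  # outside the agreement's search base
        if not e.get("sn"):
            continue  # sn must be populated or the record is not imported
        uid = e.get(user_id_attr)
        if not uid or uid in app_users:
            continue  # no mapped user ID, or it matches an application user: skipped
        result[uid] = {"sn": e["sn"], "dn": e["dn"]}
    return result


def run_sync(cucm_end_users, ldap_users):
    """Steps 1-3 of the sync process; returns the new state and the accounts left deactivated."""
    # Step 1: every existing CUCM end-user account is deactivated.
    state = {u: dict(d, active=False) for u, d in cucm_end_users.items()}
    for uid, attrs in ldap_users.items():
        if uid in state:
            # Step 2: account still present in LDAP -> reactivate and refresh its settings.
            state[uid].update(attrs, active=True)
        else:
            # Step 3: account that exists only in LDAP -> add and activate.
            state[uid] = dict(attrs, active=True)
    # Step 4 (purge after 24 hours) is left to the scheduler; report what it would remove.
    pending_purge = {u for u, d in state.items() if not d["active"]}
    return state, pending_purge
```

Running it with search base ou=Site 1 Users,dc=vse,dc=lab imports only jsmith: CCMDirMgr and jjones are out of scope, nosn has no sn, and jdoe collides with the application user.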
Synchronization Best Practices
The account that CUCM uses to read the LDAPv3 directory should be configured in the
following way:
■ Create a dedicated account used only for synchronization. Set LDAPv3 server
permissions for this account to read all user objects located below the user search bases
specified in the synchronization agreements.
■ The password of the account should be set to never expire.
Synchronization times should be configured outside office hours. All overhead and
management processes are scheduled during off-hours to minimize the CPU load incurred
by synchronization, so that the impact on call processing during business hours is limited.
Different start times should be set to reduce the load on the servers when multiple
synchronization agreements are configured.
Avoid a single point of failure by configuring at least two LDAPv3 servers, and use IP
addresses rather than hostnames to eliminate DNS reliance.
The connection between the CUCM publisher server and the directory server can be
secured by enabling Secure LDAPv3 (sLDAPv3) on CUCM and the LDAPv3 server.
sLDAPv3 carries LDAPv3 traffic over Secure Sockets Layer (SSL) using 128-bit encryption.