Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
The LDAPv3 synchronization configuration procedure includes the following steps:
Step 1 Add CUCM directory user and assign administrator access rights in the
LDAPv3 directory (depends on LDAPv3 directory server).
Step 2 Activate the Cisco DirSync service.
Step 3 Configure the LDAPv3 system.
Step 4 Configure the LDAPv3 directory.
The synchronization is performed by a feature service called Cisco DirSync. DirSync has
to be activated on the publisher server.
The Cisco DirSync service has some configurable service parameters that you can configure
from the following CUCM Administration location: System > Service Parameters. Choose
the Cisco DirSync service from the appropriate server. The service parameters include the
maximum number of synchronization agreements, hosts (directory servers), and several
timers.
Navigate to System > LDAPv3 > LDAPv3 System to configure the LDAPv3 server type
(Microsoft Active Directory or other) and the LDAPv3 attribute that should be mapped to
the CUCM user ID. Check the Enable Synchronizing from LDAP Server check box, as
shown in Figure 6-16.
Figure 6-16 LDAPv3 System Configuration
LDAPv3 Synchronization Configuration 133
The LDAPv3 directory configuration is configured once per synchronization agreement
(session). Navigate to System > LDAPv3 > LDAPv3 Directory and click Add New to add
a new synchronization agreement. A warning will display indicating that all existing end
users who are not found in the LDAPv3 directory will be deleted. The LDAPv3 directory
will overwrite the CUCM user database. Figure 6-17 shows the LDAPv3 directory
configuration.
Figure 6-17 LDAPv3 Directory Configuration
Navigate to User Management > End User and check the LDAPv3 sync status to verify
LDAPv3 synchronization. Synchronized users are marked Active. Inactive users were
configured in CUCM, but not in LDAPv3. Inactive users will be deleted after a 24-hour
period. Microsoft refers to this 24-hour period as tombstoning. Tombstoning ensures that
misconfigurations do not immediately impact users. Users can no longer be added or
deleted from the CUCM database. Users can be synchronized only from the LDAPv3
server.
Click an active user to view that user’s configuration page. Username, personal, and organizational
settings cannot be modified; however, password, PIN, digest credentials, and PC
association can be changed.
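The synchronization behaviour described above (users missing from the LDAPv3 result are marked Inactive, then deleted after the 24-hour tombstone period) is easy to reason about with a small model. The following Python is an added example written for this page, not Cisco DirSync code; it assumes a pass-by-pass reconciliation and uses constructed user IDs (jdoe, bfoo). It also shows why the grace period matters: a sync that returns no users (for instance because the search base is wrong) tombstones everyone but deletes nobody until the next pass after 24 hours, which is the window an administrator has to correct the agreement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Grace period named in the text: inactive users are deleted after 24 hours.
TOMBSTONE_GRACE = timedelta(hours=24)
# Constructed reference time for the scenario below.
T0 = datetime(2024, 1, 1, 8, 0)


@dataclass
class EndUser:
    user_id: str
    active: bool = True
    inactive_since: Optional[datetime] = None  # set when tombstoned


def reconcile(cucm_users: Dict[str, EndUser], ldap_user_ids: List[str],
              now: datetime) -> Tuple[Dict[str, EndUser], List[str]]:
    """One synchronization pass, modelled on the text (not Cisco's implementation):
    IDs present in LDAP become or stay Active (and are created if missing);
    IDs absent from LDAP are marked Inactive and timestamped;
    Inactive users whose grace period has elapsed are deleted.
    Returns (remaining users, deleted user IDs)."""
    ldap_ids = set(ldap_user_ids)
    remaining: Dict[str, EndUser] = {}
    deleted: List[str] = []
    for uid, user in cucm_users.items():
        if uid in ldap_ids:
            remaining[uid] = EndUser(uid, True, None)        # found in LDAP
        elif user.active:
            remaining[uid] = EndUser(uid, False, now)        # newly tombstoned
        elif now - user.inactive_since >= TOMBSTONE_GRACE:
            deleted.append(uid)                              # grace period over
        else:
            remaining[uid] = user                            # still within grace
    for uid in ldap_ids - cucm_users.keys():
        remaining[uid] = EndUser(uid, True, None)            # new LDAP user
    return remaining, deleted


def simulate(fixed_in_time: bool) -> dict:
    """Three passes: a healthy sync, a sync whose LDAP query returns nothing
    (a misconfigured agreement), and a pass 25 hours after the outage, with
    the agreement either corrected or still broken."""
    users = {"jdoe": EndUser("jdoe"), "bfoo": EndUser("bfoo")}
    users, _ = reconcile(users, ["jdoe", "bfoo"], T0)
    users, deleted_now = reconcile(users, [], T0 + timedelta(hours=1))
    inactive = sorted(uid for uid, u in users.items() if not u.active)
    ldap_result = ["jdoe", "bfoo"] if fixed_in_time else []
    users, deleted_later = reconcile(users, ldap_result, T0 + timedelta(hours=26))
    return {
        "deleted_immediately": sorted(deleted_now),   # always empty: grace period
        "inactive_after_outage": inactive,
        "deleted_later": sorted(deleted_later),
        "remaining": sorted(users),
    }


if __name__ == "__main__":
    print("corrected within 24h:", simulate(True))
    print("left broken:         ", simulate(False))
```

Running the module prints both outcomes; the point to take from it is that the User Management > End User page showing every user as Inactive right after a new agreement is a signal to check the search base and filter before the 24-hour window closes.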
Figure 6-17 callouts: configure the Unified CM directory user (as configured in LDAP), the LDAP server(s), the user field mappings, the synchronization schedule, and the search base for this synchronization agreement.
134 Chapter 6: Managing User Accounts
LDAPv3 Authentication
When LDAPv3 authentication is enabled, CUCM performs the following tasks:
■ End-user passwords are authenticated against the corporate directory.
■ End-user passwords are managed in LDAPv3, not in CUCM.
■ End-user passwords are stored only in LDAPv3.
Application users are still authenticated against the CUCM database. Application-user
passwords are stored only in the CUCM database.
End-user PINs and other CUCM user settings are configured and stored in CUCM only.
Personal and organizational user settings such as phone number, manager, first, middle, and
last name are either managed and stored in LDAPv3 and replicated to CUCM (when LDAPv3
synchronization is used) or managed and stored in CUCM only (when LDAPv3 synchronization
is not used).
In Figure 6-18, LDAPv3 authentication is enabled. End users are authenticated against
the LDAPv3 directory, whereas application users are authenticated against the CUCM
database. Extension Mobility, Attendant Console, Cisco Agent Desktop, and Cisco Unified
Manager Assistant are examples of applications that require a PIN to be entered from the
end user. The PIN is authenticated against the CUCM database, not against the LDAPv3
server.
It is best practice to configure CUCM to query a Microsoft Active Directory (AD) Global
Catalog (GC) server for faster response times. Configure the LDAPv3 server information
in the LDAPv3 Authentication page to point to the IP address or hostname of a domain
controller that has the Global Catalog role enabled, and configure the LDAPv3 port as
3268. This will enable queries against a Microsoft Global Catalog server.
The use of Global Catalog for authentication becomes more efficient if the users belong
to multiple Microsoft AD domains. It allows CUCM to authenticate users immediately
without having to follow referrals. Point CUCM to a Global Catalog server and set the
LDAPv3 user search base to the top of the root domain.
Microsoft AD forests that encompass multiple trees require additional considerations. A
single LDAPv3 search base cannot cover multiple namespaces. CUCM must use a different
mechanism to authenticate users across discontiguous namespaces.
Figure 6-18 LDAPv3 Authentication Overview
To support synchronization with an AD forest that has multiple trees, you must use the
UserPrincipalName (UPN) attribute as the user ID within CUCM. The CUCM LDAPv3
authentication configuration page does not allow the LDAPv3 Search Base field when the
User ID field uses the UPN. The LDAPv3 configuration page will display the note
“LDAPv3 user search base is formed using userid information.”
The user search base is derived from the UPN suffix of each user, as shown in Figure 6-19.
In this example, a Microsoft AD forest consists of two trees: avvid.info and vse.lab. Because
the same username may appear in both trees, CUCM has been configured to use the UPN
to uniquely identify users in its database during the synchronization and authentication processes.
A user named John Doe exists in both the avvid.info tree and the vse.lab tree. Figure 6-19
and the steps that follow illustrate the authentication process for the first user, whose UPN
is jdoe@avvid.info.
Figure 6-18 contents: a corporate directory (Microsoft AD, Netscape/iPlanet) synchronizes user data through DirSync into the CUCM server's embedded database; password authentication of end users (including CUCM administrators with MLA) goes to the corporate directory, while password authentication of application users (ac, jtapi, CCMAdministrator, ...) and PIN authentication of end users (EM login) go to the CUCM database; applications shown include WWW, IMS, IPMA, IPCC Express, and Attendant Console.
Figure 6-19 LDAPv3 Authentication When Using Microsoft AD with Multiple Domains or Trees
1. The user authenticates to CUCM via HTTPS with its username (which corresponds to
the UPN) and password.
2. CUCM performs an LDAPv3 query against a Microsoft AD Global Catalog server. The
username is specified in the UPN (information before the @ sign). The LDAPv3 search
base is derived from the UPN suffix (information after the @ sign). In Figure 6-19, the
username is jdoe, and the LDAPv3 search base is “dc=avvid, dc=info”.
Microsoft AD identifies the correct Distinguished Name corresponding to the
username in the tree specified by the LDAPv3 query. In this case, “cn=jdoe, ou=Users,
dc=avvid, dc=info”.
3. Microsoft Active Directory responds via LDAPv3 to CUCM with the full
Distinguished Name for this user.
4. CUCM attempts an LDAPv3 bind with the Distinguished Name provided and the
password initially entered by the user. The authentication process then continues as in
the standard case.
Support for LDAPv3 authentication with Microsoft AD forests containing multiple trees
relies exclusively on the approach just described. Therefore, support is limited to deployments
where the UPN suffix of a user corresponds to the root domain of the tree where the
user resides. If the UPN suffix is disjointed from the actual namespace of the tree, it is not
possible to authenticate CUCM users against the entire Microsoft Active Directory forest. (It
is, however, still possible to use a different attribute as the user ID and limit the integration
to a single tree within the forest.)
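The four-step exchange above (split the UPN, search the Global Catalog under a base derived from the UPN suffix, receive the full DN, bind with that DN and the user's password) and the limitation that follows it can be worked through against a small in-memory model of the two-tree forest in Figure 6-19. The Python below is an added example written for this page, not CUCM or Active Directory code. The forest contents, passwords, the GC hostname and the user kwong@corp.example (whose UPN suffix does not match the vse.lab tree that holds the account) are all constructed; port 3268 is the Global Catalog port named in the text. Two defensive details are included that a real client must get right: RFC 4515 escaping of the username before it is placed in the search filter, and refusing an empty password, because an LDAP simple bind with an empty password is treated as an anonymous bind by the server and would otherwise "succeed".

```python
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed model of the two-tree forest in Figure 6-19 (not a real directory).
# Key: distinguished name; value: attributes. Passwords are sample values.
FOREST: Dict[str, Dict[str, str]] = {
    "cn=bfoo,ou=Users,dc=avvid,dc=info": {"sAMAccountName": "bfoo", "password": "bfoo-pw"},
    "cn=jdoe,ou=Users,dc=avvid,dc=info": {"sAMAccountName": "jdoe", "password": "avvid-pw"},
    "cn=jsmith,ou=Users,dc=vse,dc=lab": {"sAMAccountName": "jsmith", "password": "jsmith-pw"},
    "cn=jdoe,ou=Users,dc=vse,dc=lab": {"sAMAccountName": "jdoe", "password": "vse-pw"},
    "cn=jbrown,ou=Users,dc=vse,dc=lab": {"sAMAccountName": "jbrown", "password": "jbrown-pw"},
    # Hypothetical account whose UPN suffix (corp.example) is disjoint from the
    # namespace of the tree it lives in (vse.lab).
    "cn=kwong,ou=Users,dc=vse,dc=lab": {"sAMAccountName": "kwong", "password": "kwong-pw"},
}

# Global Catalog endpoint CUCM is pointed at; hostname is a placeholder,
# 3268 is the GC port named in the text.
GC_SERVER = ("gc.example.invalid", 3268)

_DNS_LABEL = re.compile(r"[a-z0-9-]+")


def split_upn(upn: str) -> Tuple[str, str]:
    """Step 2: the username is the part before '@'; the search base is built
    from the DNS labels after it (jdoe@avvid.info -> dc=avvid,dc=info).
    Malformed UPNs are rejected rather than mapped to a guessed base."""
    if upn.count("@") != 1:
        raise ValueError("UPN must contain exactly one '@'")
    username, suffix = upn.split("@")
    labels = suffix.lower().split(".")
    if not username or not all(_DNS_LABEL.fullmatch(lbl) for lbl in labels):
        raise ValueError("malformed UPN")
    return username, ",".join(f"dc={lbl}" for lbl in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def gc_search(username: str, base: str) -> Optional[str]:
    """Steps 2-3 model: return the DN of the single entry under `base` whose
    sAMAccountName equals `username`, or None if there is no unique match."""
    matches = [dn for dn, attrs in FOREST.items()
               if dn.endswith("," + base) and attrs["sAMAccountName"] == username]
    return matches[0] if len(matches) == 1 else None


def bind(dn: str, password: str) -> bool:
    """Step 4 model: a simple bind succeeds only with the entry's password;
    compare_digest keeps the comparison time independent of where it differs."""
    stored = FOREST.get(dn, {}).get("password", "")
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(upn: str, password: str) -> dict:
    """Run steps 1-4 and return a trace of what was searched and bound."""
    trace = {"server": GC_SERVER, "result": "failed"}
    if not password:
        trace["reason"] = "empty password would be an anonymous bind"
        return trace
    try:
        username, base = split_upn(upn)
    except ValueError as exc:
        trace["reason"] = str(exc)
        return trace
    trace.update(username=username, base=base,
                 filter=f"(sAMAccountName={escape_filter_value(username)})")
    dn = gc_search(username, base)
    if dn is None:
        trace["reason"] = "no unique entry under search base"
        return trace
    trace["dn"] = dn
    if bind(dn, password):
        trace["result"] = "ok"
    else:
        trace["reason"] = "bind rejected"
    return trace


if __name__ == "__main__":
    for upn, pw in [("jdoe@avvid.info", "avvid-pw"), ("jdoe@vse.lab", "vse-pw"),
                    ("kwong@corp.example", "kwong-pw")]:
        print(upn, "->", authenticate(upn, pw))
```

Both jdoe accounts resolve to different DNs because the search base differs, which is exactly why the UPN is required as the user ID in a multi-tree forest. The kwong lookup fails even though the account and password exist: the base derived from its UPN suffix (dc=corp,dc=example) contains no entries, which is the disjoint-suffix limitation the text describes.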
Figure 6-19 contents: tree avvid.info (dc=avvid, dc=info) with ou=Users holding bfoo and jdoe, plus ou=other; tree vse.lab (dc=vse, dc=lab) with ou=Users holding jsmith, jdoe, and jbrown, plus ou=other. John Doe (avvid.info) logs in as jdoe@avvid.info and John Doe (vse.lab) as jdoe@vse.lab, each with a password. Between CUCM and the Active Directory Global Catalog server the figure numbers the exchange 1 through 5: the login, "Search: jdoe, Base: dc=avvid, dc=info", "Response: full DN", and "Bind: full DN + password".
LDAPv3 Authentication Configuration
The LDAPv3 authentication configuration procedure includes the following steps:
Step 1 Add the CUCM directory user and assign administrator access rights in
the LDAPv3 directory.
Step 2 Configure LDAPv3 authentication. Navigate to System > LDAPv3 >
LDAPv3 Authentication to configure the CUCM directory user
configured in the LDAPv3 directory, the user search base, and the
LDAPv3 server(s). Check the Use LDAP Authentication for End Users
check box, as shown in Figure 6-20.