wiki:CiscoUCM
Last modified on 08/18/11 11:36:26

On Thu, 18 Aug 2011, at 11:25, Schroeder, Lloyd wrote:

After further research it looks like we can only do LDAPv3 with SSL connectivity at this point in time. Maybe in the near future we can utilize another third party solution. I now have a sponsor signed document that I plan on bringing to you today. I need the filter with the people only with the sn and givenName coupled with the telephone number in the filter. Can you please supply this for me? I will be there later on this afternoon with the signed document. I appreciate all your efforts in helping us get the right data that we need.

I will also need to get the SSL Certificate from your LDAP server so that I can upload it to my server side. I pulled out an excerpt from an LDAP document from Cisco.

You can secure the connection between the Cisco Unified Communications Manager server and the LDAP directory server by enabling a Secure Socket Layer (SSL) connection for the LDAP server on Cisco Unified Communications Manager, and uploading the SSL certificate to Cisco Unified Communications Manager. You must upload the LDAP SSL certificate as a directory-trust certificate on Cisco Unified Communications Manager Release 7.x and earlier, and as a tomcat-trust certificate on Cisco Unified Communications Manager Release 8.x and later. After you upload the LDAP SSL certificate, you need to restart the following services on Cisco Unified Communications Manager:

  • Directory service
  • Tomcat service

Regards,
Lloyd

Lloyd Schroeder
WWT Professional Services
UC Engineer
lloyd.schroeder@…
907.770.8323 SNR

From: David Bantz david.bantz@…
Sent: Wednesday, August 17, 2011 11:25 AM
To: Schroeder, Lloyd
Cc: Kevin Jacobson; Porter, Daun; Hamlett, Jason; Melinda Shore
Subject: Re: [IAM-L] RE: LDAP Integration UAF

  • To re-cap the data on phone numbers in EDIR:

People only: 5847 records
All ous (people, departments, resources): 6654 records

Note that TelephoneNumber is a multivalued attribute, and some individuals do have more than one phone listed (they have multiple offices...). Also, you MIGHT want to include departments in the pull so that someone could look up a department name as well as an individual's name.

  • To re-cap the discussion of names, our EDIR has name fields:

sn - surname or last name
givenName - first name
displayName - a single string combining the user's preferred first name (not necessarily givenName) and sn
cn - common name, multivalued

sn or lastname for some individuals includes suffixes like "jr" or "iii"; that just means a search for jones should match jones*

  • To re-cap our discussion about user authentication to your web application: we would prefer a trusted third party authentication that does not entail revealing users' passwords to your service.

Examples include Domain authentication (using Kerberos tickets), Central Authentication Service or CAS, SAML/Shibboleth. If the service cannot use any of those preferred means, we will revert to credential relay (ldap authentication) via SSL recognizing the additional security risk to users' credentials: Users will provide either their UA Username or their UA ID# as their identifier and their UA Password. You will need to use your service credential to search the directory for that record, retrieve the dn of that record, then bind using that dn and the user's password.

On Wed, 17 Aug 2011, at 08:09, Schroeder, Lloyd wrote:

Hello David, I wanted to send you some information ahead of the meeting so that you can get familiarized with it.

Cisco Unified Communications Manager LDAP Integration

Cisco's LDAP synchronization and Authentication provides single logon functionality for end users while making the operation of the real-time IP Communications system independent of the availability of the corporate directory. Synchronization of Unified CM with a corporate LDAP directory (Microsoft Active Directory) allows reuse of user data stored in the LDAP directory and allows the corporate LDAP directory to serve as the central repository for that information. The LDAP authentication feature enables Unified CM to authenticate end user passwords against a corporate LDAP directory instead of using the embedded database. This authentication is accomplished with an LDAPv3 connection established between the IMS module within Unified CM and a corporate directory server.

Unified CM has an integrated database for storing user data and a web interface within Unified CM Administration for creating and managing user data in that database. When synchronization is enabled, that local database is still used, but the Unified CM facility to create user accounts becomes disabled. Management of user accounts is then accomplished through the interface of the LDAP directory.

The user account information is imported from the LDAP directory into the database located on the Unified CM publisher server. Information that is imported from the LDAP directory may not be changed by Unified CM. Additional user information specific to the Unified CM implementation is managed by Unified CM and stored only within its local database. For example, device-to-user associations, speed dials, and user PINs are data that are managed by Unified CM, and they do not exist in the corporate LDAP directory. The user data is then propagated from the Unified CM publisher server to the subscribers via the built-in database synchronization.

The authentication function allows configuration of up to three servers for redundancy, and it also supports secure connections to the directory server when you enable LDAP over SSL (SLDAP). It is not possible to enable the authentication functionality without also enabling the synchronization functionality.

When authentication is enabled:

· End user passwords are authenticated against the corporate directory.

· Application user passwords are authenticated against the Unified CM database.

· End user PINs are authenticated against the Unified CM database.

Please let me know if you have any further questions.

Regards,
Lloyd

Lloyd Schroeder
WWT Professional Services
UC Engineer
lloyd.schroeder@…
907.770.8323 SNR

From: David Bantz david.bantz@…
Sent: Wednesday, August 10, 2011 3:53 PM
To: UA Identity and Access Management
Cc: Schroeder, Lloyd; Melinda Shore; Hamlett, Jason; Access Management; Porter, Daun
Subject: Re: [IAM-L] RE: LDAP Integration UAF
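The "people with sn, givenName and a telephone number" filter Lloyd asks for and the search-then-bind credential relay David describes in his 17 Aug message, as an added Python example (not code from the thread, from Cisco or from UA). Assumptions: people entries carry objectClass person, uid and employeeNumber stand in for the UA Username and UA ID# attributes, and `client` is any LDAP client (e.g. an ldap3 connection over LDAPS with the directory's certificate as trust anchor) exposing bind(dn, password) and search(base_dn, filter).

```python
# Added example, not code from the thread: RFC 4515 escaping, the
# "people with a phone number" filter and the search-then-bind credential relay.
# `client` is assumed to expose bind(dn, password) -> bool and
# search(base_dn, filter) -> list of matching dns (e.g. a thin wrapper over
# ldap3 run over LDAPS with the directory's certificate as trust anchor).

# Characters that would change the structure of a filter if passed through.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value):
    """Escape user-supplied text so it can only ever be a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def people_phone_filter(sn_prefix=None):
    """People entries (objectClass person assumed) that carry sn, givenName and
    at least one telephoneNumber. A prefix search on sn gets a trailing
    wildcard so "jones" also matches "jones jr"."""
    f = "(&(objectClass=person)(sn=*)(givenName=*)(telephoneNumber=*)"
    if sn_prefix:
        f += "(sn=%s*)" % escape_filter(sn_prefix)
    return f + ")"


def user_lookup_filter(identifier):
    """Identifier is the UA Username or UA ID# typed by the user; uid and
    employeeNumber are assumed attribute names for those two values."""
    ident = escape_filter(identifier)
    return "(&(objectClass=person)(|(uid=%s)(employeeNumber=%s)))" % (ident, ident)


def authenticate(client, base_dn, svc_dn, svc_pw, identifier, password):
    """Search-then-bind: the service credential finds the entry, then the user's
    password is checked by binding as that dn. Returns the dn or None."""
    if not password:           # empty password would become an anonymous bind
        return None
    if not client.bind(svc_dn, svc_pw):
        raise RuntimeError("service account bind failed")
    hits = client.search(base_dn, user_lookup_filter(identifier))
    if len(hits) != 1:         # no match or an ambiguous match: fail closed
        return None
    return hits[0] if client.bind(hits[0], password) else None
```

Because the identifier is escaped before it reaches the filter, a value such as `jdoe)(uid=*` is searched for literally and simply finds nothing, and the user's password is only ever sent in the final bind, never embedded in a filter.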