270 likes | 572 Views
Cisco Unity Connection 7.0 Directory Integration TOI. Manoj Agrawal manoja@cisco.com. Overview . One way synchronization of user data from an LDAP directory. User authentication against LDAP. No schema extensions. All LDAP access is read-only.
E N D
Cisco Unity Connection 7.0 Directory Integration TOI Manoj Agrawal manoja@cisco.com
Overview • One way synchronization of user data from an LDAP directory. • User authentication against LDAP. • No schema extensions. All LDAP access is read-only. • System is functional even when the LDAP server is down. • Active Directory is supported right now. Sun and Netscape in the future.
Synchronization • User information is synchronized using Cisco DirSync. • Same Cisco DirSync that is used by CUCM. • All of the same configuration options. • Service activated from Cisco Unified Serviceability. • Admin pages nearly identical as well. • Passwords are not synchronized. • The list of LDAP attributes that are included in the sync as well as the mapping to CUC user fields is displayed in the LDAP Directory Configuration page.
Synchronization configuration • LDAP attribute for CUC Alias. This is the LDAP attribute that will correspond to the Alias of CUC users. It is a global setting and will apply to all synchronization configs. For AD this is commonly the sAMAccountName. • LDAP Manager Distinguished Name and password. This is an LDAP user that has rights to access the LDAP directory. • LDAP User Search Base. The container within the directory where the users are located. Users in child containers are also synchronized.
Synchronization configuration (cont) • LDAP Server Hostname/IP Address and Port. • Use SSL. This is an option to enable SSL encryption. • Redundant servers. Multiple LDAP servers (for the same directory) can be specified for redundancy. • Multiple sync configurations are allowed.
Synchronization schedule • All syncs are full syncs. Incremental syncs will be available in the future. • Synchronization can happen on regular intervals or it can be a one-time synchronization. • For recurring syncs, the sync interval can be specified in number of hours, days, weeks or months. The min interval is 6 hours. • For recurring syncs, the date and time of the next sync can be specified. • On demand syncs can be initiated at any time as long as a sync is not already in progress.
Authentication • For users that are integrated (synced) with LDAP, web application passwords are authenticated against LDAP. This applies to CUCA, CPCA and IMAP access. • Voice mail passwords (PINs) are always authenticated locally. • If the LDAP server is unavailable, CUCA, CPCA and IMAP access will not be available for users that are integrated with LDAP. However, voice mail access will still be available. • For users that are not integrated with LDAP, all authentication occurs locally.
Authentication configuration • LDAP authentication needs to be enabled and configured in addition to LDAP synchronization. • It can only be enabled if LDAP synchronization is also enabled. • It is not necessary to enable LDAP authentication in order to use LDAP synchronization.
Authentication configuration (cont) • Even though multiple synchronization configurations are allowed, only one authentication configuration covers all LDAP users. This means that there is only one search base for authentication. • If the system is configured with multiple sync configurations, authentication must be configured with a search base that is the parent of the search bases used in the sync configurations. • Use of the Global Catalog server is recommended for AD and is required in a multi-domain forest.
Importing users • Users must be manually imported either via the Import Users page or BAT. Users are not automatically imported from LDAP. (CUCM automatically imports them). • A user template must be selected during the import. • The user’s extension is grabbed from LDAP and displayed on the Import Users page. It can be overridden during the import. • The extension that is displayed on the Import Users page can be processed through a regular expression in order to select only a portion of the string. Using [0-9]{4}$ would only grab the last 4 digits from LDAP. For more information on Java regular expressions, please see http://java.sun.com/docs/books/tutorial/essential/regex/index.html. • The extension regular expression can be modified on the Advanced LDAP Settings page.
More about users • If a user has been imported from LDAP, the user’s page in CUCA will say “Active User imported from LDAP Directory”. • Standalone users (non-LDAP integrated users) can be added to a system that has LDAP enabled. • If the LDAP user object (account) for an LDAP integrated user is deleted from LDAP, after a grace period, the user will be converted to a standalone user. • AXL integrated users can also be added to a system that has LDAP enabled.
User management with BAT • BAT can be used to import LDAP users in bulk. The steps are: • Export “Users from LDAP directory” into a CSV file. • Modify CSV file (update Extensions or remove users). • Create new “Users with Mailbox” using the CSV file. • BAT can also be used to convert existing AXL and standalone users into LDAP integrated users. The steps are: • Export “Users from LDAP directory” into a CSV file. • Modify the CSV file to only include the users you want to convert. • Use BAT to update existing users using the CSV file.
Co-res • Directory integration on a co-res system is handled entirely by CUCM. The feature works exactly like it would on a standalone CUCM system. • All of the configuration occurs in the CUCM admin pages. • User data is synchronized with LDAP and LDAP authentication occurs for all users (other than the default CUC users). • Due to the co-res integration, the CUC side of the product is completely unaware of the fact that the system is integrated to a corporate directory.
Steps to configure and use LDAP • Enable Cisco DirSync. • Select the LDAP server type and LDAP attribute for Alias. • Configure the LDAP synchronization details. • Initiate a manual (on demand) sync. • Configure LDAP authentication. • Import users.
Troubleshooting • Manual syncs can be initiated from the sync configuration page. • Diagnostic trace files from two components are helpful: • Cisco DirSync • Connection CM Database Event Listener (CuCmDbEventListener) • The DirSync diagnostic trace files are saved to the /var/log/active/cm/trace/dirsync/log4j directory. The filename format is dirsyncxxxxx.log. • The CuCmDbEventListener diagnostics trace files are saved to the /var/opt/cisco/connection/log directory. The filename format is diag_CuCmDbEventListener_xxxxxxxx.uc
Troubleshooting cont • DirSync diagnostics can be enabled from Cisco Unified Serviceability. In Trace -> Configuration: • Select Directory Services for the Service Group and click Go. • Then select DirSync for the Service and click Go. • Change the Debug Trace Level to Debug and click Save. • CuCmDbEventListener diagnostics can be enabled from Cisco Unity Connection Serviceability. In Trace -> Micro Traces: • Select CuCmDbEventListener for the Micro Trace and click Go. • Select levels 00, 01, 03 and 04 and then click Save.
More Information • Contacts • Manoj Agrawal (manoja@cisco.com) • Jennifer Bui (jbui@cisco.com) • CUC directory integration (cuc-ldap@cisco.com) • CUCM directory integration (userprefs-team@cisco.com) • Documents • FFS (EDCS-603726) • CUCM 6 Directory Configuration Admin Guide • Unity Connection 7.0 Design Guide: LDAP Directory Integration • (http://zed.cisco.com/confluence/display/CUC/Technical+Marketing)
Q&A Q&A