Cisco Unity Connection 7.0 Directory Integration TOI
Manoj Agrawal, manoja@cisco.com
Overview
• One way synchronization of user data from an LDAP directory.
• User authentication against LDAP.
• No schema extensions. All LDAP access is read-only.
• System is functional even when the LDAP server is down.
• Active Directory is supported right now. Sun and Netscape in the future.
Synchronization
• User information is synchronized using Cisco DirSync.
• Same Cisco DirSync that is used by CUCM.
• All of the same configuration options.
• Service activated from Cisco Unified Serviceability.
• Admin pages nearly identical as well.
• Passwords are not synchronized.
• The list of LDAP attributes that are included in the sync, as well as the mapping to CUC user fields, is displayed in the LDAP Directory Configuration page.
Synchronization configuration
• LDAP attribute for CUC Alias. This is the LDAP attribute that will correspond to the Alias of CUC users. It is a global setting and will apply to all synchronization configs. For AD this is commonly the sAMAccountName.
• LDAP Manager Distinguished Name and password. This is an LDAP user that has rights to access the LDAP directory.
• LDAP User Search Base. The container within the directory where the users are located. Users in child containers are also synchronized.
Synchronization configuration (cont)
• LDAP Server Hostname/IP Address and Port.
• Use SSL. This is an option to enable SSL encryption.
• Redundant servers. Multiple LDAP servers (for the same directory) can be specified for redundancy.
• Multiple sync configurations are allowed.
Synchronization schedule
• All syncs are full syncs. Incremental syncs will be available in the future.
• Synchronization can happen on regular intervals or it can be a one-time synchronization.
• For recurring syncs, the sync interval can be specified in number of hours, days, weeks or months. The minimum interval is 6 hours.
• For recurring syncs, the date and time of the next sync can be specified.
• On demand syncs can be initiated at any time as long as a sync is not already in progress.
Authentication
• For users that are integrated (synced) with LDAP, web application passwords are authenticated against LDAP. This applies to CUCA, CPCA and IMAP access.
• Voice mail passwords (PINs) are always authenticated locally.
• If the LDAP server is unavailable, CUCA, CPCA and IMAP access will not be available for users that are integrated with LDAP. However, voice mail access will still be available.
• For users that are not integrated with LDAP, all authentication occurs locally.
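The routing rules on this slide, modelled as an added example (not code from the slides or from Cisco Unity Connection): the directory is a test double that can be switched off, local PINs and standalone passwords are stored as salted PBKDF2 records (the example's own storage choice; the slides say nothing about CUC's format), and the user and application names are constructed. The point it makes visible is the outage behaviour: an LDAP-integrated user loses CUCA/CPCA/IMAP access when the directory is unreachable but still reaches voice mail, while a standalone user is unaffected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

WEB_APPS = {"CUCA", "CPCA", "IMAP"}   # applications that use the web password
VOICEMAIL = "VOICEMAIL"               # TUI login with the numeric PIN


class LdapUnavailable(Exception):
    """Raised by the directory stand-in when the LDAP server cannot be reached."""


class FakeLdap:
    """Test double for the corporate directory (constructed for this example).

    Holds alias -> password in the clear only because it imitates a remote
    simple bind; it does not model how a real directory stores credentials.
    """

    def __init__(self, passwords, available=True):
        self.passwords = passwords
        self.available = available

    def bind(self, alias, password):
        if not self.available:
            raise LdapUnavailable("LDAP server unreachable")
        return hmac.compare_digest(self.passwords.get(alias, ""), password)


def make_secret(secret, salt=None):
    """Salted PBKDF2-SHA256 record for a locally stored PIN or password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


def check_secret(record, candidate):
    """Constant-time comparison of a candidate against a stored record."""
    salt, digest = record
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(computed, digest)


@dataclass
class User:
    alias: str
    ldap_integrated: bool
    pin: tuple                            # always local, for every user
    web_password: Optional[tuple] = None  # local only for standalone users


def authenticate(user, app, credential, ldap):
    """Return 'granted', 'denied' or 'unavailable' for one login attempt."""
    if app == VOICEMAIL:
        # PINs are always verified locally, whether or not the user is LDAP integrated.
        return "granted" if check_secret(user.pin, credential) else "denied"
    if app not in WEB_APPS:
        raise ValueError(f"unknown application {app}")
    if user.ldap_integrated:
        try:
            ok = ldap.bind(user.alias, credential)
        except LdapUnavailable:
            # No local fallback for integrated users: web/IMAP access is lost
            # until the directory is reachable again; voice mail keeps working.
            return "unavailable"
        return "granted" if ok else "denied"
    # Standalone (non-integrated) users never touch LDAP.
    return "granted" if check_secret(user.web_password, credential) else "denied"


# Constructed sample data: one LDAP-integrated user, one standalone user.
DIRECTORY_PASSWORDS = {"jdoe": "Winter-2024!"}
JDOE = User("jdoe", ldap_integrated=True, pin=make_secret("24680"))
ASMITH = User("asmith", ldap_integrated=False, pin=make_secret("13579"),
              web_password=make_secret("local-pw"))


def outage_matrix(ldap_available):
    """Outcome of each user/app pair with the directory up or down."""
    ldap = FakeLdap(DIRECTORY_PASSWORDS, available=ldap_available)
    return {
        ("jdoe", "CUCA"): authenticate(JDOE, "CUCA", "Winter-2024!", ldap),
        ("jdoe", "VOICEMAIL"): authenticate(JDOE, "VOICEMAIL", "24680", ldap),
        ("asmith", "IMAP"): authenticate(ASMITH, "IMAP", "local-pw", ldap),
        ("asmith", "VOICEMAIL"): authenticate(ASMITH, "VOICEMAIL", "13579", ldap),
    }


if __name__ == "__main__":
    for state in (True, False):
        print("LDAP available:" if state else "LDAP down:", outage_matrix(state))
```

Running the block prints the matrix twice; with the directory down, only the ("jdoe", "CUCA") entry changes, from "granted" to "unavailable".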
Authentication configuration
• LDAP authentication needs to be enabled and configured in addition to LDAP synchronization.
• It can only be enabled if LDAP synchronization is also enabled.
• It is not necessary to enable LDAP authentication in order to use LDAP synchronization.
Authentication configuration (cont)
• Even though multiple synchronization configurations are allowed, only one authentication configuration covers all LDAP users. This means that there is only one search base for authentication.
• If the system is configured with multiple sync configurations, authentication must be configured with a search base that is the parent of the search bases used in the sync configurations.
• Use of the Global Catalog server is recommended for AD and is required in a multi-domain forest.
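A pre-flight check for the two rules above, written for this page as an added example (it is not part of the slides or of the product): given the sync search bases and the single authentication search base, it lists any sync base that the authentication base does not contain (users synced from there would never be able to log in to CUCA/CPCA/IMAP) and flags when the sync bases span more than one AD domain, the case where the slide says the Global Catalog is required. The DN parser is deliberately minimal, and the distinguished names are constructed.

```python
import re


def parse_dn(dn):
    """Split a DN into normalized RDNs, most specific first.

    Splits on commas that are not backslash-escaped, trims whitespace around
    each RDN and its '=', and lower-cases everything, so
    'OU=Users, DC=Example, DC=com' compares equal to 'ou=users,dc=example,dc=com'.
    Constructed for this example; not a full RFC 4514 parser.
    """
    parts = re.split(r"(?<!\\),", dn)
    rdns = [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]
    return [r for r in rdns if r]


def covers(auth_base, sync_base):
    """True if auth_base equals sync_base or is one of its ancestors."""
    auth, sync = parse_dn(auth_base), parse_dn(sync_base)
    return len(auth) <= len(sync) and sync[len(sync) - len(auth):] == auth


def uncovered_sync_bases(auth_base, sync_bases):
    """Sync search bases whose users could never authenticate under auth_base."""
    return [b for b in sync_bases if not covers(auth_base, b)]


def domain_of(dn):
    """The DC-only suffix of a DN, i.e. the AD domain the container lives in."""
    return ",".join(r for r in parse_dn(dn) if r.startswith("dc="))


def needs_global_catalog(sync_bases):
    """True when the sync configurations span more than one AD domain."""
    return len({domain_of(b) for b in sync_bases}) > 1


# Constructed sample configuration: three sync configs across two domains of one forest.
SYNC_BASES = [
    "OU=Sales,DC=corp,DC=example,DC=com",
    "OU=Engineering, DC=corp, DC=example, DC=com",
    "OU=Staff,DC=emea,DC=example,DC=com",
]
AUTH_BASE_TOO_NARROW = "DC=corp,DC=example,DC=com"   # misses the EMEA users
AUTH_BASE_FOREST = "DC=example,DC=com"               # parent of every sync base


def report(auth_base, sync_bases):
    """Human-readable summary of the checks for one proposed auth search base."""
    missing = uncovered_sync_bases(auth_base, sync_bases)
    lines = [f"authentication search base: {auth_base}"]
    lines += [f"  NOT covered: {b}" for b in missing] or ["  all sync bases covered"]
    if needs_global_catalog(sync_bases):
        lines.append("  sync bases span multiple domains: Global Catalog required")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AUTH_BASE_TOO_NARROW, SYNC_BASES))
    print(report(AUTH_BASE_FOREST, SYNC_BASES))
```

Comparison is done on parsed RDNs rather than on string suffixes so that "DC=corp,DC=example,DC=com" is not mistaken for an ancestor of "OU=X,DC=newcorp,DC=example,DC=com".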
Importing users
• Users must be manually imported either via the Import Users page or BAT. Users are not automatically imported from LDAP. (CUCM automatically imports them.)
• A user template must be selected during the import.
• The user’s extension is read from LDAP and displayed on the Import Users page. It can be overridden during the import.
• The extension that is displayed on the Import Users page can be processed through a regular expression in order to select only a portion of the string. Using [0-9]{4}$ keeps only the last 4 digits of the value from LDAP. For more information on Java regular expressions, please see http://java.sun.com/docs/books/tutorial/essential/regex/index.html.
• The extension regular expression can be modified on the Advanced LDAP Settings page.
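What the extension regular expression does to a range of directory values, as an added example (not code from the slides or from the product): the `[0-9]{4}$` expression quoted above is applied to constructed sample records, and users whose value yields no match are listed so the administrator knows where an override on the Import Users page is needed. It assumes the expression is applied with Java's find() semantics and that the matched text is kept; the `telephoneNumber` attribute name is an assumed source, the real mapping is whatever the LDAP Directory Configuration page shows.

```python
import re

# Expression quoted on the slide: keep only the last four digits of the value.
DEFAULT_EXTENSION_REGEX = r"[0-9]{4}$"


def extract_extension(ldap_value, regex=DEFAULT_EXTENSION_REGEX):
    """Return the portion of ldap_value matched by regex, or None.

    Assumes the product applies the expression with Java's find() semantics
    (first match anywhere in the string, matched text kept); Python's
    re.search behaves the same for the patterns used here. None means the
    admin must supply the extension by hand during the import.
    """
    if not ldap_value:
        return None
    match = re.search(regex, ldap_value.strip())
    return match.group(0) if match else None


def preview_import(entries, regex=DEFAULT_EXTENSION_REGEX, attribute="telephoneNumber"):
    """Map alias -> (raw attribute value, derived extension), like an import preview.

    'telephoneNumber' is an assumed source attribute for this example.
    """
    preview = {}
    for entry in entries:
        raw = entry.get(attribute)
        preview[entry["sAMAccountName"]] = (raw, extract_extension(raw, regex))
    return preview


def users_needing_override(entries, regex=DEFAULT_EXTENSION_REGEX):
    """Aliases whose LDAP value produced no extension under the expression."""
    return sorted(alias for alias, (_, ext) in preview_import(entries, regex).items()
                  if ext is None)


# Constructed sample records in the shape of synced AD users.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "telephoneNumber": "+1 408 555 1234"},
    {"sAMAccountName": "asmith", "telephoneNumber": "x7890"},
    {"sAMAccountName": "bjones", "telephoneNumber": "555-0199 ext. 42"},
    {"sAMAccountName": "svc-fax"},   # no telephoneNumber at all
]


if __name__ == "__main__":
    for alias, (raw, ext) in preview_import(SAMPLE_ENTRIES).items():
        print(f"{alias:10} {raw!r:24} -> {ext!r}")
    print("need manual extension:", users_needing_override(SAMPLE_ENTRIES))
```

Because the expression is anchored only at the end, a value such as "1234 x5678" yields "5678"; anchoring both ends (or using a longer fixed width) is the usual way to tighten it when the directory data is consistent.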
More about users
• If a user has been imported from LDAP, the user’s page in CUCA will say “Active User imported from LDAP Directory”.
• Standalone users (non-LDAP integrated users) can be added to a system that has LDAP enabled.
• If the LDAP user object (account) for an LDAP integrated user is deleted from LDAP, after a grace period, the user will be converted to a standalone user.
• AXL integrated users can also be added to a system that has LDAP enabled.
User management with BAT
• BAT can be used to import LDAP users in bulk. The steps are:
  • Export “Users from LDAP directory” into a CSV file.
  • Modify the CSV file (update Extensions or remove users).
  • Create new “Users with Mailbox” using the CSV file.
• BAT can also be used to convert existing AXL and standalone users into LDAP integrated users. The steps are:
  • Export “Users from LDAP directory” into a CSV file.
  • Modify the CSV file to only include the users you want to convert.
  • Use BAT to update existing users using the CSV file.
Co-res
• Directory integration on a co-res system is handled entirely by CUCM. The feature works exactly like it would on a standalone CUCM system.
• All of the configuration occurs in the CUCM admin pages.
• User data is synchronized with LDAP and LDAP authentication occurs for all users (other than the default CUC users).
• Due to the co-res integration, the CUC side of the product is completely unaware of the fact that the system is integrated to a corporate directory.
Steps to configure and use LDAP
• Enable Cisco DirSync.
• Select the LDAP server type and LDAP attribute for Alias.
• Configure the LDAP synchronization details.
• Initiate a manual (on demand) sync.
• Configure LDAP authentication.
• Import users.
Troubleshooting
• Manual syncs can be initiated from the sync configuration page.
• Diagnostic trace files from two components are helpful:
  • Cisco DirSync
  • Connection CM Database Event Listener (CuCmDbEventListener)
• The DirSync diagnostic trace files are saved to the /var/log/active/cm/trace/dirsync/log4j directory. The filename format is dirsyncxxxxx.log.
• The CuCmDbEventListener diagnostic trace files are saved to the /var/opt/cisco/connection/log directory. The filename format is diag_CuCmDbEventListener_xxxxxxxx.uc
Troubleshooting (cont)
• DirSync diagnostics can be enabled from Cisco Unified Serviceability. In Trace -> Configuration:
  • Select Directory Services for the Service Group and click Go.
  • Then select DirSync for the Service and click Go.
  • Change the Debug Trace Level to Debug and click Save.
• CuCmDbEventListener diagnostics can be enabled from Cisco Unity Connection Serviceability. In Trace -> Micro Traces:
  • Select CuCmDbEventListener for the Micro Trace and click Go.
  • Select levels 00, 01, 03 and 04 and then click Save.
More Information
• Contacts
  • Manoj Agrawal (manoja@cisco.com)
  • Jennifer Bui (jbui@cisco.com)
  • CUC directory integration (cuc-ldap@cisco.com)
  • CUCM directory integration (userprefs-team@cisco.com)
• Documents
  • FFS (EDCS-603726)
  • CUCM 6 Directory Configuration Admin Guide
  • Unity Connection 7.0 Design Guide: LDAP Directory Integration (http://zed.cisco.com/confluence/display/CUC/Technical+Marketing)
Q&A