Embed Size (px)
Citation preview
LDAP Authentication Setup
This chapter provides information to configure LDAP directory, authentication, and custom filters using CiscoUnified CommunicationsManager. The LDAP directory configuration takes place in the following windows:
• LDAP System Configuration
• LDAP Directory
• LDAP Authentication
• LDAP Filter Configuration
You canmake changes to LDAP directory information and LDAP authentication settings only if synchronizationwith the customer LDAP directory is enabled in the Cisco Unified Communications Manager AdministrationLDAP System Configuration window.
For additional information, see topics related to the directory, application users, and end users in the CiscoUnified Communications Manager System Guide.
• About LDAP Authentication Setup , on page 1• Update LDAP Authentication, on page 2• LDAP Authentication Settings , on page 2
About LDAP Authentication SetupIn Cisco Unified CommunicationsManager Administration, use the System >LDAP >LDAPAuthenticationmenu path to configure LDAP authentication.
The authentication process verifies the identity of the user by validating the user ID and password/PIN beforegranting access to the system. Verification takes place against the Cisco Unified Communications Managerdatabase or the LDAP corporate directory.
You can only configure LDAP authentication if you enable LDAP synchronization in the LDAP SystemConfiguration window.
User accountsmust be synchronizedwith CiscoUnified CommunicationsManager to use LDAP authentication.Administrators must enable LDAP synchronization and configure LDAP directory instance(s) to use theLDAP authentication mechanism.
Note
LDAP Authentication Setup1
When both synchronization and LDAP authentication are enabled, the system always authenticates applicationusers and end user PINs against the Cisco Unified Communications Manager database. End user passwordsget authenticated against the corporate directory; thus, end users need to use their corporate directory password.
When only synchronization is enabled (and LDAP authentication is not enabled), end users get authenticatedagainst the Cisco Unified Communications Manager database. In this case, the administrator can configure apassword in the End User Configuration window in Cisco Unified CommunicationsManager Administration.
When you are using the sAMAccountName value for the LDAP Attribute for User ID field, you can onlyauthenticate with one LDAP Domain. To authenticate with multiple domains, you need to use the ActiveDirectory Lightweight Directory Service (AD LDS).
Note
Update LDAP AuthenticationThe setting of the Enable Synchronizing from LDAP Server check box in the LDAP System Configurationwindow affects your ability to modify LDAP authentication settings. If synchronization with the LDAP serveris enabled, you cannot modify LDAP directory information and LDAP authentication settings. See topicsrelated to understanding the directory in the Cisco Unified Communications Manager System Guide for moreinformation about LDAP synchronization.
Conversely, if you want to enable administrators to modify LDAP directory information and LDAPauthentication settings, you must disable synchronization with the LDAP server.
LDAP Authentication SettingsThe following table describes the LDAP authentication settings.
Table 1: LDAP Authentication Settings
DescriptionField
LDAP Authentication for End Users
Click this check box to require authentication of endusers from the LDAP directory. If the check box isleft unchecked, authentication gets performed againstthe database.
You can only access this field if LDAPsynchronization is enabled in the LDAPSystem Configuration window.
Note
Use LDAP Authentication for End Users
Enter the user ID of the LDAP Manager who is anadministrative user that has access rights to the LDAPdirectory in question.
You can only access this field if LDAPauthentication for end users is enabled.
Note
LDAP Manager Distinguished Name
LDAP Authentication Setup2
LDAP Authentication SetupUpdate LDAP Authentication
DescriptionField
Enter a password for the LDAP Manager.
You can only access this field if LDAPauthentication for end users is enabled.
Note
LDAP Password
Reenter the password that you provided in the LDAPPassword field.
You can only access this field if LDAPauthentication for end users is enabled.
Note
Confirm Password
Enter the user search base. Cisco UnifiedCommunications Manager searches for users underthis base.
You can only access this field if LDAPauthentication for end users is enabled.
Note
LDAP User Search Base
LDAP Server Information
Enter the host name or IP address where you installedthe corporate directory.
You can only access this field if LDAPauthentication for end users is enabled.
Note
Host Name or IP Address for Server
LDAP Authentication Setup3
LDAP Authentication SetupLDAP Authentication Settings
DescriptionField
Enter the port number on which the corporatedirectory receives the LDAP requests. You can onlyaccess this field if LDAP authentication for end usersis enabled.
The default LDAP port forMicrosoft Active Directoryand for Netscape Directory specifies 389. The defaultLDAP port for Secured Sockets Layer (SSL) specifies636.
How your corporate directory is configured determineswhich port number to enter in this field. For example,before you configure the LDAP Port field, determinewhether your LDAP server acts as a Global Catalogserver and whether your configuration requires LDAPover SSL. Consider entering one of the following portnumbers:
LDAP port when LDAP server is not a Global Catalogserver:
• 389—When SSL is not required. (This portnumber specifies the default that displays in theLDAP Port field.)
• 636—When SSL is required. (If you enter thisport number, make sure that you check the UseSSL check box.)
LDAP port when LDAP server is a Global Catalogserver:
• 3268—When SSL is not required.
• 3269—When SSL is required. (If you enter thisport number, make sure that you check the UseSSL check box.)
Your configuration may require thatyou enter a different port number thanthe options that are listed in thepreceding bullets. Before youconfigure the LDAP Port field,contact the administrator of yourdirectory server to determine thecorrect port number to enter.
Tip
LDAP Port
LDAP Authentication Setup4
LDAP Authentication SetupLDAP Authentication Settings
DescriptionField
Check this check box to use SSL encryption forsecurity purposes.
Note • If LDAP over SSL is required, thecorporate directory SSL certificatemust be loaded into Cisco UnifiedCommunicationsManager. TheCiscoUnified Communications OperatingSystem Administration Guidedescribes the certificate uploadprocedure.
• You can do LDAP UserAuthentication using the IP addressor the hostname. When IP address isused while configuring the LDAPAuthentication, LDAP configurationneeds to bemade the IP address usingthe command utils ldap config
ipaddr.When hostname is usedwhileconfiguring the LDAPAuthentication,DNS needs to be configured toresolve that LDAP hostname.
If you check the Use SSL check box, enter the IPaddress or the hostname that exists in the corporatedirectory SSL certificate in the Host Name or IPAddress for Server field in the LDAP AuthenticationConfiguration window. If the certificate contains anIP address, enter the IP address. If the certificatecontains the hostname, enter the hostname. If you donot enter the IP address or hostname exactly as itexists in the certificate, problems may occur for someapplications; for example, applications that useCTIManager.
Use SSL
Click this button to add another row for entry ofinformation about an additional server.
You can only access this button if LDAPauthentication for end users is enabled.
Note
Add Another Redundant LDAP Server
LDAP Authentication Setup5
LDAP Authentication SetupLDAP Authentication Settings
LDAP Authentication Setup6
LDAP Authentication SetupLDAP Authentication Settings
