© 2008 Cisco Systems, Inc. All rights reserved. Cisco Unity Connection 7.0 Directory Integration TOI. Manoj Agrawal

Cisco Unity Connection 7.0 Directory Integration TOI


DESCRIPTION

One way synchronization of user data from an LDAP directory. User authentication against LDAP. No schema extensions. All LDAP access is read-only.

Cisco Unity Connection 7.0 EFT
Overview
One way synchronization of user data from an LDAP directory.
User authentication against LDAP.
System is functional even when the LDAP server is down.
Active Directory is supported now; Sun and Netscape directory support is planned for the future.
LDAP Administration pages
Synchronization
Same Cisco DirSync that is used by CUCM.
All of the same configuration options.
Service activated from Cisco Unified Serviceability.
The admin pages are nearly identical as well.
Passwords are not synchronized.
The list of LDAP attributes that are included in the sync as well as the mapping to CUC user fields is displayed in the LDAP Directory Configuration page.
Synchronization configuration
LDAP attribute for CUC Alias. This is the LDAP attribute that will correspond to the Alias of CUC users. It is a global setting and will apply to all synchronization configs. For AD this is commonly the sAMAccountName.
LDAP Manager Distinguished Name and password. This is the LDAP account that CUC binds with to read the directory. Because all LDAP access is read-only, an account with read access to the search base is sufficient.
LDAP User Search Base. The container within the directory where the users are located. Users in child containers are also synchronized.
Synchronization configuration (cont)
Use SSL. This option enables SSL encryption of the connection to the LDAP server.
Redundant servers. Multiple LDAP servers (for the same directory) can be specified for redundancy.
Multiple sync configurations are allowed.
LDAP Setup
LDAP Directory Configuration
Synchronization schedule
All syncs are full syncs. Incremental syncs will be available in the future.
Synchronization can happen on regular intervals or it can be a one-time synchronization.
For recurring syncs, the sync interval can be specified in hours, days, weeks or months. The minimum interval is 6 hours.
For recurring syncs, the date and time of the next sync can be specified.
On demand syncs can be initiated at any time as long as a sync is not already in progress.
Authentication
For users that are integrated (synced) with LDAP, web application passwords are authenticated against LDAP. This applies to CUCA, CPCA and IMAP access.
Voice mail passwords (PINs) are always authenticated locally.
If the LDAP server is unavailable, CUCA, CPCA and IMAP access will not be available for users that are integrated with LDAP. However, voice mail access will still be available.
For users that are not integrated with LDAP, all authentication occurs locally.
Authentication configuration
LDAP authentication needs to be enabled and configured in addition to LDAP synchronization.
It can only be enabled if LDAP synchronization is also enabled.
It is not necessary to enable LDAP authentication in order to use LDAP synchronization.
Authentication configuration (cont)
Even though multiple synchronization configurations are allowed, only one authentication configuration covers all LDAP users. This means that there is only one search base for authentication.
If the system is configured with multiple sync configurations, authentication must be configured with a search base that is the parent of the search bases used in the sync configurations.
Use of the Global Catalog server is recommended for AD and is required in a multi-domain forest.
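The two rules above (one authentication search base that is the parent of every sync search base, and the Global Catalog for a multi-domain forest) can be checked before the configuration is saved. The helpers below are an added example written for this page, not Cisco code; the distinguished names are constructed sample values, and the DN parser only handles the plain attr=value,attr=value form with backslash-escaped commas.

```python
"""Configuration check for the single LDAP authentication search base.

Added example, not part of the Cisco slides: the authentication search base
must be the same container as, or an ancestor of, every synchronization search
base, and a multi-domain AD forest needs the Global Catalog. All DNs below are
constructed sample values.
"""
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Handles the common simple form 'attr=value,attr=value'; commas escaped
    with a backslash (as in 'CN=Smith\\, John') are not treated as separators.
    Attribute names and values are lower-cased so comparisons ignore case,
    and whitespace around separators is dropped.
    """
    components = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        components.append((attr.strip().lower(), value.strip().lower()))
    return components


def is_ancestor_or_equal(base_dn, sub_dn):
    """True when base_dn is the same container as sub_dn or an ancestor of it.

    DNs list the most specific RDN first, so an ancestor is a suffix of the
    descendant's component list.
    """
    base = parse_dn(base_dn)
    sub = parse_dn(sub_dn)
    if len(base) > len(sub):
        return False
    return sub[len(sub) - len(base):] == base


def uncovered_sync_bases(auth_base, sync_bases):
    """Return the sync search bases that the authentication base does not cover."""
    return [sb for sb in sync_bases if not is_ancestor_or_equal(auth_base, sb)]


def domain_components(dn):
    """The DC components of a DN, e.g. ('emea', 'example', 'com')."""
    return tuple(value for attr, value in parse_dn(dn) if attr == "dc")


def needs_global_catalog(auth_base, sync_bases):
    """True when some sync base lives in a different AD domain than the auth base.

    A child domain such as DC=emea,DC=example,DC=com passes the DN suffix
    check above, but a domain controller for the forest root only answers for
    its own domain, which is why the slide requires the Global Catalog in a
    multi-domain forest.
    """
    auth_domain = domain_components(auth_base)
    return any(domain_components(sb) != auth_domain for sb in sync_bases)


# Constructed sample configuration.
AUTH_SEARCH_BASE = "DC=example,DC=com"
SYNC_SEARCH_BASES = [
    "OU=Sales,DC=example,DC=com",
    "ou=Eng, ou=Corp, dc=Example, dc=COM",   # different case and spacing, still covered
    "OU=Staff,DC=partner,DC=net",            # outside the auth base: not covered
]

if __name__ == "__main__":
    for base in uncovered_sync_bases(AUTH_SEARCH_BASE, SYNC_SEARCH_BASES):
        print("not covered by authentication search base:", base)
    if needs_global_catalog(AUTH_SEARCH_BASE, SYNC_SEARCH_BASES):
        print("sync bases span more than one domain: use the Global Catalog")
```

Run against the sample values, the check reports OU=Staff,DC=partner,DC=net as uncovered (users synced from it could never authenticate through the single authentication base) and flags that the bases span more than one domain. The comparison is a suffix match on normalized RDNs, so the common mistake of an authentication base that is narrower than a sync base (for example OU=Sales under a DC=example,DC=com sync) is also caught.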
LDAP Authentication
Importing users
Users must be manually imported either via the Import Users page or BAT. Users are not automatically imported from LDAP. (CUCM automatically imports them).
A user template must be selected during the import.
The user’s extension is read from LDAP and displayed on the Import Users page. It can be overridden during the import.
The extension that is displayed on the Import Users page can be processed through a regular expression in order to select only a portion of the string. Using [0-9]{4}$ would take only the last 4 digits of the LDAP value. For more information on Java regular expressions, please see http://java.sun.com/docs/books/tutorial/essential/regex/index.html.
The extension regular expression can be modified on the Advanced LDAP Settings page.
Import page
More about users
If a user has been imported from LDAP, the user’s page in CUCA will say “Active User imported from LDAP Directory”.
Standalone users (non-LDAP integrated users) can be added to a system that has LDAP enabled.
If the LDAP user object (account) for an LDAP integrated user is deleted from LDAP, after a grace period, the user will be converted to a standalone user.
AXL integrated users can also be added to a system that has LDAP enabled.
User management with BAT
BAT can be used to import LDAP users in bulk. The steps are:
1. Export “Users from LDAP directory” into a CSV file.
2. Modify the CSV file (update extensions or remove users).
3. Create new “Users with Mailbox” using the CSV file.
BAT can also be used to convert existing AXL and standalone users into LDAP integrated users. The steps are:
1. Export “Users from LDAP directory” into a CSV file.
2. Modify the CSV file to include only the users you want to convert.
3. Use BAT to update the existing users from the CSV file.
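The “modify the CSV file” step above is where the extension regular expression from the Import Users page (the slide’s [0-9]{4}$) is most useful when many users are imported at once. The script below is an added example for this page, not part of BAT or of the Cisco slides: it applies the same pattern to each exported row, keeps only the matched digits, and sets aside rows that yield no extension so they can be corrected by hand before the “Users with Mailbox” import. The column names (Alias, FirstName, LastName, Extension) and the CSV content are constructed assumptions; the real BAT export defines its own columns.

```python
"""Prepare an exported 'Users from LDAP directory' CSV for bulk import.

Added example, not part of the Cisco slides or of BAT itself. Column names
and the sample CSV are constructed assumptions.
"""
import csv
import io
import re

# Pattern from the slide: keep only the last four digits of the LDAP value.
EXTENSION_REGEX = r"[0-9]{4}$"


def extract_extension(ldap_value, pattern=EXTENSION_REGEX):
    """Return the part of the LDAP value selected by the pattern, or None.

    The Import Users page uses Java regular expressions; for a character
    class, a counted quantifier and the $ anchor, Python's re.search behaves
    the same as Java's Matcher.find().
    """
    if ldap_value is None:
        return None
    match = re.search(pattern, ldap_value.strip())
    return match.group(0) if match else None


def prepare_import_rows(csv_text, pattern=EXTENSION_REGEX):
    """Apply the extension pattern to every row of an exported CSV.

    Returns (rows_to_import, skipped_aliases): rows whose Extension column
    matched, rewritten to hold only the matched digits, and the aliases of
    rows that produced no extension and therefore need manual attention.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    keep, skipped = [], []
    for row in reader:
        extension = extract_extension(row.get("Extension"), pattern)
        if extension is None:
            skipped.append(row["Alias"])
            continue
        row["Extension"] = extension
        keep.append(row)
    return keep, skipped


def rows_to_csv(rows, fieldnames):
    """Serialize the cleaned rows back to CSV text for the BAT import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample export; the real file would come from BAT.
SAMPLE_EXPORT = """\
Alias,FirstName,LastName,Extension
jdoe,John,Doe,+1 408 555 1234
asmith,Alice,Smith,555-12345
bwong,Bob,Wong,x123
cruiz,Carla,Ruiz,
"""
FIELDNAMES = ["Alias", "FirstName", "LastName", "Extension"]

if __name__ == "__main__":
    rows, skipped = prepare_import_rows(SAMPLE_EXPORT)
    print(rows_to_csv(rows, FIELDNAMES))
    print("no extension, review before import:", skipped)
```

On the sample data jdoe gets extension 1234 and bwong and cruiz are set aside (three digits and an empty value never match four trailing digits). Note asmith: [0-9]{4}$ turns the five-digit value 555-12345 into 2345 without complaint, so the pattern has to match the site’s dial plan; passing [0-9]{5}$ as the pattern returns 12345 for that row instead.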
Bulk Export and Import
Co-res
Directory integration on a co-resident (co-res) system is handled entirely by CUCM. The feature works exactly as it would on a standalone CUCM system.
All of the configuration occurs in the CUCM admin pages.
User data is synchronized with LDAP and LDAP authentication occurs for all users (other than the default CUC users).
Due to the co-res integration, the CUC side of the product is completely unaware of the fact that the system is integrated to a corporate directory.
Steps to configure and use LDAP
1. Enable Cisco DirSync.
2. Select the LDAP server type and the LDAP attribute for Alias.
3. Configure the LDAP synchronization details.
4. Initiate a manual (on demand) sync.
5. Configure LDAP authentication.
Troubleshooting
Manual syncs can be initiated from the sync configuration page.
Diagnostic trace files from two components are helpful: Cisco DirSync and CuCmDbEventListener.
The DirSync diagnostic trace files are saved to the /var/log/active/cm/trace/dirsync/log4j directory. The filename format is dirsyncxxxxx.log.
The CuCmDbEventListener diagnostic trace files are saved to the /var/opt/cisco/connection/log directory. The filename format is diag_CuCmDbEventListener_xxxxxxxx.uc.
Troubleshooting (cont)
DirSync diagnostics can be enabled from Cisco Unified Serviceability. In Trace -> Configuration:
1. Select Directory Services for the Service Group and click Go.
2. Select DirSync for the Service and click Go.
3. Change the Debug Trace Level to Debug and click Save.
CuCmDbEventListener diagnostics can be enabled from Cisco Unity Connection Serviceability. In Trace -> Micro Traces:
1. Select CuCmDbEventListener for the Micro Trace and click Go.
2. Select levels 00, 01, 03 and 04 and then click Save.
More Information
Unity Connection 7.0 Design Guide: LDAP Directory Integration
Q&A