Download ppt - Cisco Unity Connection 7.0 Directory Integration TOI

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Unity Connection 7.0

Directory Integration TOI

Manoj Agrawal

[email protected]


Overview

One way synchronization of user data from an LDAP directory.

User authentication against LDAP.

No schema extensions. All LDAP access is read-only.

System is functional even when the LDAP server is down.

Active Directory is supported right now. Sun and Netscape in the future.


LDAP Administration pages


Synchronization

User information is synchronized using Cisco DirSync.

Same Cisco DirSync that is used by CUCM.

All of the same configuration options.

Service activated from Cisco Unified Serviceability.

Admin pages nearly identical as well.

Passwords are not synchronized.

The list of LDAP attributes that are included in the sync as well as the mapping to CUC user fields is displayed in the LDAP Directory Configuration page.


Synchronization configuration

LDAP attribute for CUC Alias. This is the LDAP attribute that will correspond to the Alias of CUC users. It is a global setting and will apply to all synchronization configs. For AD this is commonly the sAMAccountName.

LDAP Manager Distinguished Name and password. This is an LDAP user that has rights to access the LDAP directory.

LDAP User Search Base. The container within the directory where the users are located. Users in child containers are also synchronized.


Synchronization configuration (cont)

LDAP Server Hostname/IP Address and Port.

Use SSL. This is an option to enable SSL encryption.

Redundant servers. Multiple LDAP servers (for the same directory) can be specified for redundancy.

Multiple sync configurations are allowed.


LDAP Setup


LDAP Directory Configuration


Synchronization schedule All syncs are full syncs. Incremental syncs will be available in the future.

Synchronization can happen on regular intervals or it can be a one-time synchronization.

For recurring syncs, the sync interval can be specified in number of hours, days, weeks or months. The min interval is 6 hours.

For recurring syncs, the date and time of the next sync can be specified.

On demand syncs can be initiated at any time as long as a sync is not already in progress.


Authentication For users that are integrated (synced) with LDAP, web application

passwords are authenticated against LDAP. This applies to CUCA, CPCA and IMAP access.

Voice mail passwords (PINs) are always authenticated locally.

If the LDAP server is unavailable, CUCA, CPCA and IMAP access will not be available for users that are integrated with LDAP. However, voice mail access will still be available.

For users that are not integrated with LDAP, all authentication occurs locally.


Authentication configuration

LDAP authentication needs to be enabled and configured in addition to LDAP synchronization.

It can only be enabled if LDAP synchronization is also enabled.

It is not necessary to enable LDAP authentication in order to use LDAP synchronization.


Authentication configuration (cont)

Even though multiple synchronization configurations are allowed, only one authentication configuration covers all LDAP users. This means that there is only one search base for authentication.

If the system is configured with multiple sync configurations, authentication must be configured with a search base that is the parent of the search bases used in the sync configurations.

Use of the Global Catalog server is recommended for AD and is required in a multi-domain forest.


LDAP Authentication


Importing users Users must be manually imported either via the Import Users page or BAT. Users

are not automatically imported from LDAP. (CUCM automatically imports them).

A user template must be selected during the import.

The user’s extension is grabbed from LDAP and displayed on the Import Users page. It can be overridden during the import.

The extension that is displayed on the Import Users page can be processed through a regular expression in order to select only a portion of the string. Using [0-9]{4}$ would only grab the last 4 digits from LDAP. For more information on Java regular expressions, please see http://java.sun.com/docs/books/tutorial/essential/regex/index.html.

The extension regular expression can be modified on the Advanced LDAP Settings page.


Import page


More about users

If a user has been imported from LDAP, the user’s page in CUCA will say “Active User imported from LDAP Directory”.

Standalone users (non-LDAP integrated users) can be added to a system that has LDAP enabled.

If the LDAP user object (account) for an LDAP integrated user is deleted from LDAP, after a grace period, the user will be converted to a standalone user.

AXL integrated users can also be added to a system that has LDAP enabled.


User management with BAT

BAT can be used to import LDAP users in bulk. The steps are:

1. Export “Users from LDAP directory” into a CSV file.

2. Modify CSV file (update Extensions or remove users).

3. Create new “Users with Mailbox” using the CSV file.

BAT can also be used to convert existing AXL and standalone users into LDAP integrated users. The steps are:

1. Export “Users from LDAP directory” into a CSV file.

2. Modify the CSV file to only include the users you want to convert.

3. Use BAT to update existing users using the CSV file.


Bulk Export and Import


Co-res

Directory integration on a co-res system is handled entirely by CUCM. The feature works exactly like it would on a standalone CUCM system.

All of the configuration occurs in the CUCM admin pages.

User data is synchronized with LDAP and LDAP authentication occurs for all users (other than the default CUC users).

Due to the co-res integration, the CUC side of the product is completely unaware of the fact that the system is integrated to a corporate directory.


Steps to configure and use LDAP

1. Enable Cisco DirSync.

2. Select the LDAP server type and LDAP attribute for Alias.

3. Configure the LDAP synchronization details.

4. Initiate a manual (on demand) sync.

5. Configure LDAP authentication.

6. Import users.


Troubleshooting

Manual syncs can be initiated from the sync configuration page.

Diagnostic trace files from two components are helpful:

Cisco DirSync

Connection CM Database Event Listener (CuCmDbEventListener)

The DirSync diagnostic trace files are saved to the /var/log/active/cm/trace/dirsync/log4j directory. The filename format is dirsyncxxxxx.log.

The CuCmDbEventListener diagnostics trace files are saved to the /var/opt/cisco/connection/log directory. The filename format is diag_CuCmDbEventListener_xxxxxxxx.uc


Troubleshooting cont

DirSync diagnostics can be enabled from Cisco Unified Serviceability. In Trace -> Configuration:

1. Select Directory Services for the Service Group and click Go.

2. Then select DirSync for the Service and click Go.

3. Change the Debug Trace Level to Debug and click Save.

CuCmDbEventListener diagnostics can be enabled from Cisco Unity Connection Serviceability. In Trace -> Micro Traces:

1. Select CuCmDbEventListener for the Micro Trace and click Go.

2. Select levels 00, 01, 03 and 04 and then click Save.




More Information

Contacts

Manoj Agrawal ([email protected])Jennifer Bui ([email protected])CUC directory integration ([email protected])CUCM directory integration ([email protected])

Documents

FFS (EDCS-603726) CUCM 6 Directory Configuration Admin GuideUnity Connection 7.0 Design Guide: LDAP Directory Integration(http://zed.cisco.com/confluence/display/CUC/Technical+Marketing)


Q&AQ&A
