04-08-2015 10:50 AM - edited 03-17-2019 05:03 PM
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Directory Integration of Cisco Jabber client.
Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
Cisco Jabber can obtain directory information directly from either an LDAP or a CUCM server, using EDI, BDI or UDS. Enhanced Directory Integration (EDI) is an LDAP-based contact source for Cisco Jabber for Windows clients. Basic Directory Integration (BDI) is an LDAP-based contact source for non-Windows Jabber clients (Mac and mobile). Cisco Unified Communications Manager UDS is a Cisco Unified Communications Manager contact source and is available as a contact source for all Cisco Jabber clients. UDS is the contact source used for Expressway Mobile and Remote Access.
The directory parameters can be configured using jabber-config.xml file or the service profile. Alternatively, Cisco Jabber for Windows can also automatically discover and connect to the directory server if the workstation on which you install Cisco Jabber is on the Microsoft Windows Active Directory domain.
Furthermore, Cisco Jabber can also search for contacts from the Personal Address Book in the Microsoft Outlook client using MAPI when both clients co-exist on a PC.
This session aims to help customers with the design, configuration and troubleshooting of Cisco Jabber Directory Integration.
Ritesh Tandon is currently a senior engineer on the collaboration team in Bangalore TAC. His areas of expertise include Cisco Unified Communications Manager and the UC applications which integrate with it. Ritesh has over 5 years of experience in Unified Communications as a whole. He focuses on troubleshooting and working with various voice products and clients, including Cisco Unified Communications Manager, Cisco Jabber, Cisco IM and Presence Server, Cisco Attendant Console Suite, Cisco Emergency Responder and many more. Prior to joining Cisco he also worked on Nortel\Avaya PBX and Contact Center deployments. He holds a Bachelor of Engineering degree in Electronics and Telecommunication from Punjab Technical University.
Nirmal Issac is a customer support engineer in the Cisco TAC team for Unified Communications technology, based in Bangalore. His areas of expertise include Cisco Unified Communications Manager, IM & Presence server, Cisco Jabber, Cisco Emergency Responder and Attendant Console. He has over 3 years of industry experience working with large enterprises and Cisco Partners. He holds a Bachelor of Engineering degree in Telecommunication. He also holds CCIE certification (#45964) in Collaboration technology.
Find other https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.
04-24-2015 05:50 PM
Hi Ritesh
Thank you for such an amazingly detailed response. Unfortunately we will continue to utilize the _cuplogin method for service profile retrieval for the foreseeable future. I'm assuming _cisco-uds is required due to the "Use logged on User Credentials" flag not being available via the SOAP interface that CUP uses against UCM?
Regardless, I'd like to more accurately explain the scenarios for which we are trying to account:
Scenario 1 (in use today) - PCs and Macs joined to the same domain in which their users' accounts reside, Service Discovery via _cuplogin and jabber-config.xml. EDI for the PCs and the Macs use BDI via stored credentials in the Service Profile(s). The obvious improvement here is to not use shared credentials for the Mac users - if the service account gets locked or needs to be updated, it causes a service outage for all Macs and requires many profiles to be updated.
It would appear that the check box would work for these users - if we were using the _cisco-uds record.
Scenario 2 - PCs joined to a different domain than the IM/P User account (the credentials used to log into the PC are irrelevant in the other domain), Service Discovery via _cuplogin and a special Jabber client bootstrapped to look for jabber-config-offdomain.xml. The jabber-config-offdomain file directory config looks like this:
<PrimaryServerName>domain.controller.fqdn</PrimaryServerName>
<ServerPort1>636</ServerPort1>
<UseWindowsCredentials>0</UseWindowsCredentials>
<ConnectionUserName>ldapaccount in UPN format</ConnectionUserName>
<ConnectionPassword>xxxxxx</ConnectionPassword>
<UseSSL>1</UseSSL>
The improvement here being the removal of the hardcoded credentials in the config file and reliance on the Service Profile for LDAP credentials (either via stored server side credentials or preferably the Use logged on User checked box).
That really gets to the heart of my question - what user credentials is that check box referring to? The credentials used to log into the PC or the credentials used to log into Jabber... I'm really hoping the latter.
Thanks
Zack
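The off-domain configuration quoted in the post above keeps the LDAP bind account and password in the client configuration file, which is what the poster wants to remove. The following audit is an added example, not part of the original post and not a Cisco tool; the sample file, its `<config>` wrapper and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the off-domain snippet quoted in the post.
# The <config>/<Directory> wrapper and every value are placeholders.
SAMPLE = """<config version="1.0">
  <Directory>
    <PrimaryServerName>dc.example.test</PrimaryServerName>
    <ServerPort1>636</ServerPort1>
    <UseWindowsCredentials>0</UseWindowsCredentials>
    <ConnectionUserName>svc-ldap@example.test</ConnectionUserName>
    <ConnectionPassword>placeholder</ConnectionPassword>
    <UseSSL>1</UseSSL>
  </Directory>
</config>"""


def audit_directory(xml_text):
    """Return sorted finding codes for the <Directory> block of a jabber-config file."""
    directory = ET.fromstring(xml_text).find("Directory")
    if directory is None:
        return ["NO_DIRECTORY_BLOCK"]

    def value(tag):
        # Missing and empty elements are both treated as "not set".
        return (directory.findtext(tag) or "").strip()

    findings = set()
    has_user = bool(value("ConnectionUserName"))
    has_password = bool(value("ConnectionPassword"))
    tls_enabled = value("UseSSL").lower() in ("1", "true")

    if has_password:
        # Anyone who can read the file obtains the bind password.
        findings.add("EMBEDDED_BIND_PASSWORD")
    if has_user:
        # One account for every client: a lockout or rotation hits all of them.
        findings.add("SHARED_BIND_ACCOUNT")
    if (has_user or has_password) and not tls_enabled:
        # Stored credentials would be sent over an unencrypted LDAP connection.
        findings.add("BIND_WITHOUT_TLS")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit_directory(SAMPLE):
        print(code)
```
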
04-14-2015 06:33 AM
Hi There,
We have been testing Jabber integration using EDI (for Windows) and BDI (for mobile).
We are using the following config for BDI to allow use of AD contact photo.
<BDIPhotoSource>thumbnailPhoto</BDIPhotoSource>
When connecting in the office (not through Collab edge), contact photos seem to work OK and the list is populated on iphone etc.
When client comes in through Collab edge, the Directory searches are OK but the contact photos do not show up at all unless they are already cached on the client device.
Why is this? The directory is being accessed OK so I'm having trouble understanding why this does not work.
cucm 10.5, Jabber client 10.6.1 (iphone)
p.s. Why does Jabber not sync *all* the telephone numbers listed for the user from AD?
It's also fairly annoying having to populate 'other' with the users internal telephone number! (Surely jabber should know the user's DN and not have to replicate this?) Note that we and a lot of clients use external International Direct Dial in AD field.
Many thanks,
Peter.
04-14-2015 08:19 AM
Hi Peter ,
For the first part of your query :-
Jabber clients (whether jabber windows or jabber mobile (like iPhone or android)) use UDS only, when connecting via MRA/Collab-edge.
Which is the reason why BDI is not used when you are using collab-edge and contact photos are only shown when cached.
Directory searches actually work because they are being handled by UDS\CUCM.
Since contact photos do not reside on CUCM , therefore you get no photos.
To solve this problem you have to host the contact photos on a Web server which is reachable from outside your network and put this configuration in the jabber-config.xml file under the directory tab :-
<UdsPhotoUriWithToken>http://server_name/%%uid%%.jpg</UdsPhotoUriWithToken>
For more information you can refer to this :-
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_6/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide_chapter_01111.html#CJAB_RF_CEA70FA2_00
For the second part of your query :-
I understand that you would like Jabber to get the user's extension automatically when searched (as what is configured on CUCM, as a DN for that user) instead of you manually configuring it on the 'other' telephoneNumber attribute on AD.
I can understand you have configured Jabber to talk to AD for contact searches, so AD does not have this information (i.e. the user's extension) unless you configure it there.
Also, currently even if we point Jabber to search CUCM using UDS, the contact information which we get back from CUCM for a user is the one which you see on the end user's page.
I can only say that this can be taken up as an enhancement where we can get the user's extension from CUCM and concatenate that with the result which Jabber gets after searching the user against a directory source.
Hope this helps.
If I may have misunderstood your second query, please do correct me.
Thanks,
Ritesh Tandon
04-16-2015 02:40 AM
Many thanks for the reply and Information.
This leads to some other queries though:-
Since the whole point of having a Directory such as AD is *not* to have to maintain separate databases, such as a separate webserver with contact photos,
a) When will UDS also natively contain or return the contact photos?
or
b) When will Collab Edge support BDI or EDI?
Since Cisco do seem to have grasped that End User experience is key, I would have thought having the same experience whether in or out the office would be a priority, and for me the collab edge is not *quite* there. Getting close though!
cheers
04-16-2015 11:06 AM
Hi Peter,
I am happy to hear that we are actually coming up to your expectations :)
But right now I would not have any definite information\timelines on when these would be supported :-
++ When contact photos would also be hosted on CUCM, so that UDS can return them when connected over MRA\Collab-edge.
++ When EDI\BDI would be supported with Collab-edge.
These are actually enhancements, and I believe the BUs for Jabber, CUCM and VCS would have to work together in figuring these out.
But thank you for your constructive feedback. I will surely send this across to them, so that they can consider putting these on their respective future road-maps.
Thanks,
Ritesh Tandon
04-14-2015 09:55 AM
Hi all,
I am very new to Jabber and have run into some problems. I have the following situation:
1. External IBM Domino ldap server for contact search. Users are from external company.
2. Contact Photos for internal users hosted on a Web server. Http://server/emailaddress.jpg
3. Windows AD for jabber authentication
The idea was to populate contact photos for internal users and use the ldap server for external contact search.
Please give me some direction.
Thanks
04-14-2015 11:50 AM
Hi Getamessay,
Thank you for posting the query. From your query, I understand the below requirements.
a) CUCM is Synced with AD server, hence authentication should happen with AD.
b) Jabber should perform contact search from IBM Domino server
TAC Support
Cisco TAC / Jabber Development team supports only the below contact sources for Cisco Jabber. Please refer to the below guide.
I do not think that Cisco Jabber would extend the support for Domino any time soon. So, the integration with Domino - even if it works - will not be supported by Cisco TAC.
CUCM server also officially does not support Domino, thus we cannot sync the users to CUCM.
Work around:
If you want to move ahead with the same requirement, we can analyze logs and try to help you as a best effort to understand where the Sync fails and we can try to fix it by modifying the parameters. Again, the solution will not be supported by Cisco TAC in case of a network down situation.
If so, please provide me the jabber-config.xml file that you have deployed, along with the Problem Report from Jabber client after recreating the issue. Also, please provide the below information:
a) The time when the search was made
b) The user whom you searched for
c) IP Address / Hostname of Domino server
d) Packet capture from the PC
c) Photo retrieval from Web Server.
The configurations required for photo retrieval from WebServer are listed in the below link.
Please let me know if you have any additional questions. I hope this helps.
Regards-- Nirmal Issac
04-14-2015 12:42 PM
Hi Nirmal,
Thanks for the response.
For now I would like to fix the photo retrieval. I am using Apache Web server URI source where the photos are stored. What attributes can I use for
BDIPhotoUriWithToken? Do I need any directory integration for photo retrieval?
Regards
Getamessay
04-14-2015 01:07 PM
Hi Getmessay,
Thank you for the response. The parameters that I provided earlier are EDI and BDI parameters. That method of photo retrieval works only with LDAP as the tokens are obtained from the values in LDAP attributes.
Yes, you need either LDAP / UDS directory integration for the photo retrieval to work. As LDAP integration failed with Domino, I would recommend configuring UDS so that the users in CUCM can be fetched for Directory search and Web Server can be used for photo retrieval. Please refer to the below guide.
Sample Configuration for UDS Photo retrieval:
<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<UdsPhotoUriWithToken>http://server-name/%%uid%%.jpg</UdsPhotoUriWithToken>
</Directory>
In the above configuration, the contact information will be fetched from CUCM using UDS. Jabber client will replace %%uid%% with the UserID of the contact. Hence the name of the photo saved in Web Server for a user should be (His UserID in CUCM).jpg
Please let me know if you have any questions.
Regards - Nirmal Issac
04-14-2015 09:22 PM
Hi Getamessay,
As my colleague has already pointed out, Lotus Domino is not supported for LDAP sync with CUCM and as a directory source for Jabber.
Therefore, I will just try to explain the possible scenarios you have (i.e. without the Domino), already explained by my colleague, in a different way :-
Scenario 1 :-
Using MS AD as a Directory Source for Jabber clients (EDI\BDI) and pointing jabber to get contact photos from web server.
Please see this diagram which will give you a visual representation of what it would look like :-
The configuration which you would need to include in the jabber-config.xml file, would look like the following :-
++ For EDI ++
<PhotoUriSubstitutionEnabled>true</PhotoUriSubstitutionEnabled>
<PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
<PhotoUriWithToken>http://www.jabber-photo.com/Photos/sAMAccountName.jpg</PhotoUriWithToken>
++ For BDI ++
<BDIPhotoUriSubstitutionEnabled>true</BDIPhotoUriSubstitutionEnabled>
<BDIPhotoUriSubstitutionToken>sAMAccountName</BDIPhotoUriSubstitutionToken>
<BDIPhotoUriWithToken>http://www.jabber-photo.com/Photos/sAMAccountName.jpg</BDIPhotoUriWithToken>
So, when a user is searched in MS AD, the 'sAMAccountName' value returned for the user would be used as the name of the .jpg photo for that user, in the URL request to fetch the contact photo from the Web server.
If you do not want to give 'sAMAccountName' here, then you can give any other AD attribute like 'EmployeeID', but then just make sure you have saved the contact photo as <EmployeeID>.jpg on the web server.
Scenario 2 :-
Using CUCM as a Directory Source for Jabber clients (UDS) and pointing jabber to get contact photos from web server.
Please see this diagram which will give you a visual representation of what it would look like :-
The configuration which you would need to include in the jabber-config.xml file, would look like the following :-
<DirectoryServerType>UDS</DirectoryServerType>
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
Jabber client will replace %%uid%% with the UserID of the contact. Hence the name of the photo saved in Web Server for a user should be (His UserID in CUCM).jpg
For your reference and understanding, I have also attached sample jabber-config.xml files from my lab, which have the required configuration for both the above scenarios.
Hope this helps.
In case you have any further queries on the above, please do let us know.
Thanks,
Ritesh Tandon
04-15-2015 02:48 AM
Hi Ritesh,
Many thanks for the explanation. I will test UDS option with mail ID of the contact. Not with UserID. If possible :
<DirectoryServerType>UDS</DirectoryServerType>
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%mail%%.jpg</UdsPhotoUriWithToken>
The other question: is it possible to have contact lookup from a web server?
Regards;
Getamessay
04-15-2015 05:37 AM
Hi Getamessay,
Thank you for the response.
a) I will test UDS option with mail ID of the contact. Not with UserID
I think there is a confusion with the term 'UserID'. The UserID is the value that CUCM lists in the end-user page. It can be mapped with the attributes in LDAP as follows.
And the userID will be reflected in the End User page.
The configuration <UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%mail%%.jpg</UdsPhotoUriWithToken> is invalid.
The configuration should remain as:
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
For eg,
In my lab, my account details are as below:
sAMAccountName: nissac
mail: nissac@cisco.com
In System --> LDAP --> LDAP System; if I select sAMAccountName, then the name of the jpg file should be nissac.jpg.
If I select mail, then the name of the jpg file should be nissac@cisco.com.jpg
In both the scenarios, the below configuration remains the same:
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
b) The other question: is it possible to have contact lookup from a web server?
This is currently not supported. The contact source should either be LDAP or CUCM.
Please let us know if you have any additional queries.
Regards
Nirmal Issac
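The two substitution styles described in the replies above (a named LDAP attribute token for EDI/BDI, and `%%uid%%` for UDS) can be checked before photos are published to the web server. This is an added example, not code from the thread or from Cisco; the function names, the host `photos.example.test` and the contact values passed in are assumptions, and it models the substitution only as the replies describe it.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_RE = re.compile(r"%%(.+?)%%")

# Constructed <Directory> fragments following the snippets in the thread;
# the host name photos.example.test is a placeholder.
UDS_CONFIG = """<Directory>
  <DirectoryServerType>UDS</DirectoryServerType>
  <UdsPhotoUriWithToken>http://photos.example.test/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
</Directory>"""

EDI_CONFIG = """<Directory>
  <PhotoUriSubstitutionEnabled>true</PhotoUriSubstitutionEnabled>
  <PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
  <PhotoUriWithToken>http://photos.example.test/Photos/sAMAccountName.jpg</PhotoUriWithToken>
</Directory>"""


def resolve_photo_url(directory_xml, contact):
    """Return the photo URL requested for `contact`, or None if none is configured.

    `contact` maps attribute names to values ("uid" for UDS, LDAP attribute
    names for EDI/BDI). Raises ValueError for a template that cannot resolve.
    """
    directory = ET.fromstring(directory_xml)

    def value(tag):
        return (directory.findtext(tag) or "").strip()

    uds_template = value("UdsPhotoUriWithToken")
    if value("DirectoryServerType") == "UDS" and uds_template:
        # The thread states %%mail%% is invalid here: only %%uid%% is replaced.
        unknown = sorted(set(TOKEN_RE.findall(uds_template)) - {"uid"})
        if unknown or "%%uid%%" not in uds_template:
            raise ValueError(f"UDS template must use %%uid%% only, found {unknown}")
        return uds_template.replace("%%uid%%", contact["uid"])

    for prefix in ("", "BDI"):  # EDI parameters are unprefixed, BDI ones carry "BDI"
        template = value(prefix + "PhotoUriWithToken")
        token = value(prefix + "PhotoUriSubstitutionToken")
        if not template:
            continue
        if value(prefix + "PhotoUriSubstitutionEnabled").lower() != "true":
            raise ValueError(prefix + "PhotoUriSubstitutionEnabled is not true")
        if not token or token not in template:
            raise ValueError(f"token {token!r} does not occur in {template!r}")
        return template.replace(token, contact[token])
    return None


def photo_filename(url):
    """File name the web server must host for the resolved URL."""
    return url.rsplit("/", 1)[-1]
```
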
04-15-2015 05:49 AM
Hi Nirmal,
Thank you.
I fully understand UID attribute. In my case, photos are stored in the web server as follows "Email address.jpg": geta@unvienna.org.jpg.
That was why I tried to use the mail ID.
What other attributes can I use other than uid in UDS deployment?
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
Regards,
Getamessay
04-15-2015 06:51 AM
Hi Getamessay,
Thank you for the mail. I'm glad that we were able to help you.
The attribute depends on the LDAP System configuration in CUCM.
All of the above attributes can be made the uid. Although the below configuration remains the same, Jabber will replace %%uid%% with the value taken from CUCM.
<UdsPhotoUriWithToken>http://www.jabber-photo.com/Photos/%%uid%%.jpg</UdsPhotoUriWithToken>
Please let me know if you have any further queries.
Regards
Nirmal Issac
04-16-2015 10:34 PM
Hi,
I want to set up authentication against multiple DCs for Jabber. Actually, my Windows AD supports global catalog lookup and authentication, but the sAMAccountName will conflict across the different child domains in the same tree.
Finally, I should change the CUCM LDAP authentication from "sAMAccountName" to "UserPrincipalName", which is not supported on Jabber until now. Any idea on how Jabber can support a big AD environment with multiple DCs' domains?