
Ask the Expert: Directory Integration of Jabber client (EDI/BDI/UDS)

ciscomoderator
Community Manager

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Directory Integration of Cisco Jabber client.

Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015

Cisco Jabber has the capability to obtain the directory information directly from either an LDAP or a CUCM server, using EDI, BDI or UDS. Enhanced Directory Integration (EDI) is an LDAP-based contact source for Cisco Jabber for Windows clients. Basic Directory Integration (BDI) is an LDAP-based contact source for non-Windows Jabber clients (Mac and Mobile). Cisco Unified Communications Manager UDS is a Cisco Unified Communications Manager contact source and is available as a contact source for all Cisco Jabber clients. UDS is the contact source used for Expressway Mobile and Remote Access.

The directory parameters can be configured using the jabber-config.xml file or the service profile. Alternatively, Cisco Jabber for Windows can also automatically discover and connect to the directory server if the workstation on which you install Cisco Jabber is on the Microsoft Windows Active Directory domain.

Furthermore, Cisco Jabber can also search for contacts from the Personal Address Book in the Microsoft Outlook client using MAPI when both clients coexist on a PC.

This session aims to help customers with the design, configuration and troubleshooting of Cisco Jabber Directory Integration.

Ritesh Tandon is currently a senior engineer on the collaboration team in Bangalore TAC. His areas of expertise include Cisco Unified Communications Manager and the UC applications that integrate with it. Ritesh has over 5 years of experience in Unified Communications as a whole. He focuses on troubleshooting and working with various voice products and clients, including Cisco Unified Communications Manager, Cisco Jabber, Cisco IM and Presence Server, Cisco Attendant Console Suite, Cisco Emergency Responder and many more. Prior to joining Cisco he also worked on Nortel\Avaya PBX and Contact Center deployments. He holds a Bachelor of Engineering degree in Electronics and Telecommunication from Punjab Technical University.

Nirmal Issac is a customer support engineer in the Cisco TAC team for Unified Communications technology, based in Bangalore. His areas of expertise include Cisco Unified Communications Manager, IM & Presence server, Cisco Jabber, Cisco Emergency Responder and Attendant Console. He has over 3 years of industry experience working with large enterprises and Cisco Partners. He holds a Bachelor of Engineering degree in Telecommunication. He also holds CCIE certification (#45964) in Collaboration technology.

Find other events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions


Hi Chi,

Thank you for the query. I understand that you have CUCM server integrated with LDAP which has a single forest and multiple domains. I see that you are trying to achieve the below configuration using UPN as UserId in CUCM.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/directry.html#wp1045381

Please confirm if my above understanding is correct.

I would like to understand why you think that Cisco Jabber does not support UPN as UserID. Please explain in detail the issues that you are facing while using UPN, so that we can assist you with those.

Also, please provide us the versions of the CUCM, IM&P and the Jabber client used. It would be helpful if you could share the jabber-config.xml file used.

Regards

Nirmal Issac

Hi Chi,

We believe that your question is to find out if Jabber would support UPN as userid, for the same reason my colleague has pointed out in his query to you.

The answer to your query would be yes, Jabber does support the UPN attribute as a ‘userid’ (when you change that under System >> LDAP >> LDAP system on the CUCM Pub).

The difference seen externally would be that users would have to use their ‘UPN’ value as userid to log in to their Jabber clients, instead of the ‘sAMAccountName’ value they were using earlier.

Also, the only other major difference seen on Jabber after this change would be that the IM Address of users would become “user@domain@domain” (as the UPN value is appended with the IM domain which is configured on the CUPS\IM&P server).

This can be avoided if you use CUCM\IM&P 10.0 or above, as you can change the IM schema to Directory URI on the CUPS\IM&P server, which in turn can be set to “msRTCSIP-PrimaryUserAddress” or “mail” on the CUCM Publisher. This is also known as “Flexible JabberID”.

But in order to use “Flexible JabberID” you have to upgrade all Jabber clients to version 10.6.0 or above, as versions of Jabber lower than 10.6 (on any platform) do not support “Flexible JabberID”.
Please go through the below links for reference :-

Jabber for Mac 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/mac/10_6/JABM_BK_C6D012D7_00_cisco-jabber-for-mac-106.html#JABM_RF_F65F8D61_00

Jabber for Android 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Android/10_6/rn/JABA_BK_CB805EB4_00_cisco-jabber-for-android-10-6-release_notes.html#JABA_RF_NCAFF4FB_00

Jabber for iPhone and iPad 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/iPhone_iPad/10_6/RN/JABI_BK_CF3573C2_00_cisco-jabber-for-iphone-and.html#JABI_RF_N61CB8E5_00

Jabber for Windows 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/10_6/rn/JABW_BK_C6A8A6C3_00_cisco-jabber-for-windows-10_6-release-notes.html

Search for "Flexible Jabber ID"

 

Hope this helps.
Please do let us know if you have any further queries.

 

Thanks,
Ritesh Tandon

calluknet
Level 1

We were using EDI/BDI integration too but are now moving to UDS to try and get around the issue already mentioned below "when common account gets blocked for too many failed login attempts because we also moved to JW10.6".

Previously we had an issue running multiple system managed domains where the IM Addressing Scheme was set to use Directory URI.  Users within the different system managed domains could not share presence information (e.g. @example.com could not see @uk.example.com and/or vice versa). 

The fix was to add <IMAddresses use-default="false"><IMAddress>mail</IMAddress></IMAddresses> to force the jabber client (via the jabber-config.xml file) to use the "mail" value from the LDAP server to correct the IM address.

If we move to UDS will the IMAddresses element still work within the jabber-config.xml file, would we still need it?

Regards - Stewart

Hi Stewart,

Although server-side IM&P 10.0 and above supports multi-domain using Directory URI as the IM Address Schema, the Jabber clients did not add this feature until the 10.6.x version.
So, I believe you had placed this fix, <IMAddresses use-default="false"><IMAddress>mail</IMAddress></IMAddresses>, in the jabber-config.xml file as you were using a 10.5.x or lower version of Jabber in your environment at that time.
This fix, at that time, only worked with EDI\BDI and not UDS.

But since all flavors of Jabber 10.6.x now support multi-domain in the IM Address, coming from the Directory URI setting, I believe this shouldn't be a problem any more.
Please see the below links for more references :-

 

Jabber for Mac 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/mac/10_6/JABM_BK_C6D012D7_00_cisco-jabber-for-mac-106.html#JABM_RF_F65F8D61_00

Jabber for Android 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Android/10_6/rn/JABA_BK_CB805EB4_00_cisco-jabber-for-android-10-6-release_notes.html#JABA_RF_NCAFF4FB_00

Jabber for iPhone and iPad 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/iPhone_iPad/10_6/RN/JABI_BK_CF3573C2_00_cisco-jabber-for-iphone-and.html#JABI_RF_N61CB8E5_00

Jabber for Windows 10.6 Release Notes :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/10_6/rn/JABW_BK_C6A8A6C3_00_cisco-jabber-for-windows-10_6-release-notes.html

Search for "Flexible Jabber ID"

 

You can also check\confirm this in your environment on one Jabber Windows user\PC only, by doing the following :-

i)    Make sure jabber 10.6.x is exited.

ii)    Copy your existing ‘jabber-config.xml’ file to a different folder and rename it ‘jabber-config-user.xml’.

iii)    Edit ‘jabber-config-user.xml’ and put in the following, after you remove all previous EDI\BDI configuration under the 'Directory' tabs :-

<Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<UdsServer><cucm ip address></UdsServer>
<DirectoryURI>mail</DirectoryURI>
<UseSIPURIToResolveContacts>true</UseSIPURIToResolveContacts>
<SipUri>mail</SipUri>
<UriPrefix>sip:</UriPrefix>
</Directory>

For the above configuration please refer to this :-

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_6/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide_chapter_01111.html#JABM_RF_I07C806F_00

 

iv)    Copy this edited ‘jabber-config-user.xml’ and paste it under :-
C:\Users\<user>\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config
Then Delete Folder :-
C:\Users\<user>\AppData\Local\Cisco\Unified Communications\Jabber

v)    Start Jabber and log in. The ‘jabber-config-user.xml’ file will take precedence over the ‘jabber-config.xml’ file when the user logs in.

vi)     Confirm from "Show Connection Status" under Help that UDS is being used for Directory.

vii)    Try to add a new user (user you do not have in jabber contact list from before) from AD and see if you get the right IM Address this time when you do a view profile of this newly added user.

In this way you can check UDS with jabber windows 10.6.x on one PC only to see if this works fine, prior to putting UDS globally.

 

Hope this helps.

Let me know once you try it, or if you have any further queries.

 

Thanks,

Ritesh Tandon


CHRIS KALETH
Level 5

We are having a couple of issues over MRA; the first being able to search the directory over MRA.  When I type more than 3 letters it fails to pull any information except for local contacts.  It works fine when connected over VPN or directly on the network.  The second issue is receiving photos over MRA from any client (Jabber4Windows, Jabber4Mac, and iPhone).

Here is my full directory config: 

<Directory><UdsPhotoUriWithToken>http://pictures.xyz.com/images/JabberPhotos/%%uid%%.jpg</UdsPhotoUriWithToken></Directory>

Our photo server is whitelisted on the Expressway but is not directly open from the Internet. 

Versions:

CUCM 10.5.2

CUPS 10.5.2

Expressway C/E - 8.5.1

Jabber4Mac - Version 10.6.0 (202336)

Jabber4Windows - Version 10.6

Hi Chris,

Thank you for the query. Jabber automatically switches to UDS while operating in MRA. We have not observed any common issues with UDS when Jabber connects over MRA. The photo issue is a result of the issue with Directory itself. The photos would not work until Directory connects.

Hence this issue needs troubleshooting.

 

a) When you connect from VPN/Internal network, what is the mode of directory - LDAP or UDS?

b) Please recreate the issue over MRA and provide me -

 

- PRT (after deleting all existing cache).

- Diagnostic logs & TCP Dump from VCS E and C servers

- The name which was searched in the Jabber client, and the time of the search.

- Screen shot of Jabber --> Help --> 'Show Connection Status' while connected over MRA and also while connected over Internal network

 

You may attach the logs here in the discussion.

 

Regards

Nirmal Issac

Hi Guys,

 

I am trying to enable SIP URI dialling for an on-premise IM&P solution but the local jabber-client does not appear to accept a valid locally installed jabber-config-user.xml or jabber-config.xml files uploaded to CUCM TFTP root and TFTP services restarted.

I have attempted to generate a file from the jabber-config.xml generator found in the support forums & also from my working Jabber (albeit I am using hybrid).  There appears to be confusion regarding the syntax of SIPURIdial(l)ing - one l or 2 l's?  The generator produces one "l", my local file here is 2 "l"'s

 

<EnableSIPURIDialling>true</EnableSIPURIDialling>

 

OR

 

<EnableSIPURIDialing>true</EnableSIPURIDialing>

 

I have tried both formats with no success.

I want to prove whether the issue is local PC/Firewall/anti-virus with a known working file.

Can one be posted here please?

 

thanks

 

Stuart

 

Hi Stuart,

 

Thank you for the query. Adding the below policy in jabber-config.xml file enables URI Dialling in the Jabber clients.

 

 

 <Policies>
   <EnableSIPURIDialling>true</EnableSIPURIDialling>
 </Policies>

 

 

 

Documents:

 

CUCM

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/9_0_1/ccmsys/CUCM_BK_CD2F83FA_00_cucm-system-guide-90/CUCM_BK_CD2F83FA_00_system-guide_chapter_0101111.html

 

Jabber Deployment Guide:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_6/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and_chapter_010010.html#CJAB_TK_E28C6E1E_00

 

As discussed offline, I understand that you isolated the issue to the PC's Anti Virus.

 

Please let us know if you have any additional queries. Thank you.

 

Regards

Nirmal Issac
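The file-level points from the replies above (the UDS test file with its `<cucm ip address>` placeholder, the `EnableSIPURIDialling` spelling and placement, and a photo URI served over plain HTTP) can be checked before a jabber-config.xml is deployed. This linter is an added example, not Cisco code or part of the original posts; the finding codes, the `<config>` wrapper, the sample hosts under `example.test` and the `PrimaryServerName` leftover are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# <Directory> children that appear in this thread's UDS configurations.
UDS_KEYS = {"DirectoryServerType", "UdsServer", "DirectoryURI",
            "UseSIPURIToResolveContacts", "SipUri", "UriPrefix",
            "UdsPhotoUriWithToken"}
# A tag containing spaces but no attribute value, e.g. <cucm ip address>.
PLACEHOLDER = re.compile(r"<([A-Za-z][^<>=/]*\s[^<>=/]*)>")

# Constructed sample: single-l policy, EDI leftover in UDS mode, http photo URI.
SAMPLE_BAD = """<config version="1.0">
  <Policies>
    <EnableSIPURIDialing>true</EnableSIPURIDialing>
  </Policies>
  <Directory>
    <DirectoryServerType>UDS</DirectoryServerType>
    <UdsServer>cucm.example.test</UdsServer>
    <PrimaryServerName>dc1.example.test</PrimaryServerName>
    <UdsPhotoUriWithToken>http://pictures.example.test/%%uid%%.jpg</UdsPhotoUriWithToken>
  </Directory>
</config>"""

# The thread's UDS block with its placeholder left unedited (wrapper constructed).
SAMPLE_PLACEHOLDER = """<config version="1.0"><Directory>
<DirectoryServerType>UDS</DirectoryServerType>
<UdsServer><cucm ip address></UdsServer>
</Directory></config>"""


def lint_jabber_config(text):
    """Return a list of (code, detail) findings for one config file."""
    findings = [("PLACEHOLDER", m.group(1)) for m in PLACEHOLDER.finditer(text)]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An unedited placeholder makes the file malformed XML.
        return findings + [("NOT_WELL_FORMED", str(exc))]

    # Map each element to its parent so placement can be checked.
    parent = {child: p for p in root.iter() for child in p}
    for el in root.iter():
        if el.tag == "EnableSIPURIDialing":
            # The expert's answer spells the element with a double "l".
            findings.append(("SINGLE_L_SPELLING", el.tag))
        elif el.tag == "EnableSIPURIDialling":
            if parent.get(el) is None or parent[el].tag != "Policies":
                findings.append(("NOT_UNDER_POLICIES", el.tag))
        elif el.tag == "UdsPhotoUriWithToken":
            value = (el.text or "").strip()
            if value.lower().startswith("http://"):
                findings.append(("CLEARTEXT_PHOTO_URI", value))

    for directory in root.iter("Directory"):
        mode = (directory.findtext("DirectoryServerType") or "").strip()
        if mode.upper() != "UDS":
            continue
        # Step iii of the test procedure removes EDI\BDI settings first.
        for child in directory:
            if child.tag not in UDS_KEYS:
                findings.append(("NON_UDS_KEY_IN_UDS_MODE", child.tag))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_PLACEHOLDER):
        for code, detail in lint_jabber_config(sample):
            print(code, "-", detail)
```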

Lee Marson
Level 5

Hello guys,

Could you tell me what is the preferred way to avoid the initial email address logon screen in Jabber for Windows please?

Currently my customer has an email address which is different to the Jabber ID. If they use the email address it results in sign-in issues when they move networks even though the domain is the same.

so email is firstname.lastname@company.co.uk

JID is userid@company.co.uk

So I would either like to be able to do the first time login with email address for UX purposes - but this means changing the IM address schema to directory uri. This option would be fine except UDS is not supported I believe and we need to also use MRA - am I correct?

The other option is to use installer switches or modify the msi installer file.

The guide also mentions configuration url - can this be used by J4W as I can't find much info on it?

 

Any advice appreciated

Regards

Lee

 

Lee.

 

Hi Lee,

 

I have broken down your queries into sub-queries, and tried answering them below :-

 

Q : Could you tell me what is the preferred way to avoid the initial email address logon screen in Jabber for Windows please ?

<RT> : One Possible way/scenario I know, in which "initial email address logon screen" is avoided is this :-
Windows PC is joined to the AD domain >> User logs on to windows using his\her AD credentials >> User launches Jabber >> Jabber auto-discovers AD and does a LDAP Bind with it using windows logon credentials >> Jabber gets UPN value for that user from the AD >> UPN Value is "userid@domain" >> Jabber does a DNS SRV service discovery on the 'domain' part >> And shows directly, the prompt to enter userid and password, if the service discovery on the 'domain' derived from UPN is successful.

The second possible scenario which I tried in my lab was with installer switches, for example :-
++ msiexec.exe /i CiscoJabberSetup.msi /quiet EXCLUDED_SERVICES=CUP,CUCM,WEBEX CUP_ADDRESS=cup101.domaina.support
But, still I could see the "initial email address logon screen", so this did not work.

Coming on to the next point, I believe the configuration URLs you have mentioned in your query, also known as the Jabber provisioning URL, are for Jabber on mobile devices and not for Jabber for Windows, as we cannot use installer switches with Jabber on mobile devices.

 

Q : So I would either like to be able to do the first time login with email address for UX purposes - but this means changing the IM address schema to directory uri. This option would be fine except UDS is not supported I believe and we need to also use MRA - am I correct?

<RT> : I can understand that users put their mail IDs instead of something like 'userid@domain' (where 'userid' is their sAMAccountName value), which is causing issues. So, you would like to set the IM Address Schema to "Directory URI" on the IM&P server, which in turn is set to 'mail' on the CUCM Pub. This is being done so that users can put their mail IDs into the "initial email address logon screen" (instead of 'userid@domain') and still be able to log in to Jabber.
<Let me know if my above understanding is incorrect>

If my above understanding is correct, then I believe changing the IM Address schema should not matter here. This is because a change in the IM Address Schema only affects the IM Address of the users and not their userids, and hence not the login format.

But when I was researching in my lab for your query, I saw that login with mail ID actually works. This is what I did :-

1) I have got CUCM/IM&P 10.5.1 and jabber windows 10.6.2 using _cisco-uds DNS SRV for login.

2) I have a user on CUCM (can be a local or LDAP synced), which is enabled for IM&P and which has a valid mail ID, with a valid service profile configured for it.

3) I delete jabber cache so that I login fresh.

4) On the "initial email address logon screen" I put the mail ID of the user. The domain in the mail ID is used for service discovery.

 

5) Service discovery completes and in the userid bar , I see the actual userid populated. When password is entered then login works.

As you can see above IM Address schema is still "userid@<Default domain>".

Going through the jabber logs , I see the UDS query (made by Jabber) making this difference is this :-

++ https://cucm101.domaina.support:8443/cucm-uds/clusterUser?email=bruce.wayne@domaina.support

And this is what CUCM responds back :-

<?xml version="1.0" encoding="UTF-8" standalone="true"?>
-<clusterUser uri="https://cucm101.domaina.support:8443/cucm-uds/clusterUser?email=bruce.wayne@domaina.support" version="10.5.1">
<result uri="https://CUCM101.domaina.support:8443/cucm-uds/user/567892" version="10.5.1" found="true"/>
<homeCluster serversUri="https://CUCM101.domaina.support:8443/cucm-uds/servers">CUCM101.domaina.support</homeCluster>
-<homeClusterDetails>
<selfProvisioningSecureMode>true</selfProvisioningSecureMode>
<adminProvisionMode>false</adminProvisionMode>
</homeClusterDetails>
</clusterUser>

You can see that CUCM is sending back https://CUCM101.domaina.support:8443/cucm-uds/user/567892 after finding the user with that mail ID, using which Jabber is populating the actual userid.

If you have CUCM 10.x and above, and the _cisco-uds DNS SRV configured, then you can also check the same and revert. You can put the same UDS query Jabber is making (as shown above) in a browser and replace it with your CUCM FQDN and the user's mail ID, to see if you get a similar response back from CUCM as the one shown above.
 

 

Q : Changing of IM Address schema to Directory URI on the IM&P server, and its support with UDS on Jabber.

<RT>: Jabber 10.6.0 and above supports "Flexible Jabber ID" and it is supported with UDS as well.
For more details, please see this post in this same discussion :-
https://supportforums.cisco.com/comment/10436601#comment-10436601


I hope the above information helps you.
Please do let us know, in case you have further queries.

 

Thanks,

Ritesh Tandon
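A parser for the `clusterUser` response quoted in the reply above, as an added example that is not Cisco code or part of the original post. As pasted, the response carries `-` fold markers and a `standalone="true"` declaration, which a strict XML parser rejects, so both are stripped first; the `trusted_domain` check on the URIs the server hands back is an assumption of this example, not documented Jabber behaviour.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Response exactly as pasted in the post above (fold markers included).
PASTED = '''<?xml version="1.0" encoding="UTF-8" standalone="true"?>
-<clusterUser uri="https://cucm101.domaina.support:8443/cucm-uds/clusterUser?email=bruce.wayne@domaina.support" version="10.5.1">
<result uri="https://CUCM101.domaina.support:8443/cucm-uds/user/567892" version="10.5.1" found="true"/>
<homeCluster serversUri="https://CUCM101.domaina.support:8443/cucm-uds/servers">CUCM101.domaina.support</homeCluster>
-<homeClusterDetails>
<selfProvisioningSecureMode>true</selfProvisioningSecureMode>
<adminProvisionMode>false</adminProvisionMode>
</homeClusterDetails>
</clusterUser>'''


def clean_pasted_xml(text):
    """Drop the XML declaration and the '-'/'+' fold markers before tags."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return re.sub(r"(?m)^\s*[-+]\s*(?=<)", "", text)


def parse_cluster_user(text, trusted_domain):
    """Extract the lookup result and check every URI the server returned."""
    root = ET.fromstring(clean_pasted_xml(text))
    if root.tag != "clusterUser":
        raise ValueError("unexpected root element: " + root.tag)
    result = root.find("result")
    home = root.find("homeCluster")
    info = {
        "found": result is not None and result.get("found") == "true",
        "user_uri": result.get("uri") if result is not None else None,
        "home_cluster": (home.text or "").strip() if home is not None else None,
        "servers_uri": home.get("serversUri") if home is not None else None,
        "problems": [],
    }
    trusted = trusted_domain.lower()
    for name in ("user_uri", "servers_uri"):
        uri = info[name]
        if uri is None:
            continue
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()  # host names are case-insensitive
        if parts.scheme != "https":
            info["problems"].append(name + ": not https")
        if host != trusted and not host.endswith("." + trusted):
            info["problems"].append(name + ": host outside " + trusted_domain)
    return info


if __name__ == "__main__":
    print(parse_cluster_user(PASTED, "domaina.support"))
```

An empty `problems` list means every URI in the response stays on HTTPS inside the expected domain, which is worth confirming before credentials are sent to the home cluster it names.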

Lee Marson
Level 5

Hello again :-)

What is the correct configuration to allow a secure connection to the LDAP server, please?

I configured a UC Profile for EDI using GC protocol TCP port 3268 with the use secure connection unchecked.

This works fine

To make the connection secure I set the port to 3269 protocol to SSL and checked the secure connection checkbox.

The client would not connect to the server.

Is there something that needs to be set elsewhere e.g on the AD server?

 

Thanks

Lee

Hi Lee,

 

Thank you for the query. The configuration is correct. However, the SSL connection needs the certificate from AD server to be trusted by the Windows OS/Jabber client. Is the AD server's certificate CA signed?

Please run the packet capture on the PC and log in to the Jabber client. Analysing the capture will confirm if the TLS connection is established between the AD server and the Jabber client. Please provide me the capture as well as the PRT from the Jabber client. Also, please provide me a screen shot of the Enhanced Directory UC profile and the Service profile.

 

Regards

Nirmal Issac

 

 

pjandrasits
Level 1

Hello,

Is there any possibility to provide different DirLookupDialRules.xml to JfW clients, similar to configurable path at Jabber for Tablet (Directory Lookup Rules URL)?
We want to implement IM&P for two tenants on one system with a common synchronized AD, where phone numbers are serviced in full E164 format.
The phone lines are configured with four-digit extension numbers in the appropriate partition of the tenant, and they are partially overlapping with the other tenant.
Therefore I can't use the directory lookup dial rules configuration in CUCM administration for conversion from extensions to full external numbers, because I can't separate between tenants.
Since there are separate subscriber TFTPs for the second tenant, I tried to replace DirLookupDialRules.xml in its CUPC subdirectory with appropriate rules, but it seems to be write protected.


Best regards

Patrik

Hi Patrik,

 

Thank you for the query. I checked this in my lab and unfortunately there isn't any way to get over this limitation with CSF devices.  The custom Directory rule URL feature is only available with mobile clients.

The only way I can think of would be populating the ipPhone attribute in AD with the 4 digit extension, and configuring the Jabber client to map the phone number field to the ipPhone attribute in AD. This would be easier if the field can be edited in bulk in AD.

I will raise an enhancement request so that the feature would be considered by the Development team to be included in the upcoming releases of CUCM server / Jabber client.

Please let me know if you have any additional queries.

Regards

Nirmal Issac
