
Jabber for Windows and LDAP authentication and attribute mapping

jbaly
Level 4

We have a customer running CCM 7.1.3 and CUPS 8.6.4. CUPC works fine, but now they want Jabber for Windows.

Question 1. Does "Use LDAP Authentication for End Users" have to be selected in CCM?

Question 2. Can they continue to map "UserID" to "employeeNumber" or must it be "sAMAccountName"? (employee number makes EM easier!)

James


Jonathan Schulenberg
Hall of Fame

LDAP Authentication of End Users in CUCM is strongly recommended for CUPC/Jabber. When you login to CUPC/Jabber it authenticates against CUCM. If LDAP doesn't have the same password (i.e. CUCM isn't synced from LDAP) the client won't be able to do LDAP queries if using BDI. This is because it re-uses the same credentials when it attempts to bind to LDAP. If Jabber is configured for EDI, which is only even possible on Jabber for Windows running on domain-joined workstations, then this is not as critical since it would use the Windows ADSI API in the context of the logged-in user. Using EDI exclusively would rule out Jabber for Mac, iOS, Android, and Windows on a non-domain joined workstation though.

As for usernames: You can continue to use employeeNumber if you wish. You'll need to ensure that the jabber-config.xml file maps the username to this value for everything to work. Note that this will be their XMPP URI: 123456@domain.com so be sure that you're comfortable with employee numbers being public.

Please remember to rate helpful responses and identify helpful or correct answers.

Just to clarify, CCM is synced to LDAP - with UserID mapped to employeeNumber (which is their DN number). In CCM, LDAP Authentication is currently set to off. My understanding is that if we turn this on - we can only use sAMAccountName, as LDAP cannot authenticate against other fields. Hence, we'd like to keep it off.

As we are on CCM 7.1 we need to use EDI as UDS is not available until 8.6. I've created the following xml file:

EDI

0

192.168.x.x

3268

dc=xx,dc=xx,dc=xx

1

employeeNumber

ipPhone

telephoneNumber

mobile

presence

Should this work okay?

James

Update: This is now working fine. CCM authentication to LDAP is off. User ID is mapped to employeeNumber. The only change was this line in the config file:

employeeNumber

changed to

employeeNumber

Does Directory Search work with this mapping? Thanks.

I'm having some issues that seem like this one.

CUCM and CUPS on 8.6

My UserID on CUCM is "employeeNumber" instead of sAMAccountName.

And I am using LDAP authentication too.

The problem is when logging into Jabber for Windows.

On Jabber login I am using the employeeNumber as User, and the Network password which is set on AD.

First problem is that it is taking too long to log in and sometimes it doesn't, it gives a "can't communicate to server/timeout".

When you are able to login, instead of bringing the name of the person, it is getting "employeeNumber@domain.com".

And also, I cannot find other online people.

The LDAP search seems to be ok, the problem seems to be that the CUPS is not correlating the employeeNumber login with the actual user, since I can find myself on the search and it shows me as offline.

Any ideas on this?

Thanks.

Hi Bruno,

Have you configured the jabber-config.xml accordingly? Check this part of the configuration guide

http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_2/JABW_BK_C9731738_00_jabber-windows-install-config_chapter_0101.html#JABW_RF_AA1BEF05_00

You need to tell jabber to use the employeenumber as the user id

attribute-name

Regards,

Christos

Hello Christos,

Not sure why your post is not showing up here, but yes, I did this as part of researching.

The jabber-config.xml file I've uploaded is this one at this point:

-------------------

   CUPS.domain

   domain.com

   10.10.60.10

   10.10.60.11

   10.10.60.10

   10.10.60.11

   10.10.60.10

   10.10.60.11

   LDAPserver.domain.com

   3268

   DC=domain,DC=com

   ipPhone

   employeeNumber

   false

-----------------------

I also tried changing the "UserID" field under Application --> Cisco Jabber --> Settings on CUPS admin to "employeeNumber" too.

But I still can't see anyone online and not getting the name.

Hi Bruno,

Not sure why it was deleted indeed. I see that you don't have any userid to authenticate to directory. Usually we use the ConnectionUsername and ConnectionPassword for this. In the sniffer capture do you see any issues binding to active directory?

Next step would be to check the jabber problem report.

Regards,

Christos

I assume that is because I was on the default "UseWindowsCredentials" setting.

To be sure I modified that also, as I understood from documentation, this user is a general user with read-only privileges right?

This is what I added on the XML file:

0

cisco.cupuser    !8c5∪

Still the same issue.

There is no problem reported on the Jabber client, in fact, Connection Status shows everything Successfully connected, including Directory.

The sniffer you mentioned would be on the end user desktop?

Do you know already some sort of filter I can use to look at that?

Thanks.

I guess I did find something on the cs-unfied.log from Problem report on client.

I see the following line:

[csf.person.adsource]  [WriteLogMessage] - Query::RunQuery - [LDAP-FILTER] Executing query  with filter: (&(objectCategory=person)(sAMAccountName=8262))

Obviously it won't find any user on that sAMAccountName, and after that I have:

[ceareaplugin\PresenceAreaWindow.cpp(318)]  [plugin-runtime] [OnClientUserDisplayNameChanged] - Setting new display  name: 8262@domain.local

I think I need to find a way to make this query on employeeNumber instead of sAMAccountName, but I still don't see where and why it is doing this Query.
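The log check described in the post above, as an added example that is not part of the original thread: it parses the `[LDAP-FILTER]` line from the client log and reports every query that searches for the login ID under an attribute other than the one CUCM uses as UserID. The function names are hypothetical, and the filter parser covers plain RFC 4515 filters only (no extensible-match rules).

```python
import re

# Captures the filter text that follows the [LDAP-FILTER] marker in a log line.
FILTER_LINE = re.compile(r"\[LDAP-FILTER\].*?with filter:\s*(\(.*)$")

def parse_filter(text, pos=0):
    """Parse an RFC 4515 filter; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)  # a literal ')' inside a value is escaped as \29
    attr, _, value = text[pos:end].partition("=")
    return ("item", attr.rstrip("~<>:").strip(), value), end + 1

def items(node):
    """Yield (attribute, value) for every leaf of a parsed filter."""
    if node[0] == "item":
        yield node[1], node[2]
    else:
        for child in node[1]:
            yield from items(child)

def wrong_attribute_lookups(lines, login_id, expected_attr):
    """Return (line_no, attribute) where login_id is searched under another attribute."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = FILTER_LINE.search(line)
        if not match:
            continue
        try:
            tree, _ = parse_filter(match.group(1))
        except (ValueError, IndexError):  # truncated or malformed filter
            hits.append((line_no, "<unparsable>"))
            continue
        hits += [(line_no, attr) for attr, value in items(tree)
                 if value == login_id and attr.lower() != expected_attr.lower()]
    return hits

# The log line quoted in the post above, copied as posted.
SAMPLE = "[csf.person.adsource]  [WriteLogMessage] - Query::RunQuery - [LDAP-FILTER] Executing query  with filter: (&(objectCategory=person)(sAMAccountName=8262))"
print(wrong_attribute_lookups([SAMPLE], "8262", "employeeNumber"))
```
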

Bruno,

I managed to map the employee ID attribute to the account name by using the jabber-config XML file. One thing to check is to see whether the Windows client is receiving the jabber file correctly. You can find this under the app data folder which is a hidden directory under the user folder within the C drive. Once there go to the Cisco jabber roaming settings. When you start the client from fresh the file should get written to that directory and you can read it in notepad etc.

James

That's a good idea. The full path for the jabber-config.xml in win7 is the following

C:\Users\userid\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config

You might want to delete the cache just in case. Simply delete the following folders

C:\Users\userid\AppData\Roaming\Cisco\Unified Communications\Jabber

C:\Users\userid\AppData\Local\Cisco\Unified Communications\Jabber

HTH,

Christos
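An added example, not part of any post in this thread: a check of the cached jabber-config.xml (the path given above) for the directory bind settings named earlier in the discussion, UseWindowsCredentials, ConnectionUsername and ConnectionPassword. Because the file is cached on each workstation, a password in it is readable there. The function name, the sample XML and its `<config>`/`<Directory>` nesting are assumptions.

```python
import xml.etree.ElementTree as ET

def directory_bind_findings(xml_text):
    """Return a list of findings about how the client binds to the directory."""
    root = ET.fromstring(xml_text)
    # Collect element text by tag name wherever it is nested, case-insensitively.
    values = {el.tag.lower(): (el.text or "").strip() for el in root.iter()}
    # Assumption taken from the thread: Windows credentials are the default.
    use_windows = values.get("usewindowscredentials", "1")
    user = values.get("connectionusername", "")
    password = values.get("connectionpassword", "")
    findings = []
    if password:
        # Never echo the secret itself, only the account it belongs to.
        findings.append(f"clear-text ConnectionPassword for bind account '{user}'")
    if use_windows == "0" and not (user and password):
        findings.append("UseWindowsCredentials=0 without a full username/password pair")
    if use_windows != "0" and (user or password):
        findings.append("bind account configured but UseWindowsCredentials is not 0")
    return findings

# Constructed sample; account name and password are placeholders.
SAMPLE_CONFIG = """<config version="1.0">
  <Directory>
    <UseWindowsCredentials>0</UseWindowsCredentials>
    <ConnectionUsername>svc-example-ro</ConnectionUsername>
    <ConnectionPassword>EXAMPLE-ONLY</ConnectionPassword>
  </Directory>
</config>"""

for finding in directory_bind_findings(SAMPLE_CONFIG):
    print(finding)
```
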

Hi, the problem is almost fixed!

I had already done this checking on the xml and it was updating OK.

Reading another discussion I decided to change Directory from EDI (I guess it is the default) to UDS.

I still need to study to understand the differences between, but now I get the correct names displayed and can find and chat with other users.

The xml modification done was:

   UDS

   cisco.cupuser

   password

   http://domain.com/%%uid%%.jpg

Now the problem that remains is within the login, I need to try multiple times to get in.

Since my client is in Portuguese I'm not sure about the message in English, but it is something like this:

"Not able to communicate with server. Connection timeout"

I ended up opening a TAC before this last change since I was in a bit of a hurry, so let's see if I can get some help on this too.

Thanks all so far.

Hi Bruno,

Thanks for the information! However I don't see why this shouldn't work with EDI while it works with UDS. I can try to reproduce but you can pursue this with a separate SR if you want.

Regards,

Christos
