04-05-2019 01:54 AM
Dear Community,
I'm having a hard time trying to use LDAP_UseCredentialsFrom = CUCM in my Jabber Config.xml.
What I'm trying to do is to create a Jabber config for non-domain-joined users.
I don't want to use a common LDAP account or LDAP anonymous binding, so reusing CUCM credentials (which are synced from LDAP) sounds like a good idea at first.
Documentation is not really clear about how to use this setting.
On the Call Manager side, the Directory UC service is configured as secure LDAP.
In the service profile, "Use user Credentials" is unticked.
I'm using Jabber 12.5 and CUCM 12.5 in a lab environment.
<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <LDAP_UseCredentialsFrom>CUCM</LDAP_UseCredentialsFrom>
    <LdapUserDomain>ad.example.com</LdapUserDomain>
    <UseSipUriToResolveContacts>true</UseSipUriToResolveContacts>
    <SipUri>mail</SipUri>
    <DirectoryUri>mail</DirectoryUri>
  </Directory>
</config>
CUCM UserID is mapped to sAMAccountName in AD.
If anyone has already made this work, any help would be really appreciated.
Regards
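The post above wants per-user credential reuse rather than a shared LDAP account or anonymous binding. As an added example (not part of the original post and not Cisco's code), this Python check reads a jabber-config.xml and reports which bind source its Directory section selects. The function name is hypothetical, both sample configs are constructed, and ConnectionUsername, ConnectionPassword and UseAnonymousBinding are Jabber directory parameters that do not appear in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the credential-related keys from the post above.
POSTED = b"""<?xml version="1.0" encoding="utf-8"?>
<config version="1.0"><Directory>
<LDAP_UseCredentialsFrom>CUCM</LDAP_UseCredentialsFrom>
<LdapUserDomain>ad.example.com</LdapUserDomain>
</Directory></config>"""

# Constructed sample: the shared-account setup the poster wants to avoid.
SHARED = b"""<config version="1.0"><Directory>
<ConnectionUsername>svc-jabber@ad.example.com</ConnectionUsername>
<ConnectionPassword>not-a-real-password</ConnectionPassword>
<LDAP_UseCredentialsFrom>CUCM</LDAP_UseCredentialsFrom>
</Directory></config>"""

def audit_directory_credentials(xml_bytes):
    """Return (bind_source, findings) for the <Directory> section."""
    directory = ET.fromstring(xml_bytes).find("Directory")
    if directory is None:
        return "unspecified", ["no <Directory> section"]
    # Compare keys case-insensitively so a casing slip does not hide a setting
    # (a choice made for this audit, not a statement about Jabber's parser).
    p = {el.tag.lower(): (el.text or "").strip() for el in directory}
    reuse = p.get("ldap_usecredentialsfrom", "")
    embedded = bool(p.get("connectionusername") or p.get("connectionpassword"))
    anonymous = p.get("useanonymousbinding", "").lower() == "true"
    findings = []
    if embedded:
        findings.append("shared LDAP account embedded in the config file")
    if anonymous:
        findings.append("anonymous LDAP bind enabled")
    if sum([bool(reuse), embedded, anonymous]) > 1:
        findings.append("more than one credential source configured")
    if embedded:
        source = "embedded-account"
    elif anonymous:
        source = "anonymous"
    elif reuse:
        source = "reuse:" + reuse
    else:
        source = "unspecified"
    return source, findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("shared", SHARED)):
        print(name, audit_directory_credentials(cfg))
```

The check only classifies what the file asks for; whether the client actually binds still has to be confirmed from the Jabber logs or a capture, as done later in the thread.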
04-05-2019 04:50 AM
CUCM credentials are referred to as "UDS". If you have a Directory entry for user lookups it may very well be UDS as well.
Try that and let us know.
Maren
04-05-2019 05:09 AM
04-05-2019 07:28 AM
Checked Jabber logs and I can see that the parameter is successfully validated:
[ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [LDAP_UseCredentialsFrom] skipLocal : [0] value: [CUCM] success: [true] configStoreName: [TftpConfigStore]
[CredentialsSyncer] [CSFUnified::CredentialsSyncer::Impl::getDynamicCredentialsConfigMasterName] - Sync key for LDAP has been configured to be CUCM, so redirect it to CUP
Unsecured LDAP and took a network capture where I can see that LDAP binding is not happening. Same in Jabber logs.
04-05-2019 10:40 AM
I apologize. I completely misread your question.
If I understand (and correct me if I'm wrong), you have users in CUCM who are LDAP Sync/Auth'ed. You want them to use CUCM credentials instead of their LDAP credentials for LDAP-based Directory Services? (I don't understand that so I must be getting it wrong.)
Something to know: Once a user is LDAP Auth'ed, CUCM will throw out any previously configured local password for that account. Additionally, CUCM does not maintain a password for that user nor does it cache the LDAP password that the user enters when they log into Jabber. CUCM will verify the username/password combination with the LDAP server and then throw them away.
The way to do what you are looking for is (I believe) to tick the "Use User Credentials" checkbox. This should work whether the underlying PC is joined to the domain or not. (Again, if I'm reading your scenario correctly.)
Is this what you are looking to do? If not, can you give a "John Doe uses Jabber to log in with such-and-such credentials and then I want....." explanation of your environment?
Maren
04-08-2019 01:32 AM
04-08-2019 05:12 AM - edited 04-08-2019 05:26 AM
Hmmm.....
According to the On-Premises Deployment for Cisco Jabber 12 - Chapter: Contact Source:
So that should work as long as you specify the correct LDAP server and Search Base in the Service Profile.
I'm wondering if your previous attempt at using the jabber-config.xml file did not work because:
So try a specific Service Profile for your non-domain-joined users with the Directory information set up with the IP/DNS name of the LDAP server, with a User Search Base, and with the "Use Logged On User Credential" ticked, UDS unticked.
In the Jabber log it references "redirect it to CUP". Do you have an IMP server integrated in your lab?
Maren
04-08-2019 06:35 AM