Jabber LDAP_UseCredentialsFrom parameter

wimarques

Dear Community,

I'm having a hard time trying to use LDAP_UseCredentialsFrom = CUCM in my Jabber Config.xml.

What I'm trying to do is to create a Jabber config for non-domain-joined users.

I don't want to use a common LDAP account or LDAP anonymous binding, so reusing CUCM credentials (which are synced from LDAP) sounds like a good idea at first.

The documentation is not really clear about how to use this setting.

On the Call Manager side, the Directory UC service is configured as secure LDAP.

In the service profile, "Use User Credentials" is unticked.

I'm using Jabber 12.5 and CUCM 12.5 in a lab environment.

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <LDAP_UseCredentialsFrom>CUCM</LDAP_UseCredentialsFrom>
    <LdapUserDomain>ad.example.com</LdapUserDomain>
    <UseSipUriToResolveContacts>true</UseSipUriToResolveContacts>
    <SipUri>mail</SipUri>
    <DirectoryUri>mail</DirectoryUri>
  </Directory>
</config>

The CUCM UserID is mapped to sAMAccountName in AD.

If anyone has already made this work, any help would be really appreciated.

Regards

7 Replies

CUCM credentials are referred to as "UDS". If you have a Directory entry for user lookups it may very well be UDS as well.

Try that and let us know.

Maren

Hi,
Thanks for taking the time to help.
Not sure I understand; do you suggest ticking UDS in the service profile?

wimarques

I checked the Jabber logs and I can see that the parameter is successfully validated:

[ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [LDAP_UseCredentialsFrom] skipLocal : [0] value: [CUCM] success: [true] configStoreName: [TftpConfigStore]
[CredentialsSyncer] [CSFUnified::CredentialsSyncer::Impl::getDynamicCredentialsConfigMasterName] - Sync key for LDAP has been configured to be CUCM, so redirect it to CUP


With unsecured LDAP, I took a network capture where I can see that LDAP binding is not happening. Same in the Jabber logs.
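A small troubleshooting helper, added here as an example and not code from the thread or from Cisco, that parses the Directory section of a jabber-config.xml and cross-checks it against the ConfigStoreManager getValue lines in the Jabber log, so you can confirm which TFTP-delivered settings the client actually loaded before looking for a missing LDAP bind. The XML and log excerpt are constructed samples modelled on the ones in this post.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample jabber-config.xml (Directory section only, as in the post).
JABBER_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
  <Directory>
    <LDAP_UseCredentialsFrom>CUCM</LDAP_UseCredentialsFrom>
    <LdapUserDomain>ad.example.com</LdapUserDomain>
  </Directory>
</config>"""

# Constructed log excerpt in the format the post quotes (one getValue line per key).
JABBER_LOG = """[ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [LDAP_UseCredentialsFrom] skipLocal : [0] value: [CUCM] success: [true] configStoreName: [TftpConfigStore]
[ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [LdapUserDomain] skipLocal : [0] value: [ad.example.com] success: [true] configStoreName: [TftpConfigStore]
[CredentialsSyncer] [CSFUnified::CredentialsSyncer::Impl::getDynamicCredentialsConfigMasterName] - Sync key for LDAP has been configured to be CUCM, so redirect it to CUP"""

GETVALUE_RE = re.compile(
    r"getValue\] - key : \[(?P<key>[^\]]+)\] skipLocal : \[(?P<skip>\d)\] "
    r"value: \[(?P<value>[^\]]*)\] success: \[(?P<ok>true|false)\] "
    r"configStoreName: \[(?P<store>[^\]]+)\]"
)

def directory_settings(xml_text):
    """Return the <Directory> child elements of a jabber-config.xml as {tag: text}."""
    d = ET.fromstring(xml_text.encode("utf-8")).find("Directory")
    return {} if d is None else {el.tag: (el.text or "").strip() for el in d}

def loaded_values(log_text):
    """Map each key the client resolved via getValue to (value, success, store)."""
    return {m["key"]: (m["value"], m["ok"] == "true", m["store"])
            for m in GETVALUE_RE.finditer(log_text)}

def check_config_delivery(xml_text, log_text):
    """Per Directory key: 'ok', 'missing' (no getValue line), 'failed' or 'mismatch'."""
    loaded = loaded_values(log_text)
    report = {}
    for key, expected in directory_settings(xml_text).items():
        if key not in loaded:
            report[key] = "missing"
        else:
            value, ok, store = loaded[key]
            report[key] = ("ok" if ok and value == expected and store == "TftpConfigStore"
                           else "failed" if not ok else "mismatch")
    return report

def ldap_credentials_redirected(log_text):
    """True when CredentialsSyncer reports the LDAP sync key was redirected (CUCM -> CUP)."""
    return "Sync key for LDAP has been configured to be CUCM" in log_text
```

Run it against the real jabber-config.xml pulled from TFTP and the client's log to see whether the settings you expect were actually loaded, and whether the credential source was redirected as the post's log shows.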
I apologize. I completely misread your question.

If I understand (and correct me if I'm wrong), you have users in CUCM who are LDAP Sync/Auth'ed. You want them to use CUCM credentials instead of their LDAP credentials for LDAP-based Directory Services? (I don't understand that so I must be getting it wrong.)

Something to know: Once a user is LDAP Auth'ed, CUCM will throw out any previously configured local password for that account. Additionally, CUCM does not maintain a password for that user, nor does it cache the LDAP password that the user enters when they log into Jabber. CUCM will verify the username/password combination with the LDAP server and then throw them away.

The way to do what you are looking for is (I believe) to tick the "Use User Credentials" checkbox. This should work whether the underlying PC is joined to the domain or not. (Again, if I'm reading your scenario correctly.)

Is this what you are looking to do? If not, can you give a "John Doe uses Jabber to log in with such-and-such credentials and then I want....." explanation of your environment?

Maren

Hello,
Yes, my CUCM users are LDAP synced/authenticated. It happens that they use non-domain-joined workstations (let's say, as if they sometimes use a Mac in an enterprise Windows environment). On that workstation they do not use their personal creds to log into Windows. In that scenario "Use User Credentials" does not work. In this case I usually configure BDI or anonymous LDAP binding, securing them by adding TLS/SSL negotiation with the LDAP server.
Now, why would I use a common/anonymous account to log in if this parameter allows me to reuse CUCM users' credentials? So from my understanding, this parameter allows reusing CUCM credentials to search in the LDAP directory, BUT when I checked the logs I noticed that Jabber didn't try at all to bind to the LDAP server. Don't know why it behaves like that, probably because this setting must be used in a particular way with a specific Service Profile configuration, but I haven't figured it out for the moment. So if someone has an idea/advice.

Hmmm.....

According to the On-Premises Deployment for Cisco Jabber 12 - Chapter: Contact Source:


[screenshot: 1.jpg]

So that should work as long as you specify the correct LDAP server and Search Base in the Service Profile.

I'm wondering if your previous attempt at using the jabber-config.xml file did not work because:


[screenshot: 1.jpg]

So try a specific Service Profile for your non-domain-joined users, with the Directory information set up with the IP/DNS name of the LDAP server, with a User Search Base, and with "Use Logged On User Credential" ticked and UDS unticked.

In the Jabber log it references "redirect it to CUP". Do you have an IMP server integrated in your lab?

Maren

I'll give it a try and hope I'll come back to you by tomorrow.