Using Directory Uri as login without changing cucm userid to mail

stephan.steiner · ‎04-03-2016

Hi

We have a 10.5.2 CUCM/CIMP setup that's integrated with Active Directory. And our customer isn't too happy about having to login into jabber using the scheme samaccountname@domain. We could change the AD sync to use the mail address as userid (right now it's set to use the samaccountname), but as we're also using CCX which does not support userids with an @, this is not the way to go.

So, is there a way for CIMP to accept the directory uri (which contains the email address) as login in Jabber (and especially Jabber Mobile.. we have the PC part handled with an SSO setup based on OpenAM)?

Thanks

Stephan

Suresh Hudda · ‎04-03-2016

I think you can do it by choosing "mail" attribute in Directory URI LDAP under system -> ldap -> ldap directory.

Suresh

stephan.steiner · ‎04-03-2016

Suresh

And which attribute would you set to mail? UserId is a nogo as I wrote above.. my CUCM userIds must remain samAccountNames.. but I wish to use the DirectoryUri (which is set to mail.. and I can find people in Jabber using their mail address) as a login.

Suresh Hudda · ‎04-03-2016

By default, the Jabber ID (JID) is based on the Unified CM User ID<uid>@xmpp domain. The flexible JID feature allows the JID to be constructed based on Directory URI field. The directory URI may be administratively mapped using the following LDAP synchronized data fields:
• mail
• msRTCSIP-PrimaryUserAddress
• Manually Configured by Administrator
This allows organizations to map user JIDs that align with the corporate naming address scheme in use. For example, a user’s JID (IM address) can be mapped to their E-Mail address using the mail parameter, effectively creating a single address for multi-modal communications.

Hope this helps.

Suresh

stephan.steiner · ‎04-04-2016

Hmm.. but the JID isn't necessarily the sign-in name, is it? I have configured my ldap sync to use samAccountName as mail as Directory URI. In Jabber, I can sign in using userid@domain or just userid (assuming SRV records are in place). Once logged in, Jabber shows the JID as being the email address. However, signing in with the email address does not work.. you get the usual "Your username or password is not correct" just as if you use an account that does not exist or mistype your login or password.

Using the configuration above, I can search users in jabber using their directory uri.. so it seems to do what it claims, but apparently the login isn't really the JID. Or is there an additional configuration parameter I have forgot? Is there perhaps something in the jabber.xml I also need to adjust?

I have a suspicion why this thing doesn't work.. I'm using ldap authentication for my users... so I suspect the authentication is made against AD using login and password I put into jabber and since UserId is mapped to samAccountName, the authentication component is checking if there's a user with samAccountName = the email I plug into Jabber and that doesn't work.

Ayodeji Okanlawon · ‎04-05-2016

Stephan,

The JID is the sign id credential for jabber. The default configuration for IM and P is to use userid@xmpp domain to authenticate users. If you want to deviate from this, and use directory uri to sign in, then you will need to use flexible JID feature. This requires quite a few configuration. Please refer to this thread for similar idea

https://supportforums.cisco.com/discussion/12944041/multiple-domain-name-configuration-im-presence

Please rate all useful posts