Using an LDAP Directory for Cisco PCA Authentication in Cisco Unity Version 5.0(1)
This document contains information about the LDAP-authentication feature in Cisco Unity version 5.0(1).
This first-look feature is not officially supported by Cisco TAC and is provided to customers to demonstrate functionality that may be included in a subsequent release. Customers are welcome to sample the feature with a small number of users—with the understanding that functionality may be limited. We strongly recommend against using the feature widely in a production environment.
About LDAP Authentication
Many companies use user-authentication systems other than Active Directory or Domino. Deploying Cisco Personal Communications Assistant is inconvenient for these companies because they would have to maintain two user databases and train users on using two sets of credentials. In addition, some companies use single sign-on for their web applications and want Cisco PCA to also support single sign-on.
Almost all popular directories are LDAP based or support LDAP. Providing a method for users to sign in to Cisco PCA using their existing LDAP credentials makes Cisco PCA more attractive for customers.
Configuring LDAP Authentication
Configuring LDAP authentication is a two-step process:
• Configure Cisco Unity to access an LDAP server.
• Associate Cisco Unity subscribers with LDAP users.
The Cisco Unity LDAP Authentication Setup wizard guides you through the entire process.
Note: If you later want to associate additional Cisco Unity subscribers with LDAP users, you must click through the screens for configuring Cisco Unity before you can configure subscribers. The wizard retains the values from the last time you ran it, so you do not have to re-specify values when you just want to configure subscribers.
To Configure Cisco Unity to Access an LDAP Server and Configure Cisco Unity Subscribers to Use LDAP Authentication
Step 1 Browse to the CommServer\TechTools directory, and run UnityLDAPAuthSetup.exe.
Step 2 On the first page of the Cisco Unity LDAP Authentication Setup wizard, check the Enable LDAP Authentication check box, and click Next.
Step 3 On the Server Information page, enter the applicable values:
a. In the LDAP Server field, enter the IP address or the fully qualified domain name of the LDAP server that you want Cisco Unity to use for authentication.
b. In the LDAP Port Number field, enter the TCP/UDP port number that Cisco Unity uses to communicate with the LDAP server.
c. Click Connect Using Plain TCP Connection (No Encryption).
Caution: User names and passwords will be sent over the network in plain text.
Step 4 Click Next.
Step 5 On the Connecting to the LDAP Server page, enter the applicable values:
a. Do not check either of the check boxes at the top of the page. Options for allowing anonymous searches and for using encryption prior to binding may not function properly.
b. In the Authentication Method list, click Use a Different NT Account.
c. In the User Name, Password, and Domain fields, enter the credentials of an administrator account on the LDAP server.
Step 6 Click Next, and click Yes to confirm that you want to configure LDAP authentication without SSL encryption.
Step 7 On the User Search Options page, enter the applicable values:
a. In the Distinguished Name of the Entry at Which to Start the Search field, enter the distinguished name of the LDAP container or server to search for users to associate, for example:
b. In the Scope list, do not choose an option.
c. In the User Prompt field, enter the field name that you want to appear on the Cisco PCA logon page for the field where users enter their logon name, for example, User Name or Logon Name.
d. In the Search by Field prompt, enter the LDAP property that is associated with the logon name that users enter.
Step 8 Click Next.
Step 9 Click Apply, and click Yes to display the page for configuring subscribers.
Step 10 On the Associate LDAP Objects page, double-click the name of the first Cisco Unity subscriber that you want to associate with a user in the LDAP database.
Step 11 On the Search LDAP for Subscriber page, enter the applicable values:
a. In the Search By Field, enter the name of the field in the LDAP database that you want to use to locate a user, for example, alias.
b. In the For field, enter the value that you want to search for in the field that you specified in Step a. For example, if you entered “alias” for the Search By Field and you want to find the user whose alias is HSimpson, you would enter HSimpson in the For field. The asterisk (*) is supported as a wildcard, so you could also enter:
– *son
– *Simp*
– HSimp*
Limit the number of records returned as much as possible. If the results from a search exceed approximately 10 records, an error is returned instead of the records.
Step 12 Click Go.
Step 13 In the list at the bottom of the page, click the LDAP user who you want to associate with the Cisco Unity subscriber you chose in Step 10.
Step 14 Click Associate.
Step 15 Repeat Step 10 through Step 14 to associate the rest of the Cisco Unity subscribers with LDAP users.
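As an added example (not Cisco's code, and not what the wizard itself runs), the subscriber lookup of Step 11 reduced to the two points a defender cares about: the typed For value is escaped per RFC 4515 so that only the asterisk acts as a wildcard, and a result set above the wizard's limit of roughly 10 records is rejected instead of returned. The directory, the attribute name alias and the DNs are constructed sample data.

```python
"""Search-by-field lookup with wildcard support and a result-count limit.
Added example; the directory below is constructed, not a real LDAP server."""
import re

MAX_RESULTS = 10  # the wizard returns an error instead of records above ~10

# RFC 4515 escapes for a filter assertion value. '*' is deliberately left
# alone so that '*son', '*Simp*' and 'HSimp*' keep working as wildcards.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


class TooManyResults(Exception):
    """Raised when a search would exceed MAX_RESULTS, as the wizard does."""


def escape_value(value):
    """Escape everything except '*', so a typed value cannot close or extend the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute, value):
    """Combine the Search By Field attribute and the For value into one LDAP filter."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"not an attribute name: {attribute!r}")
    return f"({attribute}={escape_value(value)})"


def _matches(attr_value, pattern):
    """LDAP substring semantics: '*' matches any run, other characters literally, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, attr_value, re.IGNORECASE) is not None


def search(directory, attribute, value):
    """Return the DNs matching the filter, or raise once the wizard's limit is exceeded."""
    build_filter(attribute, value)  # validates the attribute name before any lookup
    hits = [e["dn"] for e in directory if _matches(str(e.get(attribute, "")), value)]
    if len(hits) > MAX_RESULTS:
        raise TooManyResults(f"{len(hits)} records match; narrow the search")
    return hits


# Constructed sample directory standing in for the real LDAP server.
SAMPLE_DIRECTORY = [
    {"dn": f"cn={a},ou=people,dc=example,dc=com", "alias": a}
    for a in ["HSimpson", "MSimpson", "BSimpson", "LSimpson", "NFlanders", "MBurns"]
] + [{"dn": f"cn=user{i:02d},ou=bulk,dc=example,dc=com", "alias": f"user{i:02d}"} for i in range(1, 13)]

if __name__ == "__main__":
    print(build_filter("alias", "HSimp*"))
    print(search(SAMPLE_DIRECTORY, "alias", "*Simp*"))
```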
Using LDAP Authentication
To users logging on to the Cisco PCA, the only difference between Active Directory/Domino authentication and LDAP authentication is that the Cisco PCA logon page does not include a Domain field when LDAP authentication is configured.
Only the documented method for configuring LDAP authentication is known to work. Other configuration options may or may not work.
SSL encryption only works with some combinations of options, so credentials may be sent over the network in plain text.
After you configure one or more subscribers for LDAP authentication, you must restart the Cisco Unity server.