This document describes the steps required to configure LDAPv3 integration in CUCM.
LDAPv3 integration allows end users to be synchronized from a centralized user database to CUCM’s local LDAPv3-compliant database, which is part of the IBM Informix Database Server (IDS). LDAPv3 integration is useful when there is an existing LDAPv3 directory that already holds all the user information. LDAPv3 user synchronization is only used to synchronize end users; application users are always provisioned locally in the CUCM LDAPv3 IDS. LDAPv3 authentication can be enabled in addition to LDAPv3 synchronization. LDAPv3 authentication passes any password-based login request through the CUCM server to the LDAPv3 server, where the user login is authenticated (pass-through authentication). LDAPv3 authentication has the benefit of maintaining one central password database: CUCM does not replicate the passwords that are configured in the central LDAPv3 directory.
LDAPv3 synchronization replicates personal and organization user data to the CUCM database. The personal and organizational user data cannot be modified from CUCM administration after LDAPv3 synchronization is enabled. Personal and organizational user data must be modified on the LDAPv3 server by the LDAPv3 administrator, and resynchronization must occur before the changes are reflected in CUCM.
Integration between voice applications and a corporate LDAPv3 directory is a common task for many enterprise IT organizations. Microsoft Active Directory integrations are by far the most popular in the United States, but various LDAPv3 solutions are supported. Various versions of the Netscape, Sun One, and OpenLDAP LDAPv3 directories are also supported.
CUCM supports two types of LDAPv3 integration. LDAPv3 authentication requires LDAPv3 synchronization to be turned on.
■ LDAPv3 synchronization: All end users’ personal and organizational data is managed in the LDAPv3 directory and synchronized (replicated) to the CUCM IDS database. Directory requests are processed locally on CUCM after synchronization has taken place. Various end-user configuration settings will no longer be available to change in CUCM Administration.
■ LDAPv3 authentication: Allows user authentication against an LDAPv3 directory. Passwords are managed in the central LDAPv3 server when LDAPv3 authentication is turned on. The password configuration settings will no longer be available through CUCM Administration.
The synchronization process is as follows:
1. At the beginning of the synchronization process, all existing CUCM end-user accounts are deactivated.
2. User accounts that exist in both the LDAPv3 directory and the CUCM user database are reactivated, and their settings are updated with any differences found on the LDAPv3 server.
3. LDAPv3 user accounts that exist in LDAPv3 only are added to the CUCM database and activated.
4. Deactivated accounts are purged from the CUCM database after 24 hours.
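The four-step reconciliation above, written out as an added example (this is editor-supplied Python, not Cisco DirSync code): every existing end user is deactivated, users still present in LDAP are reactivated with refreshed attributes, LDAP-only users are added, and accounts that stay deactivated for 24 hours are purged. The user records and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PURGE_AFTER = timedelta(hours=24)  # deactivated accounts are purged after 24 hours (step 4)

@dataclass
class EndUser:
    user_id: str
    attrs: Dict[str, str]
    active: bool = True
    deactivated_at: Optional[datetime] = None

def synchronize(cucm: Dict[str, EndUser], ldap: Dict[str, Dict[str, str]], now: datetime) -> Dict[str, EndUser]:
    """One DirSync pass: cucm maps user ID -> EndUser, ldap maps user ID -> attributes read from the directory."""
    for u in cucm.values():               # step 1: deactivate every existing end-user account
        if u.active:
            u.active, u.deactivated_at = False, now
    for uid, attrs in ldap.items():
        if uid in cucm:                   # step 2: present on both sides: reactivate, apply updated settings
            cucm[uid].active, cucm[uid].deactivated_at = True, None
            cucm[uid].attrs = dict(attrs)
        else:                             # step 3: present only in LDAP: add and activate
            cucm[uid] = EndUser(uid, dict(attrs))
    return cucm

def purge_deactivated(cucm: Dict[str, EndUser], now: datetime) -> List[str]:
    """Step 4: remove accounts that have stayed deactivated for 24 hours; returns the purged user IDs."""
    purged = sorted(uid for uid, u in cucm.items()
                    if not u.active and u.deactivated_at is not None and now - u.deactivated_at >= PURGE_AFTER)
    for uid in purged:
        del cucm[uid]
    return purged

def run_example() -> dict:
    """Constructed sample data (not from the page): alice changed in LDAP, bob removed from LDAP, carol new."""
    t0 = datetime(2024, 1, 1, 8, 0)
    cucm = {"alice": EndUser("alice", {"sn": "Smith", "telephoneNumber": "1001"}),
            "bob": EndUser("bob", {"sn": "Jones", "telephoneNumber": "1002"})}
    ldap = {"alice": {"sn": "Smith-Lee", "telephoneNumber": "1001"},
            "carol": {"sn": "Diaz", "telephoneNumber": "1003"}}
    synchronize(cucm, ldap, t0)
    active = sorted(uid for uid, u in cucm.items() if u.active)
    purged_early = purge_deactivated(cucm, t0 + timedelta(hours=23))  # bob is still recoverable
    purged_late = purge_deactivated(cucm, t0 + PURGE_AFTER)           # bob is gone for good
    return {"active": active, "alice_sn": cucm["alice"].attrs["sn"],
            "purged_early": purged_early, "purged_late": purged_late, "remaining": sorted(cucm)}
```

The 24-hour window is what lets a user who was removed from the directory by mistake be restored by a resynchronization before the CUCM record is lost.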
Synchronization Best Practices
The account that CUCM uses to read the LDAPv3 directory should be configured in the following way:
■ Create a dedicated account used only for synchronization. Set the LDAPv3 server permissions for this account to read-only (or a higher permission level) for all user objects located below the user search bases specified in the synchronization agreements. The password of the account should be set to never expire, because this is a service-level account that will not receive a password-change notification upon logging in to the system. Password change permission exceptions are normally performed for cross-server authentication purposes.
When LDAPv3 authentication is enabled, CUCM performs the following tasks:
■ End-user passwords are authenticated against the corporate directory.
■ End-user passwords are managed in LDAPv3. CUCM Administration will no longer include a password option. Passwords must be changed on the LDAPv3 server.
■ End-user passwords are stored only in LDAPv3.
Application users are still authenticated against the local CUCM LDAPv3 database. Application-user passwords, end-user PINs, and other CUCM user settings are stored only in the local CUCM database.
It is best practice to configure CUCM to query a Microsoft Active Directory (AD) Global Catalog (GC) server for faster response times. Configure the LDAPv3 server information on the LDAPv3 Authentication page to point to the IP address or host name of a domain controller that has the Global Catalog role enabled, and configure the LDAPv3 port as 3268. This will enable queries against a Microsoft Global Catalog server.
The use of Global Catalog for authentication becomes more efficient if the users belong to multiple Microsoft AD domains. It allows CUCM to authenticate users immediately without having to follow referrals. Point CUCM to a Global Catalog server and set the
LDAPv3 Authentication Configuration
The LDAPv3 authentication configuration procedure includes the following steps:
Step 1. Add the CUCM directory user and assign administrator access rights in the
Step 2. Configure LDAPv3 authentication. CUCM Administration: Choose System > LDAPv3 > LDAPv3 Authentication to configure the CUCM directory user configured in the LDAPv3 directory, the user search base, and the LDAPv3 server(s). Select the Use LDAP Authentication for End Users check box, as shown in Figure 4-19. The example would only authenticate users in the EastFishkill organizational unit of the WPHC.sanester domain.
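The pass-through login described in this section (service-account lookup below the user search base on the Global Catalog port, then a bind as the located user), as an added example written by the editor rather than taken from CUCM. It assumes the ldap3 package is installed; the host name, DNs and credentials are constructed placeholders built on the page's WPHC.sanester example, and the filter escaping is an editor-added check so a typed login name cannot alter the search.

```python
"""Pass-through end-user login check modelled on the CUCM LDAP authentication flow.

Assumptions not taken from the page: the ldap3 package is installed, and every host name,
DN and credential below is a constructed placeholder for the WPHC.sanester example domain.
"""
GC_HOST = "gc.wphc.sanester"   # placeholder: a domain controller holding the Global Catalog role
GC_PORT = 3268                 # Global Catalog LDAP port named on the page (3269 is the TLS variant)
SEARCH_BASE = "OU=EastFishkill,DC=WPHC,DC=sanester"   # user search base from the page's example
USERID_ATTR = "sAMAccountName"                         # LDAP attribute mapped to the CUCM user ID
BIND_DN = "CN=cucm-dirsync,OU=Service Accounts,DC=WPHC,DC=sanester"  # placeholder read-only service account
BIND_PW = "placeholder-service-password"

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def user_filter(user_id: str) -> str:
    """Filter that locates exactly the user object whose mapped user-ID attribute equals user_id."""
    return "(&(objectClass=user)(%s=%s))" % (USERID_ATTR, escape_filter(user_id))

def authenticate_end_user(user_id: str, password: str) -> bool:
    """Look the user up with the service account, then bind as that user's DN with the supplied password."""
    from ldap3 import Connection, Server

    if not password:          # an empty password is an anonymous (unauthenticated) bind, never a login success
        return False
    server = Server(GC_HOST, port=GC_PORT)
    svc = Connection(server, user=BIND_DN, password=BIND_PW, auto_bind=True)
    try:
        svc.search(SEARCH_BASE, user_filter(user_id), attributes=[USERID_ATTR])
        if len(svc.entries) != 1:   # unknown user, or an ambiguous match: treat both as failure
            return False
        user_dn = svc.entries[0].entry_dn
    finally:
        svc.unbind()
    user_conn = Connection(server, user=user_dn, password=password)
    try:
        return user_conn.bind()   # the directory checks the password; CUCM keeps no copy of it
    finally:
        user_conn.unbind()
```

Because the service account only ever searches, its read-only permission below the search base is all the lookup needs; the user's own password is only ever used for the second bind.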
LDAPv3 Synchronization Configuration
The LDAPv3 synchronization configuration procedure includes the following steps:
Step 1. Add CUCM directory users and assign administrator access rights in the
LDAPv3 directory (depends on LDAPv3 directory server).
Step 2. Activate the Cisco DirSync service. Its service parameters are tuned under System > Service Parameters: choose the Cisco DirSync service from the appropriate server. The service parameters include the maximum number of synchronization agreements, hosts (directory servers), and several timers. Tuning them is not required in most deployments, but might be required in larger environments where LDAP system tuning is important because of the size of the system (scalability).
Step 3. Configure the LDAPv3 system. CUCM Administration: Navigate to System > LDAPv3 > LDAPv3 System to configure the LDAPv3 server type (Microsoft Active Directory or other) and the LDAPv3 attribute that should be mapped to the CUCM user ID (many times, this is sAMAccountName).
Step 4. Configure the LDAPv3 directory. The LDAPv3 directory configuration is performed once per synchronization agreement (synchronization session). CUCM Administration: Choose System > LDAPv3 > LDAPv3 Directory and click Add New to add a new synchronization agreement. A warning appears, indicating that all existing end users in the local CUCM user database who are not found in the LDAPv3 directory specified in the synchronization agreement will be deleted. The LDAPv3 directory will overwrite the CUCM user database if the sn (last name) LDAPv3 attribute matches.