Finesse/LDAP Question

mradell
Level 1

CUCM 11.5

UCCX/Finesse 12.5


Currently we use LDAP integration and authorization in our CUCM for all users. Our Finesse agents use their LDAP credentials to sign in to Finesse to take calls. The issue is if an agent changes their LDAP password in the middle of the day they can no longer sign in to Finesse until we perform an LDAP sync in the CUCM. How can we avoid this? It's my understanding that LDAP authentication happens from UCCX -> CUCM -> LDAP. That said, CUCM doesn't store the LDAP password or do any of the authentication, LDAP does, so why do we have to resync to resolve the agent not being able to log in after resetting their password? I feel like I'm missing something simple here.

8 Replies

TomMar1
Level 3

I would check the LDAP re-sync time. It can be set to as low as 1 hour.

That still wouldn't completely resolve the issue as users would still not be able to log in until the next sync. With over 20k users in LDAP and almost 1k agents that wouldn't help us much.


I need to know "why" this happens. If LDAP is doing all the authentication and the user's updated password is in LDAP, why do we have to resync CUCM to allow them to log in to Finesse? In my view the only purpose of the LDAP sync is to pull in any new users and mark inactive any that have been removed. CUCM doesn't do any authentication when using both LDAP Sync and Auth.

LDAP sync defines the users. Is LDAP authentication configured in CUCM? If so, which DCs is it using? Perhaps it is one where it takes longer for the replicated password to get there. For an existing user, LDAP authentication should be immediate once the password change has replicated to the DC that is being used by CUCM for authentication.
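One way to test the replication-lag theory raised above, as an added example that is not part of any post in this thread: ask every domain controller for the account's pwdLastSet and flag any DC that still reports an older value. It assumes the RSAT ActiveDirectory module is installed and takes a placeholder account name as its parameter.

```powershell
# Added example: compare pwdLastSet for one account across all domain controllers.
# A DC reporting an older timestamp than the newest one has not yet received the
# replicated password change, which is what an LDAP-authenticating application
# pointed at that DC would observe. Requires the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # placeholder: the agent's AD login name
)

Import-Module ActiveDirectory

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Query this specific DC rather than whichever one the client would pick.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DomainController = $dc.HostName
            PwdLastSet       = [DateTime]::FromFileTimeUtc([int64]$u.pwdLastSet)
        }
    } catch {
        # Record unreachable DCs instead of aborting the whole survey.
        [pscustomobject]@{ DomainController = $dc.HostName; PwdLastSet = $null }
    }
}

# The newest timestamp is the password change itself; anything older is stale.
$latest = $results | Where-Object { $_.PwdLastSet } |
    Sort-Object -Property PwdLastSet -Descending | Select-Object -First 1 -ExpandProperty PwdLastSet

$results | Select-Object DomainController, PwdLastSet,
    @{ Name = 'Converged'; Expression = { $null -ne $_.PwdLastSet -and $_.PwdLastSet -eq $latest } } |
    Format-Table -AutoSize
```

Run it a few minutes after a test account's password is reset; a DC listed as not converged is a candidate for the one CUCM's LDAP authentication is pointed at.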

LDAP sync and auth are both configured in CUCM. Our team doesn't maintain the AD server, but as far as I'm aware our search base is essentially the entire org, they don't really break it down. Regardless, after changing their AD password, users can log in to their PCs, email, etc with their new AD password, but they cannot log in to Finesse until we resync LDAP in CUCM.

After the password change, can they log in to the user pages in CUCM? You will have to make sure they are members of the CUCM standard end users group. If they can't, wait a while and check again. If you have LDAP authentication configured, there should be no relation at all between user sync and authentication.

That's a great question. I will test that and get back to you. We don't generally advertise the user page for CUCM to the users, but all our agents are a part of that group.

So I used a generic AD account we have for testing and had our Help Desk reset the password. What I discovered is that when they went directly into AD and changed it, I was able to access everything instantly with the new password, even Finesse. The difference with this test account is that they changed the pass directly in AD, not using Microsoft Identity Manager, which they use for most of the end users because it changes the password in multiple systems at once. I think that is a clue, so I'm going to dig deeper. I'll post back when I figure something out, but feel free to post any suggestions in the meantime.

Hi there

How about SSO? I would say enabling SSO for Finesse/CUCM end users will be a good option for you.


https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/12_5_1/cucm_b_saml-sso-deployment-guide-12_5/cucm_b_saml-sso-deployment-guide-12_5_chapter_01.html


https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/V11-5-1/config/CSR1151-UCCX-SSO.html


Hope this helps

Cheers
Rath!

***Please rate helpful posts and if applicable mark "Accept as a Solution"***