
Jabber/Presence questions

Joel Fox
Level 1

Good morning - I have a question, or several of them, related to implementing Jabber. We are running Cisco CallManager version 9.1.2.12900-11, as well as IM/Presence version 9.1.1.51900-1. Jabber is successfully configured and working for our current domain, but we will be performing a domain migration to our parent company's domain in the future. CallManager is set up to sync with LDAP; we currently have 2 accounts set up to query, 1 for each domain. The Auth account is for our current domain. (We have a trust between the 2 domains, which puzzles me as to why we need one query account for each domain). For simplicity, I'll list the domain setup:

parent.local - parent domain

child.parent.local - future sub-domain name

child.lan - current domain - will cease to exist after migration

When we join the parent forest, we will be a sub-domain, not just an O/U, which according to my server guys is a huge difference. (For the record, I have not worked with domains before, so I'm trying to wrap my head around this!) I know a lot of information is missing, but my questions are rather general, so hopefully I've provided what is needed to answer them:

1.  Does anyone currently operate in a forest environment with multiple sub-domains and successfully use Jabber?

2.  From what I've gathered so far, I'm going to need an auth account with enterprise forest level credentials... Am I correct?

3.  If my users from the parent domain successfully sync with LDAP and CallManager, shouldn't they be able to use Jabber already?

 

Thanks for any input, I'm still reading up on this, but I figured I'd give this a shot as well!

Accepted Solutions

George Thomas
Level 10

LDAP sync is not the issue but LDAP authentication is. You can only have one LDAP authentication agreement. In your case, since your sub-domain is the child, you could create an account in parent.local and do the LDAP authentication there. However you would need an LDAP sync agreement with the subdomains.

You will need an account with enterprise forest level credentials to bind to the domains.

Since you are authenticating against child.lan, your users in parent.local won't be able to authenticate. You will have to point the LDAP auth agreement to parent.local for it to work.

Take a look at the SRND which explains your scenario in detail:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/directry.html

Please rate useful posts.

2 Replies

Thank you! I'm happy to know that I was on the right track and not completely clueless haha. I will most certainly check out the link you provided; I greatly appreciate it. We have 3 subdomains plus the parent, so adding the three LDAP sync accounts should not be an issue. If I recall you can have up to 5 sync accounts...

 

Thank you!

 

Joel