LDAP Authentication for End Users on Cisco Call Manager

sienz.sienz
Level 1

We want to add a group of users from a different domain (XYZ.com) in our network to join the Cisco Call Manager. They are going to use the Cisco Phone system. The only issue that we have is the LDAP Authentication. It seems that we can only enter one LDAP Authentication for End Users. Currently it is using the ABC.com domain. We can see the users in both the ABC and XYZ domains in the User Management in the CCM Admin (I guess because we can add more than 1 LDAP directory in CUCM) but it will not authenticate when a user from XYZ.com tries to log in to the CCM User Page.

The CCM User Page is the user site for modifying phone features like speed dials, call forwarding, etc.

Is there any solution to the issue that we are experiencing? I have no idea how to add another LDAP Authentication.

Thank you,

sienz

Accepted Solution

Jaime Valencia
Cisco Employee

You can only add one authentication config.

Review this

Additional Considerations for Microsoft Active Directory

In environments that employ a distributed AD topology with multiple domain controllers geographically distributed, authentication speed might be unacceptable. When the Domain Controller for the authentication agreement does not contain a user account, a search must occur for that user across other domain controllers. If this configuration applies, and login speed is unacceptable, it is possible to set the authentication configuration to use a Global Catalog Server.

An important restriction exists, however. Because a Global Catalog does not carry the Employee ID attribute, this method cannot be used if the Employee ID is used as the login. Only Domain Controllers may be used with this attribute.

To enable queries against the Global Catalog, simply configure the LDAP Server Information in the LDAP Authentication page to point to the IP address or host name of a Domain Controller that has the Global Catalog role enabled, and configure the LDAP port as 3268.

The use of Global Catalog for authentication becomes even more efficient if the users synchronized from Microsoft AD belong to multiple domains, because it allows Unified CM to authenticate users immediately without having to follow referrals. For these cases, point Unified CM to a Global Catalog server and set the LDAP User Search Base to the top of the root domain.

In the case of a Microsoft AD forest that encompasses multiple trees, some additional considerations apply. Because a single LDAP search base cannot cover multiple namespaces, Unified CM must use a different mechanism to authenticate users across these discontiguous namespaces.

As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."

In fact, the user search base is derived from the UPN suffix for each user, as shown in Figure 17-14. In this example, a Microsoft Active Directory forest consists of two trees, avvid.info and vse.lab. Because the same user name may appear in both trees, Unified CM has been configured to use the UPN to uniquely identify users in its database during the synchronization and authentication processes.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1045381

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk

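The rules quoted in the accepted answer, written out as a small planner so the single CUCM authentication config can be checked before it is changed. This is an added example, not Cisco code and not from the answer; it assumes port 389 for a plain Domain Controller bind, uses a Global Catalog for the multi-tree case as well (following the multi-domain advice above), and the domain names in the tests are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

GC_PORT, DC_PORT = 3268, 389  # Global Catalog port per the quoted text; plain LDAP to a DC (assumed)

def dns_to_dn(domain: str) -> str:
    """'vse.lab' -> 'DC=vse,DC=lab'."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError(f"empty domain: {domain!r}")
    return ",".join(f"DC={lbl}" for lbl in labels)

def search_base_from_upn(upn: str) -> str:
    """Per-user search base formed from the UPN suffix: 'jdoe@vse.lab' -> 'DC=vse,DC=lab'."""
    user, sep, suffix = upn.partition("@")
    if not sep or not user or "@" in suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return dns_to_dn(suffix)

def tree_roots(domains: list[str]) -> list[str]:
    """Domains not nested under another listed domain; more than one means multiple trees."""
    ds = sorted({d.strip().lower().strip(".") for d in domains})
    return [d for d in ds if not any(o != d and d.endswith("." + o) for o in ds)]

@dataclass
class LdapAuthPlan:
    server: str
    port: int
    user_id_attribute: str
    search_base: str | None  # None: CUCM forms it per user from the UPN suffix
    note: str

def plan_ldap_authentication(domains: list[str], login_attribute: str,
                             dc_host: str, gc_host: str) -> LdapAuthPlan:
    """Pick the single authentication config CUCM allows, following the quoted rules."""
    roots = tree_roots(domains)
    if len(roots) > 1:  # discontiguous namespaces: no single search base covers them
        if login_attribute != "userPrincipalName":
            raise ValueError("a multi-tree AD forest requires the UPN as the CUCM user ID")
        # Global Catalog assumed here, following the multi-domain advice quoted above
        return LdapAuthPlan(gc_host, GC_PORT, login_attribute, None,
                            "LDAP user search base is formed using userid information")
    base = dns_to_dn(roots[0] if roots else "")  # empty input raises ValueError here
    if login_attribute == "employeeNumber":  # a GC does not carry the Employee ID attribute
        return LdapAuthPlan(dc_host, DC_PORT, login_attribute, base,
                            "Employee ID login: Domain Controllers only, no Global Catalog")
    if len({d.strip().lower().strip(".") for d in domains}) > 1:  # one tree, several domains
        return LdapAuthPlan(gc_host, GC_PORT, login_attribute, base,
                            "Global Catalog at the root domain: no referrals to follow")
    return LdapAuthPlan(dc_host, DC_PORT, login_attribute, base, "single domain: a DC suffices")
```

For the ABC.com / XYZ.com case in the question, the planner returns no search base and requires the UPN as the user ID, which is exactly why a second authentication entry is not the fix.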

3 Replies


hello,

Since we can only allow one LDAP authentication: if we change LDAP Authentication in UCM from the ABC domain to the XYZ domain for testing and then change back to ABC.com, is there anything we need to worry about that will break when we put it back to ABC.com?

tks,

J

You’re already asking this in another thread. Please do not create duplicates.


