
LDAP Integration - which user rights are necessary?

Antonio Brandao
Level 1

Hi All,

I have been working on an integration of CM 8 and MS AD, and I would like to know whether the user used to integrate it needs to be an administrator of AD or not?

If not, which kind of rights are enough?

Are there any Cisco docs that talk about it?

I have been searching but just found a note in a doc saying:

"Note:

Cisco recommends that you create a specific account with permissions in order to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account can reside anywhere within that domain."

Could someone clarify that?

Thanks

AB

5 Replies

Chrysostomos_CY
Level 5

Hi

Design Considerations for LDAP Authentication

Observe the following design and implementation best-practices when deploying LDAP authentication with Cisco Unified CM:

• Create a specific account within the corporate directory to allow Unified CM to connect and authenticate to it. Cisco recommends that you use an account dedicated to Unified CM, with minimum permissions set to "read" all user objects within the desired search base and with a password set to never expire. The password for this account in the directory must be kept in synchronization with the password configuration of the account in Unified CM. If the account password changes in the directory, be sure to update the account configuration in Unified CM. If LDAP synchronization is also enabled, you can use the same account for both functions.

• Enable LDAP authentication on Unified CM by specifying the credentials of the aforementioned account under LDAP Manager Distinguished Name and LDAP Password, and by specifying the directory subtree where all the users reside under LDAP User Search Base.

• This method provides single logon functionality to all end users: when they log in to the Unified CM User Options page, they can now use their corporate directory credentials.

• Manage end-user passwords from within the corporate directory interface. Note that the password field is no longer displayed in the Unified CM Administration pages when authentication is enabled.

• Manage end-user PINs from the Unified CM Administration web pages or from the Unified CM User Options page.

• Manage Application User passwords from the Unified CM Administration web pages. Remember that these application users facilitate communication and remote call control with other Cisco Unified Communications applications and are not associated with real people.

• Enable single logon for Unified CM administrators by adding their corresponding end user to the Unified CM Super Users user group from the Unified CM Administration web pages. Multiple levels of administrator rights can be defined by creating customized user groups and roles.

From the SRND

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html#wp1070369

Regards

chrysostomos

Please rate all useful posts. Regards, Chrysostomos. "The Most Successful People Are Those Who Are Good At Plan B"

David Hailey
VIP Alumni

The simple translation is that Cisco is recommending that you have a service account created and used for the CUCM DirSync integration with LDAP.  That account only needs Read Only permissions to the OU or OU(s) in AD where the end user accounts are located.

Hailey

Please rate helpful posts!
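
An added example, not part of any post in this thread and not Cisco tooling: a small audit of the bind account against the advice in the two answers above (dedicated read-only account, password set to never expire, no admin rights). The account names, group names and LDIF entries are constructed; the parser assumes unfolded, non-base64 LDIF, and nested groups and the actual ACL on the search base are not evaluated.

```python
# Audit an AD bind account export. Flag values are documented userAccountControl bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
# Assumed audit list: built-in groups that grant far more than read access.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators"}

# Constructed sample entries (not output from a real directory).
GOOD_LDIF = """\
dn: CN=svc-cucm-ldap,OU=Service Accounts,DC=example,DC=com
userAccountControl: 66048
memberOf: CN=CUCM LDAP Readers,OU=Groups,DC=example,DC=com
"""
BAD_LDIF = """\
dn: CN=cucm-admin,CN=Users,DC=example,DC=com
userAccountControl: 512
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
adminCount: 1
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def group_cn(dn):
    # First RDN value, lower-cased (escaped commas in the RDN are not handled).
    return dn.split(",", 1)[0].partition("=")[2].strip().lower()

def audit_bind_account(entry):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if uac & UAC_ACCOUNTDISABLE:
        findings.append("account is disabled; sync and authentication will fail")
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("password can expire; the guidance is never-expire")
    risky = sorted(g for g in map(group_cn, entry.get("memberof", []))
                   if g in PRIVILEGED_GROUPS)
    if risky:
        findings.append("member of privileged group(s): " + ", ".join(risky))
    if entry.get("admincount", ["0"])[0] == "1":
        findings.append("adminCount=1: account is or was in a protected group")
    return findings

if __name__ == "__main__":
    for ldif in (GOOD_LDIF, BAD_LDIF):
        print(audit_bind_account(parse_entry(ldif)) or "OK")
```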

Antonio Brandao

At least say one thank you

Regards

chrysostomos


Hey Chrysostomos

Sorry, I was away. Thanks a lot for your explanation, it was very helpful.

I did a test with a normal domain user which I created and it worked fine, so it's necessary to be an admin rights user to integrate the CM and MS AD.

Regards

Hi Antonio

You mean it's not necessary to have admin rights for the user account in LDAP?

Regards

chrysostomos
