Secure LDAP

CSCO11629163
Level 1
Software Version: 8.6.2.21900-5

Problem Details: iPlanet LDAP is set up on our CUCM cluster for users to authenticate to their user page via LDAP.

LDAP and LDAP authentication are configured correctly, and they are connected to the server with no problem.
However, any attempt to authenticate via LDAP fails. If we turn LDAP off and authenticate to the local user database on CUCM, it works perfectly.

This is a virtualized CUCM cluster running version 8.6.2.21900-5.

# I have another CUCM 7.1.5 with which everything works fine.
# I have checked the roles and the group CCMUser.
# Reset the end user password in Active Directory and from Call Manager.
# The same Active Directory works with our 7.1.5 CUCM; what could be the reason it's not working on 8.6.2?
# Is there any security certificate I have to download and upload to the Active Directory, as it's a secure LDAP?

Please suggest

Thanks in advance..

2 Replies

Ayodeji Okanlawon
VIP Alumni

Hi,

If LDAP over SSL is required, the corporate directory SSL certificate must be loaded into Cisco Unified Communications Manager. Have a look at the Cisco Unified Communications Operating System Administration Guide; it documents the certificate upload procedure in the Security chapter.

You will also need to change the port to 636 if you are not using GC, or 3269 if you are using GC (global catalog server).

Please rate all useful posts

"'Nature is too thin a screen, the glory of the omnipresent God bursts through it everywhere"-Ralph Waldo Emerson

Good post aokanlawon (+5). To add to that, on CUCM 8.6 the SSL certificate has to be uploaded to CUCM as a Tomcat-Trust; previously in 7.x it was a Directory-Trust, which is now gone in CUCM 8.x. After uploading the SSL certificate, the Cisco Tomcat service has to be restarted from the command line with "utils service restart Cisco Tomcat".

If the directory sync is working and you can successfully add the LDAP server and authentication entries to CUCM, the connection is tested at that time. Therefore the connection and certificates should be correctly loaded to CUCM. To investigate the cause of the failure you could use a packet capture and decrypt the SSL traffic (http://htluo.blogspot.com/2009/01/decrypt-https-traffic-with-wireshark.html) to make sure the CUCM server is sending out a request to the LDAP server. I assume that the LDAP authentication settings are the same as the LDAP Directory (hostname/FQDN instead of IP address), so DNS shouldn't be a problem. Also, the user search base should be the same between the directory entry and authentication.
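The two replies above separate two failure modes: a transport problem (wrong port, 636 vs 3269, or a directory certificate that CUCM does not trust) and an LDAP-level problem (the bind itself is rejected). The script below is an added example, not part of the original thread and not a Cisco tool; it reproduces from a workstation the simple bind that CUCM performs against the directory and reports which of the two modes you are in, which is faster than decrypting a capture. It uses only the Python standard library and hand-encodes the RFC 4511 BindRequest/BindResponse in BER. The host `dc.example.com`, the bind DN, the password and the trust file `directory-ca.pem` (the same certificate that was uploaded to CUCM) are placeholders you replace with your own.

```python
"""Added example: bind to an LDAPS server the way CUCM would and report whether
the failure is TLS (certificate not trusted / wrong port) or LDAP (bind rejected).
Standard library only; BindRequest/BindResponse follow RFC 4511 BER encoding."""
import socket
import ssl

LDAPS_PORT = 636       # LDAP over SSL against a domain controller
GC_LDAPS_PORT = 3269   # LDAP over SSL against a Global Catalog server

# LDAP resultCode values (RFC 4511) that commonly show up on a failed bind
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag: int, value: int) -> bytes:
    """Minimal two's-complement INTEGER / ENUMERATED."""
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (ber_int(0x02, 3)
            + ber(0x04, bind_dn.encode())
            + ber(0x80, password.encode()))          # [0] simple password
    return ber(0x30, ber_int(0x02, msg_id) + ber(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element), honouring long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode bindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def result_name(code: int) -> str:
    return RESULT_NAMES.get(code, f"resultCode {code}")


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before replying")
        buf += chunk
    return buf


def _recv_ldap_message(sock) -> bytes:
    """Read exactly one BER element from the TLS socket (responses may be fragmented)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host: str, port: int, bind_dn: str, password: str, ca_file=None):
    """Return ('tls', reason) if the handshake fails, else ('ldap', decoded BindResponse).
    ca_file: PEM of the directory CA/server certificate, i.e. what was uploaded to CUCM."""
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_bind_request(1, bind_dn, password))
                return "ldap", parse_bind_response(_recv_ldap_message(tls))
    except ssl.SSLCertVerificationError as e:
        return "tls", f"certificate not trusted for {host}: {e.verify_message}"
    except ssl.SSLError as e:
        return "tls", str(e)


if __name__ == "__main__":
    # Placeholder values: host, bind DN, password and trust file are assumptions.
    kind, detail = ldaps_bind("dc.example.com", LDAPS_PORT,
                              "cn=ccmuser,cn=Users,dc=example,dc=com", "s3cret",
                              ca_file="directory-ca.pem")
    if kind == "tls":
        print("TLS failed (check trust certificate, FQDN and port):", detail)
    else:
        print(f"TLS ok; bind {result_name(detail['result_code'])}: {detail['diagnostic']!r}")
```

Run it once against port 636 and once against 3269 with the FQDN CUCM uses (not the IP, since the certificate is validated against the hostname). A `tls` result means CUCM will fail at the same point regardless of credentials; an `ldap` result with `invalidCredentials` means the transport and trust are fine and the problem is the account, bind DN or search base.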