Multiple AD Domain access from CUCM through OpenLDAP?

JJMakowski · ‎01-31-2013

Is anyone integrating CUCM with AD through an OpenLDAP Proxy?

We are currently working on consolidating our CUCM 8.6 and CCME 7.1 phone systems into a single v9.1 cluster.

Our Active Directory is still a single forest with mutiple Child Domains.

CUCM has a limit of 5 LDAP Configurations. But we can't integrate through the Root of the Forest because CUCM will not be able to dig into the Child Domains. They would each need their own Configuration. Unfortunately we have 7 Child Domains plus the Root.

Our AD team is currently working on collapsing the Child Domains to the Root, but until they can collapse a few of them, we're stuck with not enough Configurations available in CUCM.

I have been trying to install and configure OpenLDAP on different Linux distros (Fedora, Ubuntu Server, CentOS). Not being on top of my Linux game has made this difficult and not being an LDAP expert makes it even more so.

I've tried multiple online How To's and think I have a working basic LDAP server. But when I try to enable the Proxy it doesn't seem to work.

I don't know if it's a problem with my OpenLDAP config or with how I am trying to set up the LDAP Configuration (I am using a defunct Unity Connection server to test the integration).

If anyone is doing this and has some guidance on what I might be missing, I would really appreciate the assistance.

Thanks,

Jim Makowski

dakeller · ‎04-24-2013

James,

Unfortunately, Cisco will not be able to provide additional guidance on this for you. You are correct that the Cisco LDAP Synch is limited to 5 sources, but more importantly, you can only have one authentication source. So even if we did provide more synchs for users, you still would to to use a single reference for LDAP Authentication (aka LDS or ADAM).

Also, I have not heard any plans to increase the LDAP synch number beyond 5.

Thanks,

Dan Keller

Technical Marketing Engineer

JJMakowski · ‎04-24-2013

Dan,

Thanks for the response.

Even though I mentioned the 5 connection limitation for synching, the crux of my problem was not to look for a way to increase this, but rather to find someone who has a working OpenLDAP configuration that might be able to help me solve my issues with my multiple attempts to get a working, synching OpenLDAP proxy from Unity Connection to AD.

We ended up having another staff member configure LDS for this and have a working setup now. We dumped the OpenLDAP path, it was a total waste of time unless you are a Linux and LDAP guru (which I am not). I followed HowTo's as closely as possible (making changes where necessary) and never got it to work.

That being said, as far as the Authentication part, you can point the Authentication connection to the Root of a multi-domain Forest and have it work for all child domains in the Forest. That's how we set it up. My best guess is that Unity (or CUCM) was not delving into AD to pull out information for Authentication. Rather it's probably just passing an Authentication request to AD and AD does all the delving, returning either a Yes or No to whether the credentials given were valid.

This is probably the key difference between the Synching and the Authentication. When you set up a connection for synching, Unity/CUCM itself goes into AD using the credentials provided and the search base to find the info it needs to pull into its database. It doesn't ask AD for the info, it goes in and takes it. And for some reason the way it's programmed (either on the AD side or in the Cisco side) it cannot branch out to child domains. So each child domain needs its own connection and the system is limited to 5 total.

Thanks.

skilambi · ‎04-24-2013

Even for synching you can point to the GC and it should synch all the sub domains listed.

Thanks

Srini

JJMakowski · ‎04-24-2013

Not according to this document http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html

"A synchronization agreement for a domain will not synchronize users outside of that domain nor within a child domain because Unified CM does not follow AD referrals during the synchronization process."

Also, I think I misspoke when I said that Authentication worked for child-domains, this may not have been true. We've had so many changes lately I can't exactly recall.

skilambi · ‎04-24-2013

Yep I know that link very well it isn’t correct. They are pointing to a DC not GC. If you point to the GC it will work

Thanks

Srini

kkhanis · ‎04-24-2013

Hi guys,

This is very interesting since we are trying to achieve something similar where there customer is looking to integrate multiple separate AD domains to the cuc and cucm.

we have partially achieved this via LDS for directory sync (not sure if this is similar to what Srini has mentioned here as using the GC) but we are stuck at trying to get authentication working using the proxyuser object on the LDS and creating a trust between the child domains.

Did you achieve this in the same way Jim? Or Srini is this different to the GC method you mention here?

Thanks in advance to the advice guys.

Regards,

Kamran

kkhanis · ‎05-14-2013

Hi guys,

Did you manage to get this multi-domain AD setup working using ADLDS or just via a multi-domain GC? For authentication and directory sync both.

Sorry if this is a noob question...just trying to see where to start!

Any advice would be appreciated.

Regards,

Kamran