2643 Views · 10 Helpful · 18 Replies

LDAP bindrequest not sent

IWantStuff (Level 1)

Can anyone help with the following issue? I cannot see an entry for it elsewhere.

I cannot get a SPA504g currently with firmware 7.5.7 (or earlier firmware) to bind to an LDAP server on a Grandstream UCM6104 PBX.

It doesn't seem to be sending a bindrequest() to the UCM6104.

Here is the set-up on the SPA504g under the "Phone" tab:

When I press "dir", select the "Cubik" directory, put in a search term and press "submit" all I get is this error:

"LDAP Error: cannot connect to server."

I have also tried connecting using the "simple" Auth method without "username" and "password", with "username" and with "username" and "password".

When I run a trace from the UCM6104 and open the pcap file with Wireshark I get this trace filtered by "LDAP". The search comes through but not the bindrequest():

Using an LDAP client tool called "LDAPExplorerTool 2" I have no problem connecting to the UCM6104 directories using the same parameters as the SPA504g. If I run a trace from Wireshark and filter with LDAP I get this from the tool:

as can be seen the bindrequest() is issued and successful.

Does anyone have any idea why the SPA504g is not even trying to bind to the LDAP directory?

Thanks in advance

Stuart

18 Replies

Dan Lukes (VIP Alumni)

We are not using LDAP for the directory, so I'm not the expert on SPA504G <-> LDAP interaction. But if I remember the LDAP protocol specification correctly, the bind operation is dedicated to authentication between the client and server. With LDAP AuthMethod=NONE and UserName & Password empty, there's no reason to bind. A so-called "anonymous bind" (i.e. a bind with no name and password) is possible, but optional.

The trace from the SPA504G you supplied seems to reveal that the LDAP server doesn't allow anonymous access to the requested resource (thus the 'BIND required' error).

Unfortunately, you didn't disclose whether the server is intended to allow anonymous access or not. So we don't know whether LDAP AuthMethod/UserName/Password needs to be configured or the configuration of the LDAP server needs to be changed instead.

 

If it still doesn't work even after the configurations of server and client have been made consistent with each other, it would be a good time for a packet capture ...

 

Well, it's just a hypothesis - I claimed I'm not an expert on the matter ...

 

Hi Dan

Thanks for your input, which prompted me to go back over things. I ran some more traces and have discovered that the SPA504g does send a bindrequest() if you use, for example, "Simple" LDAP authentication. The UCM6104 will only accept anonymous authentication, which I sort of assumed the SPA504g would action as an appropriate bindrequest(), as there is no anonymous configuration option on the SPA504g. The UCM6104 LDAP server returns "Inappropriate authentication" if "simple" is used.

I double checked using my LDAP tool and that fails with the same error if anything other than the anonymous option is used.

Does anyone know how to get an SPA504g to make an anonymous bind?

Just blind advice - set LDAP Auth Method to simple but leave LDAP Username and LDAP Password empty.

If that doesn't solve your issue, I suspect the SPA504G just will not do an anonymous bind (which is considered optional, as I mentioned yesterday).

In such an unfortunate case you can do both:

  1. Call Grandstream support with a bug report. There is no reason to force the client to do an anonymous bind to gain anonymous access. It just causes interoperability issues.
  2. Call Cisco SMB support with a bug report. If Auth Method is set to simple and Username/Password are empty, the SPA should do an anonymous bind.

Then wait to see which company wins the race. Either change will solve the issue in question, but both companies should make the proposed changes to increase interoperability. Let us know the results.

Well, it is possible that either company or both will not be interested in helping you interconnect their product with a competitor's product. In such an unfortunate case you should replace Cisco's phones with Grandstream ones ...

Oh - one more solution - call Grandstream support asking for authenticated access to the phonebook even for read. Claim privacy and security reasons. You need not mention Cisco's phones in that case. Then configure standard non-anonymous simple authentication on the SPA504G.

 

Consider rating helpful responses. It will help others to find solutions.

 

I did try simple without username and password but it still results in an inappropriate authentication response.

I have raised this with Grandstream who are looking into it right now! They know I am using Cisco phones; their PBX should work with other phones besides their own, and they are keen to make it an open SIP-based system, I think.

I will look into raising it with Cisco too. I don't have a service contract with them and nor does my customer so I don't know if I can do this.

Let's see how it goes!

I did try simple without username and password but it still results in an inappropriate authentication response.

Because the SPA504G did not request a bind at the start, or because such a bind has been rejected by the LDAP server?

I have raised this with Grandstream who are looking into it right now!

Oh, I remember a similar enthusiastic approach on Cisco's side, three and more years ago. It applies no longer. Good old times ...

I don't have a service contract

If I remember correctly, you need no service contract as long as the device is still under warranty. But even in the case the ticket is created, don't expect a fast reply (of any kind). I have no good experience with the current SMB support ...

 

If you enable "simple" authentication then the SPA504g issues a bindrequest() regardless of the "username" and "password" contents. I think an "inappropriate authentication" response goes with a bindrequest().

That's a shame about the recent poor support. I hope that isn't related to large company complacency; perhaps they are snowed under.

Well, I'm confused now. So-called "anonymous bind" is no special authentication method - it is just a "simple" authentication bind with an empty name and password.

Until now I assumed that the bug is on the UCM side, because it requires an anonymous bind despite it being optional, but also that there's suboptimal behavior of the SPA504G because it doesn't fire an anonymous bind despite being configured to do so.

Now it seems you are claiming that the SPA504G does the anonymous bind but the UCM is rejecting it. That's different behavior from what I deduced from the previous descriptions ...

In such a case there's nothing wrong with the SPA504G - it does everything right according to its configuration, including the initial anonymous BIND, but the UCM is broken as it requires an anonymous bind but rejects it once received. But then it should not work even with LDAPExplorerTool ...

Well, you solved the issue, so we need not search for the exact cause. I'm just curious ...

 

Just for completeness, two relevant parts of the LDAP protocol specification (RFC 4513).

About session with no bind at all:

Upon initial establishment of the LDAP session, the session has an anonymous authorization identity. Among other things this implies that the client need not send a BindRequest in the first PDU of the LDAP message layer. The client may send any operation request prior to performing a Bind operation, and the server MUST treat it as if it had been performed after an anonymous Bind operation

About anonymous bind:

An LDAP client may use the anonymous authentication mechanism of the simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a name value of zero length and specifying the simple authentication choice containing a password value of zero length.

 

The UCM instructions state anonymous connection by a client, but as it turns out it does accept a "simple" connection with a user name and password.

The 2 statements above certainly clarify the position. I can see the logic of the first, but it would have been simpler all round if a bindrequest() was always required; that's another subject for another day I guess :-)

From this point this is how things appear to me:

SPA504g: If you specify "none" as the auth type, no bindrequest() is issued and the search request is rejected by the UCM because there is no bindrequest(). The UCM behaviour is incorrect according to the statement above. I will alert Grandstream to this.

SPA504g: If you specify "simple" as the auth type, a bindrequest() is issued and if there is no username and password this is an implied anonymous bind. The UCM will not allow the Root DN, which serves as the username, and the password to be removed, or at least I have not found a way to remove them as yet. I will alert Grandstream to this.

SPA504g: If you specify "simple" as the auth type, a bindrequest() is issued and if there is a correct username and password the connection to the UCM LDAP server is successful. This is not clear in the UCM instructions, so again I will alert Grandstream to this.

I think there are 2 things that could be done to improve things. Grandstream could clarify their documentation and make their platform conform to the standard. Cisco could add more documentation to their LDAP client instructions to clarify how their authentication combinations resolve. Many people are not that knowledgeable about LDAP from what I can see and probably shouldn't need to be.

There are many anomalies like this in general :-)

it would have been simpler all round if a bindrequest() was always required

Yes, but we all need to live in *this* world. ;-)

On the other hand, protocols with optional authentication are very common, namely HTTP or SMTP. So the LDAP approach is rather common than special.

The SPA504G/none and SPA504G/simple+credentials variants are clear and "work as expected".

And now I understand even the SPA504G/simple+name+emptypassword variant. The relevant part of the specification is here:

An LDAP client may use the unauthenticated authentication mechanism of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC4514] of non-zero length) and specifying the simple authentication choice containing a password value of zero length.

The distinguished name value provided by the client is intended to be used for trace (e.g., logging) purposes only.
...
Servers SHOULD by default fail Unauthenticated Bind requests with a resultCode of unwillingToPerform.

It says that it is possible to use a non-empty name in an "anonymous" bind request, but it is designed for debugging, not for routine use. The UCM is badly wrong if that is the only form of anonymous bind it accepts.

What does the SPA504G send if configured with the SIMPLE scheme, cn=admin,dc=pbx,dc=com as the username and an empty password? I assume it will send a correct "unauthenticated authentication bind", but we can't complain even if it sends a pure anonymous bind (i.e. empty username).

Maybe I just misinterpreted your picture and you have the SPA504G configured this way already. It's unclear from your picture whether the LDAP password has been configured as empty or it has been filled with a password, so it may be the source of my confusion. I assumed there's a non-empty password filled in.

Many people are not that knowledgeable about LDAP from what I can see 

I had very basic knowledge of the LDAP protocol yesterday as well. It's the reason I'm active here. It is a good reason to learn something new to help someone else. The gained knowledge may help me sometime in the future. I'm too lazy to read the LDAP specification just because it's there (and I'm using no LDAP on the SPA) ;-)

and probably shouldn't need to be.

Disagree. Anyone should understand the technology he is using. Or the technology may hurt him.

But it is discussion for other day ;-)

 
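The thread distinguishes four first-PDU situations (no bind at all with auth=none; an anonymous bind; an "unauthenticated" bind with a DN and empty password; a full name/password bind) and relies on RFC 4513 sections 5.1.1-5.1.3 to say which is which. The script below is an added example, not code from the thread, from Cisco or from Grandstream: it BER-encodes each variant as a raw LDAP PDU and classifies a captured first PDU the way one would when reading the Wireshark trace. The DN cn=admin,dc=pbx,dc=com is the one mentioned above; the password "secret" and the base DN dc=pbx,dc=com are constructed sample values, and the function names are the example's own.

```python
# Added example: build and classify the RFC 4513 simple-Bind variants discussed
# in the thread as raw BER-encoded LDAP PDUs. Not vendor code. Sample values
# ("secret", dc=pbx,dc=com) are constructed for the demonstration.

# --- minimal BER helpers (definite-length encoding only) ---------------------

def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

# --- PDU builders -------------------------------------------------------------

def build_bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0] password}}.
    Anonymous: name "" and password ""; unauthenticated: name set, password "";
    name/password: both set (RFC 4513 section 5.1)."""
    bind = _int(3) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, bind))   # 0x60 = [APPLICATION 0]


def build_search_request(msg_id: int, base_dn: str) -> bytes:
    """Minimal SearchRequest: subtree scope, filter (objectClass=*), no attributes.
    This is the first PDU a client sends when it skips Bind entirely."""
    body = (_tlv(0x04, base_dn.encode())      # baseObject
            + _tlv(0x0A, b"\x02")             # scope: wholeSubtree
            + _tlv(0x0A, b"\x00")             # derefAliases: neverDerefAliases
            + _int(0) + _int(0)               # sizeLimit, timeLimit
            + _tlv(0x01, b"\x00")             # typesOnly: FALSE
            + _tlv(0x87, b"objectClass")      # filter: present [7] "objectClass"
            + _tlv(0x30, b""))                # attributes: empty list
    return _tlv(0x30, _int(msg_id) + _tlv(0x63, body))   # 0x63 = [APPLICATION 3]

# --- classification of the first PDU in a session ---------------------------

def classify_first_pdu(pdu: bytes) -> str:
    """Name the RFC 4513 mechanism a captured first LDAP PDU corresponds to."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, p = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, p)
    if op_tag != 0x60:
        # No BindRequest: per RFC 4513 5.1.1 the server MUST treat the operation
        # as if an anonymous Bind had been performed (the SPA504g auth=none case).
        return "no-bind"
    _, _version, p = _read_tlv(op, 0)
    _, name, p = _read_tlv(op, p)
    auth_tag, cred, _ = _read_tlv(op, p)
    if auth_tag != 0x80:                     # [3] would be SASL; not used here
        return "sasl"
    if not name and not cred:
        return "anonymous"                    # 5.1.1: explicit anonymous bind
    if name and not cred:
        return "unauthenticated"              # 5.1.2: servers SHOULD refuse by default
    if name and cred:
        return "name/password"                # 5.1.3
    return "invalid"                          # empty name with a password: none of the three


def spa504g_scenarios() -> dict:
    """The SPA504g settings discussed in the thread, rendered as constructed PDUs."""
    dn, base = "cn=admin,dc=pbx,dc=com", "dc=pbx,dc=com"
    return {
        "auth=none":                     classify_first_pdu(build_search_request(1, base)),
        "auth=simple, no user/pass":     classify_first_pdu(build_bind_request(1, "", "")),
        "auth=simple, user, empty pass": classify_first_pdu(build_bind_request(1, dn, "")),
        "auth=simple, user+pass":        classify_first_pdu(build_bind_request(1, dn, "secret")),
    }


if __name__ == "__main__":
    for setting, mechanism in spa504g_scenarios().items():
        print(f"{setting:32s} -> {mechanism}")
```

Feeding the bytes of a captured first PDU (the LDAPMessage payload Wireshark shows under "Lightweight Directory Access Protocol") to classify_first_pdu() answers Dan's question directly: "anonymous" means the phone sent an empty name and password, "unauthenticated" means it sent the DN with an empty password (which a server following the SHOULD in 5.1.2 refuses with unwillingToPerform), and "no-bind" means the phone went straight to the search, which the server must treat as anonymous rather than reject.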

I have attached the 2 documents I referenced and these should have been enough. In particular I want to draw attention to the "LDAP sequence" in the LDAP specific document.

"Disagree. Anyone should understand the technology he is using. Or the technology may hurt him."

Because I can't resist a good debate and because it's perhaps the crux of things I have to respond :-)

If taken literally then most people should probably stop using their household appliances and should certainly leave mobile phones and PCs well alone!

When I was a techy in IT I think I would have said a similar thing but these days I see the line between people using stuff to help them make and sell widgets for example and specialists in their fields.  If I am a taxi driver I should aspire to know all about taxi driving including how to operate a car and perform basic maintenance. I do not need to know how to strip it down and the inner workings of the onboard computers. Similarly I should be able to simply configure an email client without knowing how email works, I just want to use it. That of course is a simplistic approach as the lines are very blurry; there are lots of options you can use to configure email most of which most people never touch for example.

In the case of the LDAP I just wanted to follow simple instructions and for it to work as I want to be a user of it not an expert. The knowledge is useful of course but it took up a lot of time that should have been used on other things.

Yes, things are as they are but we strive for perfection in the knowledge that it is unachievable :-)

I can't resist a good debate

I like it as well. But I'm not sure I can provide a good debate in English. Also, I'm not sure I should initiate/continue an off-topic debate here. The moderator of this community should shout at us. Damn, I'm the moderator of this community ...

If taken literally then most people should probably stop using their household appliances

No. They should just learn how they work.

Yes, I'm aware that there are people unable to understand. Even in such a case they can use the technology, but they can do only things approved by someone who understands the technology as well as the requirements of the particular user. Otherwise there will be so many cats killed because they were dried in a microwave oven. And finally, I can accept even 'inexpert usage' as long as the user takes full responsibility for any consequences, including those he can't imagine.

Most people understand it in full in the case of a chainsaw. Many people recognize their car requires a skilled technician for maintenance. There is no reason to consider the computer to be a special kind of technology.

Unfortunately, some people expect someone else will take responsibility for their decisions. I understand this appealing idea, but "I don't understand" is not an acceptable excuse for things already done by someone with suffrage.

I should be able to simply configure an email client without knowing how email works

To return to the topic somewhat - yes, you can connect an IP phone at home without knowing the background. Then imagine your son is choking and you can't call Emergency because the phone you installed without the necessary knowledge is not properly configured. Are you ready for such a consequence? Let's not learn and install, I have no problem with it. But don't blame others then.

It's just an example, of course, but it describes the idea.

Am I claiming "call an expert all the time"? Definitely not. It will not remove the responsibility from you. If you wish not to learn enough to do things yourself, you should learn enough to select a proper expert or (but better 'and') to verify he did his job.

Even in the case of devices of the "remove from package, plug into mains and wait for the green LED to claim the device is ready" kind, you decided to buy the particular device, so you are responsible if it doesn't work as expected.

In short - learn or take the consequences. Tertium non datur.

I'm sure I'm sounding unacceptably strong and irreconcilable. Unfortunately, I'm unable to fine-tune my sentences in English according to my intentions ...

I just wanted to follow simple instructions

We all wish for them, definitely not only during configuration of LDAP ;-)

we strive for perfection in the knowledge that it is unachievable

True, but not a good excuse for not trying to achieve it.

Theory /+x-~ reality = life (if that doesn't make sense it's because it doesn't make sense)!

Logic and rationality only apply some of the time.

Logic and rationality apply most of the time. But sometimes the rules are too complex to be recognized by a man. We use "feeling" then as a workaround (or just as a quick way to estimate). I think it's better to know the rules whenever possible. You may then decide which of them you wish to comply with.

But it's a matter of personality, of course. Be sure I know there's no other universal Answer to Life, the Universe and Everything but 42 ...

:-)