0:00:13 Ok, so welcome back everyone from the break.
0:00:18 And one of the things that I did over the break was just
0:00:22 to troubleshoot a little bit more the problem with the phones registering.
0:00:26 And the problem was just a careless oversight on my part.
0:00:31 I had forgotten to add the primary router address
0:00:34 for the DHCP subnet on CUCM for the phones.
0:00:39 So that was the reason that I could ping over to the subnet
0:00:43 from CUCM and from any router,
0:00:46 but I could not ping the phones
0:00:49 per se from...
0:00:52 Well, I couldn't ping them from corporate headquarters,
0:00:54 I could ping them from the same subnet over on Branch 2.
0:01:01 So as soon as I added that,
0:01:03 a little bit while I did a reset on the phones
0:01:08 so they reset and quickly asked for a new IP address
0:01:12 or DHCP information.
0:01:13 They got their router and they registered just fine.
0:01:18 So I'm going to go and change those phones now,
0:01:23 so they're updated with the proper naming convention.
0:02:40 I think I gave that 2000 instead of 3000.
0:02:44 I meant to say three.
0:02:47 Ok, so everything is up and as it should be.
0:02:54 So let's move on and talk about Active Directory and LDAP.
0:02:59 So let's go create some end users
0:03:01 for our phones.
0:03:05 We'll just create some simple users such as...
0:03:11 hqphone1
0:03:15 and password, it doesn't really matter because we're going to be
0:03:20 syncing, so let's just leave it as it is.
0:03:23 hqphone1
0:03:29 And we'll associate it. Whoops...
0:03:31 Associate it to a device here.
0:03:40 And let's just say hqphone1.
0:03:46 Ok, so the reason we've done that
0:03:52 is that we already have UCCX admin and Variphy as two built-in users
0:03:58 that I have built in to the actual base configuration of this server
0:04:02 every time you reset it.
0:04:04 But I wanted to add one additional user
0:04:06 so that we could see the effects
0:04:09 of what's going to happen to that user as we synchronize
0:04:15 other users from the LDAP, from the Active Directory.
0:04:21 So in order to do this, first of all we need
0:04:22 the Directory Sync service running, and we've already checked that
0:04:25 under Serviceability for the Publisher.
0:04:27 We're going to go up to System > LDAP > LDAP System
0:04:33 And I'm actually going to bring up here...
0:04:36 Give me one second to bring up the...
0:04:41 Active Directory schema diagram that we're going to be using.
0:04:46 So for our lab, we've got an Active Directory schema
0:04:51 on our server. It doesn't really matter about the server name.
0:04:56 The IP address is what's important.
0:05:01 As well as a user name and password that can be used to
0:05:06 access and read the schema.
0:05:10 And this can be thought of in sort of a fully qualified domain name,
0:05:14 or FQDN, naming convention.
0:05:17 So if we start at the bottom and go up,
0:05:19 that's the way that we'll work here.
0:05:22 So we've got OUs,
0:05:24 our organizational units.
0:05:26 So we've got executive.island natural exports
0:05:29 .ine.com
0:05:34 And of course the way that we reference them is dc equals com,
0:05:39 dc equals ine, ou equals island natural exports
0:05:44 and if we just left it there for a search base
0:05:47 then we could find any users in any of the organizational units
0:05:52 below island natural exports.
0:05:56 Island natural exports being INE of course,
0:05:59 in our fictitious example here.
0:06:04 So we've got -- we could reference individual branches
0:06:09 though as well.
0:06:12 So what we'll do -- and that's what we mean by non-contiguous
0:06:15 namespaces. So I could call on the executive namespace
0:06:18 and the security namespace, but not call on IT for instance.
0:06:24 Ok, so what we're going to do is first of all
0:06:26 enable synchronizing from the LDAP server.
0:06:29 And we have to choose what type.
0:06:31 And then we're going to say that the attribute for the
0:06:34 Cisco user database
0:06:38 is going to be User ID.
0:06:40 What is the Active Directory entity that we're going to synchronize with User ID?
0:06:46 So are we going to make the telephone number equal to User ID?
0:06:50 And the important thing is that whatever entity we do choose to use,
0:06:54 we must make sure that it's a unique entity on the LDAP side.
0:07:01 Ok, if we choose something like, say...
0:07:05 really anything,
0:07:07 like mail or telephone number, if there are any duplicates,
0:07:10 while the Active Directory may allow duplicates in that particular field
0:07:13 like telephone number, it's not going to work if they are duplicates on our side.
0:07:20 Ok, so we're just going to use the Security Account Manager
0:07:24 account name, or the SAM account name.
0:07:28 Ok, so once we've enabled it,
0:07:30 now we can set up directory synchronization.
0:07:35 So we'll add a new one and it tells us
0:07:37 "Existing End Users not found in the corporate directory will be deleted."
0:07:41 So, existing users that are in our CUCM directory,
0:07:45 but do not yet exist in the Active Directory,
0:07:48 they'll be deleted from our directory.
0:07:51 And for correct integration it's necessary that the User ID
0:07:55 attribute is unique, as I just mentioned.
0:07:58 So first of all we can call it anything we want.
0:08:00 Let's call it INE Executive.
0:08:06 And the distinguished name,
0:08:07 this is our user name.
0:08:11 Ok, password.
0:08:13 This is our password.
0:08:17 Confirm the password.
0:08:18 And then the user base.
0:08:23 So going from left to right we're going to start at the bottom.
0:08:28 So ou equals executive,
0:08:32 ou equals island natural exports,
0:08:38 space, dc equals ine,
0:08:41 comma space,
0:08:43 dc equals com.
0:08:47 Ok, if we only want to synchronize the executive branch.
0:08:52 If we wanted to we could synchronize everyone
0:08:54 just by omitting the executive branch.
0:09:02 But let's be more selective.
0:09:08 We can choose the frequency
0:09:10 that we want to resync.
0:09:12 Six hours being the maximum frequency.
0:09:16 We can change attributes such as, I happen to know
0:09:18 that the phone number is not stored under telephone number
0:09:21 in the Active Directory.
0:09:23 Phone Number here for the Cisco directory
0:09:26 is stored in the Active Directory under the IP phone.
0:09:29 And that's just because I changed it.
0:09:31 And the server IP address is
0:09:35 right here.
0:09:36 So we'll just copy that, we're not using SSL.
0:09:41 We'll say save.
0:09:42 This won't save if this is not a proper search path
0:09:46 and the user name and password don't work right.
0:09:49 It'll return an error.
0:09:50 But it was successful, so that must mean that's a proper search path.
0:09:53 I can perform a full sync now.
0:09:57 And it will say that it's in process.
0:10:00 And it will essentially stay there and
0:10:03 say cancel sync if it's not searching -- if it hasn't completed.
0:10:09 So if I go back into here
0:10:11 and it says perform full sync again,
0:10:13 this means that it has synced properly.
0:10:16 I should be able to go back to End Users
0:10:18 and I should see a lot of users.
0:10:20 Now I still see UCCX and Variphy.
0:10:23 Notice the department name no longer says 'do not delete'.
0:10:26 Ok, that's because in the CUCM database
0:10:30 they were listed -- first of all their last names were listed as lowercase
0:10:34 and the department I had filled out "do not delete this user" or
0:10:38 "use this user for Variphy" or whatever.
0:10:41 Ok, that's not the way it was listed in the Active Directory.
0:10:45 But I did have those users created in Active Directory, therefore
0:10:49 or that way I wouldn't lose the access to them
0:10:53 when I pulled that over.
0:10:54 And because the User ID was the same,
0:10:56 it didn't necessarily overwrite the record,
0:10:59 it simply took control or simply synchronized the attributes
0:11:04 that it had from the LDAP status
0:11:07 which the sync status is active.
0:11:10 It took over the attributes.
0:11:12 Notice password is still here. That's because we haven't set up authentication.
0:11:16 Last name it overwrote, anything that the field is gone for
0:11:20 it overwrote.
0:11:21 But notice my controlled devices are still all here.
0:11:24 In fact while I'm here, I need to go ahead and
0:11:27 add the other two phones
0:11:29 that were added recently to the database.
0:11:34 Ok, so those stayed, the three that were there stayed
0:11:38 as part of the field values because we didn't replace or delete the user.
0:11:45 Because it also existed in Active Directory.
0:11:48 Now the hqphone1 is currently set to LDAP status inactive.
0:11:53 And essentially will be deleted at some point.
0:11:55 We can't delete it.
0:11:57 We have no delete buttons anymore.
0:12:00 Add or anything else.
0:12:02 But we do have a number of other users.
0:12:05 And we can take and associate these users
0:12:07 with the various phones that we have.
0:12:11 So it pulled over all sorts of information:
0:12:14 Jack Shepherd, a telephone number that happens to begin with a plus.
0:12:18 We can change that, but only from Active Directory.
0:12:22 His department, he's the VP of Human Resources.
0:12:24 His e-mail ID.
0:12:28 Ok, so if we want we could say device association to 1001 for instance.
0:12:34 And we're still updating the fields that we still have access to control.
0:12:42 The entire record is our CUCM database.
0:12:44 We've just synchronized and we'll continue to synchronize certain fields.
0:12:49 Ok, now we can also go and set up LDAP Authentication.
0:12:54 So right now if I authenticate,
0:12:56 it's going to authenticate against my CUCM password
0:13:00 which right now isn't anything.
0:13:02 So just as an example, I'm going to add the user to a group
0:13:07 and the group that I'm going to add it to contains
0:13:10 end
0:13:12 and it's standard CUCM End Users.
0:13:14 And by adding it to this group and pressing save,
0:13:18 the role that's applied is Standard CCM End Users
0:13:21 and Standard CCM User Administration.
0:13:23 So I can now administer or log in to my CCM User web page.
0:13:29 So I will copy this guy's name here,
0:13:32 log out of CUCM,
0:13:37 log in to...
0:13:41 CCM User instead of, whoops,
0:13:46 CCM User instead of CCM Admin
0:13:50 and try to log in as jshepherd and let's see, no password.
0:13:55 That didn't work.
0:13:57 What about jshepherd and cisco?
0:14:03 Pretty much nothing's going to work and that's because
0:14:08 I never assigned him a password.
0:14:10 And it can't have a blank password.
0:14:12 So I can go back to User Management >
0:14:15 End User
0:14:17 and I'm going to say it begins with js,
0:14:20 that's first name, so it just begins with j.
0:14:27 And I'll grab Jack Shepherd
0:14:29 and say that his password
0:14:33 is going to be cisco123.
0:14:37 Ok, just so you can see,
0:14:39 it's cisco123
0:14:44 and I'm just going to copy that or cut it,
0:14:51 paste,
0:14:52 paste,
0:14:53 save,
0:14:57 and I'll go up to CCM User
0:15:03 and log in as
0:15:08 jshepherd
0:15:12 cisco123
0:15:14 and I'm now logged in.
0:15:17 Ok, so I'm going to go back to CCM Admin.
0:15:21 And this time I'm going to...
0:15:24 And I purposefully made his end user password
0:15:26 something other than what the LDAP is.
0:15:29 The LDAP password is cisco, this one I made cisco123 as the password.
0:15:34 So LDAP authentication.
0:15:38 I'm going to enable LDAP authentication
0:15:42 and it's actually already got some info in there
0:15:44 from the last time I set up this server
0:15:50 and saved the snapshot,
0:15:51 but you would copy basically the same information.
0:15:54 Now I can authenticate it against the sub-OU
0:16:00 of executive, but that will only authenticate users in executive.
0:16:06 And I might have more than one,
0:16:10 for instance, I haven't saved this yet,
0:16:11 I'm not going to just yet.
0:16:17 I have INE Executive here.
0:16:19 But I might also -- just copy this so I can keep a bunch of settings --
0:16:23 have INE Sales, let's say.
0:16:27 And...
0:16:30 So let's just grab -- actually I can just start typing it in
0:16:32 and it will... no no.
0:16:36 It's not filling in my fields for me.
0:16:39 Ok, so ou equals sales,
0:16:42 ou equals island natural exports,
0:16:46 dc equals ine,
0:16:48 dc equals com.
0:16:51 Ok, everything else is the same.
0:16:54 Save.
0:16:55 Perform full sync.
0:16:59 User Management > End User.
0:17:02 I should have a few additional users.
0:17:05 I do.
0:17:07 For instance, I believe...
0:17:14 Let's see...
0:17:19 I believe sales manager, I believe she was in the sales category.
0:17:22 But we definitely have a few additional users.
0:17:24 Also if I go back to Directory INE Sales,
0:17:27 it says perform full sync, so it didn't
0:17:30 it doesn't say cancel sync, it obviously completed properly.
0:17:33 We could look at the traces if we like.
0:17:36 So if I want to authenticate
0:17:38 against more than just the executive branch,
0:17:43 then I have to leave it at a higher level.
0:17:46 So I'm going to stop here at this higher level rather than
0:17:50 digging down into any of the others
0:17:52 because unlike sync directory I only have
0:17:55 I can't say 'add' up here.
0:17:57 I only have one single base, search base that I can sync for...
0:18:05 for all of... Let's just make sure the password's right.
0:18:08 For the entire server.
0:18:10 So you just sync against the root of the forest
0:18:13 and it will work for everyone.
0:18:15 So now that we've checked this and saved this,
0:18:17 if I go back to User Management > End User
0:18:21 and go back to jshepherd,
0:18:23 notice that password just doesn't even exist anymore.
0:18:27 PIN is here, but password doesn't exist.
0:18:31 So, if I try to test this
0:18:34 by going to CCM User
0:18:39 and I try to log in as jshepherd,
0:18:43 and I'm going to put this here so that you can see
0:18:45 I'm cutting this user name
0:18:47 and pasting only cisco.
0:18:51 That works,
0:18:54 but of course if I try to log out
0:18:58 and log in as cisco123, which is what his password previously was
0:19:06 set in the local database, that no longer works.
0:19:09 Because I'm proxying authentication
0:19:11 over to the LDAP.
0:19:16 Ok, any questions on LDAP?
0:19:24 Someone asked, "It used to be that you could sync a maximum of
0:19:27 five OUs. Is that still the case?"
0:19:31 Let's see...
0:19:32 3, 4, 5, 6
0:19:36 Let's just try it here real quick.
0:19:41 I don't believe that's the case with version 7.
0:19:43 I know for a fact that's not the case with version 8.
0:19:47 But let's just try.
0:19:49 Actually let's go back and do a copy.
0:20:12 Save
0:20:13 Sync
0:20:14 Ok.
0:20:17 Copy
0:20:23 INE IT
0:20:44 Perform full sync
0:20:46 Ok.
0:20:52 and copy
0:20:54 and INE Ops
0:21:12 Yep. It looks like that is the case because I lost my add new button.
0:21:20 Maybe not.
0:21:26 Nope, I don't think so.
0:21:27 Whoops, let me go back.
0:21:29 Let me just copy this.
0:21:33 Copy
0:21:36 INE Security
0:21:52 Yep.
0:21:53 Still can't add more than five.
0:21:55 So that is still the case, Robert, with version 7.
0:21:58 I believe that limit has been lifted with 8.
0:22:00 However, one of the things that 8 does that is very nice
0:22:04 is you can sync with an entire forest
0:22:10 and then you can build in, there's an additional
0:22:14 field here for LDAP custom filter
0:22:19 and you can build in a custom filter, so that you can filter out
0:22:22 what you don't want to synchronize.
0:22:24 That's really one of the nice new features about 8.
0:22:28 "Is there a way to keep existing end users in CUCM
0:22:31 even if we have synchronized with AD
0:22:34 and the users do not exist in the AD?"
0:22:37 The answer is no, there is no way to keep end users in. Application users
0:22:44 are your only users that will not be affected.
0:22:47 You added on the application users will not be affected. Correct?
0:22:50 And that is correct. Application users are not touched
0:22:55 in any way by the synchronization or the authentication
0:23:00 of Active Directory or any other LDAP.
0:23:05 So not only did I not have any synchronization or removal of my users,
0:23:09 for instance CTI port was done from a previous
0:23:13 integration of UCCX.
0:23:15 Actually UCCX is already integrated for you in the lab
0:23:18 just as we have it.
0:23:19 And notice that password is still here,
0:23:21 I can change that,
0:23:23 I can associate devices, I can do everything,
0:23:25 but there is no -- there's also fields that don't exist for application users
0:23:31 and that's really because it's stored in a separate database.
0:23:35 Application users are stored in a completely separate database
0:23:37 than the end users.
0:23:40 Ok, but you cannot keep any of the end users.
0:23:43 And we showed that by our hqphone1
0:23:46 which is inactive.
0:23:48 So I can go into this hqphone1, but it says
0:23:53 that there is a delete pending.
0:23:55 And so...
0:23:58 There is no password because that password has been alleviated by
0:24:03 LDAP Authentication.
0:24:05 But I won't be able to really do anything against this user.
0:24:09 There's a delete pending and it's just waiting
0:24:12 for that cleanup process to go and delete that...
0:24:16 that user.