|
0:00:14
|
So now let’s take a look at an overview of CUCM users, groups
|
|
0:00:18
|
and Lightweight Directory Access Protocol Synchronization, or LDAP Sync.
|
|
0:00:24
|
So users are of course central to Cisco Unified Communications.
|
|
0:00:29
|
Whether we’re taking a look at IP telephony endpoints
|
|
0:00:33
|
and we specifically are wanting to look at them in relation to
|
|
0:00:37
|
the ability to have a corporate directory of some sort.
|
|
0:00:40
|
IP telephony endpoints, dealing with user lookup,
|
|
0:00:45
|
or else IP telephony end users themselves
|
|
0:00:48
|
dealing with authenticating themselves.
|
|
0:00:52
|
Whether we’re dealing with the operations and administration staff.
|
|
0:00:56
|
So application administrators trying to authenticate
|
|
0:01:00
|
or even dealing with user provisioning out
|
|
0:01:03
|
to various to IP telephony applications such as
|
|
0:01:06
|
Unified Contact Center, Unity Connection, Presence Server, etc.
|
|
0:01:15
|
So let’s take a look at Lightweight Directory Access Protocol
|
|
0:01:19
|
and how this operates with CUCM
|
|
0:01:21
|
and even with Unity Connection.
|
|
0:01:25
|
First of all, down at the bottom, we see our
|
|
0:01:28
|
CUCM or Unity Connection (CUC)
|
|
0:01:31
|
And see that we have an embedded database within the actual server.
|
|
0:01:37
|
We also have something called the directory synchronization agent.
|
|
0:01:41
|
And as long as this has been deactivated, then we have the ability
|
|
0:01:45
|
to synchronize users from an outside LDAP.
|
|
0:01:49
|
Most of the time in our lab environment
|
|
0:01:53
|
and many times in many enterprises, this will be
|
|
0:01:55
|
Microsoft Active Directory but there are certainly others that are supported.
|
|
0:02:01
|
And what this will do as we will see
|
|
0:02:05
|
and go on in our demonstration is
|
|
0:02:07
|
provide the ability to synchronize or pull users from the corporate LDAP.
|
|
0:02:12
|
What we should know right upfront
|
|
0:02:15
|
is that there is no integration with the LDAP
|
|
0:02:18
|
and we are not performing any sort of two-way communication
|
|
0:02:22
|
We are only requesting users and synchronizing one way.
|
|
0:02:27
|
There's two-way communication, there's not
|
|
0:02:29
|
two-way synchronization, maybe I should more accurately state.
|
|
0:02:34
|
So, user provisioning, in a read-only format,
|
|
0:02:39
|
is done from the corporate LDAP so let’s say Microsoft Active Directory for instance,
|
|
0:02:44
|
through the directory sync agent
|
|
0:02:46
|
and those users that are found
|
|
0:02:49
|
based on the unique user ID that we choose,
|
|
0:02:54
|
are input into the embedded CUCM database.
|
|
0:02:58
|
Now, if there are already existing users in the database,
|
|
0:03:02
|
if their user IDs are the same as the users that are being synchronized
|
|
0:03:07
|
then those users will not be lost
|
|
0:03:09
|
and any specific settings that were set for those users
|
|
0:03:12
|
won’t be changed except for the fields that are pulled from the LDAP.
|
|
0:03:17
|
So, things such as department, manager,
|
|
0:03:21
|
phone number, things like that. But controlled phones,
|
|
0:03:25
|
extension mobility profile, things that don't exist
|
|
0:03:28
|
in any standard LDAP, will not be pulled or changed.
|
|
0:03:33
|
If there are users that
|
|
0:03:35
|
were existing in the embedded CUCM database
|
|
0:03:38
|
that were not present in the LDAP, they will be flagged for deletion
|
|
0:03:43
|
and have the status of Delete Pending and after 24 hours will be deleted.
|
|
0:03:48
|
So a phone does have the ability to request user or phone authentication
|
|
0:03:57
|
And this is actually done through a separate component
|
|
0:04:00
|
in the CUCM that we’ll take a look at in a minute called the IMS.
|
|
0:04:04
|
And the CUCM has the ability to proxy
|
|
0:04:08
|
this authentication request to the LDAP on behalf of the phone or user,
|
|
0:04:13
|
receive a response and then grant that
|
|
0:04:17
|
response back to the phone.
|
|
0:04:19
|
So, return the accept (you’re authenticated) or the rejection (you’re not).
|
|
0:04:26
|
But it is important to note, again, there is no data written to the directory.
|
|
0:04:31
|
And user authentication is again a read-only-with-response
|
|
0:04:35
|
type of situation, just like the user provisioning is a read-only situation.
|
|
0:04:41
|
And these two can be enabled independently.
|
|
0:04:44
|
So first off, in order to
|
|
0:04:48
|
perform the authentication or synchronization, we have to configure each,
|
|
0:04:52
|
but they can be done mutually exclusively of one another.
|
|
0:04:59
|
So let’s take a look at the difference between End Users
|
|
0:05:03
|
versus Application Users in CUCM.
|
|
0:05:06
|
So Unified Communication Users are divided in two categories
|
|
0:05:10
|
End and Application.
|
|
0:05:12
|
End users are typically those physical users.
|
|
0:05:16
|
They can be telephony users or administrators.
|
|
0:05:19
|
Application users are either those administrators, or separate IT administrator folks,
|
|
0:05:29
|
or more commonly used for voice applications.
|
|
0:05:32
|
For instance, things like IPMA, also called Unified CM Assistant,
|
|
0:05:37
|
attendant console, IPCC or UCC Express, the contact center.
|
|
0:05:43
|
Anything that deals with CTI, or Computer Telephony Integration,
|
|
0:05:47
|
also referred to as JTAPI or Java Telephony Application Programming Interface.
|
|
0:05:53
|
Anything that deals with CTI and or JTAPI
|
|
0:05:56
|
which is really the form of CTI in use. Those need users to
|
|
0:06:03
|
either provide them with CTI control of all devices or
|
|
0:06:07
|
association and control over just a few devices.
|
|
0:06:10
|
But either way, we typically will almost always create those as application users.
|
|
0:06:16
|
And any that are provisioned for us such as UCCX,
|
|
0:06:19
|
Contact Center Express will be done so as application users.
|
|
0:06:23
|
And then an important note: application users are always kept local to the CUCM database
|
|
0:06:29
|
and always authenticated locally even
|
|
0:06:32
|
when we are synchronizing with an external LDAP. So,
|
|
0:06:37
|
whenever we synchronize with the external LDAP, we overwrite
|
|
0:06:40
|
end users, we do not overwrite or change anything on application users.
|
|
0:06:46
|
And if we also set up LDAP authentication,
|
|
0:06:50
|
only end users have their authentication proxied to the LDAP.
|
|
0:06:54
|
Application users are always authenticated locally.
|
|
0:06:58
|
Multi-level Access or MLA.
|
|
0:07:00
|
Those concepts are fully integrated in the CUCM.
|
|
0:07:03
|
The administration pages via
|
|
0:07:04
|
roles and user groups and we’re going to take a look at those in the demo in just a little bit.
|
|
0:07:08
|
We just need to assign the appropriate role to the end users
|
|
0:07:11
|
to turn them to potential administrators
|
|
0:07:14
|
of varying levels, varying access levels.
|
|
0:07:19
|
So some of the features of LDAP synchronization in CUCM
|
|
0:07:23
|
Supported corporate directories are Microsoft Active Directory
|
|
0:07:27
|
version 2000, 2003 and 2007
|
|
0:07:32
|
OpenLDAP, Netscape 4,
|
|
0:07:35
|
iPlanet 5.1 and also Sun ONE 5.2 and version 6.0.
|
|
0:07:41
|
We do have the ability for redundancy. We can configure multiple LDAP hosts.
|
|
0:07:47
|
We have the ability to connect to LDAP over SSL, so securely.
|
|
0:07:53
|
We have the support for multi-tree active directory
|
|
0:07:58
|
integration or synchronization, so non-contiguous namespaces or
|
|
0:08:02
|
even separate LDAPs altogether, separate forests.
|
|
0:08:07
|
We have support in 8
|
|
0:08:09
|
and beyond for custom filtering. Initially, we’ll take a look at 7, but
|
|
0:08:13
|
we will certainly, at the end of that look at the
|
|
0:08:16
|
updates to 8 with custom filtering and how to accomplish that.
|
|
0:08:21
|
We have the ability to configure a one-time
|
|
0:08:24
|
synchronization and manual resync
|
|
0:08:26
|
or we can configure periodic synchronization.
|
|
0:08:30
|
So we can have it resynced every time, every day
|
|
0:08:34
|
at a certain time, so every 24 hours or daily or something.
|
|
0:08:38
|
The maximum amount of time
|
|
0:08:40
|
or most frequent that we can do an update is six hours.
|
|
0:08:43
|
Be aware that with a large LDAP in an enterprise production environment,
|
|
0:08:47
|
this could take a big toll, a big CPU toll on the
|
|
0:08:51
|
publisher server that’s performing the directory sync.
|
|
0:08:54
|
And it’s only the publisher that’s performing the directory sync.
|
|
0:08:57
|
One more reason why,
|
|
0:08:58
|
in a production environment you would not have a publisher
|
|
0:09:00
|
as a call processing engine.
|
|
0:09:04
|
Authentication, again, is enabled separately.
|
|
0:09:09
|
So when we enable authentication, end user passwords
|
|
0:09:13
|
will be authenticated against the LDAP, or proxied to the LDAP.
|
|
0:09:16
|
However, end user PINs will always be authenticated
|
|
0:09:19
|
against the local embedded database, not LDAP.
|
|
0:09:22
|
And again, just to reinforce and drive home, application
|
|
0:09:26
|
passwords will always be authenticated against the local embedded
|
|
0:09:30
|
CUCM database, not the LDAP.
|
|
0:09:34
|
So looking at the default behaviour, we see the password authentication
|
|
0:09:40
|
between IP telephony users or other Cisco applications
|
|
0:09:44
|
done via HTTP or HTTPS depending on
|
|
0:09:47
|
the 4 through 7 or version 8 of CUCM,
|
|
0:09:51
|
will be sent through an HTTP
|
|
0:09:54
|
or HTTPS, so a web-based service, so the
|
|
0:09:57
|
web server, port 80 or 443 will take that request
|
|
0:10:02
|
and it will proxy that information to the embedded database.
|
|
0:10:08
|
If we have a Directories button, that will go over HTTP for user lookup
|
|
0:10:13
|
to the embedded database, extension mobility,
|
|
0:10:18
|
HTTP or, again, the ability to configure secure HTTPS authentication.
|
|
0:10:28
|
Looking at it with an LDAP,
|
|
0:10:30
|
we see our HTTP or HTTPS authentication or user lookup.
|
|
0:10:35
|
And, first of all, since the user directory has been synchronized,
|
|
0:10:41
|
the user look up is still on the CUCM database.
|
|
0:10:44
|
The authentication does have the ability to proxy that over
|
|
0:10:50
|
again through the IMS which we see there, the Identity Management System.
|
|
0:10:54
|
and we see the directory sync tool pulls the main user attributes from the directory
|
|
0:10:58
|
into the database. User passwords are not synced.
|
|
0:11:01
|
So even if we’re doing authentication to LDAP,
|
|
0:11:03
|
the passwords are not synced.
|
|
0:11:08
|
We are instead authenticating or
|
|
0:11:11
|
if we’re just doing synchronization, we’re authenticating locally from CUCM
|
|
0:11:16
|
embedded database; it just happens to be from
|
|
0:11:19
|
synchronized users, but the passwords are not synced,
|
|
0:11:22
|
and if we are doing authentication, it’s proxying that information over.
|
|
0:11:27
|
So here’s looking at the authentication through the Identity Management System
|
|
0:11:32
|
proxying that onto the corporate directory.
|
|
0:11:38
|
Corporate directory lookup. Let’s take a look at this. So an IP phone,
|
|
0:11:44
|
We stated that they do lookups against the embedded user database; however,
|
|
0:11:49
|
provided, and we will take a look at this as part of the demo,
|
|
0:11:53
|
but provided, it’s good to know that it is available
|
|
0:11:57
|
whether for real production or for a possible exam question relating to this.
|
|
0:12:02
|
But Cisco does provide an IP services SDK or Software Development Kit
|
|
0:12:08
|
and one of the scripts that’s
|
|
0:12:12
|
inside that downloadable zip file for the SDK comes with a sample LDAP
|
|
0:12:18
|
COM object so that you can put this on a Microsoft IIS web server
|
|
0:12:23
|
and you can actually allow the Directories button, of course, CUCM would be
|
|
0:12:30
|
provisioned to point the IP phone to a different web server
|
|
0:12:35
|
for directories button and directory lookup and it would point it to the
|
|
0:12:43
|
Windows IIS web server and the sample script.
|
|
0:12:46
|
The LDAP COM object would be running there and we can modify the script,
|
|
0:12:51
|
and this supports lookup to any LDAP compliant directory.
|
|
0:12:54
|
So there is a way to lookup
|
|
0:12:57
|
corporate directory based on the LDAP and Cisco provides a sample.
|
|
0:13:04
|
However, enabling lookups does not affect user provisioning
|
|
0:13:07
|
and authentication in any way in unified communication manager.
|
|
0:13:12
|
And finally, we’ll take a look at the schema
|
|
0:13:15
|
that we’ll be using for the remainder of these videos for our
|
|
0:13:20
|
actual testing and hands on configuration, here we see that we have that INE
|
|
0:13:28
|
Active Directory schema; the server name is there although that’s less important.
|
|
0:13:32
|
Throughout the slides you will actually see this
|
|
0:13:35
|
this server referred to as the IP address. I'm sorry, not slides, but
|
|
0:13:39
|
throughout the hands on configuration, you’ll see it referred to for a little while
|
|
0:13:43
|
as 177.1.10.110
|
|
0:13:46
|
so the third octet being 10. We have since switched this to dot100.
|
|
0:13:51
|
So just if you happened to be renting any rack time from INE
|
|
0:13:54
|
and practicing LDAP, make sure that you look in the Rack Rental Access Guide
|
|
0:14:01
|
which is part of your Rack Control Page and it is dot100.
|
|
0:14:07
|
Everything else is the same. So we’ve got our top level
|
|
0:14:10
|
DC=com. Next level DC=INE.
|
|
0:14:14
|
Next level OU or Organizational Unit=Island Natural Exports for INE
|
|
0:14:20
|
and then we've got sub-OUs, we've got our executive OU,
|
|
0:14:25
|
our sales OU, our research and development, IT,
|
|
0:14:29
|
our operations and security OUs and there are users below those.
|
|
0:14:34
|
So we’ll use that as our schema throughout our hands on.
|