OpenLDAP directory integration with Cisco Unified

Date: 17 Feb 2020

User Authentication

When an LDAP user has been successfully imported in the database and this user then tries to log in, his password needs to be verified. The first possibility is to use a password stored in CUCM, different from the user password in the LDAP directory: by default, when a user profile is created by DirSync, it is assigned the password "ciscocisco". The second possibility is to use the password from the LDAP directory. As it is not possible for the DirSync tool to retrieve the LDAP password (this is a protected field in an LDAP directory), each time a user tries to log in, CUCM attempts to bind to the LDAP directory with the supplied credentials. If the bind is successful, the user is accepted by CUCM. It is important to note that User Authentication by LDAP is only possible when CUCM has been previously configured for Directory Synchronization.

OpenLDAP server is an open source implementation of the Lightweight Directory Access Protocol. All the details about the OpenLDAP directory, including installation and configuration, are available at the following URL: http://www.openldap.org. The OpenLDAP directory is composed of three main parts.

The Frontend is responsible for implementing the LDAP protocol and answering the different requests (bind, search) from the client applications.

The Backends provide the Frontend with the actual data. Many Backends are available for use in OpenLDAP. Among the most common there are the BDB Backend, which stores the entries in a local Berkeley DB, the LDAP Backend, which dynamically retrieves data from another LDAP directory, or the ODBC Backend, which dynamically retrieves data from an ODBC-compatible database. It is interesting to understand that when used with Backends dynamically generating data, like LDAP or ODBC, OpenLDAP behaves like a proxy, so a successful integration between CUCM and OpenLDAP also permits the synchronization with almost any other external directory or database like, for example, Lotus Directory or

The Overlays interact with both the Frontend and the Backends and are used to modify the behavior of the different modules; for example, the rwm overlay makes it possible to create a dynamic attribute mapping between attribute names in the Frontend and their equivalents in the Backend.

The different Backends and Overlays are activated by configuration of OpenLDAP and can be statically linked with the main OpenLDAP executable (slapd) or loaded dynamically as modules.

OpenLDAP integration challenges

To make the integration possible, CUCM will be configured for synchronization with an iPlanet
directory, because this is the directory which has the closest behavior to OpenLDAP.

One of the first steps done by CUCM at the very beginning of the synchronization process is to ask the directory for all the optional controls it implements. The general way to perform this is to search the rootDSE of the directory. This request has a target (in this case the rootDSE) and a list of requested attributes. Unfortunately, the diverse directories behave differently regarding this list of attributes. For instance, with an empty list of requested attributes, AD will answer with the whole list of the supported controls, while OpenLDAP will reply with an empty answer. This is because OpenLDAP implements RFC 3673, which asks for a "+" in the attribute list (http://tools.ietf.org/html/rfc3673).

It is possible to have OpenLDAP return all the supported controls with an empty query using a special OpenLDAP overlay called allop. This overlay is not part of the basic OpenLDAP installation and needs to be added to the default configuration. This will be explained in detail in the section "Building and configuring OpenLDAP for CUCM Integration".

The second challenge is to make the mapping between the fields used by CUCM and the corresponding fields in the directory. The default mapping used for the iPlanet inetOrgPerson object is given in Table 1.

Table 1: CUCM default field mapping

    CUCM User Field         Attribute name in inetOrgPerson
    User ID                 One of: employeeNumber, telephonePhone
    First Name              givenname
    Middle Name             initials
    Last Name               sn
    Manager ID              manager
    Department              departmentnumber
    Phone Number            telephonenumber
    Mail ID                 One of:
    Title                   title
    Home Phone Number       homephone
    Mobile Phone Number     mobile
    Pager Number            pager

If your directory (or proxied directory or database) uses a different schema for its fields, it will be necessary to make an explicit mapping in the OpenLDAP configuration. This is the role of the rwm overlay: rwm can change both the name of the objectClass and the names of the fields. For example, if OpenLDAP is used to proxy an Active Directory, you might need to replace the objectClass inetOrgPerson by the objectClass user and the field uid by sAMAccountName. Appendix 1 contains a complete example of configuration using mapping for objectClass and fields. In case you need it, Appendix 2 contains the definitions for Active Directory specific attributes.

Integration Environment

In this application note, two different synchronization scenarios will be described.

Scenario 1: Synchronization between CUCM and Active Directory through an OpenLDAP proxy. Please note that this example is only for demonstration, as direct integration with Active Directory is natively available with CUCM.

Figure 2: Synchronization between CUCM and Active Directory through an OpenLDAP proxy
[Figure 2 diagram: CUCM - OpenLDAP Proxy - Active Directory]

    AD Server DNS name is dc.test.cisco.com
    AD Server users DN is dc=test,dc=cisco,dc=com
    AD user id field name is sAMAccountName
    OpenLDAP proxy DNS name is ldapproxy.test.cisco.com
    OpenLDAP virtual DN is dc=uccmdirectory,dc=cisco,dc=com

Scenario 2: Synchronization between CUCM and a main OpenLDAP through an OpenLDAP proxy. Please note that a direct integration between CUCM and the main OpenLDAP is also possible if you can modify the configuration of the main OpenLDAP.

Figure 3: Synchronization between CUCM and a main OpenLDAP through an OpenLDAP proxy

[Figure 3 diagram: CUCM - OpenLDAP Proxy - Main OpenLDAP]

    Main OpenLDAP DNS name is ldap2.test.cisco.com
    Main OpenLDAP users DN is dc=test,dc=cisco,dc=com
    Main OpenLDAP user id field name is uid
    OpenLDAP proxy DNS name is ldapproxy.test.cisco.com
    OpenLDAP virtual DN is dc=uccmdirectory2,dc=cisco,dc=com

The following versions have been used to make the integration successful:

    CUCM version 5.1.2b
    OpenLDAP 2.3.38 stable, installed on a Linux Ubuntu 6.06 LTS Server Edition
    Windows Server 2003 SP2 for Active Directory

Building and configuring OpenLDAP for CUCM Integration

The main challenge in building the OpenLDAP application for integration with CUCM is to add the optional allop overlay, as mentioned above. This new component was not yet available with the 2.3.38 stable version, which we will use for this integration.

Step 1: Acquire root privileges.

Step 2: Install GCC (required if the Linux distribution does not have the GCC compiler by default).

    apt-get -y install gcc-3.4

Step 3: Install the development libraries required for compiling OpenLDAP.

    apt-get -y install build-essential libltdl3-dev libdb4.3-dev libssl-dev

Step 4: Download and extract OpenLDAP stable 2.3.38.

    cd /usr/local/src
    wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.3.38.tgz
    tar xzvf openldap-2.3.38.tgz

Step 5: Download and extract OpenLDAP beta 2.4.5 and copy the allop overlay to 2.3.38.

    wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-test/openldap-2.4.5beta.tgz
    tar xzvf openldap-2.4.5beta.tgz
    cp -r openldap-2.4.5beta/contrib/slapd-modules/allop openldap-2.3.38/contrib/slapd-modules

Step 6: Build OpenLDAP stable 2.3.38.

    cd openldap-2.3.38
    ./configure --enable-ldap --enable-meta --enable-rwm --enable-modules --enable-dynamic \
        --prefix=/usr --sysconfdir=/etc --localstatedir=/var/openldap --libexecdir=/usr/sbin
    make depend

Step 7: Build the allop overlay module.

    sed -i 's/ConfigReply/cr/' contrib/slapd-modules/allop/allop.c
    gcc -shared -Iinclude -Iservers/slapd -Wall -g -o contrib/slapd-modules/allop/allop.so contrib/slapd-modules/allop/allop.c

Step 8: Install OpenLDAP and the allop module.

    make install
    mkdir -p /usr/lib/openldap
    cp contrib/slapd-modules/allop/allop.so /usr/lib/openldap
    cp contrib/slapd-modules/allop/slapo-allop.5 /usr/man/man5

Step 9: Configure OpenLDAP.

    cat > /etc/openldap/slapd.conf

Here paste the sample OpenLDAP configuration found in Appendix 1 and finish with Ctrl-C.

Step 10: Start OpenLDAP at OS startup (optional).

    apt-get -y install db4.3-util
    cd /etc/init.d
    cat > slapd

Here paste the sample startup script found in Appendix 3 and finish with Ctrl-C.

    chmod a+rx slapd
    update-rc.d slapd start 19 2 3 4 5 . stop 19 0 1 6 .

Configuring CUCM for OpenLDAP Integration

Step 1: Activate the LDAP system.
Figure 4: CUCM LDAP System configuration in System > LDAP

Step 2: Configure LDAP Synchronization (scenario 1).
Figure 5: CUCM LDAP Directory configuration for scenario 1

Step 3: Configure LDAP Synchronization (scenario 2).
Figure 6: CUCM LDAP Directory configuration for scenario 2

Step 4: Configure LDAP authentication.
Figure 7: CUCM LDAP Authentication configuration for scenario 2
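The rwm mapping described in the integration challenges section, applied to scenario 1, as an added Python example that is not part of the application note: it rewrites a constructed Active Directory entry into the inetOrgPerson view the proxy presents, applies the (objectclass=inetOrgPerson) filter CUCM uses for the full sync, and picks the Table 1 fields. The function names, the sample entry and the choice of mail for the Mail ID column are assumptions; the note's real mapping lives in slapd.conf (Appendix 1), not in Python.

```python
# Added example, not from the application note: a Python model of what the
# rwm overlay does for scenario 1 and of the Table 1 field pick-up by DirSync.

# rwm-style renames, backend (AD) name -> frontend (inetOrgPerson) name.
# LDAP attribute names are case-insensitive, so keys are compared lowercased.
OBJECTCLASS_MAP = {"user": "inetOrgPerson"}
ATTRIBUTE_MAP = {"samaccountname": "uid"}

# Table 1 of the note: CUCM user field -> inetOrgPerson attribute
# (Mail ID -> mail is assumed from the attribute list in the sync trace).
CUCM_FIELDS = {
    "userid": "uid", "firstname": "givenname", "middlename": "initials",
    "lastname": "sn", "managerid": "manager", "department": "departmentnumber",
    "phonenumber": "telephonenumber", "mailid": "mail", "title": "title",
    "homephone": "homephone", "mobile": "mobile", "pager": "pager",
}

def rwm_rewrite(entry):
    """Frontend view of a backend entry: objectClass values and attribute
    names are rewritten, everything else passes through unchanged."""
    view = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key == "objectclass":
            view[key] = [OBJECTCLASS_MAP.get(v, v) for v in values]
        else:
            view[ATTRIBUTE_MAP.get(key, key)] = list(values)
    return view

def matches_cucm_filter(entry):
    """The full-sync filter CUCM sends: (objectclass=inetOrgPerson)."""
    values = [v for k, vs in entry.items() if k.lower() == "objectclass" for v in vs]
    return "inetOrgPerson" in values

def to_cucm_user(entry):
    """Pick the Table 1 fields; attributes the entry lacks are left out."""
    return {field: entry[attr][0] for field, attr in CUCM_FIELDS.items() if attr in entry}

# Constructed AD entry, using the user data visible in the note's traces.
AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["mspeder"], "givenName": ["Matthieu"], "sn": ["Speder"],
    "telephoneNumber": ["3200"], "mail": ["mspeder@test.cisco.com"],
}

if __name__ == "__main__":
    print(matches_cucm_filter(AD_ENTRY))   # False: the raw AD entry is invisible to CUCM
    view = rwm_rewrite(AD_ENTRY)
    print(matches_cucm_filter(view), to_cucm_user(view))
```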

User Synchronization Results

Figure 8: Initial user profile in Active Directory

Figure 9: LDAP queries for the user to Active Directory (right) and through the OpenLDAP proxy (left). Note the objectClass mapping from user to inetOrgPerson and the field mapping from sAMAccountName to uid.

Figure 10: User profile after successful synchronization in CUCM

CUCM Synchronization Debug Traces

Initial query from CUCM to retrieve supportedControls:

    DEBUG DSLDAPSyncImpl.java:258 LDAPSync.Run: Run the LDAPSync thread
    DEBUG DSLDAPSyncImpl.java:1640 LDAPSync.resetFlags: init variables
    DEBUG DSLDAPSyncImpl.java:558 LDAPSync.checkLDAP: Check LDAP setting
    DEBUG DSLDAPSyncImpl.java:569 LDAPSync.checkLDAP: Add binary attributes
    DEBUG DSLDAPSyncImpl.java:747 LDAPSync.makeConnection: Making connection Attempt 1 currLDAPHostIndex 0 hostList size 1
    DEBUG DSLDAPSyncImpl.java:1327 LDAPSync.getHostAddress: Hostname ldapproxy.test.cisco.com
    DEBUG DSLDAPSyncImpl.java:1333 LDAPSync.getHostAddress: Result string 10.0.1.93
    DEBUG DSLDAPSyncImpl.java:760 LDAPSync.makeConnection: New LDAP URL ldap://10.0.1.93:389
    DEBUG DSLDAPSyncImpl.java:767 LDAPSync.makeConnection: Successful LDAP connection to ldap://10.0.1.93:389
    DEBUG DSLDAPSyncImpl.java:596 LDAPSync.checkLDAP: Getting supportedcontrol from ctx
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.4.1.4203.1.9.1.1
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 2.16.840.1.113730.3.4.18
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 2.16.840.1.113730.3.4.2
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.4.1.4203.1.10.1
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.2.840.113556.1.4.319
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.2.826.0.1.334810.2.3
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.2.826.0.1.3344810.2.3
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.1.13.2
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.1.13.1
    DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.1.12
    INFO DSLDAPSyncImpl.java:612 LDAPSync.checkLDAP: Page control supported true
    INFO DSLDAPSyncImpl.java:613 LDAPSync.checkLDAP: Persistent control supported false
    DEBUG DSLDAPSyncImpl.java:674 LDAPSync.checkLDAP: Get change logger location
    DEBUG DSLDAPSyncImpl.java:686 LDAPSync.checkLDAP: ChangeLog location is not available
    INFO DSLDAPSyncImpl.java:270 LDAPSync.Run: LDAP check ok syncMode 0
    INFO DSLDAPSyncImpl.java:284 LDAPSync.Run: Start full sync

CUCM query to make the full sync from OpenLDAP:

    DEBUG DSLDAPSyncImpl.java:794 LDAPSync.LDAPFullSync: LDAPFullSync
    DEBUG DSLDAPSyncImpl.java:803 LDAPSync.LDAPFullSync: SearchBase cn=users,dc=uccmdirectory,dc=cisco,dc=com
    DEBUG DSLDAPSyncImpl.java:804 LDAPSync.LDAPFullSync: Filter (objectclass=inetOrgPerson)
    DEBUG DSLDAPSyncImpl.java:1720 LDAPSync.dumpAttrsToReturn:
    DEBUG DSLDAPSyncImpl.java:1726 LDAPSync.dumpAttrsToReturn: uid givenname initials sn manager departmentnumber telephonenumber mail title homephone mobile
    DEBUG DSLDAPSyncImpl.java:815 LDAPSync.LDAPFullSync: Search when pageControl is supported
    DEBUG DSLDAPSyncImpl.java:1160 LDAPSync.searchInternalExact: searchInternalExact enter
    INFO DSLDAPSyncImpl.java:1171 LDAPSync.searchInternalExact: Creating new LDAP context
    DEBUG DSLDAPSyncImpl.java:1174 LDAPSync.searchInternalExact: Created new LDAP context
    DEBUG DSLDAPSyncImpl.java:1182 LDAPSync: Do count 0
    DEBUG DSLDAPSyncImpl.java:1183 LDAPSync: Base cn=users,dc=uccmdirectory,dc=cisco,dc=com
    DEBUG DSLDAPSyncImpl.java:1184 LDAPSync: Filter (objectclass=inetOrgPerson)
    INFO DSLDAPSyncImpl.java:1188 LDAPSync: Number of page searched 1
    DEBUG DSLDAPSyncImpl.java:1216 LDAPSync.searchInternalExact: Send user data to DBinterface 2
    DEBUG DSLDAPSyncImpl.java:857 LDAPSync.sendUserData: ChangeMode 1

OpenLDAP answer:

    DEBUG DSLDAPSyncImpl.java:870 LDAPSync.sendUserData: Directory entry is cn=Matthieu Speder null null {telephonenumber=telephoneNumber: 3200, mail=mail: mspeder@test.cisco.com, mobile=mobile: 061998, uid=uid: mspeder, givenname=givenName: Matthieu, homephone=homePhone: 01413, sn=sn: Speder}
    DEBUG DSLDAPSyncImpl.java:1504 LDAPSync.formUserObject: Name userid Value mspeder
    DEBUG DSLDAPSyncImpl.java:1504 LDAPSync.formUserObject: Name firstname
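A small checker for the first trace above, as an added Python example that is not part of the application note or of CUCM: it pulls the supportedControl OIDs out of DirSync checkLDAP lines and reproduces the "Page control supported" / "Persistent control supported" decision, flagging the empty-answer case that the allop overlay exists to fix. The line layout of the constructed sample traces, the regular expression and the persistent search OID 2.16.840.1.113730.3.4.3 are assumptions; the paged results OID 1.2.840.113556.1.4.319 is the one present in the trace.

```python
# Added example, not from the application note: parse CUCM DirSync debug
# lines and redo the checkLDAP decision on the rootDSE supportedControl list.
import re

PAGED_RESULTS = "1.2.840.113556.1.4.319"      # RFC 2696, needed for the full sync
PERSISTENT_SEARCH = "2.16.840.1.113730.3.4.3" # assumed OID behind "Persistent control"

# "Control" followed by an OID on a checkLDAP line (line layout assumed)
CONTROL_RE = re.compile(r"checkLDAP\S*\s+Control\s*:?\s*([0-9][0-9.]*)")

# Constructed trace in the shape of the note's traces (subset of the OIDs)
SAMPLE_TRACE = """\
DEBUG DSLDAPSyncImpl.java:596 LDAPSync.checkLDAP: Getting supportedcontrol from ctx
DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.4.1.4203.1.9.1.1
DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 2.16.840.1.113730.3.4.18
DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.2.840.113556.1.4.319
DEBUG DSLDAPSyncImpl.java:601 LDAPSync.checkLDAP: Control 1.3.6.1.1.12
INFO DSLDAPSyncImpl.java:612 LDAPSync.checkLDAP: Page control supported true
"""

# Constructed trace of an OpenLDAP without the allop overlay: empty answer
EMPTY_TRACE = """\
DEBUG DSLDAPSyncImpl.java:596 LDAPSync.checkLDAP: Getting supportedcontrol from ctx
INFO DSLDAPSyncImpl.java:612 LDAPSync.checkLDAP: Page control supported false
"""

def supported_controls(trace):
    """OIDs CUCM logged from the rootDSE supportedControl attribute."""
    return set(CONTROL_RE.findall(trace))

def check_ldap(trace):
    """Mirror the checkLDAP outcome and give a hint when the full sync cannot work."""
    controls = supported_controls(trace)
    result = {
        "controls": controls,
        "page_control": PAGED_RESULTS in controls,
        "persistent_control": PERSISTENT_SEARCH in controls,
    }
    if not controls:
        # The symptom described in the note: an empty attribute list gets
        # an empty answer from OpenLDAP unless the allop overlay is loaded.
        result["hint"] = "no supportedControl returned; load the allop overlay"
    elif not result["page_control"]:
        result["hint"] = "paged results control missing; full sync cannot page"
    else:
        result["hint"] = "ok"
    return result

if __name__ == "__main__":
    print(check_ldap(SAMPLE_TRACE)["hint"], "/", check_ldap(EMPTY_TRACE)["hint"])
```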
