Password not synching to CM 6.1 when LDAP authentication is enabled

Unanswered Question
Aug 29th, 2008

The users reflected in CM 6.1 from Active Directory are active, but the passwords are not synchronising when I try to log on to ccmuser using AD account passwords. Any ideas on this? Any suggestions will be of great help.

gogasca Sun, 08/31/2008 - 22:14

What are the values for the LDAP Authentication option?

CUCM never stores the AD passwords or syncs them.

We only redirect the auth request to AD based on the LDAP auth configuration.

MARK HANDERMANN Mon, 09/01/2008 - 07:57

First of all, thanks a ton for replying. The scenario is as follows:

LDAP Directory Information

LDAP Configuration Name: CN=Administrator,CN=Users,DC=cisco,DC=com

LDAP password: *********

LDAP User SearchBase: cn=Users,DC=cisco,DC=com


The synchronization works perfectly fine: when I create a user in AD it is replicated in CM 6.1. But when I try to log on at http://CMhostname:8443/ccmuser using the same credentials as I have in AD for that user, the authentication fails! It does not accept the same password as Active Directory. Do we need to change something on the Tomcat web server for accepting the authentication?



vmilanov Mon, 09/01/2008 - 08:16

Hi,


Synchronization with LDAP and authentication against LDAP are two different processes. The synchronization process is aimed at retrieving the list of users and their properties from the AD's database (but not the passwords), whereas the authentication, as you know already, is used to validate a username-password pair.


So they work differently. The synch process uses the 'Administrator' user that you have configured to bind via LDAP and read the database. It has to have read-only rights within the LDAP.


The authentication process uses the username and password pair that a user has entered to bind, on behalf of that user, to the LDAP, and if the bind has been successful, the authentication credentials are valid.


HTH,


Vasil

Ayodeji Okanlawon Mon, 09/01/2008 - 08:30

Have you configured the LDAP Authentication in CCM?

Ayodeji Okanlawon Mon, 09/01/2008 - 02:32

Hi,


You need to configure the LDAP authentication option just as you set up the LDAP server on CCM.



MARK HANDERMANN Mon, 09/01/2008 - 08:51

Yes, the LDAP authentication is already configured on CCM. Thanks for your reply, though.

vmilanov Mon, 09/01/2008 - 09:23

Hi again,


UCM 6.x does make a difference whether the user is an end-user or a system ('application' in UCM 6.x) user. The UCM Administrator user is considered an 'Application' user, and so its credentials are kept locally on the UCM LDAP repository. If you would like to make an LDAP user an administrative one, you should assign it a UCM administrative role. You can do that by clicking on the username from User Management->End Users, then going to the bottom of the page, to the 'Permissions Information' group, and adding the user to the UCM Administrators group - 'Standard CCM Admin Users'. In the same way you can assign other roles to users.


By default, end-users that were synched from the LDAP do not belong to any group or have any role.


HTH,


Vasil

MARK HANDERMANN Mon, 09/01/2008 - 10:43

Vasil


Thanks so much. I guess that should work; let me try that here real quick.

vmilanov Tue, 09/02/2008 - 12:59

Sorry,


I didn't see that you are logging in to the ccmuser page.


As I wrote above, the LDAP authentication is a process where the UCM binds to the AD on behalf of the user, i.e. with the credentials that user has entered, as if the UCM is the user itself. If it binds successfully, then the credentials are OK.


If the user-password pair you use has not been mistyped, the next thing to check is which LDAP attribute you have chosen for user ID.


The place to set this is in System->LDAP->LDAP System->'LDAP Attribute for User ID*'.


The one native to MS AD is sAMAccountName, but it might also be the mail address or userPrincipalName. I use sAMAccountName.



Regards,


Ayodeji Okanlawon Mon, 09/01/2008 - 12:58

I didn't understand your problem properly...


When you try to log in to the ccmuser page, your end users are not authenticated?


For this to work, you need to associate your end users to the Standard CCM end user group... You do not need to assign them to Admin user roles...

MARK HANDERMANN Tue, 09/02/2008 - 06:42

I did assign the users to the standard CCM end users group, but still I am not able to get authenticated. I also tried assigning them Admin roles, but still can't log in to the ccmuser page. Any more ideas?

edguidry Thu, 08/06/2009 - 14:07

Hello. What was the resolution to the LDAP auth issue? I am having the same problem.


Thanks!

Eddie

jasondrisc Wed, 08/12/2009 - 05:43

Hello, I am currently trying to set this up in a lab environment and running into the same issue. I would be very interested to hear the resolution.


Thanks,


Jason

david-lima Wed, 08/12/2009 - 11:41

Hi guys, verify the configuration of the LDAP Manager Distinguished Name, the LDAP Password and, most importantly, the LDAP User Search Base.

I have a similar problem because of a misconfiguration of the User Base Search.

Hope this helps

David

jasondrisc Wed, 08/12/2009 - 11:51

Hello, thanks for your reply, and as an update supporting it: my issue was a misconfiguration in the 'LDAP User Search Base'.


Thanks,


Jason
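
Added example (not part of the original thread, and not CUCM's code): a small Python model of the search-then-bind flow discussed above, showing how a user whose DN lies outside the authentication search base, or who is looked up by the wrong user ID attribute, fails to log in even with the correct AD password. The directory entries, DNs, passwords and function names are constructed for illustration.

```python
# Constructed sample directory: DN -> attributes (not data from the thread).
DIRECTORY = {
    "CN=Alice Smith,CN=Users,DC=example,DC=com":
        {"sAMAccountName": "asmith", "password": "S3cret!"},
    "CN=Bob Jones,OU=Staff,DC=example,DC=com":
        {"sAMAccountName": "bjones", "password": "Hunter2!"},
}

def _rdns(dn):
    """Split a DN into normalized RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base):
    """True if dn is at or below base: base's RDNs must be the tail of dn's."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search(base, attr, value):
    """Subtree search done with the manager account: DNs where attr == value."""
    return [dn for dn, entry in DIRECTORY.items()
            if in_subtree(dn, base)
            and entry.get(attr, "").lower() == value.lower()]

def simple_bind(dn, password):
    """Bind as dn; succeeds only when the password matches."""
    return DIRECTORY[dn]["password"] == password

def authenticate(auth_base, userid_attr, userid, password):
    """Search-then-bind: locate the user's DN, then bind with the typed password."""
    if not password:
        # An empty password turns a simple bind into an unauthenticated bind
        # (RFC 4513), which some servers accept; never forward it.
        return "rejected: empty password"
    hits = search(auth_base, userid_attr, userid)
    if len(hits) != 1:
        return "failed: user not found under search base"
    return "ok" if simple_bind(hits[0], password) else "failed: bad password"
```

From the login page both failure strings look the same to the user, so the search base and the user ID attribute are worth checking before the password is suspected.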
