Not Working - Ext LDAP Directory for Cisco PCA Authentication Unity 5+

Unanswered Question
Sep 19th, 2008

Has anyone been able to configure the External LDAP option of PCA on Unity 5+ for user authentication (for example, to CUCM's LDAP or OpenLDAP)?

I found the following documentation regarding this but have been unable to make PCA use LDAP, it keeps loading the logon domain option instead.

http://www.ciscounitytools.com/Documents/FL501LDAPauthentication.pdf

Tommer Catlin Fri, 09/19/2008 - 09:32

PCA basically uses IIS. You will need to configure IIS for authentication. If you have a VM-only setup, which it sounds like you do, you will need to create an AD trust between your VM-only domain and your production AD domain.

ranpierce Fri, 09/19/2008 - 09:58

Just my information, and not disagreeing. But doesn't PCA use Tomcat and get redirected to IIS, or something like that?

Randy

Tommer Catlin Fri, 09/19/2008 - 10:06

No worries. I just had to set this up for a customer so I know the dirty details. It's a pain. PCA can use SSL, which if you use SSL, it's IIS. If you dig around IIS, there is the PCA site. To log into the PCA, IIS passes the authentication to the local AD. AD authenticates, and PCA logs in.

To make cross domain logins work, you have to create an AD trust. Once the trust is created, the PCA user inputs their UN/PW and correct domain name. IIS passes the information to AD, AD calls into the other domain for authentication info, etc.

It's probably not documented that well because it's really all just MSFT stuff to make it work.

My customer had a Voicemail-only setup. They wanted to use the PCA. But then we found out you could not change the password without using SSL. So I had to build out all the SSL stuff for PCA and fix the IIS settings so it would work correctly. Super pain.

andgrim Fri, 09/19/2008 - 10:07

It looks like in the \CommServer\cscoserv\ciscopca directory all the page files are Java. I do believe it is tied to Tomcat for Java (if I stop Tomcat the page loads but is blank).

Also in that directory, there are a couple of files of interest...

ldapLogon.js (Ldap login)

./WEB-INF/struts-config.xml which references the ldapLogon.js.

If I could get the default PCA page to load the LDAP logon JavaScript instead of the logon.js (MS Domain), I think that would make it work with the external LDAP server as configured by the tool \CommServer\TechTools\UnityLdapAuthSetup.exe.

ranpierce Fri, 09/19/2008 - 10:12

Cool, I wasn't dreaming; Tomcat is involved.

Thanks for the info Tommer and andgrim.

Randy - I gave five's to both of you. :-)

Tommer Catlin Fri, 09/19/2008 - 10:13

ok, but how does PCA know that you logged in with some account from another LDAP source that is tied to your Unity Account???

andgrim Fri, 09/19/2008 - 10:23

If you run the "\CommServer\TechTools\UnityLdapAuthSetup.exe" tool, it prompts you to associate a Unity account with an external LDAP account. It looks like the association is stored in the SQL DB.
