09-19-2008 06:13 AM - edited 03-18-2019 09:40 PM
Has anyone been able to configure the External LDAP option of PCA on Unity 5+ for user authentication (for example, to CUCM's LDAP or OpenLDAP)?
I found the following documentation regarding this but have been unable to make PCA use LDAP; it keeps loading the logon domain option instead.
http://www.ciscounitytools.com/Documents/FL501LDAPauthentication.pdf
09-19-2008 09:32 AM
PCA basically uses IIS. You will need to configure IIS for authentication. If you have a VM-only setup, which it sounds like you do, you will need to create an AD trust between your VM-only domain and your production AD domain.
09-19-2008 09:58 AM
Just for my information, and not disagreeing. But doesn't PCA use Tomcat and get redirected to IIS or something like that?
Randy
09-19-2008 10:06 AM
No worries. I just had to set this up for a customer so I know the dirty details. It's a pain. PCA can use SSL, which if you use SSL, it's IIS. If you dig around IIS, there is the PCA site. To log into the PCA, IIS passes the authentication to the local AD. AD authenticates, and PCA logs in.
To make cross domain logins work, you have to create an AD trust. Once the trust is created, the PCA user inputs their UN/PW and correct domain name. IIS passes the information to AD, AD calls into the other domain for authentication info, etc.
It's probably not documented that well because it's really all just MSFT stuff to make it work.
My customer had a Voicemail-only setup. They wanted to use the PCA. But then we found out you could not change the password without using SSL. So I had to build out all the SSL stuff for PCA, and fix the IIS settings so it would work correctly. Super pain.
09-19-2008 10:07 AM
It looks like in the \CommServer\cscoserv\ciscopca directory all the page files are Java. I do believe it is tied to Tomcat for Java (if I stop Tomcat, the page loads but is blank).
Also in that directory, there are a couple of files of interest...
ldapLogon.js (LDAP login)
./WEB-INF/struts-config.xml, which references the ldapLogon.js.
If I could get the default PCA page to load the LDAP logon JavaScript instead of the logon.js (MS Domain), I think that would make it work to the external LDAP server as configured by the tool \CommServer\TechTools\UnityLdapAuthSetup.exe
09-19-2008 10:12 AM
Cool, I wasn't dreaming; Tomcat is involved.
Thanks for the info Tommer and andgrim.
Randy - I gave fives to both of you. :-)
09-19-2008 10:13 AM
ok, but how does PCA know that you logged in with some account from another LDAP source that is tied to your Unity Account???
09-19-2008 10:23 AM
If you run the "\CommServer\TechTools\UnityLdapAuthSetup.exe" tool, it prompts you to associate a Unity account to an external LDAP account. It looks like the association is stored in the SQL DB.
09-19-2008 10:24 AM
awesome.