LDAP authentication with CUCM 7x and different domains

gpworld
Level 1

I have an enterprise client who we are migrating to voice. We are using LDAP sync and authentication. When we did the core, users selected for sync and authentication worked well. But here is the problem.

I just set up the preproduction remote site. This site is part of different domain but under the same AD forest.

Example:

core site --> domain1.something.com

remote site --> domain2.something.com

The user for LDAP sync and authentication in the CUCM configuration is admin1 within domain1 (like I said, this part worked).

When I added the new directory for the remote site's domain, domain2, I used the same user1 for LDAP sync and everything worked well. User1 has rights to read from domain2.

However, when I changed the authentication piece to move from DC=domain1,DC=something,DC=com to just DC=something,DC=com (the top of the forest), authentication breaks on domain1 and just does not work on domain2.

Are there any special rights that user1 needs or has to have? Enterprise admin perhaps?

4 Replies

gogasca
Level 10

Since you already changed it to the parent domain something.com using

LDAP User Search Base: ,DC=something,DC=com

Use an account dedicated to Unified CM, with minimum permissions set to "read" all user objects within the desired search base and with a password set never to expire.

You can use an LDAP browser to check if you have read permissions:

I use LDAP Admin Tool.

Also, if the LDAP browser works with the same parameters as in CUCM, you can sniff traffic on CUCM to see why it's not working, or change the port from 389 to 3268.

HTH

I would suggest you consider adding multiple LDAP Directory agreements (maximums controlled through DirSync Service Parameters) instead. Elevating the Search Base to a higher level in the forest could result in a _significant_ number of objects for UCM to parse and load into Informix. I would target the OU containers that are appropriate for each domain instead.

Note that if usernames have the potential to overlap, you will want to change the LDAP Attribute for User ID to userPrincipalName for global uniqueness.

My problem is not that of the directory. I have multiple directories that both work for the import of the users, i.e. one directory for domain1 users and a second LDAP directory for domain2 users.

My issue comes with the authentication piece. The user being used for enabling authentication is user1 with a search base of DC=domain1,DC=something,DC=com. When I expand the search base for authentication to be just DC=something,DC=com, it breaks authentication for domain1 and does not work with domain2.

Domain containers are very specific as we migrate this enterprise, and I do not need 50000 users in the CM. Each site has its own containers for users. Two different domains in the same forest.

I can browse both domains via user1.

CUCM uses LDAP protocol to do authentication.

Windows PC does NOT use LDAP protocol to do authentication (it uses RPC).

To see why LDAP authentication failed, you should get the Tomcat Security log from CUCM and a packet capture from CUCM.

Usually, when you have multiple domains, you should configure CUCM to use the UPN (user principal name) as the user ID instead of sAMAccountName. An example of a UPN would be "user@domain1.com".

Hope this helps.

Michael

http://htluo.blogspot.com
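An added example (not code from this thread or from Cisco) that turns two pieces of advice above into something you can run: gogasca's "use an LDAP browser to check read permissions, or switch from port 389 to 3268", and Michael's point that with several domains the User ID attribute should be userPrincipalName rather than sAMAccountName. The collision audit runs offline on a constructed list of user entries; the live read check assumes the `ldap3` library is installed and takes placeholder hostnames and credentials you would replace with your own.

```python
"""Diagnostics for a CUCM LDAP service account that spans two AD domains
in one forest. Added example, not code from the thread. Two parts:
  1. an offline audit of exported user entries for User ID collisions
     (sAMAccountName) and the userPrincipalName alternative, and
  2. an optional live read check with the `ldap3` library (assumed
     installed), meant to be run against the forest root on the domain
     port (389) and on the Global Catalog port (3268) so the two results
     can be compared.
"""
from collections import defaultdict

# Constructed sample entries: what a read of each directory agreement might
# return. Names and domains are placeholders, not the thread's real values.
SAMPLE_ENTRIES = [
    {"domain": "domain1.something.com", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@domain1.something.com"},
    {"domain": "domain1.something.com", "sAMAccountName": "akumar",
     "userPrincipalName": "akumar@domain1.something.com"},
    {"domain": "domain2.something.com", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@domain2.something.com"},
]


def user_id_collisions(entries, attribute="sAMAccountName"):
    """Return {value: [domains...]} for every value of `attribute` that is
    present in more than one domain. CUCM keys end users on the configured
    User ID attribute, so a collision means two people map onto one user."""
    seen = defaultdict(set)
    for entry in entries:
        seen[entry[attribute]].add(entry["domain"])
    return {value: sorted(domains) for value, domains in seen.items()
            if len(domains) > 1}


def choose_user_id_attribute(entries):
    """sAMAccountName is only unique within a domain; userPrincipalName is
    unique across the forest. Recommend the UPN as soon as any collision
    exists among the synchronised domains."""
    if user_id_collisions(entries, "sAMAccountName"):
        return "userPrincipalName"
    return "sAMAccountName"


def check_read_access(host, bind_user, password, search_base, port=389,
                      sample=5):
    """Live check (requires `ldap3`): bind as the CUCM service account and
    read a few user objects below `search_base`. Port 389 answers from one
    domain's own naming context, so a forest-root base there typically
    yields referrals rather than the other domain's users; port 3268 is the
    Global Catalog, which holds a partial replica of every domain."""
    from ldap3 import Server, Connection, SUBTREE, ALL  # assumed installed

    server = Server(host, port=port, get_info=ALL)
    conn = Connection(server, user=bind_user, password=password)
    if not conn.bind():
        return {"port": port, "bound": False,
                "error": conn.result.get("description")}
    ok = conn.search(search_base,
                     "(&(objectClass=user)(objectCategory=person))",
                     search_scope=SUBTREE,
                     attributes=["sAMAccountName", "userPrincipalName"],
                     size_limit=sample)
    users = [str(e.userPrincipalName) for e in conn.entries]
    referrals = conn.result.get("referrals") or []
    conn.unbind()
    return {"port": port, "bound": True, "search_ok": ok,
            "users": users, "referrals": referrals}


if __name__ == "__main__":
    print("collisions:", user_id_collisions(SAMPLE_ENTRIES))
    print("recommended User ID attribute:",
          choose_user_id_attribute(SAMPLE_ENTRIES))
    # Fill in real values to compare the domain port with the GC port:
    # for p in (389, 3268):
    #     print(check_read_access("dc1.domain1.something.com",
    #                             "user1@domain1.something.com", "secret",
    #                             "DC=something,DC=com", port=p))
```

Running the offline part on the sample shows `jsmith` present in both domains, so the audit recommends userPrincipalName; with real exports, run it over the users returned by each directory agreement before raising the search base. The live function returns the bind result, whether the search succeeded, the UPNs it read and any referrals, which is the same evidence a packet capture of the CUCM authentication attempt would give you, without having to decode it.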
