CM7 LDAP Auth from two Domains

Unanswered Question
Nov 5th, 2009

Users in two AD Domains will be using LDAP authentication. I have set up LDAP directories for both domains, but what would I set LDAP Manager Distinguished Name to? Also, would I simply add a second LDAP server to authenticate against?


I have had sporadic LDAP auth failures; the Windows Event log says "Pre authentication failure". Anyone heard of this? Thanks

Paul Reck Thu, 11/05/2009 - 15:46

Are the two domains within a single forest?


from the 7.x SRND


http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html


To enable authentication, a single authentication agreement may be defined for the entire cluster. The authentication agreement supports configuration of up to three LDAP servers for redundancy.


If they are in the same forest have a read through the Additional Considerations for AD section here


http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1045381


it might put you on the right path.


regards,


Paul

balitewiczp Thu, 11/05/2009 - 15:54

Thanks. I'll look through them. I have one of my own that I was reading, and I wonder if something changed and these LDAP servers are now GCs. My doc says I have to change the port numbers.

balitewiczp Thu, 11/05/2009 - 15:55

Yes, they are in the same forest, just different domains.

Paul Reck Thu, 11/05/2009 - 16:08

Hi Pete,


Have you set the LDAP Attribute for User ID to userPrincipalName under LDAP System?


regards,


Paul

Paul Reck Thu, 11/05/2009 - 16:16

Hi Pete,


That might be the problem.


From the SRND link I posted previously:


In order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM.


And a caveat:


Support for LDAP authentication with Microsoft AD forests containing multiple trees relies exclusively on the approach described above. Therefore, support is limited to deployments where the UPN suffix of a user corresponds to the root domain of the tree where the user resides. AD allows the use of aliases, which allows a different UPN suffix. If the UPN suffix is disjointed from the actual namespace of the tree, it is not possible to authenticate Unified CM users against the entire Microsoft Active Directory forest. (It is, however, still possible to use a different attribute as user ID and limit the integration to a single tree within the forest.)


regards,


Paul

balitewiczp Thu, 11/05/2009 - 16:21

I have one tree, different domains.


I'll research it some more.


The LDAP distinguished name is in DomainA, so maybe that explains failed attempts from DomainB.


Thanks for your help

Paul Reck Thu, 11/05/2009 - 16:32

Hi Pete,


A poor assumption on my part there.


If the LDAP distinguished name is a Global Catalog server on port 3268, it shouldn't be an issue.


No problem


regards,


Paul

pratik.rb Sun, 11/08/2009 - 03:49

Hi,


We have done this kind of configuration for one of our clients and prior to implementation had run into similar issues.

So what we suggested to our client was to have two domains like this:

1) Parent domain for corporate (example: cisco.com)

2) Child domain for tenants (example: tenants.cisco.com)


We created the LDAP distinguished name in the parent domain (and it automatically gets the rights required to access the users in the child domain).


We configured the CUCM to use UPN as username (UPN example: [email protected] and [email protected]) and configured LDAP authentication using port 3268 pointing to parent domain.


This is a working setup.


One caveat for using UPNs we faced was that Extension Mobility users had a tough time keying in the UPN ([email protected]) in EM login prompts, and there was also an unknown limitation of 32 characters in the username field which did not allow long usernames (UPNs) to be keyed in completely during EM login.


Hope this helps.
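
As a worked example (added by the editor, not posted by anyone in this thread), the Python script below runs the two UPN checks raised above over an export of forest users before the CUCM user ID attribute is switched to userPrincipalName: the SRND caveat that a UPN suffix disjoint from the namespace of the user's tree cannot be authenticated forest-wide, and the 32-character Extension Mobility username limit pratik.rb reports. The domain names, DNs and user records are constructed for illustration; the script only reads an export and never talks to the directory.

```python
"""Pre-flight check before using userPrincipalName as the CUCM user ID.

Added example, not code from the thread or from Cisco. Input is a list of
AD user records (DN, userPrincipalName, sAMAccountName) such as an
ldapsearch export from the Global Catalog. Two problems are flagged:
  1. a UPN suffix disjoint from the namespace of the tree the user lives in
     (the SRND caveat: such users cannot be authenticated forest-wide), and
  2. a UPN longer than 32 characters (the Extension Mobility login limit
     reported in the thread).
All domain names and users below are constructed sample data.
"""
from dataclasses import dataclass

# Limit on the EM login username field as reported in the thread.
EM_MAX_USERID_LEN = 32


@dataclass(frozen=True)
class AdUser:
    dn: str
    upn: str
    sam_account_name: str


def domain_from_dn(dn: str) -> str:
    """Return the DNS domain encoded in the DC= components of a DN.

    CN=Pete,OU=Users,DC=tenants,DC=example,DC=com -> tenants.example.com
    """
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(labels)


def upn_suffix_in_tree(upn: str, dn: str) -> bool:
    """True when the UPN suffix names the user's own domain or an ancestor
    of it in the same tree (e.g. bob@example.com for a user located in
    tenants.example.com). An alias suffix from another namespace, such as
    partner-alias.net, is disjoint and returns False.
    """
    _, _, suffix = upn.rpartition("@")
    suffix = suffix.strip().lower()
    if not suffix:
        return False
    domain = domain_from_dn(dn)
    return domain == suffix or domain.endswith("." + suffix)


def check_users(users) -> dict:
    """Map sAMAccountName -> list of problems for every user that has one."""
    problems = {}
    for user in users:
        issues = []
        if not upn_suffix_in_tree(user.upn, user.dn):
            issues.append("disjoint-upn-suffix")
        if len(user.upn) > EM_MAX_USERID_LEN:
            issues.append("upn-too-long-for-em")
        if issues:
            problems[user.sam_account_name] = issues
    return problems


# Constructed sample export: a parent domain example.com with a child
# domain tenants.example.com, mirroring the layout described in the thread.
SAMPLE_USERS = [
    AdUser("CN=Pete,OU=Users,DC=example,DC=com", "pete@example.com", "pete"),
    AdUser("CN=Ann,OU=Users,DC=tenants,DC=example,DC=com",
           "ann@tenants.example.com", "ann"),
    # UPN suffix is the tree root rather than the child domain: still fine.
    AdUser("CN=Bob,OU=Users,DC=tenants,DC=example,DC=com",
           "bob@example.com", "bob"),
    # Alternate UPN suffix from an unrelated namespace: disjoint.
    AdUser("CN=Carl,OU=Users,DC=tenants,DC=example,DC=com",
           "carl@partner-alias.net", "carl"),
    # 44-character UPN: cannot be typed in full at the EM login prompt.
    AdUser("CN=Dana,OU=Users,DC=tenants,DC=example,DC=com",
           "dana.longname.accounting@tenants.example.com", "dlong"),
]


if __name__ == "__main__":
    for sam, issues in sorted(check_users(SAMPLE_USERS).items()):
        print(f"{sam}: {', '.join(issues)}")
```

Users flagged with `disjoint-upn-suffix` will fail LDAP authentication when the agreement points at the Global Catalog (port 3268) with UPN as the user ID, which is the symptom the original poster saw for DomainB accounts; users flagged with `upn-too-long-for-em` will authenticate but cannot complete an Extension Mobility login.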

balitewiczp Tue, 11/10/2009 - 07:33

Thanks for the info. I believe I'm running into the same issue. I'll try your recommendations.
