11-05-2009 01:58 PM - edited 03-15-2019 08:22 PM
Users in two AD domains will be using LDAP authentication. I have set up LDAP directories for both domains, but what would I set LDAP Manager Distinguished Name to? Also, would I simply add a second LDAP server to authenticate against?
I have had sporadic LDAP auth failures; the Windows Event log says "Pre-authentication failure". Anyone heard of this? Thanks.
11-05-2009 03:46 PM
Are the two domains within a single forest?
From the 7.x SRND:
http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html
To enable authentication, a single authentication agreement may be defined for the entire cluster. The authentication agreement supports configuration of up to three LDAP servers for redundancy.
If they are in the same forest, have a read through the "Additional Considerations for AD" section here:
http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1045381
It might put you on the right path.
regards,
Paul
11-05-2009 03:54 PM
Thanks. I'll look through them. I have one of my own that I was reading, and I wonder if something changed and these LDAP servers are now GCs. My doc says I have to change the port numbers.
11-05-2009 03:55 PM
Yes, they are in the same forest, just different domains.
11-05-2009 04:08 PM
Hi Pete,
Have you set the LDAP Attribute for User ID to userPrincipalName under LDAP System?
regards,
Paul
11-05-2009 04:11 PM
It is currently set to sAMAccountName.
11-05-2009 04:16 PM
Hi Pete,
That might be the problem.
From the SRND link I posted previously:
In order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM.
And a caveat:
Support for LDAP authentication with Microsoft AD forests containing multiple trees relies exclusively on the approach described above. Therefore, support is limited to deployments where the UPN suffix of a user corresponds to the root domain of the tree where the user resides. AD allows the use of aliases, which allows a different UPN suffix. If the UPN suffix is disjointed from the actual namespace of the tree, it is not possible to authenticate Unified CM users against the entire Microsoft Active Directory forest. (It is, however, still possible to use a different attribute as user ID and limit the integration to a single tree within the forest.)
regards,
Paul
11-05-2009 04:21 PM
I have one tree, different domains.
I'll research it some more.
The LDAP distinguished name is in DomainA, so maybe that explains failed attempts from DomainB.
Thanks for your help
11-05-2009 04:32 PM
Hi Pete,
A poor assumption on my part there.
If the LDAP distinguished name is on a Global Catalog server on port 3268, it shouldn't be an issue.
No problem
regards,
Paul
11-08-2009 03:49 AM
Hi,
We have done this kind of configuration for one of our clients and, prior to implementation, we had run into similar issues.
So what we suggested to our client was to have two domains like this:
1) Parent domain for corporate (example: cisco.com)
2) Child domain for tenants (example: tenants.cisco.com)
We created the LDAP distinguished name in the parent domain (and it automatically gets the rights required to access the users in the child domain).
We configured the CUCM to use UPN as the username (UPN example: user1@cisco.com and user2@tenants.cisco.com) and configured LDAP authentication using port 3268 pointing to the parent domain.
This is a working setup.
One caveat for using UPNs we faced was that Extension Mobility users had a tough time keying in the UPN (user1@cisco.com) in EM login prompts, and there was also an unknown limitation of 32 characters in the username field which did not allow long usernames (UPNs) to be keyed in completely during EM login.
Hope this helps.
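As an added worked example (not code from the thread, from Cisco, or from CUCM itself), the following Python models the user-ID resolution step that the working setup above depends on: a CUCM-style integration first searches the directory for exactly one object whose user-ID attribute matches the login name, then binds as that object. The constructed forest below (one tree, root cisco.com with child tenants.cisco.com, fictitious users, and an assumed 32-character Extension Mobility username limit taken from the post above) shows why a domain-scoped search on port 389 misses child-domain users, why sAMAccountName can be ambiguous forest-wide even on the Global Catalog port 3268, why userPrincipalName resolves cleanly, and how to check the SRND caveat that a user's UPN suffix must match the namespace of the tree they reside in. The model ignores LDAP referrals and the second (bind) step; it is a simulation of the search semantics, not a live directory client.

```python
"""Simulation of CUCM-style LDAP user-ID resolution across an AD forest.

Constructed example: the forest, users and limits below are invented to
illustrate the thread; nothing here talks to a real directory.
"""
from dataclasses import dataclass
from typing import List, Optional

LDAP_PORT = 389     # a DC answers only for its own domain partition here
GC_PORT = 3268      # the Global Catalog answers for the whole forest
EM_MAX_USERNAME = 32  # assumed Extension Mobility login limit reported above


@dataclass(frozen=True)
class ADUser:
    dn: str
    sAMAccountName: str
    userPrincipalName: str


# Constructed forest: one tree, cisco.com root with tenants.cisco.com child.
FOREST: List[ADUser] = [
    ADUser("CN=user1,OU=Staff,DC=cisco,DC=com", "user1", "user1@cisco.com"),
    ADUser("CN=user2,OU=Tenants,DC=tenants,DC=cisco,DC=com", "user2",
           "user2@tenants.cisco.com"),
    # Same sAMAccountName in both domains: legal in AD, ambiguous forest-wide.
    ADUser("CN=admin,OU=Staff,DC=cisco,DC=com", "admin", "admin@cisco.com"),
    ADUser("CN=admin,OU=Tenants,DC=tenants,DC=cisco,DC=com", "admin",
           "admin@tenants.cisco.com"),
    # Alternative UPN suffix that is disjoint from the tree namespace.
    ADUser("CN=user3,OU=Tenants,DC=tenants,DC=cisco,DC=com", "user3",
           "user3@example.org"),
]


def domain_of_dn(dn: str) -> str:
    """Return the DNS domain encoded by the DC= components of a DN."""
    parts = [rdn.split("=", 1)[1].strip()
             for rdn in dn.split(",") if rdn.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def search(directory: List[ADUser], port: int, base_dn: str,
           attr: str, value: str) -> List[ADUser]:
    """Simulated subtree search for attr=value under base_dn.

    On LDAP_PORT only objects in the base DN's own domain partition are
    returned (referrals to child domains are ignored); on GC_PORT every object
    in the forest under the base is visible.
    """
    base_domain = domain_of_dn(base_dn)
    hits = []
    for user in directory:
        if getattr(user, attr).lower() != value.lower():
            continue
        user_domain = domain_of_dn(user.dn)
        in_scope = user_domain == base_domain or user_domain.endswith("." + base_domain)
        if port == GC_PORT and in_scope:
            hits.append(user)
        elif port == LDAP_PORT and user_domain == base_domain:
            hits.append(user)
    return hits


def resolve_user(directory: List[ADUser], port: int, base_dn: str,
                 user_id_attr: str, user_id: str) -> Optional[str]:
    """First step of search-then-bind: the login must map to exactly one DN."""
    hits = search(directory, port, base_dn, user_id_attr, user_id)
    if len(hits) != 1:
        return None  # not found, or ambiguous: authentication cannot proceed
    return hits[0].dn


def upn_suffix_matches_tree(user: ADUser) -> bool:
    """SRND caveat: the UPN suffix must correspond to the tree the user lives in.

    Accepts a suffix equal to the user's own domain or to an ancestor (tree root).
    """
    suffix = user.userPrincipalName.split("@", 1)[1].lower()
    domain = domain_of_dn(user.dn)
    return domain == suffix or domain.endswith("." + suffix)


def fits_em_login(user_id: str) -> bool:
    """Assumed Extension Mobility limit on the username field."""
    return len(user_id) <= EM_MAX_USERNAME


if __name__ == "__main__":
    base = "DC=cisco,DC=com"
    for port, attr, login in [(LDAP_PORT, "sAMAccountName", "user2"),
                              (GC_PORT, "sAMAccountName", "user2"),
                              (GC_PORT, "sAMAccountName", "admin"),
                              (GC_PORT, "userPrincipalName", "admin@tenants.cisco.com")]:
        print(port, attr, login, "->", resolve_user(FOREST, port, base, attr, login))
    for u in FOREST:
        print(u.userPrincipalName, "suffix ok:", upn_suffix_matches_tree(u),
              "fits EM:", fits_em_login(u.userPrincipalName))
```

The same checks translate directly to a real directory: run an ldapsearch for `(userPrincipalName=...)` against port 3268 with the parent-domain search base and confirm exactly one entry comes back for a child-domain user, then compare each user's UPN suffix with the DC= components of its DN before expecting forest-wide authentication to work.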
11-10-2009 07:33 AM
Thanks for the info. I believe I'm running into the same issue. I'll try your recommendations.