VSOM & LDAP Integration

Nov 21st, 2009
Hi,
I would like to understand the full integration between VSOM & Microsoft LDAP.
I read in the user guide that VSOM does not import groups & policies from LDAP, so I need to enter the users, groups & policies manually in VSOM.
I understand that the integration is only with password authentication, which is held only in LDAP.
Is that correct?
Is there a roadmap for full integration?
Thanks,
ANDREW OSBORNE Tue, 01/19/2010 - 10:41

Avi,

I was trying to figure this out myself last night and got it working (sort of).

Note: I'm not an LDAP expert or an AD expert so anyone feel free to correct me if I'm wrong.  I would love to get this working better.

It appears how the authentication takes place is the media server performs a simple bind with the LDAP server using the username and password provided on the login page.  If the bind is successful then the user is authenticated.  I don't know if this is true or not but I ran across a post last night that said in AD you can only bind using the cn.  For AD that equates to "Andrew Osborne" in my case.  In VSOM you then have to set up the user account so that the user name matches exactly the cn in AD so my username in VSOM is "Andrew Osborne".

How I configured it to work was:

- From the Video Surveillance Management Console select "Operations Manager" on the left side.

- Change the Authentication Type from Application Database to LDAP Server.

- Put in the hostname of the LDAP server. (I just put the IP address of my AD server)

- Enter the host port. (I just put in 389)

- For the Relative Distinguished Name use something like "cn=%username%,OU=VSOM,OU=Users"

     - cn=%username% <- uses the username from the login page

     - OU=VSOM,OU=Users <- this needs to change to the OU where your VSOM users are.

- Domain Controllers needs to be something like "DC=cisco,DC=com" to match your domain

- Make sure you click on the Update button

Back in VSOM:

- Go to the Users page

- then when you add or edit a user you have the option to select "Local Password" or "LDAP"

- Enter the username to match the AD cn which in my case was "Andrew Osborne"

- Select LDAP

- Enter the first name and last name.  These are locally significant.

- Select any other options you need.

- Finally, select Submit.

After doing this I was able to log in using the same password that I have in AD but not the same username.  If anyone has a different method to get VSOM to authenticate using the same username as in AD that would be great.

Good luck.

samfielder Wed, 03/31/2010 - 13:46

Thanks for the great description Andrew,

I had to make one minor change to your explanation to get it to work for me:

"- For the Relative Distinguished Name use something like "cn=%username%,OU=VSOM,OU=Users""

- For this I used "CN=%username%,CN=Users"

- This change made it work for me.

I agree that I would prefer to use the login name (i.e. bsmith) rather than the CN (i.e. Bob Smith).

I am waiting for Cisco TAC to let me know if there is a fix or workaround for this.

I will update this post if I find anything.

Thanks again!

tluidens Wed, 04/07/2010 - 05:13

Also, thanks Andrew.

But how about this variation: what would you put in the RDN field if your users span multiple OUs, e.g. they are in both a security group and an HR group? Is there any way to specify multiple OUs? Any suggestions appreciated.

samfielder Wed, 04/07/2010 - 09:20

Update:

I have spoken with TAC again.

They say you cannot change the attribute that is queried by VSOM. It uses the CN, so you have to change the user's CN to bsmith (rather than Bob Smith).

g-fontaine Wed, 04/07/2010 - 10:35

Hello,

We have been working with VSOM for a while now and using LDAP for authentication. Our settings are:

RDN: %username%

Delimiter: @

DC: yourdomain.com

Port: 389

Host Name: IP of your DC

VSOM will search the entire OU structure to find a match. If you need to specify security (what cameras they can or cannot see) you will need to do this in VSOM.

greg.fuller Fri, 04/16/2010 - 11:28

I just got this working with a Sun Java LDAP Directory Server v6.  I used the following config to do it:

Host Name:  dns/ip name of your LDAP server

Host Port:  389

RDN:  uid=%username%,OU=People (uid can be whatever attribute you want to bind against, OU=People is whatever OU your LDAP server has your users in)

DC:  DC={enter your TLD here}, DC={enter your domain suffix here}

That will bind to the Sun LDAP directory server using the username/password you enter into the VSOM login page.

--greg
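Added example (not from the thread, and not Cisco's code): the posts from Andrew, samfielder, g-fontaine and greg all describe the same mechanism, a simple bind whose bind name is assembled from the RDN template, the %username% from the login page and the Domain Controllers/DC field. The script below models that assembly for both the DN style ("cn=%username%,OU=VSOM,OU=Users" + "DC=cisco,DC=com") and the delimiter style ("%username%" + "@" + "yourdomain.com"), and adds the two checks a practitioner would want around a "bind succeeded, therefore authenticated" design: RFC 4514 escaping of the username so a login-page value cannot alter the DN, and refusal of empty passwords, because an LDAP simple bind with an empty password is an anonymous bind (RFC 4513 section 5.1.2) that succeeds on many servers. The sample directory, passwords and the "yourdomain.com" / "DC=cisco,DC=com" values are constructed or taken from the thread; no real server is contacted.

```python
# Added example: how a VSOM-style bind name is built from the RDN template and the
# DC field, with DN escaping and an empty-password check. Not Cisco's code.

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' must be escaped
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_name(rdn_template: str, domain_controllers: str,
                    username: str, delimiter: str = None) -> str:
    """Assemble the name the media server binds with.

    DN style (Andrew, samfielder, greg):
        "cn=%username%,OU=VSOM,OU=Users" + "DC=cisco,DC=com"
        -> "cn=Andrew Osborne,OU=VSOM,OU=Users,DC=cisco,DC=com"
    Delimiter style (g-fontaine):
        "%username%" + "@" + "yourdomain.com" -> "bsmith@yourdomain.com"
    """
    if '%username%' not in rdn_template:
        raise ValueError('RDN template must contain %username%')
    if delimiter:
        # No DN grammar here, but a username containing the delimiter could point
        # the bind at a different realm, so refuse it instead of escaping.
        if delimiter in username:
            raise ValueError('username must not contain the delimiter')
        name = rdn_template.replace('%username%', username)
        return name + delimiter + domain_controllers
    # DN style: the username becomes an attribute value, so it must be escaped.
    name = rdn_template.replace('%username%', escape_dn_value(username))
    return name + ',' + domain_controllers


# Constructed sample directory standing in for the LDAP/AD server:
# bind name -> password. Values are made up for this example.
SAMPLE_DIRECTORY = {
    'cn=Andrew Osborne,OU=VSOM,OU=Users,DC=cisco,DC=com': 'sample-pass-1',
    'bsmith@yourdomain.com': 'sample-pass-2',
}


def simple_bind_ok(directory: dict, bind_name: str, password: str) -> bool:
    """Model of 'bind succeeded => authenticated'.

    An empty password turns a simple bind into an anonymous bind, which many
    servers accept, so the application must reject it before binding at all.
    """
    if not password:
        return False
    return directory.get(bind_name) == password


if __name__ == '__main__':
    andrew = build_bind_name('cn=%username%,OU=VSOM,OU=Users', 'DC=cisco,DC=com',
                             'Andrew Osborne')
    print(andrew, simple_bind_ok(SAMPLE_DIRECTORY, andrew, 'sample-pass-1'))
    print(build_bind_name('%username%', 'yourdomain.com', 'bsmith', delimiter='@'))
    # A username crafted to append RDN components is neutralised by escaping.
    print(build_bind_name('cn=%username%,OU=VSOM,OU=Users', 'DC=cisco,DC=com',
                          'x,ou=Admins'))
```

The empty-password branch is the one worth keeping in a real deployment: the thread's scheme only ever sends the bind and looks at the result code, so anything the server accepts (including an anonymous bind) would otherwise count as a login. Note also that the configurations above use port 389 without TLS, so the bind credentials cross the network in clear text unless the media server is configured for LDAPS or StartTLS.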
