Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CM7 LDAP Auth from two Domains

Users in two AD Domains will be using LDAP authentication. I have set up LDAP directories for both domains, but what would i set LDAP Manager Distinguised Name too? Also, would I simply add a second LDAP server to authentiate against?

I have had sporatic LDAP auth failures, Windows Event log says Pre authentication failure.. Anyone heard of this? thanks

10 REPLIES
Bronze

Re: CM7 LDAP Auth from two Domains

Are the two domains within a single forest?

from the 7.x SRND

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html

To enable authentication, a single authentication agreement may be defined for the entire cluster. The authentication agreement supports configuration of up to three LDAP servers for redundancy.

If they are in the same forest have a read through the Additional Considerations for AD section here

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1045381

it might put you on the right path.

regards,

Paul

New Member

Re: CM7 LDAP Auth from two Domains

thanks. I'll look through them. I have one of my own that i was reading, and I wonder if something changed and these ldap servers are now GC's. My doc says I have to change the port numbers.

New Member

Re: CM7 LDAP Auth from two Domains

yes, they are in the same forest, just different domains.

Bronze

Re: CM7 LDAP Auth from two Domains

Hi Pete,

Have you got set the LDAP Attribute for User ID to the userPrincipalName under LDAP System?

regards,

Paul

New Member

Re: CM7 LDAP Auth from two Domains

it is currently set to SmAccountName

Bronze

Re: CM7 LDAP Auth from two Domains

Hi Pete,

that might be the problem.

from the SRND link I posted previously.

In order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM.

and a caveat.

Support for LDAP authentication with Microsoft AD forests containing multiple trees relies exclusively on the approach described above. Therefore, support is limited to deployments where the UPN suffix of a user corresponds to the root domain of the tree where the user resides. AD allows the use of aliases, which allows a different UPN suffix. If the UPN suffix is disjointed from the actual namespace of the tree, it is not possible to authenticate Unified CM users against the entire Microsoft Active Directory forest. (It is, however, still possible to use a different attribute as user ID and limit the integration to a single tree within the forest.)

regards,

Paul

New Member

Re: CM7 LDAP Auth from two Domains

I have one tree, different domains.

I'll research it some more.

The LDAP distinguished name is in DomainA, so maybe that explains failed attempts from DomainB.

Thanks for your help

Bronze

Re: CM7 LDAP Auth from two Domains

Hi Pete,

a poor assumption on my part there.

If the LDAP distinguished name is a Global Catalog Server, on port 3268 it shouldn't be an issue.

No problem

regards,

Paul

New Member

Re: CM7 LDAP Auth from two Domains

Hi,

We have done this kind of configuration for one of our clients and prior to implementation had run into similar issues.

So what we suggested our client is to have two domains like this:

1) Parent domain for corporate (example cisco.com

2) Child domain for tenants (example tenants.cisco.com)

We created the LDAP distinguished name in the parent domain (and it auto gets the rights required to access the users in child domain).

We configured the CUCM to use UPN as username (UPN example: user1@cisco.com and user2@tenants.cisco.com) and configured LDAP authentication using port 3268 pointing to parent domain.

This is working setup.

One caveat for using UPNs we faced was that Extension mobility users had tough time keying in the UPN (user1@cisco.com) in EM Login prompts and also there was a unknown limitation of 32 characters in username field which did not allow long usernames (UPNs) to be keyed in completely during EM login.

Hope this helps.

New Member

Re: CM7 LDAP Auth from two Domains

Thanks for the info. I believe Im running into the same issue. I'll try your recommendations.

280
Views
4
Helpful
10
Replies