Users in two AD Domains will be using LDAP authentication. I have set up LDAP directories for both domains, but what would I set LDAP Manager Distinguished Name to? Also, would I simply add a second LDAP server to authenticate against?
I have had sporadic LDAP auth failures; the Windows Event log says "Pre-authentication failure". Anyone heard of this? Thanks.
Are the two domains within a single forest?
From the 7.x SRND:
To enable authentication, a single authentication agreement may be defined for the entire cluster. The authentication agreement supports configuration of up to three LDAP servers for redundancy.
If they are in the same forest, have a read through the Additional Considerations for AD section here; it might put you on the right path.
Thanks. I'll look through them. I have one of my own that I was reading, and I wonder if something changed and these LDAP servers are now GCs. My doc says I have to change the port numbers.
that might be the problem.
From the SRND link I posted previously:
In order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM.
And a caveat:
Support for LDAP authentication with Microsoft AD forests containing multiple trees relies exclusively on the approach described above. Therefore, support is limited to deployments where the UPN suffix of a user corresponds to the root domain of the tree where the user resides. AD allows the use of aliases, which allows a different UPN suffix. If the UPN suffix is disjointed from the actual namespace of the tree, it is not possible to authenticate Unified CM users against the entire Microsoft Active Directory forest. (It is, however, still possible to use a different attribute as user ID and limit the integration to a single tree within the forest.)
I have one tree, different domains.
I'll research it some more.
The LDAP distinguished name is in DomainA, so maybe that explains failed attempts from DomainB.
Thanks for your help
A poor assumption on my part there.
If the LDAP distinguished name is a Global Catalog server on port 3268, it shouldn't be an issue.
We have done this kind of configuration for one of our clients and prior to implementation had run into similar issues.
So what we suggested to our client was to have two domains like this:
1) Parent domain for corporate (example: cisco.com)
2) Child domain for tenants (example: tenants.cisco.com)
We created the LDAP distinguished name in the parent domain (and it automatically gets the rights required to access the users in the child domain).
This is a working setup.
One caveat for using UPNs we faced was that Extension Mobility users had a tough time keying in the UPN (email@example.com) in EM login prompts, and also there was an unknown limitation of 32 characters in the username field which did not allow long usernames (UPNs) to be keyed in completely during EM login.
Hope this helps.
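As an added offline pre-check (not code from the thread, Cisco or the SRND), the script below takes a user's DN and UPN plus the list of tree root domains and flags the two failure modes discussed above: a UPN suffix that is disjoint from the namespace of the tree the user's domain sits in (the SRND caveat), and a UPN longer than the 32-character EM login field reported in the last post. The DNs, UPNs and the `cisco.com` / `tenants.cisco.com` domains are constructed from the thread's example; the reading that "corresponds to the root domain of the tree" means "the root domain or a subdomain of it" is my assumption.

```python
from __future__ import annotations

# Username field limit observed in EM login prompts, as reported in the thread.
EM_USERNAME_MAX = 32


def dn_domain(dn: str) -> str:
    """Return the DNS domain encoded in the DC= components of a DN.

    'CN=jdoe,OU=Staff,DC=tenants,DC=cisco,DC=com' -> 'tenants.cisco.com'
    """
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(dcs).lower()


def tree_root(domain: str, tree_roots: list[str]) -> str | None:
    """Return the tree root domain that `domain` lives under, or None if unknown."""
    # Deepest root first so a nested root (if any) wins over a shorter suffix match.
    for root in sorted((r.lower() for r in tree_roots), key=len, reverse=True):
        if domain == root or domain.endswith("." + root):
            return root
    return None


def check_user(dn: str, upn: str, tree_roots: list[str]) -> list[str]:
    """Return the problems found for one user; an empty list means no issue detected."""
    problems: list[str] = []
    if "@" not in upn:
        return [f"{upn!r} is not a UPN (no '@' suffix)"]
    suffix = upn.rsplit("@", 1)[1].lower()
    domain = dn_domain(dn)
    root = tree_root(domain, tree_roots)
    if root is None:
        problems.append(f"{domain} is not under any known tree root {tree_roots}")
    elif not (suffix == root or suffix.endswith("." + root)):
        # Assumption: a suffix outside the tree namespace is the 'disjointed' case.
        problems.append(
            f"UPN suffix {suffix} is disjoint from tree {root}; forest-wide auth will fail"
        )
    if len(upn) > EM_USERNAME_MAX:
        problems.append(
            f"UPN is {len(upn)} chars, over the {EM_USERNAME_MAX}-char EM username field"
        )
    return problems


if __name__ == "__main__":  # constructed sample users from the thread's example domains
    roots = ["cisco.com"]
    for dn, upn in [
        ("CN=jdoe,OU=Staff,DC=tenants,DC=cisco,DC=com", "jdoe@cisco.com"),
        ("CN=jdoe,OU=Staff,DC=tenants,DC=cisco,DC=com", "jdoe@example.com"),
    ]:
        print(upn, "->", check_user(dn, upn, roots) or "OK")
```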