08-29-2012 05:24 AM - edited 03-16-2019 12:56 PM
Software Version: 8.6.2.21900-5
Problem Details: iPlanet LDAP is set up on our CUCM cluster for users to authenticate to their user page via LDAP.
LDAP and LDAP authentication are configured correctly, and they are connected to the server with no problem.
However, any attempt to authenticate via LDAP fails. If we turn LDAP off and authenticate to the local user database on CUCM, it works perfectly.
This is a virtualized CUCM cluster running version 8.6.2.21900-5.
# I have another CUCM 7.1.5; with that, everything works fine.
# I have checked the roles and group CCMUser.
# Reset the end user password in Active Directory and from Call Manager.
# The same Active Directory works with our 7.1.5 CUCM. What could be the reason it's not working on 8.6.2?
# Is there any security certificate I have to download and upload to the Active Directory, as it's a secure LDAP?
Please suggest.
Thanks in advance.
08-29-2012 06:05 AM
Hi,
If LDAP over SSL is required, the corporate directory SSL certificate must be loaded into Cisco Unified Communications Manager. Have a look at the Cisco Unified Communications Operating System Administration Guide, which documents the certificate upload procedure in the Security chapter.
You will also need to change the port to 636 if you are not using GC, or 3269 if you are using GC (global catalog server).
Please rate all useful posts
"Nature is too thin a screen, the glory of the omnipresent God bursts through it everywhere" - Ralph Waldo Emerson
08-29-2012 07:01 AM
Good post aokanlawon (+5). To add to that, on CUCM 8.6 the SSL certificate has to be uploaded to CUCM as a Tomcat-Trust; previously in 7.x it was a Directory-Trust, which is now gone in CUCM 8.x. After uploading the SSL certificate, the Cisco Tomcat service has to be restarted from the command line with "utils service restart Cisco Tomcat".
If the directory sync is working and you can successfully add the LDAP server and authentication entries to CUCM, the connection is tested at that time. Therefore the connection and certificates should be correctly loaded to CUCM. To investigate the cause of the failure, you could use a packet capture and decrypt the SSL traffic (http://htluo.blogspot.com/2009/01/decrypt-https-traffic-with-wireshark.html) to make sure the CUCM server is sending out a request to the LDAP server. I assume that the LDAP authentication settings are the same as the LDAP Directory (hostname/FQDN instead of IP address), so DNS shouldn't be a problem. Also, the user search base should be the same between the directory entry and authentication.
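Added example (not part of the thread and not Cisco code): a pre-check, run from an admin workstation, that performs a TLS handshake against the directory's LDAPS port and validates the server certificate against the CA file you intend to upload as trust. The function names are made up for this sketch, and it assumes strict chain and hostname validation, which may be stricter than what CUCM itself enforces.

```python
import socket
import ssl


def ldaps_port(global_catalog: bool) -> int:
    """636 for plain LDAPS, 3269 when querying a global catalog server."""
    return 3269 if global_catalog else 636


def check_ldaps(host, ca_file=None, global_catalog=False, port=None, timeout=5.0):
    """Handshake with the directory the way a strict TLS client would.

    Returns (ok, detail). ca_file is the PEM certificate you plan to upload
    as trust; when None, the operating system trust store is used instead.
    """
    port = port or ldaps_port(global_catalog)
    # Default context: chain validation plus hostname matching against the SAN.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [value for _, value in cert.get("subjectAltName", ())]
                return True, (f"{tls.version()} ok; SAN={sans}; "
                              f"notAfter={cert.get('notAfter')}")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or name mismatch.
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Port closed, DNS failure, timeout, or a non-TLS listener.
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    # Usage: script.py <directory FQDN> [CA PEM file]; both are your own values.
    if len(sys.argv) > 1:
        ca = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_ldaps(sys.argv[1], ca_file=ca))
```

Pass the same hostname/FQDN that is entered in the CUCM LDAP configuration, so a name mismatch between that entry and the certificate shows up as "certificate rejected".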