1815 Views, 0 Helpful, 9 Replies

VCSC & VCSE: Device/User authentication using LDAP

Rejohn Cuares (Level 4)

Hi All,

I've configured both the VCSC and VCSE for device and user authentication using LDAP. The issue I'm facing is that my Traversal Zone fails to establish a connection to the VCSE. I'm certain my LDAP works fine because everything works perfectly (e.g. user authentication) except for this. The status I get is FAILED on the Traversal Zone page of the VCS C.

Has anyone encountered the same issue?

Please rate replies and mark question as "answered" if applicable.
Accepted Solution

Martin Koch (VIP Alumni)

That's not an issue, that's the wanted behavior: as the traversal zone also uses authentication, it will not use the local DB anymore but your LDAP server.

You create an additional account with the username used on the VCS, reflecting the SIPIdentityUserName / h235IdentityEndpointID, and sure, the password as well.

Works fine for us.

Please remember to rate helpful responses and identify


9 Replies


Friend,

When you create the traversal zone, you create a user in the VCSE's local database to authenticate messages from the VCSC. When you activate LDAP integration, the VCSE will no longer look at its local database; it will always look at the LDAP database. So you need to create in your LDAP a user to authenticate messages from the VCSC (you can create the same user you had).

Regards,

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Hi Martin,

I have downloaded the LDAP schemas (commObject, SIPIdentity, H323Identity and H235Identity) from the VCS and successfully imported them into my lab LDAP (Windows 2003 Active Directory server). However, when I added an endpoint I got an error. See below.

*************** Importing new LDAP schemas ***************

C:\Documents and Settings\Administrator>ldifde -i -c DC=X DC=cctest,DC=local -f commObject.ldf
Connecting to "lab-ad01.cctest.local"
Logging in as current user using SSPI
Importing directory from file "commObject.ldf"
Loading entries.......
6 entries modified successfully.
The command has completed successfully

C:\Documents and Settings\Administrator>ldifde -i -c DC=X DC=cctest,DC=local -f SIPIdentity.ldf
Connecting to "lab-ad01.cctest.local"
Logging in as current user using SSPI
Importing directory from file "SIPIdentity.ldf"
Loading entries.............
12 entries modified successfully.
The command has completed successfully

C:\Documents and Settings\Administrator>ldifde -i -c DC=X DC=cctest,DC=local -f H235Identity.ldf
Connecting to "lab-ad01.cctest.local"
Logging in as current user using SSPI
Importing directory from file "H235Identity.ldf"
Loading entries........
7 entries modified successfully.
The command has completed successfully

C:\Documents and Settings\Administrator>ldifde -i -c DC=X DC=cctest,DC=local -f H323Identity.ldf
Connecting to "lab-ad01.cctest.local"
Logging in as current user using SSPI
Importing directory from file "H323Identity.ldf"
Loading entries................
15 entries modified successfully.
The command has completed successfully

*************** Adding new endpoint ***************

C:\Documents and Settings\Administrator>ldifde -i -c DC=X DC=cctest,DC=local -f user.ldf
Connecting to "lab-ad01.cctest.local"
Logging in as current user using SSPI
Importing directory from file "user.ldf"
Loading entries.
Add error on line 2: Unwilling To Perform
The server side error is "The specified method is not supported."
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

*************** This is the content of my "user.ldf". ***************

dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
H323IdentitydialedDigits: 1234
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: password
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: password
SIPIdentitySIPURI: sip:MeetingRoom1@X

Please rate replies and mark question as "answered" if applicable.
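As an added example (not code from this thread, from Cisco, or from any VCS/H.350 tooling), here is a small Python linter that checks an H.350 LDIF entry like the user.ldf above before it goes to ldifde, and that builds the traversal-zone account the accepted answer describes: one entry whose SIPIdentityUserName and h235IdentityEndpointID both equal the username configured on the VCS traversal zone. The class and attribute names are the H.350 names used in the thread; the function names (`parse_ldif`, `check_h350_entry`, `traversal_zone_entry`, `ldif_line`), the rule that the SIP and H.235 names must agree, the requirement that each credential class carries its username and password attributes, and the sample traversal-account values are this example's own assumptions. The embedded THREAD_USER_LDF is the user.ldf posted above, used here as sample input.

```python
# Added example (not from the thread or from Cisco): lint one H.350 LDIF entry
# before handing it to ldifde, and build the LDAP account the accepted answer
# says the traversal zone needs once LDAP authentication is switched on.  The
# class/attribute names are the H.350 names used in the thread; the checks,
# function names and the constructed sample data are this example's own.
import base64
import re

# Credential attributes the accepted answer relies on, per class (lower-cased,
# LDAP names are case-insensitive).  Requiring them whenever the class is
# present is this example's rule, not a schema MUST.
AUTH_ATTRS_BY_CLASS = {
    "commobject": ("communiqueid",),
    "sipidentity": ("sipidentityusername", "sipidentitypassword"),
    "h235identity": ("h235identityendpointid", "h235identitypassword"),
}
# The VCS compares the username presented by SIP digest / H.235 against these.
USERNAME_ATTRS = ("sipidentityusername", "h235identityendpointid")

def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' where RFC 2849 forbids the plain form
    (leading space/':'/'<', trailing space, non-ASCII or control chars)."""
    plain_ok = (value and value[0] not in " :<" and value[-1] != " "
                and all(ord(c) < 128 and c not in "\0\r\n" for c in value))
    if plain_ok:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))

def parse_ldif(text):
    """One LDIF entry -> (dn, {attr_lower: [values]}); skips '#' comments and
    blank lines, unfolds continuation lines and decodes 'attr:: base64'."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # RFC 2849 line folding
        else:
            logical.append(raw)
    dn, attrs = None, {}
    for line in logical:
        name, sep, value = line.partition(":")   # split at the FIRST colon only
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn line")
    return dn, attrs

def check_h350_entry(ldif_text, expected_username=None):
    """Problems found in the entry ([] = looks sane).  expected_username is the
    name configured on the VCS, e.g. the traversal zone's authentication name."""
    problems = []
    dn, attrs = parse_ldif(ldif_text)
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    # RDN must be commUniqueId=<x> and agree with the body (naming violation otherwise).
    rdn = re.match(r"^\s*communiqueid\s*=\s*([^,]+?)\s*,", dn, re.IGNORECASE)
    if not rdn:
        problems.append("dn does not start with commUniqueId=: %s" % dn)
    elif attrs.get("communiqueid") != [rdn.group(1)]:
        problems.append("commUniqueId differs between dn and body")
    if "commobject" not in classes:
        problems.append("missing structural class commObject")
    for cls, needed in AUTH_ATTRS_BY_CLASS.items():
        if cls in classes:
            problems.extend("%s is set but %s is missing" % (cls, a)
                            for a in needed if a not in attrs)
    # One account serves SIP and H.323/H.235, so both names must agree and,
    # when given, equal the name configured on the VCS.
    names = {attrs[a][0] for a in USERNAME_ATTRS if a in attrs}
    if len(names) > 1:
        problems.append("SIP and H.235 usernames differ: %s" % sorted(names))
    if expected_username is not None and expected_username not in names:
        problems.append("entry carries %s, VCS expects %r" % (sorted(names), expected_username))
    return problems

def traversal_zone_entry(base_dn, unique_id, username, password):
    """LDIF for the traversal-zone account: same username and password under the
    SIP and the H.235 attributes.  base_dn takes the place of the DC=X
    placeholder that 'ldifde -c DC=X <real base>' rewrites."""
    return "\n".join([
        ldif_line("dn", "commUniqueId=%s,ou=h350,%s" % (unique_id, base_dn)),
        "objectClass: commObject", "objectClass: SIPIdentity", "objectClass: h235Identity",
        ldif_line("commUniqueId", unique_id),
        ldif_line("SIPIdentityUserName", username), ldif_line("SIPIdentityPassword", password),
        ldif_line("h235IdentityEndpointID", username), ldif_line("h235IdentityPassword", password),
    ]) + "\n"

# Copied from the user.ldf posted in this thread (sample input, not a live record).
THREAD_USER_LDF = """\
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
H323IdentitydialedDigits: 1234
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: password
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: password
SIPIdentitySIPURI: sip:MeetingRoom1@X
"""
```

`check_h350_entry(THREAD_USER_LDF, "meetingroom1")` returns an empty list, so the posted user.ldf is structurally fine on the client side; `traversal_zone_entry("DC=cctest,DC=local", "vcsc-traversal", "traversaluser", " s3cret:")` produces an entry that passes the same check, with the password emitted as `attr:: base64` because of its leading space. Two caveats: this only catches mistakes in the LDIF itself, not a server-side refusal such as the "Unwilling To Perform" above, which a later reply in this thread resolves by raising the AD forest functional level; and H.350 keeps SIPIdentityPassword / h235IdentityPassword as cleartext attributes, so the LDIF file and the ou=h350 subtree should be readable only by the VCS bind account and directory administrators, and the VCS should reach the directory over TLS.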

Check again how to add LDAP entries to AD (I prefer Linux with OpenLDAP btw).

Did you follow:

Adding H.350 objects

Create the organizational hierarchy:

1. Open up the Active Directory Users and Computers MMC snap-in.
2. Under your BaseDN right-click and select New Organizational Unit.
3. Create an Organizational unit called h350.

What is the first line in your file: the comment starting with # as in the example, an empty line, or the line starting with dn: ?

I wonder where it complains, on:

dn: commUniqueId=comm1,ou=h350,DC=X

or

objectClass: commObject

If a blank line is the first line, I would delete that, just to make it more obvious.

If it's the objectClass, I would check if the schema is really properly imported/used.

Please remember to rate helpful responses and identify

Yes, I created an H350 OU under my base DN, which in my case is cctest.local.

I removed the #comment statement as it won't affect anything. No empty line or additional line before or after the dn: commUniqueId=comm1,ou=h350,DC=X.

I'm going to manually check the LDAP attributes later this morning. I'm hoping to find the culprit.

Please rate replies and mark question as "answered" if applicable.

Increase the forest functional level of your AD to WIN2K3. It works.

Alok Jaiswal (Cisco Employee)

Hi,

Can you tell us what the VCS software version is?

With x7, VCS has the capability to look into both databases.

Thanks

Alok

Alok,

I have VCS x7. According to what I have read in the VCS Administration Guide and the VCS Authenticating Devices Deployment Guide, the behavior is this:

- If VCS is directly integrated with an LDAP server, then VCS will look only at the LDAP database for any authentication.

- If you want VCS to look at both the local and the LDAP database, you have to integrate TMS with the LDAP server, then enable the TMS Agent on VCS. Then VCS must be configured to use the local database as the source for authentication. By doing this, when devices attempt to authenticate, VCS will look at its local database; if the user is not found, VCS will use the TMS Agent to check the TMS database to authenticate the user.

If I am understanding this wrongly, please let me know. If possible, show the references in the documentation.

Thank you!

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

Rejohn Cuares (Level 4)

Hi Guys,

Thanks for all the replies.

Please rate replies and mark question as "answered" if applicable.