Microsoft Active Directory (2000, 2003, 2008)
Microsoft Active Directory Application Mode 2003
Microsoft Lightweight Directory Services 2008
iPlanet Directory Server 5.1
Sun ONE Directory Server (5.2, 6.x)
Open LDAP (2.3.39, 2.4)
CUCM can interact with LDAP in two ways: LDAP Synchronization populates the CUCM database with user attributes from LDAP, and LDAP Authentication redirects password authentication to the LDAP system. Typically, Synchronization and Authentication are enabled together. In either case, some information that now comes from LDAP is no longer configurable in CUCM—the fields actually become read-only in CUCM, because the information can only be edited in LDAP. The following sections review LDAP Synchronization and Authentication in more detail.
LDAP Synchronization
Implementing LDAP Synchronization (LDAP Sync) means that some user data (but not all) is maintained in LDAP and replicated to the CUCM database. When LDAP Sync is enabled, user accounts must be created and maintained in LDAP and cannot be created or deleted in CUCM; the user attributes that LDAP holds become read-only in CUCM. However, some user attributes are not held in LDAP and are still configured in CUCM because those attributes exist only in the CUCM database.
Perhaps most important to understand is that with LDAP Sync alone, the user passwords are still managed in the CUCM database. This means that, although a user account in LDAP is replicated to the CUCM database, the user password must be maintained separately in both the LDAP system and in CUCM; this is likely to confuse and annoy the user.
CUCM uses the DirSync service to perform LDAP Sync. The synchronization can be configured to run just once, on demand, or on a regular schedule. The choice depends on the system environment and the frequency of changes to LDAP content; the need for up-to-date information must be balanced against the load on the servers and network if the sync is frequent or takes place during busy times.
Note: If LDAP Authentication is enabled and LDAP fails or is inaccessible, the only End-User account that will be able to log on to the CUCM system is the Application Administrator account defined during install. This may cause drastic unified communications service interruption, depending on how users normally interact with the system. Of course, if LDAP has failed, it is likely to be a serious issue already, causing many applications to cease functioning.
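The three situations described above (Sync only, Sync plus Authentication, and an LDAP outage) as an added in-memory model; this is illustration written for this page, not Cisco code, and the directory entries, the `FakeLdap`/`Cucm` classes, the synced attribute subset and the `ccmadmin` administrator name are all constructed assumptions.

```python
# Added model of the behaviour described above (not Cisco code); directory content is constructed.
SYNCED_ATTRS = ("first_name", "last_name", "mail")  # constructed subset of synced fields
APP_ADMIN = "ccmadmin"  # hypothetical Application Administrator defined at install


class LdapUnavailable(Exception): """The LDAP server cannot be reached."""


class FakeLdap:
    """Stand-in directory server; up=False simulates an LDAP outage."""

    def __init__(self, entries, up=True):
        self.entries, self.up = entries, up

    def search_users(self):
        if not self.up:
            raise LdapUnavailable("search failed")
        return {uid: {k: v for k, v in e.items() if k in SYNCED_ATTRS}
                for uid, e in self.entries.items()}

    def bind(self, uid, password):
        if not self.up:
            raise LdapUnavailable("bind failed")
        return uid in self.entries and self.entries[uid]["password"] == password


class Cucm:
    def __init__(self, ldap, ldap_auth=False, admin_password="admin-pw"):
        self.ldap, self.ldap_auth = ldap, ldap_auth
        self.users = {}                                      # uid -> attributes
        self.local_passwords = {APP_ADMIN: admin_password}   # passwords held in CUCM

    def dirsync(self):
        """LDAP Sync: DirSync copies the synced attributes into the CUCM database."""
        for uid, attrs in self.ldap.search_users().items():
            self.users.setdefault(uid, {}).update(attrs)

    def set_attribute(self, uid, name, value):
        """Synced attributes are read-only in CUCM; CUCM-only attributes stay editable."""
        if name in SYNCED_ATTRS:
            raise PermissionError(f"{name} is maintained in LDAP")
        self.users[uid][name] = value

    def authenticate(self, uid, password):
        """With LDAP Authentication on, End-User checks go to LDAP; only the admin stays local."""
        if uid == APP_ADMIN or not self.ldap_auth:
            return self.local_passwords.get(uid) == password
        try:
            return self.ldap.bind(uid, password)
        except LdapUnavailable:
            return False   # LDAP down: no End-User can log in, only the Application Administrator
```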
LDAP Authentication
LDAP Authentication redirects password authentication requests from CUCM to the LDAP system. End-User account passwords are maintained in the LDAP system and are not configured, stored, or replicated to CUCM. Because one of the benefits (particularly