to the End User) of LDAP is a centralized password system (making single sign-on
possible), it is typical and desirable to implement LDAP Authentication with LDAP Sync.
LDAP Integration Considerations
A common misconception regarding CUCM LDAP Integration is that all user data resides
in LDAP. This is absolutely false. With LDAP Sync, certain LDAP user attributes are held
in the LDAP directory and are replicated to the CUCM database as read-only attributes.
The balance of the user attributes in the CUCM database (fields such as Associated
Devices, PINs, Extension Mobility Profile, and so on) are still held and managed only in the
CUCM database.
There is a similar misconception with LDAP Authentication: Remember that the LDAP
password is not replicated to the CUCM database; rather, the entire authentication
process is redirected to the LDAP system.
The interaction of CUCM with LDAP varies with the type of LDAP implementation. The
primary concern is how much data is replicated with each synchronization event. For
example, Microsoft Active Directory 2000/2003/2008 performs a full sync of all records
every time; this can mean a very large amount of data is being synchronized, potentially
causing network congestion and server performance issues. For this reason, sync intervals
and scheduling should be carefully considered to minimize the performance impact.
Synchronization with all other supported LDAP systems is incremental (that is, only
the new or changed information is replicated), which typically greatly reduces the amount
of data being replicated, thereby reducing the impact on the network and servers.
LDAP Attribute Mapping
The user attribute field names that LDAP uses are most likely
different from the equivalent attribute field names in the CUCM database. Therefore, the
various LDAP attributes must be mapped to the appropriate CUCM database attribute.
Creating an LDAP Sync agreement involves identifying the one LDAP user attribute that
will map to the CUCM User ID attribute. In a Microsoft Active Directory integration, for
example, the LDAP attribute that will become the CUCM User ID can be any one of the
following:
sAMAccountName
uid
mail
TelephoneNumber
It doesn't matter which one is chosen, but for consistency and ease of use, the attribute
that the users are already using to log in to other applications should be used.
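Before committing to one of these attributes, it helps to check a directory export for how well each candidate is populated. The following is an added example, not code from the original text or from Cisco: it assumes the attribute mapped to the User ID should be present and unique for every user, and it runs over a constructed sample export in a simplified LDIF form.

```python
from collections import Counter

# Candidate attributes named on the page. LDAP attribute names are
# case-insensitive, so they are compared in lower case.
CANDIDATES = ["sAMAccountName", "uid", "mail", "TelephoneNumber"]

# Constructed sample export (simplified LDIF: no line folding, no base64).
SAMPLE_LDIF = """\
dn: CN=Alice Ng,OU=Staff,DC=example,DC=com
sAMAccountName: ang
mail: alice.ng@example.com
telephoneNumber: +1 555 0100

dn: CN=Bob Ortiz,OU=Staff,DC=example,DC=com
sAMAccountName: bortiz
mail: bob.ortiz@example.com
telephoneNumber: +1 555 0100

dn: CN=Carol Diaz,OU=Staff,DC=example,DC=com
sAMAccountName: cdiaz
telephoneNumber: +1 555 0102
"""

def parse_ldif(text):
    """Return one {attribute_lowercase: first_value} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and value.strip():
                entry.setdefault(name.strip().lower(), value.strip())
        entries.append(entry)
    return entries

def evaluate_candidates(entries, candidates=CANDIDATES):
    """List, per candidate, the DNs lacking it and the values shared by several users."""
    report = {}
    for attr in candidates:
        key = attr.lower()
        missing = [e["dn"] for e in entries if key not in e]
        counts = Counter(e[key].lower() for e in entries if key in e)
        duplicates = sorted(v for v, n in counts.items() if n > 1)
        # Assumption: a usable User ID is populated and unique for every user.
        report[attr] = {"missing": missing, "duplicates": duplicates,
                        "usable": not missing and not duplicates}
    return report

if __name__ == "__main__":
    for attr, result in evaluate_candidates(parse_ldif(SAMPLE_LDIF)).items():
        print(attr, result)
```

In the sample, only sAMAccountName is both populated and unique; mail is missing for one user and the telephone number is shared by two.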
After the initial User ID mapping is selected, some other LDAP attributes should be
manually mapped to CUCM database fields. Table 9-3 lists the fields in the CUCM database
that map to the possible equivalent attribute in each type of supported LDAP database.