August 2008
Update MR1 January 2009
Presentation_ID
Cisco Confidential
Exporting User Group Information and User Profile Information first will provide the .CSV headers automatically.
User Group Profiles or individual Profile users can be imported from any database extraction.
Several fields are automatically populated based on the information in the user's group defaults.
The only mandatory fields are the user ID (uid), password (EncryptedUserPWD), and profile number (prfnum), group name and number.
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
MP Application Server
AXL Adaptor
DB
LDAP Directories
Cisco Unified CM: Directory Synchronization
DirSync
DB
User Lookup
DirSync tool pulls main user attributes from directory into DB.
User passwords are NOT synced.
Corporate Directory
(Microsoft AD, Netscape/iPlanet)
IMS
WWW
MPDS 5.x
Yes
Yes No No Yes Yes No No No No No Yes No
LDAP Directories
Integration Approaches: Cisco Unified CM
Corporate LDAP Directory
No data written to Directory!
LDAP
Embedded database
LDAP Directories
Cisco Unified CM: End Users vs. Application Users
Key concept: Application Users are always kept local to CUCM DB and authenticated locally, even when integrating with an external directory.
MLA concepts fully integrated in CUCM administration pages (Roles and User Groups)
Just assign the appropriate Role to End Users to turn them into administrators
LDAP Directories
Cisco Unified CM: Main Features
Supported corporate directories:
  Microsoft AD 2000 and 2003
  Netscape 4.x, iPlanet 5.1 and Sun ONE 5.2
Built-in redundancy (configure multiple LDAP hosts)
Security: Support for LDAP over SSL (LDAPS)
Support for multi-tree AD (discontiguous namespaces)
Configurable periodic or manual resync
Authentication (enabled separately):
  End User password can be authenticated against directory
  End User PINs are authenticated against CUCM DB
  Application User passwords are authenticated against CUCM DB
Regardless of the login page users see, user IDs and passwords are sent to the MP Audio Server for authentication.
Both profiles and user passwords must match and Profiles are case-sensitive.
MP Web
Choose one of the following "Login Method" options:
1. Choose Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window. This is the default authentication method.
2. Choose HTTP Basic Authentication to see a login window rendered by your web browser.
Note: If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.
User ID/Password
2. LDAP Authentication
LDAP authentication compares users' login information against the profile database on an LDAPv2-compliant directory server. Once users are authenticated by the LDAP server, they are automatically logged in to Cisco MeetingPlace as long as their LDAP user IDs also exist in Cisco MeetingPlace.
Single Forest or Multiple Forests Supported
  jsmith@ciscousa.com & jjones@ciscoemea.com
  Multiple LDAPs must provide two-way trusts between them
  MeetingPlace configuration points to one LDAP
MP Web
User Profiles
MeetingPlace Application Server
User Profile DB
CUCM
LDAP Distinguished Name (DN)
Single: DN=CN=%USERNAME%, OU=People, DC=mydomain, DC=com
Or multiple Forests: CN=%USERNAME%
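Added example, not from the original slides and not Cisco code: one way to expand the DN template above so that a user ID containing DN syntax cannot change the structure of the bind DN. The function names are hypothetical, the escaping follows RFC 4514, and the sample user IDs are constructed.

```python
# Added illustration: names below are hypothetical, not MeetingPlace code.
# DN template copied from the slide; %USERNAME% is filled in at login time.
DN_TEMPLATE = "CN=%USERNAME%, OU=People, DC=mydomain, DC=com"
SPECIAL = set('"+,;<>\\')  # characters RFC 4514 requires escaping in a value


def escape_rdn_value(value):
    """Escape a user ID so it stays a single attribute value inside a DN."""
    if not value:
        raise ValueError("empty user ID")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(user_id, template=DN_TEMPLATE):
    """Build the DN to bind as, with the user ID escaped."""
    return template.replace("%USERNAME%", escape_rdn_value(user_id))


def rdn_count(dn):
    """Count DN components, ignoring commas that are backslash-escaped."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


# Constructed inputs: an ordinary ID and one containing DN syntax.
PLAIN = bind_dn("jsmith")
ODD = bind_dn("jsmith,OU=Admins")
UNESCAPED = DN_TEMPLATE.replace("%USERNAME%", "jsmith,OU=Admins")
```

With escaping, both IDs yield a four-component DN; plain string substitution of the second ID yields five.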
Only users who are not found in the LDAP directory are eligible for authentication through the Cisco MeetingPlace directory.
1. Users are prompted by a pop-up login window that is rendered by their web browser.
2. Users enter valid domain user IDs and passwords. Cisco MeetingPlace profile passwords are ignored and not used in the authentication operation.
3. If the web servers accept the login credentials and the user IDs also exist in Cisco MeetingPlace profile databases, users are logged in automatically to Cisco MeetingPlace and are granted access to the Cisco MeetingPlace home page.
The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that the password is only Base64 encoded before being sent over the network. Since Base64 is not true encryption, it can be easily deciphered. You can mitigate this security issue by implementing Secure Sockets Layer (SSL) on the web server.
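Added example, not from the original slides: a short audit that shows why Base64 gives no confidentiality, by decoding Basic credentials with no key, and flags logins that were sent without SSL. The host name, credentials and function names are constructed for illustration.

```python
import base64


def basic_header(user_id, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Recover (user_id, password) from a Basic header value; no key needed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user_id, sep, password = decoded.partition(":")  # split on first ':' only
    if not sep:
        raise ValueError("missing ':' separator")
    return user_id, password


def cleartext_basic_logins(requests):
    """Return user IDs whose Basic credentials crossed the network without SSL."""
    exposed = []
    for url, headers in requests:
        auth = headers.get("Authorization", "")
        if url.lower().startswith("http://") and auth.lower().startswith("basic "):
            exposed.append(parse_basic_header(auth)[0])
    return exposed


# Constructed sample requests (host name and credentials are made up).
SAMPLE = [
    ("http://mp-web.example.com/", {"Authorization": basic_header("jsmith", "Example-Pw1")}),
    ("https://mp-web.example.com/", {"Authorization": basic_header("jjones", "Example-Pw2")}),
    ("http://mp-web.example.com/", {}),
]
```

Only the first sample request is flagged: the second is protected by SSL and the third carries no credentials.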
Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:
Only Microsoft Internet Explorer version 4.0 or later versions support this authentication method.
WIA does not work across proxy servers or other firewall applications.
WIA works only under the browser's Intranet Zone connections and for any trusted sites you have configured.
Resources
Cisco Unified MeetingPlace 7 System Requirements Document
Cisco Unified MeetingPlace 7 Configuration Guide
  Directory Service Configuration section
  UC Manager LDAP Configuration section