Cisco CallManager System Guide, Release 3.3(2)
Understanding the LDAP Directory


This chapter provides background information and deployment guidelines for integrating Cisco CallManager with an existing Lightweight Directory Access Protocol (LDAP) directory. This chapter is written for the administrator of the enterprise LDAP directory.

This chapter includes the following topics:

Cisco CallManager Directory

Using an Existing Enterprise Directory

Extending the Enterprise Directory Schema

Migrating to an Enterprise Directory

Managing User Entries in an Enterprise Directory

Enterprise Directory Replication

Where to Find More Information

Cisco CallManager Directory

The Cisco CallManager uses an LDAP directory to store authentication and authorization information about users of the Cisco CallManager applications that interface with the Cisco CallManager. Authentication establishes the user's right to access the system, while authorization identifies the telephony resources a user is permitted to use, such as a specific telephone extension.

When you install the User Preferences plug-in, a number of configuration screens are added to the Cisco CallManager Administrator, which allow you to assign system resources for use by specific users. However, you need to use the native LDAP administration utilities to add users to the directory.

When you install the User Preferences plug-in, you are prompted to integrate the directory with one of the following enterprise LDAP directories:

Microsoft Active Directory (AD)

Netscape Directory Server


Caution: Using Katakana, Cyrillic, or other double-byte character sets with DC Directory, Netscape Directory, or Active Directory can cause directory database errors. This release of Cisco CallManager does not support using any double-byte character set with any directory.

After the LDAP directory configuration is complete, you can upload completed workflow application files to the directory. The application server downloads the files to run workflow applications when you use the administration client to start a specific application. This design allows you to start workflow applications from anywhere in the network and run the applications on application servers throughout the enterprise network. Workflow applications communicate with the Cisco CallManager through JTAPI. It is also possible to run workflow applications on the same computer as the Cisco CallManager.

Using an Existing Enterprise Directory

If you integrate a directory with an existing LDAP directory, your directory schema will be extended to add new object classes for storing configuration information and workflow application logic. These extensions can be restricted to a specific branch of the LDAP directory and so should not affect the operation of the overall directory.

The Cisco CallManager Directory Services makes use of an LDAP auxiliary class to associate additional user properties (such as the mapping between the user name and a telephone extension) with the existing user object in your LDAP directory schema.

To use an existing directory, you must know the DN (distinguished name) and password for a user with administrator access to the branch of the directory where you wish to install Cisco CallManager. You will be prompted for this information during installation of the Cisco Customer Directory Configuration plug-in, if you choose to use an existing directory server.

You can use an LDIF (LDAP Interchange Format) file to add multiple entries to your LDAP directory in batch mode, or to add the attributes to an existing LDAP directory that are required to implement Cisco CallManager. The following example shows an LDIF file for adding a new user who will use Cisco CallManager.

Example 14-1 Sample LDIF File

dn: cn=jsmith-CCNProfile, ou=CCN, o=cisco.com
changeType: add
cn: jsmith-CCNProfile
objectclass: top
objectclass: ciscoCCNocAppProfile
ciscoatProfileOwner: John Smith
ciscoCCNatAllDevices: false
ciscoCCNatControlDevices: SEP0010EB001801
ciscoCCNatControlDevices: SEP0010EB001B01
ciscoCCNatControlDevices: SEP0010EB003CF0
ciscoCCNatControlDevices: SEP0010EB003EA3
ciscoCCNatControlDevices: SEP0010EB003EC4

dn: cn=jsmith-profile, ou=CCN, o=cisco.com
changeType: add
cn: jsmith-profile
objectclass: top
objectclass: ciscoocUserProfile
ciscoatProfileOwner: John Smith
ciscoatAppProfile: cn=jsmith-CCNProfile, ou=CCN, o=cisco.com

dn: cn=John Smith, ou=CCN, o=cisco.com
changeType: add
cn: John Smith
givenName: John
sn: Smith
mail: jsmith
userPassword: jsmith
objectclass: top
objectclass: inetOrgPerson
objectclass: ciscoocUser
ciscoatUserProfile: cn=jsmith-profile, ou=CCN, o=cisco.com

Extending the Enterprise Directory Schema

You need an LDAP administrator DN (distinguished name) and password to install Cisco CallManager on a production server. This DN should have read/write/modify privileges for the specific branch of the directory where the Cisco CallManager configuration information will be stored. In addition, the installation program will need to extend the user object in the enterprise directory schema to support additional Cisco IP Telephony-specific attributes.

After the installation of Cisco CallManager on the production server, the enterprise directory is extended to add a new branch for Cisco CallManager configuration information.

Cisco CallManager only requires read/modify access to other branches of the enterprise directory where users are stored. Cisco CallManager adds information in the existing user object to associate the user to Cisco CallManager-specific information.

On the other hand, only Cisco CallManager requires add or modify privileges to the Cisco IP Telephony network branch of the enterprise directory. It should be emphasized to the enterprise directory administrator that the information in this branch should only be modified using the Cisco CallManager Administrator or the Application Administration pages. If modifications are made with native LDAP tools, the configuration required to run Cisco CallManager can become corrupted and Cisco CallManager may have to be reinstalled.

Migrating to an Enterprise Directory

The Cisco CallManager administrator coordinates with the enterprise directory administrator to migrate the configuration information to the enterprise directory and to integrate Cisco CallManager with the user entries in the enterprise directory. The LDIF file can be modified to only add the auxiliary class attributes to the existing user objects, after the enterprise directory is extended by the Cisco CallManager installation.
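
The modification described above, applied to the LDIF batch file of Example 14-1, as an added example that is not Cisco's code: this Python example rewrites the sample's user add record into a modify record that adds only the Cisco object class and attribute. It assumes that the schema extensions are the names beginning with "cisco", as in the sample, and that the record is unfolded and not base64-encoded; parse_record and to_modify are hypothetical helper names.

```python
# Added example, not Cisco code. USER_ADD is the third record of Example 14-1.
USER_ADD = """\
dn: cn=John Smith, ou=CCN, o=cisco.com
changeType: add
cn: John Smith
givenName: John
sn: Smith
mail: jsmith
userPassword: jsmith
objectclass: top
objectclass: inetOrgPerson
objectclass: ciscoocUser
ciscoatUserProfile: cn=jsmith-profile, ou=CCN, o=cisco.com
"""

def parse_record(text):
    """Return (dn, [(attr, value), ...]) for one unfolded, non-base64 record."""
    pairs = [tuple(part.strip() for part in line.split(":", 1))
             for line in text.strip().splitlines()]
    if not pairs or pairs[0][0].lower() != "dn":
        raise ValueError("record must start with dn:")
    return pairs[0][1], pairs[1:]

def to_modify(text, prefix="cisco"):
    """Rewrite an add record as a modify that adds only the Cisco extensions.

    Assumption: extension classes and attributes start with `prefix`, as in
    Example 14-1. All other values already exist on the entry and are skipped.
    """
    dn, pairs = parse_record(text)
    out, skipped = [f"dn: {dn}", "changetype: modify"], []
    for attr, value in pairs:
        if attr.lower() == "changetype":
            continue
        # An object class is named by its value, an attribute by its type.
        name = value if attr.lower() == "objectclass" else attr
        if name.lower().startswith(prefix):
            out += [f"add: {attr}", f"{attr}: {value}", "-"]
        else:
            skipped.append(attr)
    if len(out) == 2:
        raise ValueError("no extension values to add for " + dn)
    return "\n".join(out) + "\n", skipped

if __name__ == "__main__":
    ldif, skipped = to_modify(USER_ADD)
    print(ldif)
    print("left untouched:", ", ".join(skipped))
```

The generated record leaves userPassword and the person attributes out, so the cleartext sample password from Example 14-1 is not carried in the migration file. Set the dn to the existing user entry's DN before applying the record.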

Managing User Entries in an Enterprise Directory

After installing Cisco CallManager on the production server, users are added to the enterprise directory by the enterprise directory administrator. The enterprise directory administrator may use an LDIF file for bulk insert of configuration information for the existing users to enable them to use Cisco CallManager. Occasionally, when a few users are added to the enterprise directory, the Cisco CallManager administrator may use the Cisco CallManager Administration User windows to configure the new users.

Enterprise Directory Replication

When implementing the Cisco CallManager system, you must consider the way the directory is replicated and partitioned to ensure adequate performance of Cisco CallManager and the other components of the system. The Cisco CallManager workflow framework has been designed to work with enterprise LDAP directories, and the way that partitions of these directories are distributed and replicated will directly affect system performance.

With this kind of geographic distribution, it is essential that the directory servers in each region are partitioned and replicated correctly so that Cisco CallManager has local access to the directory information it needs.

Where to Find More Information

Related Topics

Cisco CallManager Groups, page 4-1

Date/Time Groups, page 4-2

Regions, page 4-4

Device Pools, page 4-8

Device Defaults, page 4-3

Enterprise Parameters, page 4-10

Call Admission Control, page 4-10

System Configuration Checklist, page 4-15

Cisco TFTP

Additional Cisco Documentation

Enterprise Parameters Configuration, Cisco CallManager Administration Guide

Device Support, Cisco CallManager Administration Guide

Service Parameters Configuration, Cisco CallManager Administration Guide

Installing Cisco CallManager Release 3.3

Cisco CallManager Serviceability Administration Guide