Cisco Unified Communications Manager System Guide, Release 6.0(1)
Understanding the Directory


Directories comprise specialized databases that are optimized for a high number of reads and searches and occasional writes and updates. Directories typically store data that does not change often, such as employee information, user privileges on the corporate network, and so on.

Because directories are extensible, you can modify and extend the type of information that is stored in them. The term directory schema refers to the type of stored information and the rules that it obeys. Many directories provide methods for extending the directory schema to accommodate information types that different applications define. This capability enables enterprises to use the directory as a central repository for user information.

The Lightweight Directory Access Protocol (LDAP) provides applications with a standard method for accessing and potentially modifying the information that is stored in the directory. This capability enables companies to centralize all user information in a single repository that is available to several applications with a reduction in maintenance costs through the ease of adds, moves, and changes.

This chapter covers the main principles for synchronizing Cisco Unified Communications Manager with a corporate LDAP directory. The chapter also discusses the administrator choice not to synchronize with a corporate LDAP directory and the consequences of that choice of configuration. The chapter also summarizes considerations for providing Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP SoftPhone, with access to a corporate LDAP directory.

The following list summarizes the changes in directory functionality from previous releases of Cisco Unified Communications Manager:

Decoupling the directory component from Cisco Unified Communications Manager ensures high Cisco Unified Communications Manager availability independent of the corporate directory.

Cisco Unified Communications Manager and related applications store all application data in the local database instead of in an embedded directory. The embedded directory gets removed, and Cisco Unified Communications Manager supports synchronization with the customer directory.

This chapter includes the following topics:

Cisco Unified Communications Manager and the Corporate LDAP Directory

Directory Access

DirSync Service

Data Migration Assistant

Authentication

Using the Cisco Unified Communications Manager Database Versus the Corporate LDAP Directory

Directory Access for Cisco Unified Communications Endpoints

LDAP Directory Configuration Checklist

Where to Find More Information

The considerations that this chapter presents apply to Cisco Unified Communications Manager as well as the following applications that are bundled with it: Cisco Extension Mobility, Cisco Web Dialer, Bulk Administration Tool, and Cisco Unified Communications Manager Real-Time Monitoring Tool.

For all other Cisco voice applications, refer to the respective product documentation that is available at http://www.cisco.com.

In particular, for Cisco Unity, refer to the Cisco Unity Design Guide and to the following white papers: Cisco Unity Data and the Directory, Active Directory Capacity Planning, and Cisco Unity Data Architecture and How Cisco Unity Works.

Cisco Unified Communications Manager and the Corporate LDAP Directory

Administrators access directory information about end users from the Cisco Unified Communications Manager Administration End User Configuration window (User Management > End User). Administrators use this window to add, update, and delete user information such as user ID, password, and device association, but only if synchronization from the LDAP Server is not enabled (that is, if the Enable Synchronizing from LDAP Server check box is not checked in the Cisco Unified Communications Manager Administration LDAP System window).

Applications and Services That Use the Database

The following Cisco Unified Communications Manager applications and services use the database for user and other types of information:

Bulk Administration Tool (BAT)

Cisco Unified Communications Manager Auto-Register Phone Tool

AXL

Cisco Extension Mobility

Cisco Unified Communications Manager User Options

Cisco Conference Connection

CTIManager

Cisco Unified Communications Manager CDR Analysis and Reporting

Cisco Unified Communications Manager Assistant

Cisco Customer Response Solutions (CRS)

Cisco Emergency Responder (CER)

Cisco Unified IP Phone Services

Personal Address Book (PAB)

FastDials

Cisco Web Dialer

Cisco IP Communicator

Cisco Unified Communications Manager Attendant Console

Directory Access

The following definition applies throughout this chapter:

Directory access refers to the ability of Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, to access a corporate LDAP directory.

Figure 20-1 Directory Access for Cisco Unified Communications Endpoints

Figure 20-1 illustrates directory access as it is defined in this chapter. In this example, a Cisco Unified IP Phone gets access. The client application performs a user search against an LDAP directory, such as the corporate directory of an enterprise, and receives several matching entries. The Cisco Unified IP Phone user can then select one entry and use it to dial the corresponding person from the Cisco Unified IP Phone.


Note: Directory access, as defined here, involves only read operations on the directory and does not require that the administrator make any directory schema extensions or other configuration changes.


DirSync Service

The DirSync application performs the synchronization of data in the Cisco Unified Communications Manager database with the customer LDAP directory information. Cisco Unified Communications Manager administrators set up the DirSync service by first configuring the LDAP-directory-related Cisco Unified Communications Manager windows. The following windows apply:

LDAP System (System > LDAP System)

LDAP Directory (System > LDAP Directory)

DirSync allows Cisco Unified Communications Manager to synchronize the data from corporate directories to Cisco Unified Communications Manager. DirSync allows synchronization from Microsoft Windows Server 2000 and Windows Server 2003 Active Directory (AD), Netscape/iPlanet Directory, Sun ONE Directory Server 5.1, and Sun Java System Directory Server 5.2 to the Cisco Unified Communications Manager database.


Note: A DirSync that is invoked for Microsoft Active Directory performs a complete (total) synchronization of data. A DirSync that is invoked for Netscape Directory performs an incremental synchronization.


DirSync allows the following options:

Automatic synchronization, which synchronizes the data at regular intervals.

Manual synchronization, which allows forcing the synchronization.

Stop synchronization, which stops the current synchronization. If synchronization is in progress, check for agreement.


Note: When directory synchronization is enabled, Cisco Unified Communications Manager Administration cannot update any user information that is synchronized from the customer Corporate Directory.


DirSync Service Parameters

You can configure service parameters for the DirSync service. Use the System > Service Parameters menu option in Cisco Unified Communications Manager Administration. On the window that displays, choose a server in the Server drop-down list box. Choose the Cisco DirSync service in the Service drop-down list box. The Service Parameter Configuration window allows configuration of the DirSync service parameters.

For more information about the DirSync service, refer to the Cisco Unified Serviceability Administration Guide.

Data Migration Assistant

The Cisco Unified Communications Manager Data Migration Assistant (DMA) provides conversion of Cisco Unified Communications Manager 4.x data to a format that is compatible with later releases of Cisco Unified Communications Manager.

For details on obtaining, installing, and using DMA, refer to the applicable Data Migration Assistant User Guide.

Authentication

The authentication process verifies the identity of the user by validating the user ID and password/PIN before granting access to the system. Verification takes place against the Cisco Unified Communications Manager database or the LDAP corporate directory.

The Cisco Unified Communications Manager administrator enables LDAP authentication in the LDAP Authentication window, but the system makes it available only when LDAP synchronization is enabled in the LDAP System window.

When both synchronization and LDAP authentication are enabled, the system always authenticates application users and end user PINs against the Cisco Unified Communications Manager database. End user passwords get authenticated against the corporate directory; thus, end users need to use their corporate directory password.

When only synchronization is enabled (and LDAP authentication is not enabled), end users get authenticated against the Cisco Unified Communications Manager database. In this case, the administrator can configure a password by using the Cisco Unified Communications Manager Administration End User Configuration window.

Using the Cisco Unified Communications Manager Database Versus the Corporate LDAP Directory

Two options exist for using directory information:

To use only the Cisco Unified Communications Manager database for users, which is the default functionality when you install Cisco Unified Communications Manager, Release 6.0, create users with End User Configuration to add to the database (password, names, device association, and so forth). Authentication takes place against the information that is configured in Cisco Unified Communications Manager Administration. End users and administrators can make password changes if this method is used. This method does not entail LDAP synchronization.

To use the Corporate LDAP directory (either Microsoft Active Directory or Netscape Directory) with Cisco Unified Communications Manager, the following steps must take place:

For users to use their LDAP corporate directory passwords, the Cisco Unified Communications Manager administrator must configure LDAP authentication (System > LDAP > LDAP Authentication).

Administrators cannot configure LDAP authentication unless they first configure LDAP synchronization. Configuring LDAP synchronization blocks further end user configuration.


Note: Keep in mind that configuring authentication is optional. If authentication is not enabled, administrators and end users have two passwords, an Active Directory or Netscape Directory password and a Cisco Unified Communications Manager password.


Directory Access for Cisco Unified Communications Endpoints

The guidelines in this section apply regardless of whether Cisco Unified Communications Manager or other Cisco Unified Communications applications have been synchronized with a corporate directory. The end-user perception in both cases remains the same because the differences affect only how applications store their user information and how such information is kept consistent across the network.

The following sections summarize how to configure corporate directory access to any LDAPv3-compliant directory server for XML-capable phones such as Cisco Unified IP Phones 7940, 7960, and so on.


Note: Cisco IP Softphone, Release 1.2 and later, includes a built-in mechanism to access and search LDAP directories, as does the Cisco IP Communicator. Refer to the product documentation for details on how to configure this feature.


Directory Access for Cisco Unified IP Phones

XML-capable Cisco Unified IP Phones, such as 7940 and 7960, can search a corporate LDAP directory when a user presses the Directories button on the phone. The IP phones use HyperText Transfer Protocol (HTTP) to send requests to a web server. The responses from the web server must contain some specific Extensible Markup Language (XML) objects that the phone can interpret and display. In the case of a corporate directory search, the web server operates as a proxy by receiving the request from the phone and translating it into an LDAP request, which is in turn sent to the corporate directory server. After the response is encapsulated in the appropriate XML objects, the response gets interpreted and sent back to the phone.

Figure 20-2 illustrates this mechanism in a deployment where Cisco Unified Communications Manager has not been synchronized with the corporate directory. In this scenario, the message exchange does not involve Cisco Unified Communications Manager.

Figure 20-2 Message Exchange for Cisco Unified IP Phone Corporate Directory Access Without Directory Synchronization

You can configure the proxy function that the web server provides by using the Cisco Unified IP Phone Services Software Development Kit (SDK) version 2.0 or later, which includes the Cisco LDAP Search Component Object Model (COM) server.

In addition, directory access for Cisco Unified IP Phones includes the following characteristics:

The system supports all LDAPv3-compliant directories.

Cisco Unified Communications Manager user preferences (speed dials, call forward all, personal address book) do not get synchronized with the corporate LDAP directory. Therefore, users have a separate login and password to access the Cisco Unified Communications Manager User Options window.
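
The proxy step described in this section, where the web server turns the phone's HTTP request into an LDAP search and wraps the results in XML, sketched as an added example (not code from this guide or from the Cisco SDK). It shows the two places where the proxy must neutralize untrusted text: the search filter built from what the user keyed in, and the XML built from directory data. The parameter names last and first, the attribute names, and the default limit of 32 entries are assumptions; the CiscoIPPhoneDirectory object name comes from the Cisco IP Phone Services XML objects, not from this chapter.

```python
from xml.sax.saxutils import escape as xml_escape

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Make phone-supplied text safe to embed in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(last: str = "", first: str = "") -> str:
    """Translate the phone's HTTP query parameters into a prefix-match filter."""
    if not (last or first):
        # Refuse an unconstrained search that would walk the whole directory.
        raise ValueError("at least one search term is required")
    clauses = ["(objectClass=person)"]
    if last:
        clauses.append(f"(sn={escape_filter_value(last)}*)")
    if first:
        clauses.append(f"(givenName={escape_filter_value(first)}*)")
    return "(&" + "".join(clauses) + ")"


def render_directory(entries, title="Corporate Directory", limit=32):
    """Wrap LDAP results in the XML object returned to the phone."""
    out = ["<CiscoIPPhoneDirectory>", f"  <Title>{xml_escape(title)}</Title>"]
    # Entries without a name or number cannot be displayed or dialed.
    usable = [e for e in entries if e.get("cn") and e.get("telephoneNumber")]
    for entry in usable[:limit]:  # assumed per-object entry cap
        out += [
            "  <DirectoryEntry>",
            f"    <Name>{xml_escape(entry['cn'])}</Name>",
            f"    <Telephone>{xml_escape(entry['telephoneNumber'])}</Telephone>",
            "  </DirectoryEntry>",
        ]
    out.append("</CiscoIPPhoneDirectory>")
    return "\n".join(out)


# Constructed sample results, shaped like attribute dicts from an LDAP search.
SAMPLE_ENTRIES = [
    {"cn": "Smith & Sons Front Desk", "telephoneNumber": "5550100"},
    {"cn": "Smith, Alex", "telephoneNumber": "5550101"},
    {"cn": "Smith, No Phone"},  # skipped: nothing to dial
]
```

Because directory access involves only read operations, the account the proxy binds with needs no more than read access to the searched attributes.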

LDAP Directory Configuration Checklist

Table 20-1 lists the general steps and guidelines for configuring LDAP directory information.

Table 20-1 User Directory Configuration Checklist 

| Configuration Steps | Related procedures and topics |
| --- | --- |
| Step 1: Use the LDAP System windows to configure LDAP system settings. | LDAP System Configuration, Cisco Unified Communications Manager Administration Guide |
| Step 2: Use the LDAP Directory windows to configure LDAP directory settings. | LDAP Directory Configuration, Cisco Unified Communications Manager Administration Guide |
| Step 3: Use the LDAP Authentication windows to configure LDAP authentication settings. | LDAP Authentication Configuration, Cisco Unified Communications Manager Administration Guide |
| Step 4: If directory synchronization is enabled, use the DirSync service to synchronize with the customer corporate LDAP directory. | Cisco Unified Serviceability Administration Guide |
| Step 5: To convert Cisco Unified Communications Manager 4.x data to a format that is compatible with later releases of Cisco Unified Communications Manager, use the Cisco Unified Communications Manager Data Migration Assistant (DMA). | Data Migration Assistant User Guide |

Where to Find More Information

Related Topics

LDAP System Configuration, Cisco Unified Communications Manager Administration Guide

LDAP Directory Configuration, Cisco Unified Communications Manager Administration Guide

LDAP Authentication Configuration, Cisco Unified Communications Manager Administration Guide

Data Migration Assistant User Guide

Cisco Unified Serviceability Administration Guide

Cisco Unified Communications Manager Groups, page 5-3

System Configuration Checklist, page 5-18

Application Users and End Users, page 21-1

Credential Policy, page 22-1

Application User Configuration, Cisco Unified Communications Manager Administration Guide

End User Configuration, Cisco Unified Communications Manager Administration Guide

Additional Cisco Documentation

Installing Cisco Unified Communications Manager Release 6.0(1)

Cisco Unified Communications Solution Reference Network Design (SRND)