Cisco Unified Communications Manager System Guide, Release 8.6(1)
Understanding the Directory

Table of Contents

Understanding the Directory

LDAP Directory Configuration Checklist

Cisco Unified Communications Manager and the Corporate LDAP Directory

Directory Access

DirSync Service

DirSync Service Parameters

Authentication

Using the Cisco Unified Communications Manager Database Versus the Corporate LDAP Directory

Directory Access for Cisco Unified Communications Endpoints

Where to Find More Information

Understanding the Directory

Directories comprise specialized databases that are optimized for a high number of reads and searches and occasional writes and updates. Directories typically store data that does not change often, such as employee information, user privileges on the corporate network, and so on.

Because directories are extensible, you can modify and extend the type of information that is stored in them. The term directory schema refers to the type of stored information and the rules that it obeys. Many directories provide methods for extending the directory schema to accommodate information types that different applications define. This capability enables enterprises to use the directory as a central repository for user information.

The Lightweight Directory Access Protocol (LDAP) provides applications with a standard method for accessing and potentially modifying the information that is stored in the directory. This capability enables companies to centralize all user information in a single repository that is available to several applications with a reduction in maintenance costs through the ease of adds, moves, and changes.

This chapter covers the main principles for synchronizing Cisco Unified Communications Manager with a corporate LDAP directory. It also discusses the administrator's choice not to synchronize with a corporate LDAP directory and the consequences of that configuration, and it summarizes considerations for providing Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, with access to a corporate LDAP directory.

The following list summarizes the changes in directory functionality from previous releases of Cisco Unified Communications Manager:

  • Decoupling the directory component from Cisco Unified Communications Manager ensures high Cisco Unified Communications Manager availability independent of the corporate directory.
  • Cisco Unified Communications Manager and related applications store all application data in the local database instead of in an embedded directory. The embedded directory has been removed, and Cisco Unified Communications Manager instead supports synchronization with the customer directory.


LDAP Directory Configuration Checklist

You can add users from your corporate directory to the Cisco Unified Communications Manager database by synchronizing the user data to the database. Cisco Unified Communications Manager supports synchronization from the following directories to the database:

  • Microsoft Active Directory 2000
  • Microsoft Active Directory 2003
  • Microsoft Active Directory 2008
  • Microsoft Active Directory Application Mode 2003
  • Microsoft Lightweight Directory Services 2008
  • iPlanet Directory Server 5.1
  • Sun ONE Directory Server 5.2
  • Sun ONE Directory Server 6.x
  • OpenLDAP 2.3.39
  • OpenLDAP 2.4

Note Microsoft Active Directory Application Mode support is limited to those directory topologies already supported with a native Active Directory connection. No additional topologies, such as multi-forest, multi-tree single forest, or global catalog are supported.


Cisco Unified Communications Manager supports the following types of synchronization:

  • Automatic synchronization, which synchronizes the data at regular intervals.
  • Manual synchronization, which allows forcing the synchronization.
  • Stop synchronization, which stops the synchronization that is currently running. If a synchronization is in progress, check the status of the LDAP directory synchronization agreement before you make further changes.

Table 19-1 lists the general steps and guidelines for configuring LDAP directory information. For more information, see the “Where to Find More Information” section.

 

Table 19-1 User Directory Configuration Checklist

Step 1: Activate the DirSync service to synchronize with the customer corporate LDAP directory.
  Related procedures and topics: Cisco Unified Serviceability Administration Guide

Step 2: Access the LDAP System Configuration window to configure LDAP system settings.
  Related procedures and topics: LDAP System Configuration, Cisco Unified Communications Manager Administration Guide

Step 3: If you want to use LDAP filters, access the LDAP Filter Configuration window to create LDAP filters.
  Related procedures and topics: LDAP Custom Filter Configuration, Cisco Unified Communications Manager Administration Guide

Step 4: Access the LDAP Directory window to configure LDAP directory settings.
  Related procedures and topics: LDAP Directory Configuration, Cisco Unified Communications Manager Administration Guide

Step 5: Access the LDAP Authentication window to configure LDAP authentication settings.
  Related procedures and topics: Authentication (this chapter); LDAP Authentication Configuration, Cisco Unified Communications Manager Administration Guide

Cisco Unified Communications Manager and the Corporate LDAP Directory

In Cisco Unified Communications Manager Administration, you can access directory information about end users from the End User Configuration window ( User Management > End User ). If you do not enable LDAP synchronization, you use this window to add, update, and delete user information such as user ID, password, and device association. If you enable LDAP synchronization, you cannot add an end user, delete an end user, or change some existing user information, including user IDs, in the End User Configuration windows.

Applications and Services That Use the Database

The following Cisco Unified Communications Manager applications and services use the database for user and other types of information:

  • Bulk Administration Tool (BAT)
  • Cisco Unified Communications Manager Auto-Register Phone Tool
  • AXL
  • Cisco Extension Mobility
  • Cisco Unified CM User Options
  • Cisco Conference Connection
  • CTIManager
  • Cisco Unified Communications Manager CDR Analysis and Reporting
  • Cisco Unified Communications Manager Assistant
  • Cisco Customer Response Solutions (CRS)
  • Cisco Emergency Responder (CER)
  • Cisco Unified IP Phone Services
  • Personal Address Book (PAB)
  • FastDials
  • Cisco Web Dialer
  • Cisco IP Communicator

Directory Access

The following definition applies throughout this chapter:

  • Directory access refers to the ability of Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, to access a corporate LDAP directory.

Figure 19-1 Directory Access for Cisco Unified Communications Endpoints

Figure 19-1 illustrates directory access as it is defined in this chapter. In this example, the client is a Cisco Unified IP Phone. The client application performs a user search against an LDAP directory, such as the corporate directory of an enterprise, and receives several matching entries. The Cisco Unified IP Phone user can then select one entry and use it to dial the corresponding person from the Cisco Unified IP Phone.


Note Directory access, as defined here, involves only read operations on the directory and does not require that you make any directory schema extensions or other configuration changes.


DirSync Service

DirSync synchronizes data in the Cisco Unified Communications Manager database with the customer LDAP directory information. After you activate the DirSync service in Cisco Unified Serviceability, you configure LDAP-related information in the following windows in Cisco Unified Communications Manager Administration:

  • LDAP System Configuration ( System > LDAP System )
  • Find and List LDAP Directories ( System > LDAP > LDAP Directory )

DirSync allows you to synchronize the data from corporate directories to Cisco Unified Communications Manager. For information about which directories are supported for synchronization, see the “LDAP Directory Configuration Checklist” section.


Note When you configure a user in the corporate directory, ensure that you configure a last name for the user. After you configure LDAP synchronization in Cisco Unified Communications Manager Administration, users without last names in the corporate directory do not synchronize with the Cisco Unified Communications Manager database. No error displays in Cisco Unified Communications Manager Administration, but the log file indicates which users did not synchronize.
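Because the missing-last-name case produces no error in the administration interface, it is worth checking the directory before the first synchronization rather than reading the DirSync log afterwards. The following Python script is an added example, not Cisco code: it parses an LDIF export of the corporate directory (for example, the output of ldapsearch) and lists the person entries that have no `sn` value. The LDIF embedded in the script is constructed sample data, and the object class used to select user entries (`person`) is an assumption about the directory schema; Active Directory accounts also carry `user`, and OpenLDAP and Sun directories commonly use `inetOrgPerson`, which inherits from `person`.

```python
"""Pre-sync audit: find directory entries that DirSync will silently skip.

Added example, not Cisco code. Users without a last name in the corporate
directory do not synchronize and the GUI shows no error, so this script scans
an LDIF export and reports the person entries that lack the `sn` attribute.
SAMPLE_LDIF below is constructed sample data.
"""
import base64


def parse_ldif(text: str):
    """Parse LDIF content into a list of (dn, {attribute: [values]}).

    Handles folded lines (a leading space continues the previous line),
    base64 values ('attr:: ...'), URL values ('attr:< ...', kept as the URL),
    comments, and attribute options ('sn;lang-en' is treated as 'sn').
    Change records are not needed for an export and are not handled.
    """
    logical = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):        # URL-valued attribute
            value = value[1:].strip()
        else:
            value = value.strip()
        attr = attr.strip().lower().split(";")[0]
        if attr == "dn":
            current = (value, {})
        elif current is not None:          # lines before any dn are ignored
            current[1].setdefault(attr, []).append(value)
    return entries


def entries_missing(entries, attr: str):
    """DNs of entries that have no non-empty value for `attr`."""
    attr = attr.lower()
    return [dn for dn, attrs in entries
            if not any(v.strip() for v in attrs.get(attr, []))]


def audit_for_dirsync(ldif_text: str, person_class: str = "person"):
    """DNs of user entries that DirSync would skip for lacking a last name.

    `person_class` selects which entries count as users; it is an assumption
    about the directory schema and should match the deployed directory.
    """
    people = [(dn, attrs) for dn, attrs in parse_ldif(ldif_text)
              if person_class.lower() in {c.lower() for c in attrs.get("objectclass", [])}]
    return entries_missing(people, "sn")


# Constructed sample export: three people (one without sn, one with a
# base64-encoded non-ASCII sn) and one container entry.
SAMPLE_LDIF = """\
dn: uid=alopez,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: alopez
givenName: Ana
sn: Lopez
telephoneNumber: 2001

dn: uid=svc-fax,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: svc-fax
givenName: Fax
telephoneNumber: 2099

dn: uid=jmuller,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
uid: jmuller
givenName: Jan
sn:: TcO8bGxlcg==
telephoneNumber: 2003

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
"""

if __name__ == "__main__":
    for dn in audit_for_dirsync(SAMPLE_LDIF):
        print("will not synchronize (no sn):", dn)
```

Run the script against a real export by reading the LDIF file into `audit_for_dirsync`; fix the reported entries in the corporate directory (or exclude them with an LDAP custom filter) before enabling synchronization, then compare the list against the DirSync log after the first run.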



Note A DirSync that is invoked for Microsoft Active Directory performs a complete (total) synchronization of data.


DirSync allows the following options:

  • Automatic synchronization, which synchronizes the data at regular intervals.
  • Manual synchronization, which allows forcing the synchronization.
  • Stop synchronization, which stops the synchronization that is currently running. If a synchronization is in progress, check the status of the LDAP directory synchronization agreement before you make further changes.

Note When directory synchronization is enabled, Cisco Unified Communications Manager Administration cannot update any user information that is synchronized from the customer corporate directory.


DirSync Service Parameters

You can configure service parameters for the DirSync service. Choose System > Service Parameters in Cisco Unified Communications Manager Administration. In the window that displays, choose a server in the Server drop-down list box. Choose the Cisco DirSync service in the Service drop-down list box. The Service Parameter Configuration window allows configuration of the DirSync service parameters.


Note For specific information on how to activate the DirSync service, see the Cisco Unified Serviceability Administration Guide.


Authentication

The authentication process verifies the identity of the user by validating the user ID and password/PIN before granting access to the system. Verification takes place against the Cisco Unified Communications Manager database or the LDAP corporate directory.

You can only configure LDAP authentication if you enable LDAP synchronization.

When both synchronization and LDAP authentication are enabled, the system always authenticates application users and end user PINs against the Cisco Unified Communications Manager database. End user passwords get authenticated against the corporate directory; thus, end users need to use their corporate directory password.

When only synchronization is enabled (and LDAP authentication is not enabled), end users get authenticated against the Cisco Unified Communications Manager database. In this case, the administrator can configure a password in the End User Configuration window in Cisco Unified Communications Manager Administration.

Using the Cisco Unified Communications Manager Database Versus the Corporate LDAP Directory

Two options exist for using directory information:

  • To use the Cisco Unified Communications Manager database for users, create users in the End User Configuration window to add to the database (password, names, device association, and so forth). Authentication takes place against the information that is configured in Cisco Unified Communications Manager Administration. End users and administrators can make password changes if this method is used. This method does not entail LDAP synchronization.
  • To use the Corporate LDAP directory, the following steps must take place:

For users to use their corporate LDAP directory passwords, you must configure LDAP authentication (System > LDAP > LDAP Authentication).

You cannot configure LDAP authentication unless you first configure LDAP synchronization. Enabling synchronization blocks adding or deleting end users, and changing the synchronized attributes of existing end users, in Cisco Unified Communications Manager Administration.


Tip Keep in mind that configuring authentication is optional. If authentication is not enabled, administrators and end users have two passwords, a corporate directory password and a Cisco Unified Communications Manager password.


Directory Access for Cisco Unified Communications Endpoints

The guidelines in this section apply regardless of whether Cisco Unified Communications Manager or other Cisco Unified Communications applications have been synchronized with a corporate directory. The end-user perception in both cases remains the same because the differences affect only how applications store their user information and how such information is kept consistent across the network.

The following sections summarize how to configure corporate directory access to any LDAPv3-compliant directory server for XML-capable phones such as Cisco Unified IP Phones 7940, 7960, and so on.


Note Cisco IP Softphone, Release 1.2 and later, includes a built-in mechanism to access and search LDAP directories, as does the Cisco IP Communicator. See the product documentation for details on how to configure this feature.


Directory Access for Cisco Unified IP Phones

XML-capable Cisco Unified IP Phones, such as 7940 and 7960, can search a corporate LDAP directory when a user presses the Directories button on the phone. The IP phones use HyperText Transfer Protocol (HTTP) to send requests to a web server. The responses from the web server must contain specific Extensible Markup Language (XML) objects that the phone can interpret and display. In the case of a corporate directory search, the web server operates as a proxy: it receives the request from the phone, translates it into an LDAP request, and sends that request to the corporate directory server. The web server then encapsulates the LDAP response in the appropriate XML objects and returns it to the phone, which interprets and displays them.

Figure 19-2 illustrates this mechanism in a deployment where Cisco Unified Communications Manager has not been synchronized with the corporate directory. In this scenario, the message exchange does not involve Cisco Unified Communications Manager.

Figure 19-2 Message Exchange for Cisco Unified IP Phone Corporate Directory Access Without Directory Synchronization

 

You can implement the proxy function that the web server provides by using the Cisco Unified IP Phone Services Software Development Kit (SDK) version 2.0 or later, which includes the Cisco LDAP Search Component Object Model (COM) server.
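The two translations the proxy performs, phone input to LDAP filter and LDAP results to phone XML, are where a custom proxy most often goes wrong: unescaped phone input lets a user rewrite the search filter, and unescaped directory values let a directory entry inject markup into what the phone renders. The following Python module is an added example of the proxy path described above; it is not code from the Cisco Unified IP Phone Services SDK or from Cisco Unified Communications Manager. It assumes inetOrgPerson attribute names (givenName, sn, telephoneNumber) and the object class `person`, uses the CiscoIPPhoneDirectory, DirectoryEntry, Name and Telephone element names of the phone services XML schema (the chapter does not list them), and uses query parameter names (f, l, n) and a result cap (32) of our own choosing. The LDAP search is passed in as a callable, and the result set is constructed sample data, so the module runs offline.

```python
"""HTTP-to-LDAP directory proxy logic for XML-capable Cisco IP phones.

Added example, not code from the Cisco IP Phone Services SDK or from CUCM.
Phone search input -> LDAP search filter (RFC 4515 escaping), and LDAP
result entries -> the XML object the phone renders (XML escaping). The LDAP
search itself is injected as a callable; in a deployment pass a function
that queries the corporate directory with the filter it is given.
"""
from xml.sax.saxutils import escape as xml_escape
import xml.etree.ElementTree as ET

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape phone input so it is matched literally inside the filter.
    Unescaped, a value such as '*)(uid=*' changes the filter's structure and
    turns a name lookup into an arbitrary directory query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(first: str = "", last: str = "", number: str = "") -> str:
    """AND together whichever fields the user filled in, as prefix matches.
    Attribute names are assumed inetOrgPerson attributes; adapt them to the
    corporate directory's schema. The trailing '*' is ours; the user's is escaped."""
    clauses = []
    for attr, raw in (("givenName", first), ("sn", last), ("telephoneNumber", number)):
        raw = raw.strip()
        if raw:
            clauses.append(f"({attr}={escape_filter_value(raw)}*)")
    base = "(objectClass=person)"   # assumed object class of user entries
    return base if not clauses else "(&" + base + "".join(clauses) + ")"


def render_directory_xml(entries, title: str = "Corporate Directory") -> str:
    """Wrap result entries in a CiscoIPPhoneDirectory object.
    Element names follow the Cisco IP Phone Services XML schema (assumed here).
    Every directory value is XML-escaped, so an entry whose sn contains '<Eng>'
    cannot inject markup into the phone's display."""
    parts = ["<CiscoIPPhoneDirectory>",
             f"<Title>{xml_escape(title)}</Title>",
             f"<Prompt>{len(entries)} entries found</Prompt>"]
    for e in entries:
        name = f"{e.get('givenName', '')} {e.get('sn', '')}".strip()
        parts += ["<DirectoryEntry>",
                  f"<Name>{xml_escape(name)}</Name>",
                  f"<Telephone>{xml_escape(e.get('telephoneNumber', ''))}</Telephone>",
                  "</DirectoryEntry>"]
    parts.append("</CiscoIPPhoneDirectory>")
    return "\n".join(parts)


def parse_directory_xml(xml_text: str):
    """Read back (name, telephone) pairs; confirms the response is well-formed XML."""
    root = ET.fromstring(xml_text)
    return [(d.findtext("Name"), d.findtext("Telephone")) for d in root.iter("DirectoryEntry")]


def handle_phone_request(query: dict, search, max_entries: int = 32) -> str:
    """Full proxy path for one phone search.
    `query` holds the phone's HTTP query parameters (names f, l, n are our choice),
    `search(ldap_filter)` returns a list of attribute dicts from the directory,
    and the result is the XML body to return. max_entries bounds the response
    size sent to the phone (32 is our choice)."""
    ldap_filter = build_search_filter(query.get("f", ""), query.get("l", ""), query.get("n", ""))
    return render_directory_xml(search(ldap_filter)[:max_entries])


# Constructed sample result set standing in for what the LDAP server returns.
SAMPLE_RESULTS = [
    {"givenName": "Ana", "sn": "Lopez", "telephoneNumber": "2001"},
    {"givenName": "Bob", "sn": "O'Neil <Eng>", "telephoneNumber": "2002"},
]

if __name__ == "__main__":
    print(build_search_filter(last="*)(uid=*"))
    print(handle_phone_request({"l": "Lo"}, lambda flt: SAMPLE_RESULTS))
```

In a deployment, the `search` callable should bind to the directory with a read-only service account that can see only the attributes the phone needs; the proxy then has no path by which a phone user can read or modify anything else, whatever they type into the search form.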

In addition, directory access for Cisco Unified IP Phones includes the following characteristics:

  • The system supports all LDAPv3-compliant directories.
  • Cisco Unified Communications Manager user preferences (speed dials, call forward all, personal address book) do not get synchronized with the corporate LDAP directory. Therefore, users have a separate login and password to access the Cisco Unified CM User Options window.

Where to Find More Information


Additional Cisco Documentation

  • Installing Cisco Unified Communications Manager Release 8.5(1)
  • Cisco Unified Communications Solution Reference Network Design (SRND)
  • User Moves, Adds, and Changes Guide for Cisco Unity Connection
  • Cisco Unity Design Guide
  • Cisco Unity Data and the Directory , Active Directory Capacity Planning (white paper)
  • Cisco Unity Data Architecture and How Cisco Unity Works (white paper)