Integrate with Directory Sources

Set Up Directory Synchronization and Authentication

When you set up an on-premises deployment, you should configure Cisco Unified Communications Manager to do both of the following:
  • Synchronize with the directory server.
  • Authenticate with the directory server.


Synchronizing with the directory server replicates contact data from your directory to Cisco Unified Communications Manager.

Enabling authentication with the directory server lets Cisco Unified Communications Manager proxy authentication from the client to the directory server. In this way, users authenticate with the directory server, not with Cisco Unified Communications Manager or a presence server.

Synchronize with the Directory Server

Directory server synchronization ensures that contact data in your directory server is replicated to Cisco Unified Communications Manager.

Enable Synchronization

The first step to synchronize with a directory server is to enable synchronization on Cisco Unified Communications Manager.
Procedure
    Step 1   Open the Cisco Unified CM Administration interface.
    Step 2   Select System > LDAP > LDAP System.

    The LDAP System Configuration window opens.

    Step 3   Locate the LDAP System Information section.
    Step 4   Select Enable Synchronizing from LDAP Server.
    Step 5   Select the type of directory server from which you are synchronizing data from the LDAP Server Type drop-down list.

    What to Do Next

    Specify an LDAP attribute for the user ID.

    Populate User ID and Directory URI

    When you synchronize your LDAP directory server with Cisco Unified Communications Manager, you can populate the end user configuration tables in both the Cisco Unified Communications Manager and the Cisco Unified Communications Manager IM and Presence databases with attributes that contain values for the following:
    User ID

    You must specify a value for the user ID on Cisco Unified Communications Manager. This value is required for the default IM address scheme and for users to log in. The default value is sAMAccountName.

    Directory URI
    You should specify a value for the directory URI if you plan to:
    • Enable URI dialing in Cisco Jabber.
    • Use the directory URI address scheme on Cisco Unified Communications Manager IM and Presence version 9.1(1) and higher.


    When Cisco Unified Communications Manager synchronizes with the directory source, it retrieves the values for the directory URI and user ID and populates them in the end user configuration table in the Cisco Unified Communications Manager database.

    The Cisco Unified Communications Manager database then synchronizes with the Cisco Unified Communications Manager IM and Presence database. As a result, the values for the directory URI and user ID are populated in the end user configuration table in the Cisco Unified Communications Manager IM and Presence database.

    Specify an LDAP Attribute for the User ID

    When you synchronize from your directory source to Cisco Unified Communications Manager, you can populate the user ID from an attribute in the directory. The default attribute that holds the user ID is sAMAccountName.

    Procedure
      Step 1   Locate the LDAP Attribute for User ID drop-down list on the LDAP System Configuration window.
      Step 2   Specify an attribute for the user ID as appropriate and then select Save.
      Important:

      If the attribute for the user ID is other than sAMAccountName, you must specify the attribute as the value for the BDIUserAccountName parameter in your client configuration file as follows:

      <BDIUserAccountName>attribute-name</BDIUserAccountName>

      If you do not specify the attribute in your configuration, and the attribute is other than sAMAccountName, the client cannot resolve contacts in your directory. As a result, users do not get presence and cannot send or receive instant messages.


      Related Tasks
      Specify an LDAP Attribute for the Directory URI

      Specify an LDAP Attribute for the Directory URI

      On Cisco Unified Communications Manager version 9.0(1) and higher, you can populate the directory URI from an attribute in the directory. The default attribute is msRTCSIP-primaryuseraddress.

      Procedure
        Step 1   Select System > LDAP > LDAP Directory.
        Remember:

        To add or edit an LDAP directory, you must first enable synchronization.

        Step 2   Select the appropriate LDAP directory or select Add New to add an LDAP directory.
        Step 3   Locate the Standard User Fields To Be Synchronized section.
        Step 4   Select the appropriate LDAP attribute for the Directory URI drop-down list.
        Step 5   Select Save.

        Related Tasks
        Specify an LDAP Attribute for the User ID

        Perform Synchronization

        After you add a directory server and specify the required parameters, you can synchronize Cisco Unified Communications Manager with the directory server.
        Before You Begin
        If your environment includes a presence server, you should ensure the following feature service is activated and started before you synchronize with the directory server:
        • Cisco Unified Presence: Cisco UP Sync Agent
        • Cisco Unified Communications Manager IM and Presence: Cisco Sync Agent

        This service keeps data synchronized between the presence server and Cisco Unified Communications Manager. When you perform the synchronization with your directory server, Cisco Unified Communications Manager then synchronizes the data with the presence server. However, the Cisco Sync Agent service must be activated and started.

        Procedure
          Step 1   Select System > LDAP > LDAP Directory.
          Step 2   Select Add New.

          The LDAP Directory window opens.

          Step 3   Specify the required details on the LDAP Directory window.

          See the Cisco Unified Communications Manager Administration Guide for more information about the values and formats you can specify.

          Step 4   Select Save.
          Step 5   Select Perform Full Sync Now.
          Note   

          The amount of time it takes for the synchronization process to complete depends on the number of users that exist in your directory. If you synchronize a large directory with thousands of users, you should expect the process to take some time.


          User data from your directory server is synchronized to the Cisco Unified Communications Manager database. Cisco Unified Communications Manager then synchronizes the user data to the presence server database.

          Related Information
          Administration Guide version 8.6: LDAP Directory Configuration
          Administration Guide version 9.0: LDAP directory setup

          Authenticate with the Directory Server

          You should configure Cisco Unified Communications Manager to authenticate with the directory server. When users log in to the client, the presence server routes that authentication to Cisco Unified Communications Manager. Cisco Unified Communications Manager then proxies that authentication to the directory server.
          Procedure
            Step 1   Open the Cisco Unified CM Administration interface.
            Step 2   Select System > LDAP > LDAP Authentication.
            Step 3   Select Use LDAP Authentication for End Users.
            Step 4   Specify LDAP credentials and a user search base as appropriate.

            See the Cisco Unified Communications Manager Administration Guide for information about the fields on the LDAP Authentication window.

            Step 5   Select Save.

            Related Information
            Administration Guide version 8.6: LDAP Directory Configuration
            Administration Guide version 9.0: LDAP directory setup

            Contact Sources

            In on-premises deployments, the client requires a contact source to resolve directory lookups for user information. You can use the following as a contact source:

            Basic Directory Integration

            Basic Directory Integration (BDI) is an LDAP-based contact source.

            Basic Directory Integration

            When using Basic Directory Integration (BDI), the client retrieves contact data from the directory service as follows.

            1. The client connects to the Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence server.
            2. The client gets the LDAP profile configuration section in the service profile from the Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence server. The service profile contains the location of the Cisco Unified Communications Manager (TFTP) server. Depending on your configuration, the service profile can also contain the credentials to authenticate with the directory.
            3. The client connects to the Cisco Unified Communications Manager server.
            4. The client downloads the client configuration file from the Cisco Unified Communications Manager server. The client configuration file contains the location of the directory. Depending on your configuration, the client configuration file can also contain the credentials to authenticate with the directory.
            5. The client uses the directory location and the authentication credentials to connect to the directory.

            Authentication with Contact Sources

            BDI requires users to authenticate with the directory source to resolve contacts. You can use the following methods to authenticate with the contact source, in order of priority:
            Specify credentials in Cisco Unified Presence or Cisco Unified Communications Manager

            Specify credentials in a profile on the server. The client can then retrieve the credentials from the server to authenticate with the directory.

            This method is the most secure option for storing and transmitting credentials.

            Set common credentials in the client configuration file

            You specify a shared username and password in the client configuration file. The client can then authenticate with the directory server.

            Important:

            The client transmits and stores these credentials as plain text.

            You should use only a well-known or public set of credentials. The credentials should also be linked to an account that has read-only permissions.

            Use anonymous binds

            Configure the client to connect to the directory source with anonymous binds.

            Related Tasks
            Specify LDAP Directory Configuration on Cisco Unified Presence
            Specify LDAP Directory Configuration on Cisco Unified Communications Manager
            Set Credentials in the Client Configuration
            Use Anonymous Binds
            Specify LDAP Directory Configuration on Cisco Unified Presence

            If your environment includes Cisco Unified Presence version 8.x, you can specify directory configuration in the LDAP profile. The client can then get the directory configuration from the server to authenticate with the directory source.

            Complete the steps to create an LDAP profile that contains authentication credentials, and then assign that profile to users.

            Procedure
              Step 1   Open the Cisco Unified Presence Administration interface.
              Step 2   Select Application > Cisco Unified Personal Communicator > LDAP Profile.
              Step 3   Select Add New.
              Step 4   Specify a name and optional description for the profile in the following fields:
              • Name
              • Description
              Step 5   Specify a password that the client can use to authenticate with the LDAP server in the following fields:
              • Password
              • Confirm Password
              Step 6   Specify the IP address of your primary and backup LDAP servers in the following fields:
              • Primary LDAP Server
              • Backup LDAP Server
              • Backup LDAP Server
              Step 7   Select Add Users to Profile and add the appropriate users to the profile.
              Step 8   Select Save.

              Specify LDAP Directory Configuration on Cisco Unified Communications Manager

              If your environment includes Cisco Unified Communications Manager version 9.x and higher, you can specify credentials when you add a directory service. The client can then get the configuration from the server to authenticate with the directory source.

              Complete the steps to add a directory service, apply the directory service to the service profile, and specify the LDAP authentication configuration for the directory service.

              Procedure
                Step 1   Open the Cisco Unified CM Administration interface.
                Step 2   Add a directory service as follows:
                1. Select User Management > User Settings > UC Service.

                  The Find and List UC Services window opens.

                2. Select Add New.

                  The UC Service Configuration window opens.

                3. In the Add a UC Service section, select Directory from the UC Service Type drop-down list.
                4. Select Next.
                5. Specify details for the directory service as follows:
                  Product Type

                  Select Directory.

                  Name

                  Enter a descriptive name for the server, for example, PrimaryDirectoryServer.

                  Description

                  Enter an optional description.

                  Hostname/IP Address

                  Enter the address of the directory server in one of the following formats:

                  • Hostname
                  • IP Address
                  • FQDN
                  Port

                  You do not need to specify a port number. By default, the client always uses port 3268 to connect to the directory server. For this reason, any value you specify does not take effect.

                  Protocol Type
                  Select the appropriate protocol from the Protocol Type drop-down list.
                6. Select Save.
                Step 3   Apply the directory service to your service profile as follows:
                1. Select User Management > User Settings > Service Profile.

                  The Find and List Service Profiles window opens.

                2. Find and select your service profile.

                  The Service Profile Configuration window opens.

                3. In the Directory Profile section, select up to three services from the following drop-down lists:
                  • Primary
                  • Secondary
                  • Tertiary
                4. Specify the credentials that the client can use to authenticate with the LDAP server in the following fields:
                  • Username
                  • Password
                5. Select Save.

                Set Credentials in the Client Configuration
                You can set credentials in the client configuration with the following parameters:
                • BDIConnectionUsername
                • BDIConnectionPassword
                Important:

                The client transmits and stores these credentials as plain text.

                You should use only a well-known or public set of credentials. The credentials should also be linked to an account that has read-only permissions.

                The following is an example configuration:

                <Directory>
                  <BDIConnectionUsername>admin@example.com</BDIConnectionUsername>
                  <BDIConnectionPassword>password</BDIConnectionPassword>
                </Directory>
                Use Anonymous Binds

                To use anonymous binds, you set the following parameters in the client configuration file:

Parameter                   Value
DirectoryServerType         BDI
BDIPrimaryServerName        IP address or FQDN of the directory server
BDIEnableTLS                True
BDISearchBase1              Searchable organizational unit (OU) in the directory tree
BDIBaseFilter               Object class that your directory service uses; for example, inetOrgPerson
BDIPredictiveSearchFilter   uid or another search filter (a search filter is optional)

                The following is an example configuration:

                <Directory>
                  <BDIPrimaryServerName>11.22.33.456</BDIPrimaryServerName>
                  <BDIEnableTLS>True</BDIEnableTLS>
                  <BDISearchBase1>ou=people,dc=cisco,dc=com</BDISearchBase1>
                  <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson))</BDIBaseFilter>
                  <BDIPredictiveSearchFilter>uid</BDIPredictiveSearchFilter>
                </Directory>
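The two example configurations above differ in exactly the properties this guide keeps warning about: whether shared credentials are present (the client stores and transmits them as plain text), whether BDIEnableTLS is on, whether a non-Active Directory server has a search base, and whether the base filter is a well-formed LDAP filter. The following is an added example, not code from the Cisco guide or the Jabber client, that lints a `<Directory>` section against those points. The sample configurations embedded in it are constructed for the example; the parameter names are the ones documented on this page.

```python
# Added example (not from the Cisco guide): a small linter for the <Directory>
# section of a Jabber client configuration file. It applies the guide's own
# advice: shared BDI credentials rest and travel in plain text, so their
# presence is worth flagging; BDIEnableTLS should be true; a directory other
# than Active Directory needs a search base; and a base filter must be a
# well-formed LDAP filter.
import xml.etree.ElementTree as ET


def _text(directory, tag):
    """Return the stripped text of a child element, or None when absent."""
    node = directory.find(tag)
    return node.text.strip() if node is not None and node.text else None


def _balanced(filter_text):
    """True when every '(' in an LDAP filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def audit_directory_config(xml_text):
    """Return a list of findings for the <Directory> section of a jabber-config.xml.

    ElementTree decodes &amp; on parse, so a filter written in the file as
    (&amp;(objectClass=...)) arrives here as (&(objectClass=...)).
    """
    root = ET.fromstring(xml_text)
    directory = root if root.tag == "Directory" else root.find(".//Directory")
    if directory is None:
        return ["no <Directory> section found"]
    findings = []

    username = _text(directory, "BDIConnectionUsername")
    password = _text(directory, "BDIConnectionPassword")
    if username or password:
        # The guide: the client transmits and stores these as plain text.
        findings.append("shared credentials present: stored and transmitted in "
                        "plain text; use a well-known, read-only account")
    else:
        findings.append("no shared credentials: client uses server-provided "
                        "credentials or an anonymous bind")

    tls = (_text(directory, "BDIEnableTLS") or "false").lower()
    if tls != "true":
        # The default is false, so an absent element also means cleartext LDAP.
        findings.append("BDIEnableTLS is not true: directory traffic is unencrypted")

    server_type = _text(directory, "BDILDAPServerType") or "AD"
    if server_type != "AD" and not _text(directory, "BDISearchBase1"):
        findings.append("BDISearchBase1 missing: required for directories "
                        "other than Active Directory")

    base_filter = _text(directory, "BDIBaseFilter")
    if base_filter and not _balanced(base_filter):
        findings.append("BDIBaseFilter has unbalanced parentheses: " + base_filter)

    return findings


# Constructed sample: the guide's shared-credential example, without TLS.
SAMPLE_SHARED = """<Directory>
  <BDIConnectionUsername>admin@example.com</BDIConnectionUsername>
  <BDIConnectionPassword>password</BDIConnectionPassword>
</Directory>"""

# Constructed sample: anonymous bind to OpenLDAP with a malformed base filter
# (the closing parenthesis of the AND is missing).
SAMPLE_ANON = """<Directory>
  <DirectoryServerType>BDI</DirectoryServerType>
  <BDILDAPServerType>OpenLDAP</BDILDAPServerType>
  <BDIPrimaryServerName>ldap.example.com</BDIPrimaryServerName>
  <BDIEnableTLS>True</BDIEnableTLS>
  <BDISearchBase1>ou=people,dc=example,dc=com</BDISearchBase1>
  <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson)</BDIBaseFilter>
</Directory>"""

if __name__ == "__main__":
    for name, cfg in (("shared", SAMPLE_SHARED), ("anonymous", SAMPLE_ANON)):
        print(name)
        for finding in audit_directory_config(cfg):
            print("  -", finding)
```

Run it against your own jabber-config.xml by passing the file contents to audit_directory_config; the shared-credential sample produces the plain-text and TLS findings, the anonymous sample produces only the unbalanced-filter finding.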

                Client Configuration for Directory Integration

                Directory integration can be configured through Service Profiles using Cisco Unified Communications Manager 9 or higher or with the configuration file. Use this section to learn how to configure the client for directory integration.


                Note


                In instances where a Service Profile and the configuration file are present, settings in the Service Profile take priority.

                Note


                Cisco Unified Presence 8 profiles cannot be used for directory integration.

                Configure Directory Integration in a Service Profile

                With Cisco Unified Communications Manager version 9 and higher, you can provision users with service profiles and deploy the _cisco-uds SRV record on your internal domain name server.

                The client can then automatically discover Cisco Unified Communications Manager and retrieve the service profile to get directory integration configuration.

                To configure directory integration in a service profile, do the following:

                Procedure
                  Step 1   Open the Unified CM Administration interface.
                  Step 2   Add a directory service.
                  1. Select User Management > User Settings > UC Service. The Find and List UC Services window opens.
                  2. Select Add New. The UC Service Configuration window opens.
                  3. Select Directory from the UC Service Type menu and then select Next.
                  4. Set all appropriate values for the directory service and then select Save.
                  Step 3   Apply the directory service to a service profile.
                  1. Select User Management > User Settings > Service Profile. The Find and List Service Profiles window opens.
                  2. Select Add New. The Service Profile Configuration window opens.
                  3. Add the directory services to the directory profile.
                  4. Select Save.

                  You do not need to check the Use UDS for Contact Resolution and Use Logged On User Credential check boxes.

                  When both a directory profile and the jabber-config.xml file are used at the same time, the configuration in the directory profile has the higher priority and is used, except for manual sign-in and service discovery.

                  When users sign in manually, the Username and Password from the directory profile are used to connect to the LDAP server for contact search.

                  For service discovery, the Username, Password, Search Base, and Primary server from the directory profile are used to connect to the LDAP server for contact search.

                  To make this work consistently, it is highly recommended that the Username and Password in the directory profile and in jabber-config.xml are exactly the same.


                  Directory Profile Parameters

                  The following table lists the configuration parameters you need to set in the directory profile:

Directory Service Configuration    Description

Primary server
  Specifies the address of the primary directory server.
  This parameter is required for manual connections where the client cannot automatically discover the directory server.

Username
  Lets you manually specify a shared username that the client can use to authenticate with the directory server. You should use this parameter only in deployments where you cannot authenticate with the directory server using Microsoft Windows credentials.
  If you must use this parameter, you should use only a well-known or public set of credentials. The credentials should also be linked to an account that has read-only permissions.

Password
  Lets you manually specify a shared password that the client can use to authenticate with the directory server. You should use this parameter only in deployments where you cannot authenticate with the directory server using Microsoft Windows credentials.
  If you must use this parameter, you should use only a well-known or public set of credentials. The credentials should also be linked to an account that has read-only permissions.

Search Base 1
  Specifies a location in the directory server from which searches begin. In other words, a search base is the root from which the client executes a search.
  By default, the client searches from the root of the directory tree. You can specify the value of up to three search bases in your OU to override the default behavior.
  Active Directory does not typically require a search base. You should specify search bases for Active Directory only for specific performance requirements.
  You must specify a search base for directory servers other than Active Directory to create bindings to specific locations in the directory.
  Tip: Specify an OU to restrict searches to certain user groups. For example, a subset of your users have instant messaging capabilities only. Include those users in an OU and then specify that as a search base.

                  Attribute Mappings

                  It is not possible to change the default attribute mappings in a service profile. If you plan to change any default attribute mappings, you must define the required mappings in a client configuration file.

                  Related References
                  Directory Server Configuration Examples

                  Summary of Directory Integration Configuration Parameters

                  This topic lists all the parameters you can specify to configure directory integration.

                  The following table lists the parameters you can use for attribute mapping:
                  Attribute Mapping Parameters
                  • BDICommonName
                  • BDIDisplayName
                  • BDIFirstname
                  • BDILastname
                  • BDIEmailAddress
                  • BDISipUri
                  • BDIPhotoSource
                  • BDIBusinessPhone
                  • BDIMobilePhone
                  • BDIHomePhone
                  • BDIOtherPhone
                  • BDITitle
                  • BDICompanyName
                  • BDIUserAccountName
                  • BDIDomainName
                  • BDILocation
                  • BDINickname
                  • BDIPostalCode
                  • BDICity
                  • BDIState
                  • BDIStreetAddress
                  The following table lists the parameters you can use to connect to a directory server:
                  Directory Server Connection Parameters
                  • BDILDAPServerType
                  • BDIPresenceDomain
                  • BDIPrimaryServerName
                  • BDIServerPort1
                  • BDIConnectionUsername
                  • BDIConnectionPassword
                  • BDIEnableTLS
                  The following table lists the parameters you can use for contact resolution and directory queries:
                  Contact Resolution and Directory Query Parameters
                  • BDIBaseFilter
                  • BDIUseANR
                  • BDIPredictiveSearchFilter
                  • BDISearchBase1
                  • BDIPhotoUriSubstitutionEnabled
                  • BDIPhotoUriSubstitutionToken
                  • BDIPhotoUriWithToken
                  • BDIUseSIPURIToResolveContacts
                  • BDIUriPrefix

                  Attribute Mapping Parameters

The following table describes the parameters for mapping directory attributes (ANR is Ambiguous Name Resolution):

Parameter             Directory Attribute            Exists in Global Catalog by Default   Is Indexed by Default   Set for ANR by Default
BDICommonName         cn                             Yes                                   Yes                     No
BDIDisplayName        displayName                    Yes                                   Yes                     Yes
BDIFirstname          givenName                      Yes                                   Yes                     Yes
BDILastname           sn                             Yes                                   Yes                     Yes
BDIEmailAddress       mail                           Yes                                   Yes                     Yes
BDISipUri             msRTCSIP-PrimaryUserAddress    Yes                                   Yes                     Yes
BDIPhotoSource        thumbnailPhoto                 No                                    No                      No
BDIBusinessPhone      telephoneNumber                Yes                                   No                      No
BDIMobilePhone        mobile                         Yes                                   No                      No
BDIHomePhone          homePhone                      Yes                                   No                      No
BDIOtherPhone         otherTelephone                 Yes                                   No                      No
BDITitle              title                          Yes                                   No                      No
BDICompanyName        company                        Yes                                   Yes                     No
BDIUserAccountName    sAMAccountName                 Yes                                   Yes                     Yes
BDIDomainName         userPrincipalName              Yes                                   Yes                     No
BDILocation           co                             Yes                                   No                      No
BDINickname           displayName                    Yes                                   Yes                     Yes
BDIPostalCode         postalCode                     Yes                                   No                      No
BDICity               l                              Yes                                   Yes                     No
BDIState              st                             Yes                                   Yes                     No
BDIStreetAddress      streetAddress                  Yes                                   No                      No
                  Related Tasks
                  Specify an LDAP Attribute for the User ID

                  Attributes on the Directory Server

                  You must index attributes on your directory server so that the client can resolve contacts.

                  If you use the default attribute mappings, ensure the following attributes are indexed:
• sAMAccountName
• displayName
• sn
• name
• proxyAddresses
• mail
• department
• givenName
• telephoneNumber
• msRTCSIP-PrimaryUserAddress (index this attribute for intradomain federation only)

Additionally, ensure you index the following attributes for secondary number queries:
• otherTelephone
• mobile
• homePhone

                  Directory Connection Parameters

                  The following table describes parameters for configuring your directory connection:
Parameter / Value / Description

BDILDAPServerType
  Value: AD or OpenLDAP
  Specifies the type of LDAP directory server to which the client connects.
  AD: Connect to Active Directory. This is the default value.
  OpenLDAP: Connect to OpenLDAP.

BDIPresenceDomain
  Value: Domain of the presence server
  Specifies the domain of the presence server.
  The client appends this domain to the user ID to create an IM address. For example, a user named Adam McKenzie has the user ID amckenzie, and you specify example.com as the presence server domain. When the user logs in, the client constructs the following IM address for Adam McKenzie: amckenzie@example.com.

BDIPrimaryServerName
  Value: IP address or FQDN
  Specifies the address of the primary directory server.
  This parameter is required for manual connections where the client cannot automatically discover the directory server.

BDIServerPort1
  Value: Port number
  Specifies the port for the primary directory server.

BDIConnectionUsername
  Value: Username
  Lets you manually specify a shared username that the client can use to authenticate with the directory server.
  Important: The client transmits and stores this username as plain text. If you must use this parameter, you should use only a well-known or public set of credentials. The account that you use for integration should have read-only permissions to the directory.

BDIConnectionPassword
  Value: Password
  Lets you manually specify a shared password that the client can use to authenticate with the directory server.
  Important: The client transmits and stores this password as plain text. If you must use this parameter, you should use only a well-known or public set of credentials. The account that you use for integration should have read-only permissions to the directory.

BDIEnableTLS
  Value: true or false
  Use TLS to secure directory connections.
  true: Use TLS.
  false: Do not use TLS. This is the default value.

                  Directory Query Parameters

                  The following table describes parameters for configuring how the client queries your directory:
Parameter / Value / Description

BDIBaseFilter
  Value: Base filter
  Specifies a base filter for Active Directory queries.
  Specify a directory subkey name only to retrieve objects other than user objects when you query the directory.
  The default value is (&amp;(objectCategory=person)).
  Configuration files can contain only valid XML character entity references. Use &amp; instead of & if you specify a custom base filter.

BDIUseANR
  Value: true or false
  Specifies whether Cisco Jabber issues a query using Ambiguous Name Resolution (ANR) when it performs a predictive search.
  true: Use ANR for predictive search. This is the default value.
  false: Do not use ANR for predictive search.
  You should set the value to false if you integrate with a directory source other than Active Directory.
  Important: You must configure your directory server to set attributes for ANR if you want the client to search for those attributes.

BDIPredictiveSearchFilter
  Value: Search filter
  Defines filters to apply to predictive search queries.
  You can define multiple, comma-separated values to filter search queries.
  Note: This key is used only when BDIUseANR is set to false. If BDIPredictiveSearchFilter is not set, the default search filter is used.

BDISearchBase1
  Value: Searchable organizational unit (OU) in the directory tree
  Specifies a location in the directory server from which searches begin. In other words, a search base is the root from which the client executes a search.
  By default, the client searches from the root of the directory tree. You can specify the value of up to five search bases in your OU to override the default behavior.
  Active Directory does not typically require a search base. You should specify search bases for Active Directory only for specific performance requirements.
  You must specify a search base for directory servers other than Active Directory to create bindings to specific locations in the directory.
  Tip: Specify an OU to restrict searches to certain user groups. For example, a subset of your users have instant messaging capabilities only. Include those users in an OU and then specify that as a search base.

                  Base Filter Examples

                  The following are example base filters you can use to look up specific locations or objects.

                  Find only specific groups:

                  (&amp;(objectClass=user)(memberOf=cn=group-name,ou=Groups,dc=example,dc=com))

                  Find a nested group within a group:

                  (&amp;(objectClass=user)(memberOf:search-oid:=cn=group-name,ou=Groups,dc=example,dc=com))

                  Find only enabled accounts and non-administrator accounts:

(&amp;(objectCategory=person)(objectClass=user)(!(userAccountControl:search-oid:=2))(!(sAMAccountName=*_dbo))(!(sAMAccountName=*-admin)))

Contact Photo Parameters

The following table describes parameters for configuring how the client retrieves contact photos:

Parameter: BDIPhotoUriSubstitutionEnabled
Value: true or false
Description: Specifies whether photo URI substitution is enabled.
  true: Photo URI substitution is enabled.
  false: Photo URI substitution is disabled. This is the default value.

Parameter: BDIPhotoUriSubstitutionToken
Value: Directory attribute
Description: Specifies a directory attribute to insert in the photo URI; for example, sAMAccountName.

Parameter: BDIPhotoUriWithToken
Value: URI
Description: Specifies a photo URI with a directory attribute as a variable value; for example, http://staffphoto.example.com/sAMAccountName.jpg.
To configure photo URI substitution, you set the directory attribute as the value of BDIPhotoUriSubstitutionToken.
Restriction: The client must be able to retrieve the photos from the web server without credentials.

                  Contact Photo Retrieval with BDI

                  Cisco Jabber retrieves and displays contact photos with the following methods:
                  URI substitution

                  Cisco Jabber dynamically builds a URL to contact photos with a directory attribute and a URL template.

                  To use this method, set the following values in your configuration file:
                  1. Specify true as the value of the BDIPhotoUriSubstitutionEnabled parameter.
                  2. Specify a directory attribute to use as a dynamic token as the value of the BDIPhotoUriSubstitutionToken parameter; for example,
                    <BDIPhotoUriSubstitutionToken>sAMAccountName</BDIPhotoUriSubstitutionToken>
                  3. Specify the URL and the dynamic token as the value of the BDIPhotoUriWithToken parameter; for example,
                    <BDIPhotoUriWithToken>http://staffphoto.example.com/sAMAccountName.jpg</BDIPhotoUriWithToken>

                  With the example values in the preceding steps, the sAMAccountName attribute might resolve to msmith in your directory. Cisco Jabber then takes this value and replaces the token to build the following URL: http://staffphoto.example.com/msmith.jpg.

                  Binary objects

                  Cisco Jabber retrieves the binary data for the photo from your database.

                  To use this method to retrieve contact photos, specify the attribute that contains the binary data as the value of the BDIPhotoSource parameter in the configuration; for example,
                  <BDIPhotoSource>thumbnailPhoto</BDIPhotoSource>
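The two retrieval methods above, modelled as an added Python example (not Cisco's code and not part of the original page). The BDI parameters are stood in by a plain dictionary rather than the XML file, the directory entries are constructed, and the order of preference (URI substitution first, then BDIPhotoSource) is an assumption the page does not state; the percent-encoding of the attribute value is an added hardening step.

```python
"""Resolve a contact photo with the two BDI methods: URI substitution and binary objects."""
from urllib.parse import quote

# Constructed configuration values mirroring the page's sAMAccountName example.
PHOTO_CONFIG = {
    "BDIPhotoUriSubstitutionEnabled": "true",
    "BDIPhotoUriSubstitutionToken": "sAMAccountName",
    "BDIPhotoUriWithToken": "http://staffphoto.example.com/sAMAccountName.jpg",
}

# Constructed directory entries, shaped like the attributes a directory search returns.
MARY = {"sAMAccountName": "msmith", "cn": "Mary Smith"}
BOB = {"sAMAccountName": "bjones", "thumbnailPhoto": b"\x89PNG\r\n\x1a\n(constructed bytes)"}


def resolve_contact_photo(config, entry):
    """Return ("uri", url), ("binary", bytes) or (None, None) for one directory entry.

    Assumption (not stated on the page): URI substitution is tried first when
    enabled, and the BDIPhotoSource attribute is read only as a fallback.
    """
    enabled = config.get("BDIPhotoUriSubstitutionEnabled", "false").lower() == "true"
    token = config.get("BDIPhotoUriSubstitutionToken", "")
    template = config.get("BDIPhotoUriWithToken", "")
    if enabled and token and token in template:
        value = entry.get(token)
        if value:
            # Added hardening: percent-encode the attribute value so characters
            # such as '/', '?', '#' or spaces cannot alter the path of the URL.
            return "uri", template.replace(token, quote(str(value), safe=""))
    source = config.get("BDIPhotoSource", "")
    data = entry.get(source) if source else None
    if isinstance(data, (bytes, bytearray)) and data:
        return "binary", bytes(data)
    return None, None
```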

                  Contact Photo Formats and Dimensions

                  To achieve the best result with Cisco Jabber, your contact photos should have specific formats and dimensions. Review supported formats and optimal dimensions. Learn about adjustments the client makes to contact photos.

                  Contact Photo Formats
                  Cisco Jabber supports the following formats for contact photos in your directory:
                  Important:

                  Cisco Jabber does not apply any modifications to enhance rendering for contact photos in GIF format. As a result, contact photos in GIF format might render incorrectly or with less than optimal quality. To obtain the best quality, you should use PNG format for your contact photos.

Contact Photo Dimensions

Tip: The optimum dimensions for contact photos are 128 pixels by 128 pixels with an aspect ratio of 1:1.

The following table lists the different dimensions for contact photos in Cisco Jabber:

Location: Audio call window
Dimensions: 128 pixels by 128 pixels

Location: Invitations and reminders, for example:
• Incoming call windows
• Meeting reminder windows
Dimensions: 64 pixels by 64 pixels

Location: Lists of contacts, for example:
• Contact lists
• Participant rosters
• Call history
• Voicemail messages
Dimensions: 32 pixels by 32 pixels

                  Contact Photo Adjustments
                  Cisco Jabber adjusts contact photos as follows:
                  Resizing

                  If contact photos in your directory are smaller or larger than 128 pixels by 128 pixels, the client automatically resizes the photos. For example, contact photos in your directory are 64 pixels by 64 pixels. When Cisco Jabber retrieves the contact photos from your directory, it resizes the photos upwards to 128 pixels by 128 pixels.


Tip: Resizing contact photos can result in less than optimal resolution. For this reason, you should use contact photos that are 128 pixels by 128 pixels so that the client does not automatically resize them.


                  Cropping

                  Cisco Jabber automatically crops non-square contact photos to a square aspect ratio, or an aspect ratio of 1:1 where the width is the same as the height.

                  Portrait orientation

                  If contact photos in your directory have portrait orientation, the client crops 30 percent from the top and 70 percent from the bottom.

                  For example, if contact photos in your directory have a width of 100 pixels and a height of 200 pixels, Cisco Jabber needs to crop 100 pixels from the height to achieve an aspect ratio of 1:1. In this case, the client crops 30 pixels from the top of the photos and 70 pixels from the bottom of the photos.

                  Landscape orientation

                  If contact photos in your directory have landscape orientation, the client crops 50 percent from each side.

                  For example, if contact photos in your directory have a width of 200 pixels and a height of 100 pixels, Cisco Jabber needs to crop 100 pixels from the width to achieve an aspect ratio of 1:1. In this case, the client crops 50 pixels from the right side of the photos and 50 pixels from the left side of the photos.

                  Rounding

                  Cisco Jabber rounds the corners of contact photos after retrieving them from your directory.
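The resizing and cropping rules above, generalized to any photo size in an added Python example (my own code, not Cisco's); it reproduces the page's 100x200 and 200x100 cases and also reports when a photo would be upscaled, which the Tip warns costs resolution.

```python
"""Model the contact photo adjustments (crop, then resize) described for Cisco Jabber."""

TARGET = 128  # optimum dimensions: 128 pixels by 128 pixels, aspect ratio 1:1


def photo_adjustment(width, height):
    """Return the crop box and resize outcome for a photo of the given size.

    crop_box is (left, top, right, bottom) in source pixels. Portrait photos
    lose 30 percent of the excess height from the top and 70 percent from the
    bottom; landscape photos lose 50 percent of the excess width from each
    side; square photos are not cropped. Integer arithmetic keeps the box on
    whole pixels (how the client rounds odd excesses is not stated on the page).
    """
    if width <= 0 or height <= 0:
        raise ValueError("dimensions must be positive")
    if height > width:                       # portrait
        excess = height - width
        top = excess * 30 // 100
        box = (0, top, width, top + width)   # the remaining excess comes off the bottom
    elif width > height:                     # landscape
        excess = width - height
        left = excess // 2
        box = (left, 0, left + height, height)
    else:                                    # already 1:1
        box = (0, 0, width, height)
    side = box[2] - box[0]
    return {
        "crop_box": box,
        "resized_to": (TARGET, TARGET),
        "upscaled": side < TARGET,           # resizing upwards costs resolution
        "pixels_removed": width * height - side * side,
    }
```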

                  Directory Server Configuration Examples

                  This section describes supported integration scenarios and provides example configurations.

                  Simple Authentication

                  Simple authentication lets you connect to a directory server using simple binds, as in the following example configuration:

                  <BDIEnableTLS>False</BDIEnableTLS>
                  <BDIConnectionUsername>username</BDIConnectionUsername>
                  <BDIConnectionPassword>password</BDIConnectionPassword>
                  This configuration specifies that the client:
                  • Does not use SSL.
                  • Uses simple authentication.
                  • Uses custom credentials.
                  As a result of the simple bind, the client transmits the credentials in the payload of the bind request in plain text.

                  Simple Authentication with SSL

                  Enable SSL in directory server connections with the BDIEnableTLS parameter. You can use SSL to encrypt credentials when you use simple authentication, as in the following example configuration:
                  <BDIEnableTLS>True</BDIEnableTLS>
                  <BDIConnectionUsername>username</BDIConnectionUsername>
                  <BDIConnectionPassword>password</BDIConnectionPassword>
                  This configuration specifies that the client:
                  • Uses SSL.
                  • Uses simple authentication.
                  • Uses custom credentials.
As a result, the client uses SSL to encrypt the credentials when it transmits them to the directory server. The credentials themselves still appear in plain text in the client configuration file, so protect that file accordingly.

                  OpenLDAP Integration

                  You can integrate with OpenLDAP using anonymous binds or authenticated binds.

Anonymous Binds

To integrate with OpenLDAP using anonymous binds, set the following parameters:

Parameter                      Value
BDILDAPServerType              OpenLDAP
BDIPrimaryServerName           IP address or hostname
BDIEnableTLS                   True
BDISearchBase1                 Root of the directory service or the organizational unit (OU)
BDIUserAccountName             Unique identifier such as uid or cn
BDIBaseFilter                  Object class that your directory service uses; for example, inetOrgPerson.
BDIPredictiveSearchFilter      (Optional) uid or other search filter

The following is an example configuration:
<Directory>
  <BDILDAPServerType>OpenLDAP</BDILDAPServerType>
  <BDIPrimaryServerName>11.22.33.456</BDIPrimaryServerName>
  <BDIEnableTLS>True</BDIEnableTLS>
  <BDISearchBase1>ou=people,dc=cisco,dc=com</BDISearchBase1>
  <BDIUserAccountName>uid</BDIUserAccountName>
  <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson))</BDIBaseFilter>
  <BDIPredictiveSearchFilter>uid</BDIPredictiveSearchFilter>
</Directory>
Authenticated Binds

To integrate with OpenLDAP using authenticated binds, set the following parameters:

Parameter                      Value
BDILDAPServerType              OpenLDAP
BDIPrimaryServerName           IP address or hostname
BDIEnableTLS                   False
BDISearchBase1                 Root of the directory service or the organizational unit (OU)
BDIUserAccountName             Unique identifier such as uid or cn
BDIBaseFilter                  Object class that your directory service uses; for example, inetOrgPerson.
BDIPredictiveSearchFilter      (Optional) uid or other search filter
BDIConnectionUsername          Username
BDIConnectionPassword          Password

The following is an example configuration:
<Directory>
  <BDILDAPServerType>OpenLDAP</BDILDAPServerType>
  <BDIPrimaryServerName>11.22.33.456</BDIPrimaryServerName>
  <BDIEnableTLS>False</BDIEnableTLS>
  <BDISearchBase1>ou=people,dc=cisco,dc=com</BDISearchBase1>
  <BDIUserAccountName>uid</BDIUserAccountName>
  <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson))</BDIBaseFilter>
  <BDIPredictiveSearchFilter>uid</BDIPredictiveSearchFilter>
  <BDIConnectionUsername>cn=administrator,dc=cisco,dc=com</BDIConnectionUsername>
  <BDIConnectionPassword>password</BDIConnectionPassword>
</Directory>
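Two checks worth running over a <Directory> fragment before deploying it, combining the Directory Query Parameters and Base Filter Examples sections (a base filter must be well-formed and must use &amp; for &) with the Simple Authentication sections (a bind password with BDIEnableTLS set to False crosses the network in plain text). This is an added Python example, not Cisco's code or part of the original page; the sample fragment is constructed and deliberately contains both mistakes, and the finding messages and function names are my own.

```python
"""Lint a Cisco Jabber BDI <Directory> configuration fragment for two common mistakes."""
import xml.etree.ElementTree as ET

# Constructed sample (not from any real deployment): TLS is off while a bind
# password is configured, and the base filter lacks its closing parenthesis.
SAMPLE_CONFIG = """<Directory>
  <BDILDAPServerType>OpenLDAP</BDILDAPServerType>
  <BDIPrimaryServerName>ldap.example.com</BDIPrimaryServerName>
  <BDIEnableTLS>False</BDIEnableTLS>
  <BDISearchBase1>ou=people,dc=example,dc=com</BDISearchBase1>
  <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson)</BDIBaseFilter>
  <BDIConnectionUsername>cn=jabber-reader,dc=example,dc=com</BDIConnectionUsername>
  <BDIConnectionPassword>example-password</BDIConnectionPassword>
</Directory>"""


def filter_is_balanced(ldap_filter):
    """Return True when every '(' in an LDAP search filter has a matching ')'.

    RFC 4515 filters escape literal parentheses inside values, so a plain
    depth count is sufficient to catch a truncated filter.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' before its '('
                return False
    return depth == 0


def lint_directory_config(xml_text):
    """Return a list of findings for a <Directory> fragment; [] means no issue found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A bare '&' in a filter is the usual cause; the file must use &amp;.
        return [f"not well-formed XML ({exc}); write & as &amp; in filters"]

    def get(key):
        return (root.findtext(key) or "").strip()

    findings = []
    base_filter = get("BDIBaseFilter")      # the parser has already turned &amp; into &
    if base_filter and not filter_is_balanced(base_filter):
        findings.append(f"BDIBaseFilter: unbalanced parentheses in {base_filter!r}")
    tls_on = get("BDIEnableTLS").lower() == "true"
    if get("BDIConnectionPassword") and not tls_on:
        findings.append("BDIConnectionPassword is set while BDIEnableTLS is False: "
                        "the simple bind sends the password in plain text")
    return findings
```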

                  Federation

                  Federation lets Cisco Jabber users communicate with users who are provisioned on different systems and who are using client applications other than Cisco Jabber.

                  Interdomain Federation

                  Interdomain federation enables Cisco Jabber users in an enterprise domain to share availability and send instant messages with users in another domain.

                  • Cisco Jabber users must manually enter contacts from another domain.
                  • Cisco Jabber supports federation with the following:
                    • Microsoft Office Communications Server
                    • Microsoft Lync
                    • IBM Sametime
                    • XMPP standard-based environments such as Google Talk
                    • AOL Instant Messenger

                  You configure interdomain federation for Cisco Jabber on Cisco Unified Presence or Cisco Unified Communications Manager IM and Presence. See the appropriate server documentation for more information.

                  Related Information
                  Integration Guide for Configuring Cisco Unified Presence Release 8.6 for Interdomain Federation
                  Interdomain Federation for IM and Presence Service on Cisco Unified Communications

                  Intradomain Federation

Intradomain federation enables users within the same domain to share availability and send instant messages between Cisco Unified Presence and Microsoft Office Communications Server, Microsoft Live Communications Server, or another presence server.

                  Intradomain federation allows you to migrate users to Cisco Unified Presence or Cisco Unified Communications IM and Presence from a different presence server. For this reason, you configure intradomain federation for Cisco Jabber on the presence server. See the following documents for more information:
                  • Cisco Unified Presence: Integration Guide for Configuring Partitioned Intradomain Federation for Cisco Unified Presence Release 8.6 and Microsoft LCS/OCS
                  • Cisco Unified Communications IM and Presence: Partitioned Intradomain Federation for IM and Presence Service on Cisco Unified Communications Manager

                  Configure Intradomain Federation

                  In addition to configuring intradomain federation on the presence server, you might need to specify some configuration settings in the Cisco Jabber configuration files.

                  To resolve contacts during contact search or retrieve contact information from your directory, Cisco Jabber requires the contact ID for each user. Cisco Unified Presence uses a specific format for resolving contact information that does not always match the format on other presence servers such as Microsoft Office Communications Server or Microsoft Live Communications Server.

                  Procedure
                    Step 1   Set the value of the BDIUseSIPURIToResolveContacts parameter to true.
                    Step 2   Specify an attribute that contains the contact ID that Cisco Jabber uses to retrieve contact information as the value of the BDISipUri parameter. The default value is msRTCSIP-PrimaryUserAddress.
                    Step 3   Specify any text that prefixes each contact ID as the value of the BDIUriPrefix parameter.

                    The prefix is any text that exists before the username in the contact ID.

For example, you specify msRTCSIP-PrimaryUserAddress as the value of BDISipUri. In your directory, the value of msRTCSIP-PrimaryUserAddress for each user has the format sip:username@domain. In this case, the text before the username is sip:, so you specify sip: as the value of BDIUriPrefix.


                    The following XML snippet provides an example of the resulting configuration:
                    <Directory>
                      <BDIUseSIPURIToResolveContacts>true</BDIUseSIPURIToResolveContacts>
                      <BDISipUri>non-default-attribute</BDISipUri>
                      <BDIUriPrefix>sip:</BDIUriPrefix>
                    </Directory>
                    Related References
                    Intradomain Federation Example

                    Intradomain Federation Example

                    This topic provides an example of intradomain federation contact resolution using the BDISipUri, BDIUseSIPURIToResolveContacts, and BDIUriPrefix parameters.

                    In this example, your configuration has the following settings:
                    • The value of the BDISipUri parameter is msRTCSIP-PrimaryUserAddress.
                    • The value of the BDIUseSIPURIToResolveContacts parameter is true.
                    • The value of the BDIUriPrefix parameter is sip:.
                    • The directory contains sip:msmith@domain.com as the value of the msRTCSIP-PrimaryUserAddress attribute for a user named Mary Smith.
Cisco Jabber connects to your directory to resolve contact information:
                    1. Your presence server passes msmith@domain.com to Cisco Jabber.
                    2. Cisco Jabber appends sip: to msmith@domain.com and then queries your directory.
                    3. sip:msmith@domain.com matches the value of the msRTCSIP-PrimaryUserAddress attribute.
                    4. Cisco Jabber retrieves contact information for Mary Smith.
Cisco Jabber users search for Mary Smith:

                    Cisco Jabber removes the prefix of sip: from sip:msmith@domain.com and gets the contact ID of msmith@domain.com.

                    Related Tasks
                    Configure Intradomain Federation