This chapter provides information about directories, which are specialized databases optimized for a high number of reads and searches and for occasional writes and updates. Directories typically store data that does not change often, such as employee information, user privileges on the corporate network, and so on.
Because directories are extensible, you can modify and extend
the type of information that is stored in them. The term directory schema
refers to the type of stored information and the rules that it obeys. Many
directories provide methods for extending the directory schema to accommodate
information types that different applications define. This capability enables
enterprises to use the directory as a central repository for user information.
The Lightweight Directory Access Protocol (LDAP) provides
applications with a standard method for accessing and potentially modifying the
information that is stored in the directory. This capability enables companies
to centralize all user information in a single repository that is available to
several applications with a reduction in maintenance costs through the ease of
adds, moves, and changes.
This chapter covers the main principles for synchronizing Cisco Unified Communications Manager with a corporate LDAP directory. The chapter also discusses the administrator choice not to synchronize with a corporate LDAP directory and the consequences of that configuration choice. The chapter also summarizes considerations for providing Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, with access to a corporate LDAP directory.
The following list summarizes the changes in directory functionality from previous releases of Cisco Unified Communications Manager:
Decoupling the directory component from Cisco Unified Communications Manager ensures high Cisco Unified Communications Manager availability independent of the corporate directory.
Cisco Unified Communications Manager and related applications store all application data in the local database instead of in an embedded directory. The embedded directory gets removed, and Cisco Unified Communications Manager supports synchronization with the customer directory.
If you want to do so, you can add users from your corporate directory to the Cisco Unified Communications Manager database by synchronizing the user data to the database. Cisco Unified Communications Manager allows synchronization from the following directories to the database:
Microsoft Active Directory 2000
Microsoft Active Directory 2003
Microsoft Active Directory 2008
Microsoft Active Directory Application Mode 2003
Microsoft Lightweight Directory Services 2008
iPlanet Directory Server 5.1
Sun ONE Directory Server 5.2
Sun ONE Directory Server 6.x
OpenLDAP 2.3.39
OpenLDAP 2.4
Note
Microsoft Active Directory Application Mode support is limited to
those directory topologies already supported with a native Active Directory
connection. No additional topologies, such as multi-forest, multi-tree single
forest, or global catalog are supported.
Cisco Unified Communications Manager supports the following types of synchronization:
Automatic synchronization, which synchronizes the data at regular intervals.
Manual synchronization, which allows forcing the synchronization.
Stop synchronization, which stops the current synchronization. If synchronization is in progress, check for agreement.
The general steps and guidelines for configuring LDAP directory information are as follows.
Procedure
Step 1: Activate the DirSync service to synchronize with the customer corporate LDAP directory. See the Cisco Unified Serviceability Administration Guide.
Step 2: Access the LDAP System Configuration window to configure LDAP system settings.
Step 3: If you want to use LDAP filters, access the LDAP Filter Configuration window to create LDAP filters.
Step 4: Access the LDAP Directory window to configure LDAP directory settings.
Step 5: Access the LDAP Authentication window to configure LDAP authentication settings.
After the LDAP user gets synchronized in Cisco Unified Communications Manager, you must manually create the user in Cisco Unity Connection Administration. To manually create the user, perform one of the following tasks:
Import the user into Cisco Unity Connection by configuring Cisco Unity Connection Administration, as described in the User Moves, Adds, and Changes Guide for Cisco Unity Connection.
Choose User Management > End User in Cisco Unified Communications Manager Administration and create the Cisco Unity Connection mailbox.
Cisco Unified Communications Manager and the corporate LDAP directory
In Cisco Unified Communications Manager Administration, you can access directory information about end users from the End User Configuration window (User Management > End User). If you do not enable LDAP synchronization, you use this window to add, update, and delete user information such as user ID, password, and device association. If you enable LDAP synchronization, you cannot add an end user, delete an end user, or change some existing user information, including user IDs, in the End User Configuration windows.
Applications and Services That Use the Database
The following Cisco Unified Communications Manager applications and services use the database for user and other types of information:
Cisco Unified Communications Manager CDR Analysis and Reporting
Cisco Unified Communications Manager Assistant
Cisco Customer Response Solutions (CRS)
Cisco Emergency Responder (CER)
Cisco Unified IP Phone Services
Personal Address Book (PAB)
FastDials
Cisco Web Dialer
Cisco IP Communicator
Directory access
The following definition applies throughout this chapter:
Directory access refers to the ability of Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, to access a corporate LDAP directory.
Figure 1. Directory Access for Cisco Unified Communications Endpoints
The previous figure illustrates directory access as it is defined in this chapter. In this example, a Cisco Unified IP Phone gets access. The client application performs a user search against an LDAP directory, such as the corporate directory of an enterprise, and receives several matching entries. The Cisco Unified IP Phone user can then select one entry and use it to dial the corresponding person from the Cisco Unified IP Phone.
Note
Directory access, as defined here, involves only read operations on
the directory and does not require that you make any directory schema
extensions or other configuration changes.
DirSync service
The Cisco Unity Connection directory comes from Cisco Unified Communications Manager; that is, components in Cisco Unity Connection synchronize directory updates from Cisco Unified Communications Manager to Cisco Unity Connection. If you enable LDAP synchronization and activate the DirSync service in Cisco Unified Serviceability, the DirSync service in Cisco Unified Communications Manager synchronizes corporate directory data for Cisco Unified Communications Manager and Cisco Unity Connection to the Cisco Unified Communications Manager database.
After you activate the DirSync service in Cisco Unified Serviceability, you configure LDAP-related information in the following windows in Cisco Unified Communications Manager Administration:
LDAP System Configuration (System > LDAP System)
Find and List LDAP Directories (System > LDAP > LDAP Directory)
DirSync allows you to synchronize the data from corporate directories to Cisco Unified Communications Manager. For information about which directories are supported for synchronization, see Configure LDAP directory.
Note
When you configure a user in the corporate directory, ensure that you
configure a last name for the user. After you configure LDAP synchronization in
Cisco Unified Communications Manager Administration, users without last names in
the corporate directory do not synchronize with the
Cisco Unified Communications Manager database. No error displays in
Cisco Unified Communications Manager Administration, but the log file indicates
which users did not synchronize.
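Because the skipped users surface only in the log file, an administrator can check an export of the corporate directory before running the synchronization. The following added example (written for this chapter, not part of DirSync or of Cisco's own tooling) reads a small constructed LDIF export and lists the person entries that carry no sn (last name) value; the sample entries and the choice to key on objectClass person are assumptions.

```python
import base64

# Constructed LDIF export: a folded dn line, a base64 (::) value, and one user without sn.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: person
givenName: Ada
sn: Smith

dn: uid=bnolast,ou=people,dc=example,dc=com
objectClass: person
givenName: Bo
sn:

dn: uid=cmueller,ou=people,
 dc=example,dc=com
objectClass: person
sn:: TcO8bGxlcg==
"""

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 (::) values,
    and returns one dict per entry mapping lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current.get("dn"):
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def users_missing_last_name(ldif_text: str) -> list:
    """DNs of person entries that DirSync would skip because they have no last name."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "person" in {v.lower() for v in e.get("objectclass", [])}
            and not any(v.strip() for v in e.get("sn", []))]
```

Run users_missing_last_name over a real export (for example from ldapsearch -LLL) and fix the listed entries in the corporate directory before the next synchronization.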
Note
A DirSync that is invoked for Microsoft Active Directory performs a
complete (total) synchronization of data.
DirSync allows the following options:
Automatic synchronization, which synchronizes the data at regular intervals.
Manual synchronization, which allows forcing the synchronization.
Stop synchronization, which stops the current synchronization. If synchronization is in progress, check for agreement.
Note
When directory synchronization is enabled,
Cisco Unified Communications Manager Administration cannot update any user
information that is synchronized from the customer corporate directory.
You can configure service parameters for the DirSync service. Choose System > Service Parameters in Cisco Unified Communications Manager Administration. In the window that displays, choose a server in the Server drop-down list box. Choose the Cisco DirSync service in the Service drop-down list box. The Service Parameter Configuration window allows configuration of the DirSync service parameters.
Note
For specific information on how to activate the DirSync service, see the Cisco Unified Serviceability Administration Guide.
Authentication
The authentication process verifies the identity of the user by validating the user ID and password/PIN before granting access to the system. Verification takes place against the Cisco Unified Communications Manager database or the LDAP corporate directory.
You can only configure LDAP authentication if you enable LDAP synchronization.
When both synchronization and LDAP authentication are enabled, the system always authenticates application users and end user PINs against the Cisco Unified Communications Manager database. End user passwords get authenticated against the corporate directory; thus, end users need to use their corporate directory password.
When only synchronization is enabled (and LDAP authentication is not enabled), end users get authenticated against the Cisco Unified Communications Manager database. In this case, the administrator can configure a password in the End User Configuration window in Cisco Unified Communications Manager Administration.
Use the Cisco Unified Communications Manager database
Two options exist for using directory information:
To use the Cisco Unified Communications Manager database for users, create users in the End User Configuration window to add them to the database (password, names, device association, and so forth). Authentication takes place against the information that is configured in Cisco Unified Communications Manager Administration. End users and administrators can make password changes if this method is used. This method does not entail LDAP synchronization.
The Cisco Unity Connection directory comes from Cisco Unified Communications Manager; that is, components in Cisco Unity Connection synchronize directory updates from Cisco Unified Communications Manager to Cisco Unity Connection.
To use the corporate LDAP directory, the following steps must take place:
For users to use their LDAP corporate directory passwords, you must configure LDAP authentication (System > LDAP > LDAP Authentication).
You cannot configure LDAP authentication unless you first configure LDAP synchronization. Doing so blocks further end user configuration in Cisco Unified Communications Manager Administration.
After the LDAP user synchronizes to Cisco Unified Communications Manager, you must manually create the user for Cisco Unity Connection.
Tip
Keep in mind that configuring authentication is optional. If authentication is not enabled, administrators and end users have two passwords, a corporate directory password and a Cisco Unified Communications Manager password.
Directory access for Cisco Unified Communications endpoints
The guidelines in this section apply regardless of whether Cisco Unified Communications Manager or other Cisco Unified Communications applications have been synchronized with a corporate directory. The end-user perception in both cases remains the same because the differences affect only how applications store their user information and how such information is kept consistent across the network.
The following sections summarize how to configure corporate directory access to any LDAPv3-compliant directory server for XML-capable phones such as Cisco Unified IP Phones 7940, 7960, and so on.
Note
Cisco IP Softphone, Release 1.2 and later, includes a built-in mechanism to
access and search LDAP directories, as does the
Cisco IP Communicator. See the product documentation for details on how to
configure this feature.
Directory Access for Cisco Unified IP Phones
XML-capable
Cisco Unified IP Phones, such as 7940 and 7960, can search a corporate LDAP directory
when a user presses the Directories button on the phone. The IP phones use
HyperText Transfer Protocol (HTTP) to send requests to a web server. The
responses from the web server must contain some specific Extensible Markup
Language (XML) objects that the phone can interpret and display. In the case of
a corporate directory search, the web server operates as a proxy by receiving
the request from the phone and translating it into an LDAP request, which is in
turn sent to the corporate directory server. After the response is encapsulated
in the appropriate XML objects, the response gets interpreted and sent back to
the phone.
Figure 2. Message Exchange for Cisco Unified IP Phone Corporate Directory Access Without Directory Synchronization
This figure illustrates a deployment where Cisco Unified Communications Manager has not been synchronized with the corporate directory. In this scenario, the message exchange does not involve Cisco Unified Communications Manager.
You can configure the proxy function that the web server provides by using the Cisco Unified IP Phone Services Software Development Kit (SDK) version 2.0 or later, which includes the Cisco LDAP Search Component Object Model (COM) server.
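The proxy step described above, as an added Python example that is not code from the SDK or from this guide: the search fields the phone sends over HTTP are escaped per RFC 4515 before they are placed in the LDAP filter, so user text is only ever data in the request to the corporate directory, and the matching entries are then encapsulated in XML for the phone. The f and l query parameter names, the CiscoIPPhoneDirectory and DirectoryEntry element names, and the ldap_search callable (a stand-in for the connection to the directory server) are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, Mapping

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape phone-supplied text so it is treated as data, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(first_name: str = "", last_name: str = "") -> str:
    """Translate the phone's search fields into a prefix-match LDAP filter."""
    clauses = ["(objectClass=person)"]
    if first_name:
        clauses.append(f"(givenName={escape_filter_value(first_name)}*)")
    if last_name:
        clauses.append(f"(sn={escape_filter_value(last_name)}*)")
    return "(&" + "".join(clauses) + ")"

def entries_to_phone_xml(entries: Iterable[Mapping[str, str]]) -> str:
    """Encapsulate the LDAP results in the XML objects the phone displays.
    ElementTree escapes <, > and & so directory values cannot break the markup."""
    root = ET.Element("CiscoIPPhoneDirectory")  # element names are assumed
    for e in entries:
        entry = ET.SubElement(root, "DirectoryEntry")
        name = f"{e.get('givenName', '')} {e.get('sn', '')}".strip()
        ET.SubElement(entry, "Name").text = name
        ET.SubElement(entry, "Telephone").text = e.get("telephoneNumber", "")
    return ET.tostring(root, encoding="unicode")

def proxy_search(params: Mapping[str, str],
                 ldap_search: Callable[[str], Iterable[Mapping[str, str]]]) -> str:
    """Proxy step: HTTP query parameters -> LDAP filter -> XML for the phone.
    ldap_search stands in for the connection to the corporate directory server."""
    ldap_filter = build_search_filter(params.get("f", ""), params.get("l", ""))
    return entries_to_phone_xml(ldap_search(ldap_filter))

if __name__ == "__main__":
    # Constructed sample entries in place of a live LDAP server.
    sample = [{"givenName": "Ada", "sn": "Smith", "telephoneNumber": "2001"},
              {"givenName": "Al", "sn": "Smith & Co", "telephoneNumber": "2002"}]

    def fake_ldap_search(ldap_filter):
        print("filter sent to the directory:", ldap_filter)
        return sample

    print(proxy_search({"l": "Smith (Sales)"}, fake_ldap_search))
```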
In addition, directory access for Cisco Unified IP Phones includes the following characteristics:
The system supports all LDAPv3-compliant directories.
Cisco Unified Communications Manager user preferences (speed dials, call forward all, personal address book) do not get synchronized with the corporate LDAP directory. Therefore, users have a separate login and password to access the Cisco Unified CM User Options window.