The Lightweight Directory Access Protocol (LDAP) provides applications like Cisco Unity Connection with a standard method for accessing user information that is stored in the corporate directory. Companies that centralize all user information in a single repository that is available to multiple applications can reduce maintenance costs by eliminating redundant adds, moves, and changes.
Integrating Unity Connection with an LDAP directory provides several benefits:
Unity Connection uses standard LDAPv3 for accessing data in an LDAP directory. For a list of the LDAP directories that are supported by Unity Connection for synchronization, see the “Requirements for an LDAP Directory Integration” section in the System Requirements for Cisco Unity Connection Release 10.x, at http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/requirements/10xcucsysreqs.html#pgfId-593033.
This chapter covers the main design issues of integrating Cisco Unity Connection 10.x with a corporate LDAP directory. See the following sections:
LDAP synchronization uses an internal tool called Cisco Directory Synchronization (DirSync) to synchronize a small subset of Cisco Unity Connection user data (first name, last name, alias, phone number, and so on) with the corresponding data in the corporate LDAP directory. To synchronize user data in the Unity Connection database with user data in the corporate LDAP directory, do the following tasks:
1. Configure LDAP synchronization, which defines the relationship between data in Unity Connection and data in the LDAP directory. See the “Configuring LDAP Synchronization” section.
2. Create new Unity Connection users by importing data from the LDAP directory and/or linking data on existing Unity Connection users with data in the LDAP directory. See the “Creating Cisco Unity Connection Users” section.
For additional control over which LDAP users are imported into Unity Connection, you can create one or more LDAP filters before you create Unity Connection users. See the “Filtering LDAP Users” section.
When you configure LDAP directory synchronization, you can create up to 20 LDAP directory configurations for each Cisco Unity Connection server or cluster. Each LDAP directory configuration can support only one domain or one organizational unit (OU); if you want to import users from five domains or OUs, you must create five LDAP directory configurations.
A Unity Connection networking site also supports up to 20 LDAP directory configurations for each Unity Connection server or cluster joined to the site. For example, if you have a site with ten servers, you can import users from up to 200 domains.
In each LDAP directory configuration, you specify:
Note The user search bases that are specified in the LDAP directory configurations on a Unity Connection server must include no more than a total of 120,000 LDAP users. Importing large numbers of LDAP users who will not become Unity Connection users reduces the amount of disk space available for messages, slows database performance, and causes upgrades to take longer.
If you are using an LDAP directory other than Microsoft Active Directory, and if you create a Unity Connection LDAP directory configuration that specifies the root of the directory as the user search base, Unity Connection will import data for every user in the directory. If the root of the directory contains subtrees that you do not want Unity Connection to access (for example, a subtree for service accounts), you should do one of the following:
– Create two or more Unity Connection LDAP directory configurations, and specify search bases that omit the users that you do not want Unity Connection to access.
– Create one or more LDAP search filters. For more information, see the “Filtering LDAP Users in Cisco Unity Connection 10.x” section in the “LDAP” chapter of the System Administration Guide for Cisco Unity Connection Release 10.x, at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag120.html. For directories other than Active Directory, you should specify user search bases that include the smallest possible number of users to speed synchronization, even when that means creating multiple configurations.
If you are using Active Directory and if a domain has child domains, you must create a separate configuration to access each child domain; Unity Connection does not follow Active Directory referrals during synchronization. The same is true for an Active Directory forest that contains multiple trees—you must create at least one configuration to access each tree. In this configuration, you must map the UserPrincipalName (UPN) attribute to the Unity Connection Alias field; the UPN is guaranteed by Active Directory to be unique across the forest. For additional considerations on the use of the UPN attribute in a multi-tree AD scenario, see the “Additional Considerations for Authentication and Microsoft Active Directory” section.
If you are using intrasite or intersite networking to network two or more Unity Connection servers that are each integrated with an LDAP directory, do not specify a user search base on one Unity Connection server that overlaps a user search base on another Unity Connection server, or you will have user accounts and mailboxes for the same Unity Connection user on more than one Unity Connection server.
Note You can eliminate the potential for duplicate users by creating LDAP filters on one or more Unity Connection servers. See the “Filtering LDAP Users” section in the “LDAP” chapter of the System Administration Guide for Cisco Unity Connection Release 10.x, at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag120.html.
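The overlap rule above (no user search base on one networked server may overlap a base on another, or the same user gets a mailbox on both servers) and the limit of 20 configurations per server can be checked before the configurations are created. The following is an added example, not Cisco's code; the server names and DNs are constructed, and a base is treated as overlapping another when one DN equals or is an ancestor of the other.

```python
"""Check a planned set of Unity Connection LDAP directory configurations.

Added example, not Cisco's code. Server names and DNs are constructed. Two
search bases overlap when one equals the other or is its ancestor, because
every user under the narrower base is also under the wider one and would be
imported by both servers. For Active Directory a parent-domain base does not
reach child-domain users (referrals are not followed), so a hit between a
parent and a child domain is something to review rather than a certain duplicate.
"""
from itertools import combinations

MAX_CONFIGS_PER_SERVER = 20  # limit stated in the design guide


def normalize_dn(dn):
    """Split a DN into lower-cased RDN components, leaf first, root last.

    'OU=Sales, DC=vse, DC=lab' -> ['ou=sales', 'dc=vse', 'dc=lab']
    """
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def bases_overlap(base_a, base_b):
    """True if one base equals the other or is an ancestor of it."""
    a, b = normalize_dn(base_a), normalize_dn(base_b)
    shorter, longer = sorted((a, b), key=len)
    # An ancestor DN is exactly the trailing RDNs of its descendant.
    return longer[len(longer) - len(shorter):] == shorter


def check_configs(configs):
    """configs: {server_name: [search_base, ...]}. Returns a list of findings."""
    findings = []
    for server, bases in configs.items():
        if len(bases) > MAX_CONFIGS_PER_SERVER:
            findings.append(f"{server}: {len(bases)} configurations exceed "
                            f"the limit of {MAX_CONFIGS_PER_SERVER}")
    # Cross-server comparison: an overlap means one user on two servers.
    for (srv_a, bases_a), (srv_b, bases_b) in combinations(configs.items(), 2):
        for base_a in bases_a:
            for base_b in bases_b:
                if bases_overlap(base_a, base_b):
                    findings.append(f"{srv_a} '{base_a}' overlaps {srv_b} '{base_b}'")
    return findings


# Constructed deployment: three networked servers, one with a domain-wide base.
PLANNED = {
    "cuc-east": ["ou=Sales,dc=vse,dc=lab", "ou=Support,dc=vse,dc=lab"],
    "cuc-west": ["dc=vse,dc=lab"],              # whole domain: covers both cuc-east bases
    "cuc-emea": ["ou=Users,dc=avvid,dc=info"],  # separate tree: no overlap
}

if __name__ == "__main__":
    for finding in check_configs(PLANNED):
        print(finding)
```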
If you create more than one configuration, you should create one administrator account for each configuration and give that account permission to read all user objects only within the corresponding subtree. When creating the configuration, you enter the full distinguished name for the administrator account; therefore the account can reside anywhere in the LDAP directory tree.
Note Not all LDAP directories support specifying additional LDAP directory servers to act as backup in case the LDAP directory server that Unity Connection accesses for synchronization becomes unavailable. For information on whether your LDAP directory supports specifying multiple directory servers, see the “Requirements for an LDAP Directory Integration” section in the System Requirements for Cisco Unity Connection Release 10.x, at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/10x/requirements/10xcucsysreqs.html.
– Confirm that every user that you want to import from the LDAP directory into Unity Connection has a unique value for that attribute.
– If there are already users in the Unity Connection database, confirm that none of the users that you want to import from the directory has a value in that attribute that matches the value in the Alias field for an existing Unity Connection user.
Note that for every user that you want to import from the LDAP directory into Unity Connection, the LDAP sn attribute must have a value. Any LDAP user for whom the value of the sn attribute is blank will not be imported into the Unity Connection database.
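The three conditions just listed (unique value in the attribute mapped to Alias, no collision with an existing Unity Connection alias, non-blank sn) can be verified against the LDAP search results before the import is run. The following is an added example, not Cisco's code; the LDAP entries and the existing aliases are constructed, and aliases are compared case-insensitively as a conservative assumption rather than a documented Unity Connection rule.

```python
"""Pre-import checks for LDAP users that are about to become Unity Connection users.

Added example, not Cisco's code. The entries below are constructed; in practice
they would come from an LDAP search over the configured user search base. Three
conditions from the text are checked: the attribute mapped to Alias is unique
across the import, it does not collide with an existing Unity Connection alias,
and sn is not blank. Aliases are compared case-insensitively here (a conservative
assumption, not a documented Unity Connection rule).
"""
from collections import Counter


def validate_ldap_users(entries, alias_attr, existing_aliases):
    """Return {problem: [dn, ...]}; an empty dict means the set is importable.

    entries: list of {attribute: value} dicts as an LDAP search would return them.
    alias_attr: the LDAP attribute mapped to the Unity Connection Alias field.
    existing_aliases: aliases already present in the Unity Connection database.
    """
    existing = {a.lower() for a in existing_aliases}
    alias_counts = Counter((e.get(alias_attr) or "").lower() for e in entries)
    problems = {"missing_alias": [], "duplicate_alias": [],
                "alias_collision": [], "blank_sn": []}
    for entry in entries:
        dn = entry["dn"]
        alias = (entry.get(alias_attr) or "").lower()
        if not alias:
            problems["missing_alias"].append(dn)     # nothing to map to Alias
        elif alias_counts[alias] > 1:
            problems["duplicate_alias"].append(dn)   # not unique within the import
        elif alias in existing:
            problems["alias_collision"].append(dn)   # clashes with an existing user
        if not (entry.get("sn") or "").strip():
            problems["blank_sn"].append(dn)          # DirSync does not import blank sn
    return {k: v for k, v in problems.items() if v}


# Constructed sample of what a search under the user search base might return.
LDAP_ENTRIES = [
    {"dn": "cn=jsmith,ou=Users,dc=vse,dc=lab", "sAMAccountName": "jsmith", "sn": "Smith"},
    {"dn": "cn=jdoe,ou=Users,dc=vse,dc=lab", "sAMAccountName": "jdoe", "sn": "Doe"},
    {"dn": "cn=jdoe2,ou=Contractors,dc=vse,dc=lab", "sAMAccountName": "JDoe", "sn": "Doe"},
    {"dn": "cn=svc-backup,ou=Users,dc=vse,dc=lab", "sAMAccountName": "svc-backup", "sn": ""},
    {"dn": "cn=operator,ou=Users,dc=vse,dc=lab", "sAMAccountName": "operator", "sn": "Ops"},
]
EXISTING_UC_ALIASES = ["operator", "helpdesk"]  # constructed: existing standalone users

if __name__ == "__main__":
    report = validate_ldap_users(LDAP_ENTRIES, "sAMAccountName", EXISTING_UC_ALIASES)
    for problem, dns in report.items():
        print(problem, dns)
```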
To protect the integrity of data in the LDAP directory, you cannot use Unity Connection tools to change any of the values that you import. Unity Connection-specific user data (for example, greetings, notification devices, conversation preferences) is managed by Unity Connection and stored only in the local Unity Connection database.
Note that no passwords or PINs are copied from the LDAP directory to the Unity Connection database. If you want Unity Connection users to authenticate against the LDAP directory, see the “LDAP Authentication” section.
When clustering (active/active high availability) is configured, all user data, including data imported from the LDAP directory, is automatically replicated from the Unity Connection publisher server to the subscriber server. In this configuration, the Cisco DirSync service runs only on the publisher server.
Note Values in the Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection synchronizes data with the LDAP directory.
On a Cisco Unity Connection system that is integrated with an LDAP directory, you can create Unity Connection users by importing data from the LDAP directory, converting existing Unity Connection users to synchronize with the LDAP directory, or both. Note the following:
You may want additional control over which LDAP users you import into Cisco Unity Connection for a variety of reasons. For example:
– If organizational units are set up according to an organizational hierarchy but users are mapped to Unity Connection by geographical location, there might be little overlap between the two.
– If all users in the directory are in one tree or domain but you want to install more than one Unity Connection server, you need to do something to prevent users from having mailboxes on more than one Unity Connection server.
In these cases, you may want to create filters to provide additional control over user search bases. Note the following:
1. Deactivate and reactivate the Cisco DirSync service. In Cisco Unified Serviceability, select Tools > Service Activation. Uncheck the check box next to Cisco DirSync, and select Save to deactivate the service. Then check the check box next to Cisco DirSync, and select Save to reactivate the service.
2. In Unity Connection Administration, in the LDAP directory configuration that accesses the filter, perform a full synchronization (select Perform Full Sync Now).
A Unity Connection deployment using a multi-forest LDAP infrastructure can be supported using Active Directory Lightweight Directory Services (AD LDS) as a single forest view integrating with the multiple disparate forests. The integration also requires the use of LDAP filtering. For more information, refer to the document on “How to Configure Unified Communications Manager Integration Directory Integration in a Multi-Forest Environment” available at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example019186a0080b2b103.html.
Some companies want the convenience of single sign-on credentials for their applications. To authenticate sign-ins to Unity Connection web applications against user credentials in an LDAP directory, you must synchronize Unity Connection user data with user data in the LDAP directory as described in the “LDAP Synchronization” section.
Only passwords for Unity Connection web applications (Cisco Unity Connection Administration for administration, Cisco Personal Communications Assistant for end users), and for IMAP email applications that are used to access Unity Connection voice messages, are authenticated against the corporate directory. You manage these passwords using the administration application for the LDAP directory. When authentication is enabled, the password field is no longer displayed in Cisco Unity Connection Administration.
For telephone user interface or voice user interface access to Unity Connection voice messages, numeric passwords (PINs) are still authenticated against the Unity Connection database. You manage these passwords in Unity Connection Administration; users manage PINs using the phone interface or the Messaging Assistant web tool.
The LDAP directories that are supported for LDAP authentication are the same as those supported for synchronization. See the “Requirements for an LDAP Directory Integration” section in the System Requirements for Cisco Unity Connection Release 10.x, at http://www.cisco.com/en/US/docs/voice_ip_comm/connection/10x/requirements/10xcucsysreqs.html.
See the following sections for additional details:
Configuring LDAP authentication is much simpler than configuring synchronization. You specify only the following:
When LDAP synchronization and authentication are configured in Cisco Unity Connection, authenticating the alias and password of a user against the corporate LDAP directory works as follows:
1. A user connects to the Cisco Personal Communications Assistant (PCA) via HTTPS and attempts to authenticate with an alias (for example, jsmith) and password.
2. Unity Connection issues an LDAP query for the alias jsmith. For the scope for the query, Unity Connection uses the LDAP search base that you specified when you configured LDAP synchronization in Cisco Unity Connection Administration. If you chose the SSL option, the information that is transmitted to the LDAP server is encrypted.
3. The corporate directory server replies with the full Distinguished Name (DN) of user jsmith, for example, “cn=jsmith, ou=Users, dc=vse, dc=lab”.
4. Unity Connection attempts an LDAP bind using this full DN and the password provided by the user.
5. If the LDAP bind is successful, Unity Connection allows the user to proceed to the Cisco PCA.
If all of the LDAP servers that are identified in a Unity Connection LDAP directory configuration are unavailable, authentication for Unity Connection web applications fails, and users are not allowed to access the applications. However, authentication for the phone and voice user interfaces will continue to work, because these PINs are authenticated against the Unity Connection database.
When the LDAP user account for a Unity Connection user is disabled or deleted, or if an LDAP directory configuration is deleted from the Unity Connection system, the following occurs:
1. Initially, when Unity Connection users try to sign in to a Unity Connection web application, LDAP authentication fails because Unity Connection is still trying to authenticate against the LDAP directory.
If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to sign in to Unity Connection web applications.
2. At the first scheduled synchronization, users are marked as “LDAP inactive” in Unity Connection.
Attempts to sign in to Unity Connection web applications continue to fail.
3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as “LDAP inactive,” all Unity Connection users whose accounts were associated with LDAP accounts are converted to Unity Connection standalone users.
For each Unity Connection user, the password for Unity Connection web applications and for IMAP email access to Unity Connection voice messages becomes the password that was stored in the Unity Connection database when the user account was created. (This is usually the password in the user template that was used to create the user.) Unity Connection users do not know this password, so an administrator must reset it.
The numeric password (PIN) for the telephone user interface and the voice user interface remains unchanged.
Note the following regarding Unity Connection users whose LDAP user accounts were disabled or deleted, or who were synchronized via an LDAP directory configuration that was deleted from Unity Connection:
Note LDAP phone numbers are converted to Unity Connection extensions only once, when you first synchronize Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection synchronizes data with the LDAP directory.
When you enable LDAP authentication with Active Directory, you should configure Unity Connection to query an Active Directory global catalog server for faster response times. To enable queries against a global catalog server, in Unity Connection Administration, specify the IP address or host name of a global catalog server. For the LDAP port, specify either 3268 if you are not using SSL to encrypt data that is transmitted between the LDAP server and the Unity Connection server, or 3269 if you are using SSL.
Using a global catalog server for authentication is even more efficient if the users that are synchronized from Active Directory belong to multiple domains, because Unity Connection can authenticate users immediately without having to follow referrals. For these cases, configure Unity Connection to access a global catalog server, and set the LDAP user search base to the top of the root domain.
A single LDAP user search base cannot include multiple namespaces, so when an Active Directory forest includes multiple trees, Unity Connection must use a different mechanism to authenticate users. In this configuration, you must map the LDAP userPrincipalName (UPN) attribute to the Unity Connection Alias field. Values in the UPN attribute, which look like email addresses (username@companyname.com), must be unique in the forest.
Note When an Active Directory forest contains multiple trees, the UPN suffix (the part of the email address after the @ symbol) for each user must correspond to the root domain of the tree where the user resides. If the UPN suffix does not match the namespace of the tree, Unity Connection users cannot authenticate against the entire Active Directory forest. However, you can map a different LDAP attribute to the Unity Connection Alias field and limit the LDAP integration to a single tree within the forest.
For example, suppose an Active Directory forest contains two trees, avvid.info and vse.lab. Suppose also that each tree includes a user whose samAccountName is jdoe. Unity Connection authenticates a sign-in attempt for jdoe in the avvid.info tree as follows:
1. The user jdoe connects to the Cisco Personal Communications Assistant (PCA) via HTTPS and enters a UPN (jdoe@avvid.info) and password.
2. Unity Connection performs an LDAP query against an Active Directory global catalog server using the UPN. The LDAP search base is derived from the UPN suffix. In this case, the alias is jdoe and the LDAP search base is “dc=avvid, dc=info.”
3. Active Directory finds the Distinguished Name corresponding to the alias in the tree that is specified by the LDAP query, in this case, “cn=jdoe, ou=Users, dc=avvid, dc=info.”
4. Active Directory responds via LDAP to Unity Connection with the full Distinguished Name for this user.
5. Unity Connection attempts an LDAP bind using the Distinguished Name and the password initially entered by the user.
6. If the LDAP bind is successful, Unity Connection allows the user to proceed to the Cisco PCA.
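Both sign-in sequences described in this chapter, the alias flow against the search base fixed by LDAP synchronization and the UPN flow above in which the search base is derived from the UPN suffix, follow the same search-then-bind pattern. The following added example, not Cisco's code, simulates that pattern against an in-memory stand-in for a global catalog with the two trees from the example (avvid.info and vse.lab, each holding a jdoe); the entries, passwords and the hashing used for the simulated credential store are constructed.

```python
"""Search-then-bind authentication as described for Unity Connection, simulated.

Added example, not Cisco's code. FOREST stands in for an Active Directory global
catalog with two trees, each holding a user whose sAMAccountName is jdoe; the
entries and passwords are constructed. Shown: alias sign-in with a fixed search
base, and UPN sign-in where the suffix selects the tree to search.
"""
import hashlib


def _h(secret):
    # Stand-in for the directory's credential store; the real bind is done by the DC.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed forest: search base -> entries. Both trees hold a user 'jdoe'.
FOREST = {
    "dc=avvid,dc=info": [
        {"dn": "cn=jdoe,ou=Users,dc=avvid,dc=info", "sAMAccountName": "jdoe",
         "userPrincipalName": "jdoe@avvid.info", "pw": _h("Avvid-pass-1")},
    ],
    "dc=vse,dc=lab": [
        {"dn": "cn=jdoe,ou=Users,dc=vse,dc=lab", "sAMAccountName": "jdoe",
         "userPrincipalName": "jdoe@vse.lab", "pw": _h("Vse-pass-2")},
        {"dn": "cn=jsmith,ou=Users,dc=vse,dc=lab", "sAMAccountName": "jsmith",
         "userPrincipalName": "jsmith@vse.lab", "pw": _h("Smith-pass-3")},
    ],
}


def search_dn(search_base, alias):
    """Steps 2-3: look the alias up within one search base; return its DN or None."""
    matches = [e["dn"] for e in FOREST.get(search_base, []) if e["sAMAccountName"] == alias]
    return matches[0] if len(matches) == 1 else None   # absent or ambiguous -> no DN


def bind(dn, password):
    """Step 4: simple bind; succeeds only if the DN exists and the password matches."""
    for entries in FOREST.values():
        for e in entries:
            if e["dn"] == dn:
                return e["pw"] == _h(password)
    return False


def upn_to_search_base(upn):
    """jdoe@avvid.info -> ('jdoe', 'dc=avvid,dc=info'); (None, None) if malformed."""
    alias, _, suffix = upn.partition("@")
    if not alias or not suffix:
        return None, None
    return alias, ",".join(f"dc={label}" for label in suffix.lower().split("."))


def authenticate_alias(alias, password, search_base):
    """Alias sign-in: search_base is the one set in the LDAP synchronization configuration."""
    dn = search_dn(search_base, alias)
    return dn is not None and bind(dn, password)


def authenticate_upn(upn, password):
    """UPN sign-in for a multi-tree forest: the UPN suffix selects the tree searched."""
    alias, search_base = upn_to_search_base(upn)
    if alias is None:
        return False
    dn = search_dn(search_base, alias)   # None when the suffix names no tree in the forest
    return dn is not None and bind(dn, password)
```

A UPN whose suffix does not match a tree's namespace (jdoe@example.com in this simulation) yields no DN and therefore no bind, which is the failure the Note above describes.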
An alternative to integrating Unity Connection with an LDAP directory is to create users by importing data from Cisco Unified Communications Manager as described in the “Importing Users from Cisco Unified Communications Manager 5.x and Later” section of the “Users” chapter of the System Administration Guide for Cisco Unity Connection, Release 10.x, available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag040.html.
Note that when you add users to the LDAP directory, you still need to manually import them into Unity Connection; automatic synchronization only updates the Unity Connection database with new data for existing users, not new data for new users.