This chapter provides information about directories, which are specialized databases that are optimized for a high number of reads and searches and for occasional writes and updates. Directories typically store data that does not change often, such as employee information, user privileges on the corporate network, and so on.
Because directories are extensible, you can modify and extend the type of information that is stored in them. The term directory schema refers to the type of stored information and the rules that it obeys. Many directories provide methods for extending the directory schema to accommodate information types that different applications define. This capability enables enterprises to use the directory as a central repository for user information.
The Lightweight Directory Access Protocol (LDAP) provides applications with a standard method for accessing and potentially modifying the information that is stored in the directory. This capability enables companies to centralize all user information in a single repository that is available to several applications with a reduction in maintenance costs through the ease of adds, moves, and changes.
This chapter covers the main principles for synchronizing Cisco Unified Communications Manager with a corporate LDAP directory. The chapter also discusses the administrator choice not to synchronize with a corporate LDAP directory and the consequences of that choice of configuration. The chapter also summarizes considerations for providing Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, with access to a corporate LDAP directory.
The following list summarizes the changes in directory functionality from previous releases of Cisco Unified Communications Manager:
Decoupling the directory component from Cisco Unified Communications Manager ensures high Cisco Unified Communications Manager availability independent of the corporate directory.
Cisco Unified Communications Manager and related applications store all application data in the local database instead of in an embedded directory. The embedded directory gets removed, and Cisco Unified Communications Manager supports synchronization with the customer directory.
Optionally, you can add users from your corporate directory to the Cisco Unified Communications Manager database by synchronizing the user data to the database. Cisco Unified Communications Manager allows synchronization from the following directories to the database:
Note: Microsoft Active Directory Application Mode support is limited to those directory topologies already supported with a native Active Directory connection. No additional topologies, such as multi-forest, multi-tree single forest, or global catalog, are supported.
Cisco Unified Communications Manager supports the following types of synchronization:
The general steps and guidelines for configuring LDAP directory information are as follows.
In Cisco Unified Communications Manager Administration, you can access directory information about end users from the End User Configuration window ( ).
The following Cisco Unified Communications Manager applications and services use the database for user and other types of information:
Cisco Unified Communications Manager Auto-Register Phone Tool
AXL
Cisco Unified Communications Self Care Portal
Cisco Conference Connection
CTIManager
Cisco Unified Communications Manager CDR Analysis and Reporting
Cisco Customer Response Solutions (CRS)
Cisco Emergency Responder (CER)
Personal Address Book (PAB)
FastDials
The following definition applies throughout this chapter:
Directory access refers to the ability of Cisco Unified Communications endpoints, such as Cisco Unified IP Phones and Cisco IP Softphone, to access a corporate LDAP directory.
The previous figure illustrates directory access as it is defined in this chapter. In this example, a Cisco Unified IP Phone gets access. The client application performs a user search against an LDAP directory, such as the corporate directory of an enterprise, and receives several matching entries. The Cisco Unified IP Phone user can then select one entry and use it to dial the corresponding person from the Cisco Unified IP Phone.
Note: Directory access, as defined here, involves only read operations on the directory and does not require that you make any directory schema extensions or other configuration changes.
The Cisco Unity Connection directory comes from Cisco Unified Communications Manager; that is, components in Cisco Unity Connection synchronize directory updates from Cisco Unified Communications Manager to Cisco Unity Connection. If you enable LDAP synchronization and activate the DirSync service in Cisco Unified Serviceability, the DirSync service in Cisco Unified Communications Manager synchronizes corporate directory data for Cisco Unified Communications Manager and Cisco Unity Connection to the Cisco Unified Communications Manager database.
After you activate the DirSync service in Cisco Unified Serviceability, you configure LDAP related information in the following windows in Cisco Unified Communications Manager Administration:
DirSync allows you to synchronize the data from corporate directories to Cisco Unified Communications Manager. For information about which directories are supported for synchronization, see the Configure LDAP Directory.
Note: A DirSync that is invoked for Microsoft Active Directory performs a complete (total) synchronization of data.
DirSync allows the following options:
Automatic synchronization, which synchronizes the data at regular intervals.
Manual synchronization, which allows forcing the synchronization.
Stop synchronization, which stops the current synchronization. If synchronization is in progress, check for agreement.
Note: When directory synchronization is enabled, Cisco Unified Communications Manager Administration cannot update any user information that is synchronized from the customer corporate directory.
You can configure service parameters for the DirSync service. Choose in Cisco Unified Communications Manager Administration. In the window that displays, choose a server in the Server drop-down list box. Choose the Cisco DirSync service in the Service drop-down list box. The Service Parameter Configuration window allows configuration of the DirSync service parameters.
Note: For specific information on how to activate the DirSync service, see the Cisco Unified Serviceability Administration Guide.
The authentication process verifies the identity of the user by validating the user ID and password/PIN before granting access to the system. Verification takes place against the Cisco Unified Communications Manager database or the LDAP corporate directory.
You can only configure LDAP authentication if you enable LDAP synchronization.
When both synchronization and LDAP authentication are enabled, the system always authenticates application users and end user PINs against the Cisco Unified Communications Manager database. End user passwords for LDAP synchronized users get authenticated against the corporate directory; thus, LDAP synchronized end users need to use their corporate directory password. Local end users get authenticated against the Cisco Unified Communications Manager database.
When only synchronization is enabled (and LDAP authentication is not enabled), end users get authenticated against the Cisco Unified Communications Manager database. In this case, the administrator can configure a password in the End User Configuration window in Cisco Unified Communications Manager Administration.
Two options exist for using directory information:
To use the Cisco Unified Communications Manager database for users, create users in the End User Configuration window to add to the database (password, names, device association, and so forth). Authentication takes place against the information that is configured in Cisco Unified Communications Manager Administration. End users and administrators can make password changes if this method is used. This method does not entail LDAP synchronization.
The Cisco Unity Connection directory comes from Cisco Unified Communications Manager; that is, components in Cisco Unity Connection synchronize directory updates from Cisco Unified Communications Manager to Cisco Unity Connection.
To use the Corporate LDAP directory, the following steps must take place:
For users to use their LDAP corporate directory passwords, you must configure LDAP authentication. You cannot configure LDAP authentication unless you first configure LDAP synchronization. Once synchronization is configured, synchronized end user information can no longer be edited in Cisco Unified Communications Manager Administration.
After the LDAP user synchronizes to Cisco Unified Communications Manager, you must manually create the user for Cisco Unity Connection.
The guidelines in this section apply regardless of whether Cisco Unified Communications Manager or other Cisco Unified Communications applications have been synchronized with a corporate directory. The end-user perception in both cases remains the same because the differences affect only how applications store their user information and how such information is kept consistent across the network.
The following sections summarize how to configure corporate directory access to any LDAPv3-compliant directory server for XML-capable phones such as Cisco Unified IP Phones 7940, 7960, and so on.
XML-capable Cisco Unified IP Phones, such as 7940 and 7960, can search a corporate LDAP directory when a user presses the Directories button on the phone. The IP phones use HyperText Transfer Protocol (HTTP) to send requests to a web server. The responses from the web server must contain some specific Extensible Markup Language (XML) objects that the phone can interpret and display. In the case of a corporate directory search, the web server operates as a proxy by receiving the request from the phone and translating it into an LDAP request, which is in turn sent to the corporate directory server. After the response is encapsulated in the appropriate XML objects, the response gets interpreted and sent back to the phone.
You can implement the proxy function that the web server provides by using the Cisco Unified IP Phone Services Software Development Kit (SDK) version 2.0 or later, which includes the Cisco LDAP Search Component Object Model (COM) server.
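As an added illustration (not code from this guide or from the Cisco SDK), the following Python sketch shows the proxy translation described above: the search parameters typed on the phone become an LDAP filter whose values are escaped per RFC 4515, and the directory results are wrapped in a CiscoIPPhoneDirectory XML object for the phone to display. The query parameter names, the givenName/sn/cn/telephoneNumber attributes and the 32-entry page size are assumptions, and the LDAP search itself is replaced by a constructed result list so the example runs offline.

```python
import xml.etree.ElementTree as ET

# RFC 4515 escapes for values placed inside an LDAP search filter, so that
# characters a phone user types (such as "(" or "*") stay literal data and
# cannot change the structure of the filter the proxy sends to the directory.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(first_name: str, last_name: str) -> str:
    """Build the LDAP filter for a phone directory search.
    givenName/sn are assumed (standard inetOrgPerson attributes); the trailing
    wildcard is added by the proxy, never taken from the phone's input."""
    clauses = []
    if first_name:
        clauses.append(f"(givenName={escape_filter_value(first_name)}*)")
    if last_name:
        clauses.append(f"(sn={escape_filter_value(last_name)}*)")
    if not clauses:
        # Refuse an unbounded search rather than returning the whole directory.
        raise ValueError("at least one search criterion is required")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def render_directory(entries, title="Corporate Directory", page_size=32):
    """Wrap (cn, telephoneNumber) pairs in a CiscoIPPhoneDirectory XML object.
    The 32-entry page size is an assumption about what the phone displays."""
    root = ET.Element("CiscoIPPhoneDirectory")
    ET.SubElement(root, "Title").text = title
    shown = entries[:page_size]
    ET.SubElement(root, "Prompt").text = f"{len(shown)} of {len(entries)} records"
    for name, number in shown:
        entry = ET.SubElement(root, "DirectoryEntry")
        ET.SubElement(entry, "Name").text = name
        ET.SubElement(entry, "Telephone").text = number
    return ET.tostring(root, encoding="unicode")


# Constructed stand-in for the directory server's response to the LDAP search.
SAMPLE_RESULTS = [("Alice Example", "+1 555 0100"), ("Alan Exemplar", "+1 555 0101")]


def handle_phone_request(params, search=lambda ldap_filter: SAMPLE_RESULTS):
    """Proxy entry point: phone query parameters -> LDAP filter -> XML response.
    Parameter names 'first' and 'last' are assumed; 'search' stands in for the
    read-only LDAP lookup (for example via python-ldap or ldap3)."""
    ldap_filter = build_filter(params.get("first", ""), params.get("last", ""))
    return render_directory(search(ldap_filter))
```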
In addition, directory access for Cisco Unified IP Phones includes the following characteristics:
The system supports all LDAPv3-compliant directories.
Cisco Unified Communications Manager user preferences (speed dials, call forward all, personal address book) do not get synchronized with the corporate LDAP directory. Therefore, users have a separate login and password to access the Cisco Unified Communications Self Care Portal.