Thursday, January 15, 2009

LDAP Integration with CUPS

There's no GUI on CUPS to configure "LDAP Integration".

CUPS synchronizes users from CUCM.  CUPS does not synchronize with LDAP.

How about "CUPS Admin > Application > Cisco Unified Personal Communicator > LDAP server"?  Well, as the menu indicates, it's a configuration for CUPC, not for CUPS.  CUPC downloads this configuration upon login and uses it to query LDAP (for contact search).

Even though LDAP integration is not configurable on CUPS, it might affect CUPS in an unexpected way.

Scenario 1: CUCM is using LDAP authentication.  CUPC users are not able to log in.

When CUPC users try to log in, the username/password is authenticated against CUPS (via SOAP).  In turn, CUPS authenticates the username/password against LDAP (because CUCM is using LDAP authentication).  If, for whatever reason, CUPS has a problem with LDAP, authentication fails.

Reason A: An access list blocks traffic between CUPS and LDAP, while allowing traffic between CUCM and LDAP and between CUPS and CUCM.

In this case, CUPS still synchronizes the users from CUCM, but those users won't be able to log into CUPC because CUPS cannot talk to LDAP.

Reason B: CUCM was configured to use LDAP over SSL (LDAPS).  Certificates were uploaded to CUCM but not to CUPS.

In this case, CUPS won't be able to set up the LDAPS connection because the certificates were missing.
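To tell Reason A from Reason B, the following probe (an added example, not part of the original post or any Cisco tooling) classifies a failed directory connection as a TCP-level block or a certificate trust failure. It assumes you run it from a host that sits behind the same access lists as CUPS, that `ldap.example.com` stands in for your LDAP server, and that `cafile` is a PEM export of the CA certificate that was uploaded to CUCM.

```python
import socket
import ssl


def probe_ldap(host, port=636, cafile=None, use_tls=True, timeout=3.0):
    """Classify why a directory connection from this host would fail.

    Returns one of:
      "tcp_blocked"   - no TCP connection (Reason A: access list, routing, wrong port)
      "tls_untrusted" - server certificate does not chain to the trust store
                        or does not match the host name (Reason B)
      "tls_error"     - TLS handshake failed for another reason
      "ok"            - TCP (and TLS, if requested) succeeded
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, unreachable, or timed out: nothing TLS-related was attempted.
        return "tcp_blocked"
    with sock:
        if not use_tls:
            return "ok"
        # With cafile set, only that CA is trusted; with None, the OS store is used.
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except ssl.SSLCertVerificationError:
            return "tls_untrusted"
        except (ssl.SSLError, OSError):
            return "tls_error"


if __name__ == "__main__":
    # Placeholder host name; 389 is plain LDAP, 636 is LDAPS.
    for port, tls in ((389, False), (636, True)):
        print(port, probe_ldap("ldap.example.com", port, use_tls=tls))
```

A result of `tcp_blocked` on both ports points at the access list; `ok` on 389 with `tls_untrusted` on 636 points at the missing certificate.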

Frequently asked questions:
Do I need CUCM/LDAP integration to use CUPS/CUPC?

Answer: No.  But there are some catches.  CUCM/LDAP integration is highly recommended.

Explanation:

1) Without LDAP, adding contacts to CUPC would be a pain, because CUPC cannot search CUCM for contacts.  (There's no such thing as a "CUCM native directory".)

2) If you use LDAP with CUPC but not with CUCM, a potential problem is on the way.  If you search LDAP from CUPC and add that contact to the CUPC contact list, the user ID in LDAP is used as the "presence user ID".  If the "presence user ID" is different from the user ID in CUCM, you won't be able to see your contact's presence (your contact will always appear offline).

Workarounds:

1) Make sure the user ID in LDAP matches the user ID in CUCM.

or

2) If the CUCM ID happens to be the phone extension number, and you happen to have the phone extension number configured in LDAP, you may go to "CUPS Admin > Application > Cisco Unified Personal Communicator > Settings" to map the LDAP phone attribute to the CUPC "user ID" attribute.

23 comments:

  1. Is LDAP necessary for a Presence 7 install? Is there any way in this version to search the user database out of call manager?

  2. CUPS (Presence) cannot search user database out of CallManager.

    Without LDAP, you'll have to add contacts manually. You'll have to enter details (such as phone number, email) manually.

  3. Basically, LDAP is only being used to populate the buddy list and no more?

    If we are not using LDAP on CUCM, is it preferred not to use LDAP on CUPS?

  4. LDAP plays a critical part in CUPC (note: not CUPS).

    Without LDAP, you will lose the following features on CUPC:

    1. You wouldn't be able to "search and add" contacts. All contact details (name, phone number, email, etc.) have to be added manually.

    2. Name resolution would fail. Which means, when you got a call, it will display as 408-555-1212 instead of "John Doe".

    3. Because of 3, web conference session won't popup automatically on computer.

    Michael

  5. Thanks for the information. Another question that I put on the forum as well:

    Can Presence 6.0 look inside of groups for its search? In testing, I was able to pull users from the Users container, but when I changed my context string to pull from a group, it did not work.

    So, is it possible or do I have the incorrect context?

    Below are the strings I used (both returned no results):

    &(objectcategory=person)(memberof=Presence Users,OU=Company Groups,DC=blah,DC=blah,DC=net))

    CN=Presence Users,OU=Company Groups,DC=blah,DC=blah,DC=net

  6. Hi
    I can't integrate CUCM7 with CUP6.3 because the "Cisco UP Sync Agent" service can't start, so users are not imported to CUP.
    At CUP Admin->Application->Cisco Unified Personal Communicator->CTI Gateway Server: have not generated automatically synchronize "cti_tcp_host_synced_000" occurs.
    I installed CUCM7 and CUP6.3 on VMWare. I used Demo license.

    Please suggest to me. Thank you.

  7. Follow this pic
    http://i89.servimg.com/u/f89/13/49/74/62/cisco_10.jpg

  8. sorry my brother
    I checked CUPS compatibility: CUPS 6.0.3 is not compatible with CUCM 7.0

  9. My customer has CUCM 6.0, CUPS 7.0. They want to pilot CUPC. CUCM is not integrated with LDAP.

    Why does all the documentation mention that LDAP integration is "Highly Recommended"?
    It looks like it's a pre-requisite. Without this how can I manually add users and see the users status?
    Many thanks.

  10. LDAP is highly recommended because:

    1) CUCM does not have a LDAP (or "directory") interface for external applications.

    2) CUCM end user table is not as flexible and extensive as LDAP (such as Active Directory).

    3) Because of 1 & 2, some application (like CUPC) won't query CUCM for user info. They will query LDAP only.

    If CUCM is not integrated with LDAP, you may go to CUPS End User Options page to add contacts. Those contacts will show up in CUPC contact list.

  11. Hi Michael

    About the ldap search for the CUPC. Is it possible to configure an ldap search filter? Currently ldap search is displaying everything including PC accounts.

    Thanks
    - Alex
    PS: Very good your book. Down to earth.

  12. This comment has been removed by the author.

  13. Hi Michael

    What are the main differences between this book release and the old release?

    Thanks
    - Ale

  14. Hi Michael

    By the way the filter worked flawlessly.

    Thanks!

    Happy new year!

    - Alex

  15. Hi Michael,

    I am building a UC lab at my home. I am trying CUCM & CUPS & CUPC and it is running well without LDAP and DNS. Call control, IPPM, phone presence work fine. I have a problem with contact presence & changing contact details on CUPC.

    1. If I add a contact manually through the CUPC GUI (contacts>add new contact) along with the attributes (display name, first & last name, work phone, email, etc), I cannot see the contact presence status and cannot initiate chat (chat icon is gray). I can only make a call and email.

    2. If I add a contact from the chat window (triggered from an IP Phone using IPPM to send IM to CUPC), I can see this contact's presence & phone status but cannot make a call to this contact because the phone icon is gray. Changes to contact attributes are not retained every time I save them.

    Is that a normal behavior?

    i am using:
    - CUCM 7.0.2.20000-5,
    - CUPS 7.0.2.10000-37,
    - CUPC 7.0(2.13496)

    Thanks & appreciate your answer,
    -edi

  16. Yes, that's a normal behavior due to software limitation. Hopefully they'll fix it in 8.0

  17. Thanks for quick response Michael. One short question, is IPPM popup alert working when IP Phones fallback to CUCM sub? (CUCM pub is down). I faced this issue, but other features work fine.

    -edi

  18. Correct me if I'm wrong but data which were previously held in other types of data stores are sometimes moved to LDAP directories. For example a buy kamagra directory, or Unix user and group information can be stored in LDAP and accessed via PAM and NSS modules. LDAP is often used by other services for authentication.

  19. Can you create LDAP filters for the searching of ldap from CUPC? I see this question was already asked but the answer was removed. I am using CUPS 8.6.1 & CUPC 8.5.3.

    Replies
    1. I am also wondering the same thing as Brian. I need to filter contact search results only based on a specific field. Any thoughts?

  20. I'm wondering about the CUPC filter as well. It is returning everything as well as test accounts.

  21. Hi Michael,


    What happens in CUCM/CUPS/CUPC/Jabber in the case of an AD user password change policy every X days?
    As the LDAP Sync starts at minimum every 6 hours, do I need to make a manual sync every time a user in a company changes the pw?

    Does it mean that CUPC/Jabber will (in a worst case) not be able to log in during 6 hours?

    Can CUPS/CUPC block a user's account in this case by trying to authenticate with an old password (I've seen it)?

    Jacky

  22. LDAP Sync does NOT sync password. Thus manual sync after pw change is pointless.

    LDAP Auth is handled by LDAP server itself.
