Cisco Unified MeetingPlace, Release 7.0 -- How to Configure LDAP Authentication





LDAP authentication validates the user name and password that a user enters against the profile database on an LDAPv2-compliant directory server. After the LDAP server authenticates users, they are automatically logged in to Cisco Unified MeetingPlace, provided that a Cisco Unified MeetingPlace profile with the same user ID exists. You can also authenticate users against a multiple LDAP forest configuration.


With LDAP authentication, the following restrictions apply:

  • Cisco Unified MeetingPlace Web Conferencing supports only unencrypted LDAP: queries to the LDAP server, including any credentials they carry, cross the network in clear text. LDAP over SSL/TLS is not supported.
  • Users whose user names exist in LDAP cannot log in with their Cisco Unified MeetingPlace passwords; only the LDAP password is accepted.
  • LDAP credentials are used for authentication; the passwords stored in Cisco Unified MeetingPlace profiles are ignored (the profile itself must still exist for the user to be logged in).
  • Cisco Unified MeetingPlace enforces e-mail format validation when LDAP synchronization is configured. If a user's e-mail address does not conform to the standard format, that user is skipped during LDAP synchronization and is not imported into the MeetingPlace database. An address is accepted when it matches the following regular expression:
    ^([\w-_.'])*\w+@([\da-zA-Z-]+\.)+[\da-zA-Z]{2,6}$
    Note that the expression accepts at most six characters after the last dot, so addresses under longer top-level domains are skipped.
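The following added example, written for this page and not part of the Cisco documentation or product, runs the expression above over a constructed set of directory entries to show which accounts a synchronization run would import and which it would skip. It assumes nothing about the product beyond the expression itself; the hyphen inside the first character class is escaped because Python rejects \w-_ as a malformed range, and re.ASCII keeps \w and \d to ASCII characters, which is how the original expression reads.

```python
import re

# Expression from the restriction above, used here in Python. The hyphen inside the
# first character class is escaped ("\-") because Python rejects "\w-_" as a malformed
# range; re.ASCII keeps \w and \d to ASCII, as the original expression intends.
EMAIL_RE = re.compile(r"^([\w\-_.'])*\w+@([\da-zA-Z\-]+\.)+[\da-zA-Z]{2,6}$", re.ASCII)


def email_ok(addr: str) -> bool:
    """True if the address would pass the synchronization's e-mail format check."""
    return EMAIL_RE.fullmatch(addr) is not None


def partition_entries(entries):
    """Return (imported, skipped) user IDs, mirroring how synchronization treats each entry."""
    imported, skipped = [], []
    for entry in entries:
        target = imported if email_ok(entry.get("mail", "")) else skipped
        target.append(entry["uid"])
    return imported, skipped


# Constructed sample of directory entries (not real data), chosen to hit the edge cases.
SAMPLE_ENTRIES = [
    {"uid": "jdoe",   "mail": "john.doe@example.com"},         # plain address: imported
    {"uid": "asmith", "mail": "a-smith_1@sub.example.co.uk"},  # hyphen, underscore, digit, multi-label domain: imported
    {"uid": "dlee",   "mail": "d.lee@example.museum"},         # six-letter TLD, the longest accepted: imported
    {"uid": "bjones"},                                         # no mail attribute at all: skipped
    {"uid": "ckim",   "mail": "ckim@localhost"},               # no dot in the domain part: skipped
    {"uid": "efox",   "mail": "e.fox@example.technology"},     # TLD longer than six characters: skipped
    {"uid": "fwu",    "mail": "first last@example.com"},       # space in the local part: skipped
]

if __name__ == "__main__":
    imported, skipped = partition_entries(SAMPLE_ENTRIES)
    print("imported:", imported)
    print("skipped :", skipped)
```

Running the check against an export of the directory before enabling synchronization tells you in advance which accounts will silently fail to appear in MeetingPlace; the efox entry shows that a perfectly valid address can still be skipped because of the six-character limit.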


Note: To authenticate the web conferencing application against the LDAP server, the LDAP directory must keep all users in one container rather than spread across multiple containers (each representing a child OU).



Configuring LDAP Authentication

Before You Begin

Read Restrictions: User Authentication and Load Balancing.


Procedure
  1. Sign in to the end-user web interface.
  2. Click Admin.
  3. Click Web Server.
  4. Click the name of the Web Server that you want to configure in the "View" section of the page.
  5. Scroll to the Web Authentication section.
  6. Select LDAP for "Step 1: Directory".
  7. Enter the LDAP hostname in the field provided.
    Example: ldap.domain.com
  8. Enter the Distinguished Name (DN) information for your directory in the field provided, noting the following considerations:
    • Cisco Unified MeetingPlace user profile login names are limited to 17 characters; therefore the LDAP match (the value substituted for %USERNAME%) must be 17 characters or fewer.
    • You can enter only one value for the LDAP Distinguished Name (DN) field, so a single DN cannot cover users segregated into multiple organizational units (OUs). The workaround is to have users log in with a name in the DOMAIN\USER or user@ou.domain.com format, which carries the domain itself, and to enter just %USERNAME% in the LDAP Distinguished Name field, without specifying an OU, DC, or other parameter.
    Note: All users in the LDAP server directory must be in one container rather than broken into multiple containers each representing a child OU.
    • %USERNAME% is a placeholder for the user name that the user enters in the login username field. Before the request is sent to the LDAP server, %USERNAME% is replaced with that string exactly as typed; no escaping or other modification is made to the DN value. The placeholder itself is case-sensitive and must be written entirely in upper case (%username% is not substituted).
    Example of a DN for a directory that keeps all users in one container: CN=%USERNAME%, OU=People, DC=mydomain, DC=com
    • Leave the DN field blank (empty) instead of entering %USERNAME% or a DN if any of the following applies:
      • You are authenticating against a multiple LDAP forest configuration.
      • The LDAP server is the LDAP interface of a Microsoft Active Directory server. In this case you must leave the DN field blank for authentication to work, and the user names that users enter must be in the DOMAIN\USER or user@ou.domain.com format.
      • You want user passwords sent protected rather than in clear text. Entering any value in the DN field causes the password to be sent to the LDAP server in clear text.
    Note: If you choose to enter a value for the DN field, it is your responsibility to protect the connection between the Cisco Unified MeetingPlace web server and the LDAP server, for example by placing both on a trusted network segment or tunneling the traffic between them. This is not the same as configuring SSL on the web server: the SSL feature in Cisco Unified MeetingPlace protects only the traffic between the client browser and the web server, not the traffic between the web server and the LDAP server.
    • Consult your LDAP expert for your DN information.
  9. Select how you want user names transformed for "Username Conversion Function."
    Selecting None applies no transformation to the original user ID string.
  10. Select one of the following for "Step 2: Login Method."
    • Select Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window.
    • Select HTTP Basic Authentication to see a login window rendered by your web browser.
  11. Click Submit and wait five minutes for the new configuration to take effect.
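The following added example (written for this page, not Cisco's code) illustrates the considerations in step 8: how the DN field is turned into the name sent to the LDAP server, and why a non-blank DN field means the password crosses the unencrypted link in clear text. It assumes that a configured DN results in an LDAP simple bind (the standard mechanism that carries the password as plain octets) and that the 17-character login-name limit is checked on the value substituted for %USERNAME%; the DN template, user name and password are constructed values.

```python
MAX_LOGIN_LEN = 17  # Cisco Unified MeetingPlace profile login names are limited to 17 characters


def build_bind_dn(dn_template: str, username: str):
    """Reproduce what the web server does with the DN field before contacting LDAP.

    Returns None when the DN field is blank (Active Directory or multi-forest mode,
    where the user types DOMAIN\\USER or user@ou.domain.com), otherwise the template
    with %USERNAME% replaced literally. Nothing else is altered or escaped.
    Assumption: the 17-character limit is applied to the substituted value.
    """
    if len(username) > MAX_LOGIN_LEN:
        raise ValueError(f"login name {username!r} exceeds {MAX_LOGIN_LEN} characters")
    if not dn_template.strip():
        return None
    # The token is case-sensitive: only the upper-case spelling is substituted.
    return dn_template.replace("%USERNAME%", username)


# Minimal BER/DER helpers, enough to encode an LDAP simple BindRequest (RFC 4511).
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value: int) -> bytes:  # non-negative integers only
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (_ber_int(3)
            + _tlv(0x04, bind_dn.encode())     # name: LDAPDN as OCTET STRING
            + _tlv(0x80, password.encode()))   # authentication: [0] simple, context tag 0
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))  # [APPLICATION 0] BindRequest


def password_visible_on_wire(message: bytes, password: str) -> bool:
    """What a passive observer of unencrypted LDAP sees: the password bytes verbatim."""
    return password.encode() in message


if __name__ == "__main__":
    # Constructed values, not from any real deployment.
    template = "CN=%USERNAME%, OU=People, DC=mydomain, DC=com"
    dn = build_bind_dn(template, "jdoe")
    msg = simple_bind_request(1, dn, "s3cret")
    print("bind DN:", dn)
    print("on the wire:", msg.hex())
    print("password readable in capture:", password_visible_on_wire(msg, "s3cret"))
    print("blank DN field ->", build_bind_dn("", "MYDOMAIN\\jdoe"))
```

The hex dump printed is what a packet capture on the web-server-to-LDAP link would contain when a DN is configured; the password bytes are readable in it, which is the point of the note in step 8 about protecting that link. A blank DN field returns None, meaning the DOMAIN\USER or user@ou.domain.com name the user types is what identifies the account, and that the 17-character limit counts the whole string the user enters.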


Troubleshooting Tips

If you chose HTTP Basic Authentication as your login method, restart the Cisco Unified MeetingPlace Web Conferencing service after configuring LDAP authentication. If you do not, credentials that the web server has already accepted remain valid: a user who changes the LDAP password can log in to Cisco Unified MeetingPlace with both the old and the new password until the Cisco Unified MeetingPlace Web Conferencing service is restarted or approximately 60 minutes have passed.

NOTE: When you restart the Web Server, all manual changes made to the registry are lost.


What to Do Next

Based on your configuration, proceed to one of the following topics:



Verifying the LDAP Authentication Configuration by Using the Web Page Form

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.


Before You Begin

Complete Configuring LDAP Authentication.


Procedure
  1. Open a web browser and navigate to Cisco Unified MeetingPlace.
  2. Verify the following end-user behaviors:
    • If you have a Cisco Unified MeetingPlace profile, you can log in with your LDAP password.
    • You cannot log in as a profiled user without a password.



Verifying the LDAP Authentication Configuration by Using HTTP Basic Authentication

Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.


Before You Begin

Complete Configuring LDAP Authentication.


Procedure
  1. Open a web browser and navigate to Cisco Unified MeetingPlace.
  2. Verify the following end-user behaviors:
    • When you access the Cisco Unified MeetingPlace home page, the browser shows an Enter Network Password window rather than the Cisco Unified MeetingPlace login page.
    • After you enter your LDAP user ID and password, you are authenticated to the Cisco Unified MeetingPlace Application Server.
    • The Welcome page displays your name in first name, last name order.
    • Sign In and Sign Out links are not displayed.
