Cisco Unified MeetingPlace Release 6.1 -- Configuring Cisco Unified MeetingPlace Directory Services


This page describes how to create the MetaLink agreements needed to synchronize Cisco Unified MeetingPlace Directory Services with your Cisco Unified MeetingPlace Audio Server and corporate directory server, in both basic single-server and multiserver (master-slave or dual-master) systems.



Restrictions for Configuring Cisco Unified MeetingPlace Directory Services

Cisco Unified MeetingPlace Directory Services does not support the use of load-balancing software for directory access and synchronization. You must create synchronization agreements by using the actual hostname or IP address of the corporate directory server.


About Configuring Cisco Unified MeetingPlace Directory Services

Before you configure Directory Services, you should understand the following concepts:


MetaLink Agreements

Directory Services provides default MetaLink agreement and configuration files that you modify as needed to configure Directory Services. Each MetaLink agreement usually requires the following two files:

  • MetaLink agreement file, mp-sync.mmu
  • MetaLink configuration file, mp-sync.cfg


For more conceptual information about MetaLink agreements, see the Meta-Directory and the MetaLink Agreement.


Default MetaLink Configuration File

Directory Services provides default configuration files for the MetaLink agreement that synchronizes Directory Services with your corporate directory server.


Before starting the synchronization, you will need to customize the attribute mappings, filters, and other parameters that are contained in the configuration file to meet the needs of your specific business rules.


See the following sections for information about configuration file sections and examples:

  • LDAP Filters -- Contains conditions to filter out entries based on attributes.
  • DCDPersonMapping -- Allows you to register standard and BootStrap attribute mappings and correlation rules.
  • ImportCorrelation -- Contains the default correlation rule, which can be modified to include additional attribute mappings.
  • ConversionFunctions -- Allows you to register plug-in functions so that you can apply them to standard and BootStrap attribute mappings.
  • LDAPObjectClass -- Contains the list of classes that will be mapped.
  • BootStrapPersonMap -- Contains the list of BootStrap attribute mappings.
  • ImportPersonMap -- Contains the list of standard attribute mappings.


LDAP Filters

The LDAP Filters section of the configuration file lists the directory entries that you want to import. By default, Directory Services imports all entries whose objectClass attribute has a value of person, as described in the LDAPFilters section:

[LDAPFilters]

Abs_Person = &attrHasValue(*objectClass, "person")


You can modify the default LDAPFilters section to include additional conditions that will be applied when Directory Services synchronizes with the corporate LDAP directory.


Example

This entry checks whether a directory entry meets all the following requirements:

  • Persontype is "employee"
  • Attribute employeenumber exists
  • Attribute termflag not equal to "T"
  • Attribute termflag not equal to "Pendinghire"

Abs_Person = &AND(&attrHasValue(*persontype, "employee"), employeenumber, &FilterBuiltin(&Trim(termflag), "T"), &FilterBuiltin(&Trim(termflag), "Pendinghire"))


Example

This entry checks whether an Active Directory entry meets all the following requirements:

  • Is Active (initialization only)
  • employeenumber exists
  • objectclass is "user"

Abs_Person = &AND(&attrHasValue(&BitMask(userAccountControl,"2"), "0"), &attrHasValue(*objectClass, "user"), employeeNumber)


Note: If a corporate directory entry does not meet all specified requirements, the entry is either not imported or is deleted from the Cisco Unified MeetingPlace system if there is an existing correlated profile.


Directory Services can also use plug-in functions within the LDAP filter to execute logical expressions; for example, the logical AND function (&AND), or the check attribute value existing function (&attrHasValue). For a complete list of plug-in functions, see Cisco Unified MeetingPlace Directory Services Plug-In Functions.


Note: Before you can use a plug-in function, you must declare the function in the Conversion Functions section of the configuration file. For more information, see Synchronizing a Single-Server Cisco Unified MeetingPlace Directory Services System with a Corporate Directory Server.
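
The following Python dry run is an added example, not part of the Cisco documentation or the product's filter engine. It models the conditions the Active Directory filter above is described as checking and, following the note about non-matching entries, classifies each constructed entry as create, update, delete or skip. The entry data, the set of existing profiles and all function names are assumptions.

```python
"""Dry run of the page's Active Directory filter over constructed entries."""

ACCOUNTDISABLE = 0x2  # userAccountControl flag tested by &BitMask(..., "2")


def values(entry, attr):
    """Return an attribute's values as a list; names match case-insensitively."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def passes_ad_filter(entry):
    """Model (assumed semantics) of the page's filter:
    &AND(&attrHasValue(&BitMask(userAccountControl,"2"), "0"),
         &attrHasValue(*objectClass, "user"), employeeNumber)"""
    uac = values(entry, "userAccountControl")
    try:
        enabled = bool(uac) and (int(uac[0]) & ACCOUNTDISABLE) == 0
    except ValueError:
        enabled = False  # unparsable value: treat as not matching
    is_user = any(v.lower() == "user" for v in values(entry, "objectClass"))
    has_empno = any(v.strip() for v in values(entry, "employeeNumber"))
    return enabled and is_user and has_empno


def plan_sync(entries, existing_profiles):
    """Classify entries. Correlation key is the lowercased sAMAccountName,
    as in the page's &Caselow(SAMAccountName) correlation example."""
    plan = {}
    for entry in entries:
        sam = values(entry, "sAMAccountName")
        key = sam[0].lower() if sam else ""
        known = key in existing_profiles
        if passes_ad_filter(entry):
            # New entries use BootStrapPersonMap, known ones ImportPersonMap.
            plan[key] = "update" if known else "create"
        else:
            # A non-matching entry with a correlated profile is deleted.
            plan[key] = "delete" if known else "skip"
    return plan


# Constructed sample data, not taken from any real directory.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Alice", "userAccountControl": "512",
     "objectClass": USER_CLASSES, "employeeNumber": "1001"},
    {"sAMAccountName": "bob", "userAccountControl": "514",      # disabled
     "objectClass": USER_CLASSES, "employeeNumber": "1002"},
    {"sAMAccountName": "carol", "userAccountControl": "66048",  # enabled
     "objectClass": USER_CLASSES, "employeeNumber": "1003"},
    {"sAMAccountName": "svc-backup", "userAccountControl": "512",
     "objectClass": USER_CLASSES},                              # no employeeNumber
    {"sAMAccountName": "dave", "userAccountControl": "66050",   # disabled
     "objectClass": USER_CLASSES, "employeeNumber": "1005"},
]
EXISTING_PROFILES = {"alice", "bob", "svc-backup"}


def demo_plan():
    return plan_sync(SAMPLE_ENTRIES, EXISTING_PROFILES)


if __name__ == "__main__":
    for name, action in demo_plan().items():
        print(f"{name:12} {action}")
```

Running a classification like this against a directory export before tightening a filter shows which existing profiles the new condition would remove, such as the service account above that has no employeeNumber.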


DCDPersonMapping

The DCDPersonMapping section allows you to register standard and BootStrap attribute mappings and correlation rules. You must register mappings and rules before you can use them.


Example

StandardMapping = ImportPersonMap


ImportCorrelation

The ImportCorrelation section of the configuration file contains correlation rules, which determine how directory entries are mapped to each other. You can modify the default correlation rule to include additional attribute mappings or add new correlation rules.


Normally, a unique identifier in the corporate directory, such as samaccountname in Active Directory or uid in the corporate LDAP directory, is correlated with the Cisco Unified MeetingPlace username, which is unique for the Cisco Unified MeetingPlace profile.

  • If the correlation rule determines that there is no such profile in Cisco Unified MeetingPlace, the MetaLink uses the configuration in the BootStrapPersonMap section to create a new Cisco Unified MeetingPlace profile.
  • If there is an existing profile in Cisco Unified MeetingPlace, the MetaLink uses the standard attribute mapping rules in the ImportPersonMap section to update the profile.


Example

To synchronize a Cisco Unified MeetingPlace username with an Active Directory user login name, include the following correlation rule:

if FullDistName = SAMAccountName


Example

The following mapping correlates fullDistName (meetingplace username) with lowercase samaccountname in the Active Directory:

[ImportCorrelation]

fullDistName ="/o=comp.com/ou=people/nm=""" + &Caselow(SAMAccountName) +""""


Example

The following attribute correlates Vuname (Cisco Unified MeetingPlace profile number) with the right four digits of the corporate directory attribute Telephone-Office1, and correlates FaxNum with five digits from the corporate directory attribute Telephone-Fax, starting at the third number from the left:

[ImportCorrelation]

Vuname = &StringRightN(Telephone-Office1, "4")

FaxNum = &midString(Telephone-Fax, "3", "5")


ConversionFunctions

Plug-in functions give you flexibility when correlating directory data during a MetaLink synchronization. Before you can use a plug-in function, you must register it by entering the function and its corresponding .dll in the Conversion Functions section of the configuration file. Once a function is registered, you can use it in any mapping in the configuration file.


There are approximately 30 plug-in functions available for manipulating data. For example, you can use plug-in functions to filter out unwanted entries or to extract the first three digits of a phone number to create a profile number. For a full list of plug-in functions, see Cisco Unified MeetingPlace Directory Services Plug-In Functions. For the correct syntax for declaring a specific function, see Plug-In Guidelines.


Example

This entry shows the registration of the functions AND and attrHasValue:

[Conversion Functions]

AND = dcmlkcnv.dll,mlkAMapAND

attrHasValue = dcmlkcnv.dll,mlkAMapAttrHasValue


LDAPObjectClass

The LDAPObjectClass section contains the list of classes that will be mapped.


Example

LDAPPerson = top,person,inetOrgPerson,organizationPerson,yourcompanyOrgPerson


BootStrapPersonMap

The BootStrapPersonMap section of the configuration file contains attribute mappings between the corporate directory and the Cisco Unified MeetingPlace directory that are made when a new profile is created in Cisco Unified MeetingPlace. By default, Cisco Unified MeetingPlace users take values from the guest profile when the attributes that are specified in the configuration file have "NOVALUE", such as

GroupName = """NOVALUE"""


To ensure that the MetaLink agreement meets the needs of your organizational directory information, you can add, modify, and delete BootStrap attribute mappings, as shown in the following examples:


Example

To import Cisco Unified MeetingPlace users with different values than those of the guest profile, you can create a group in the Cisco Unified MeetingPlace system and specify the attribute value in the mapping section, for example after creating a group called "MeetingPlace user":

GroupName = "MeetingPlace user"


Example

If a particular Cisco Unified MeetingPlace attribute has no corresponding attribute in the corporate directory, you can substitute the default value from the Guest user profile in the Cisco Unified MeetingPlace system by specifying """NOVALUE""" in the attribute mapping line, for example:

BillCode = """NOVALUE"""

OutdialPhone = """NOVALUE"""


Example

In the following example, the mapping directs that the Lastname field in Cisco Unified MeetingPlace will use the value of the sn attribute in the Corporate LDAP Directory:

LastName = sn


Example

In the following example, the mapping populates the Cisco Unified MeetingPlace attribute Emailadd1 with the mail attribute in the corporate directory and the Groupname attribute with an employee type attribute pulled in from a flat file:

Emailadd1 = mail

Groupname = &mapString(employeetype,"E:\Cisco Systems\MeetingPlace Directory Services\config\group.txt")


Note: For a list of Cisco Unified MeetingPlace attributes, see Cisco Unified MeetingPlace Attributes for Directory Services.


ImportPersonMap

Standard attribute mappings are placed in the ImportPersonMap section of the configuration file and apply to entries that correlate between the two directories. These mappings indicate which attributes in existing Cisco Unified MeetingPlace entries will be updated with which attributes in the corporate directory.


You can specify that an attribute must have a value for the attribute to be propagated to the Cisco Unified MeetingPlace system. A percent (%) sign preceding an attribute specifies that a value is mandatory.


Example

You can map %LastName = sn so that the last name attribute on the source server is mapped to the sn attribute on the destination server.


The % sign guarantees that the last name attribute must have a value to be propagated to the Cisco Unified MeetingPlace system. If the attribute does not have a value, an error is written to the suspense file, and the MetaLink agreement proceeds to the next entry in the directory.


Example

In the following example, the mapping uses the plug-in functions BitMask and Caselow, plus a flat file, to populate the Cisco Unified MeetingPlace attributes IsActive and FlexField1:

IsActive = &mapString(&BitMask(userAccountControl, "2"),"d:\Cisco Systems\MeetingPlace Directory Services\config\active.txt")

FlexField1 = &Caselow(&Trim(location))


Tip: You can comment out the attribute mapping so that the MetaLink agreement will not read it during subsequent MetaLinks. To create a comment line, enter a semicolon (;) before the attribute mapping line, as shown in the following example:  ;lastname = sn


Synchronizing a Single-Server Cisco Unified MeetingPlace Directory Services System with a Corporate Directory Server

Figure: Single-Server Synchronization with One-Way and Two-Way MetaLink Agreements shows the MetaLink agreements that are needed for a basic single-server Directory Services system synchronization.

Figure: Single-Server Synchronization with One-Way and Two-Way MetaLink Agreements

  1. A two-way MetaLink agreement synchronizes user profiles between the Cisco Unified MeetingPlace Audio Server system and the Directory Services server.
  2. A one-way MetaLink agreement synchronizes Cisco Unified MeetingPlace user profiles between the Cisco Unified MeetingPlace Directory Services server and your corporate directory server.


Note: This synchronization can occur in real time or periodic intervals.



To synchronize a single-server Directory Services system with a corporate directory server, do the following procedures:

  1. To Enable the Changelog Feature for Netscape/SunOne/iPlanet LDAP Directory
  2. To Configure Cisco Unified MeetingPlace Directory Services Changelog Access Control
  3. To Prepare Active Directory for Synchronization with Directory Services
  4. To Create a MetaLink Agreement Between the Audio Server and the Directory Services Server
  5. To Monitor the MetaLink Agreement
  6. To Verify That Entries Have Been Propagated to Cisco Unified MeetingPlace Directory Services
  7. To Modify the MetaLink Agreement File
  8. To Monitor the MetaLink Agreement
  9. To Verify That Entries Have Been Propagated to Cisco Unified MeetingPlace Directory Services
  10. To Modify the MetaLink Agreement File
  11. To Modify the MetaLink Configuration File
  12. To Modify the MetaLink Configuration File for Cisco Unified MeetingPlace for Outlook Authentication
  13. To Run the MetaLink Agreement File
  14. To Monitor the Corporate Directory MetaLink Agreement
  15. Modify the corporate LDAP directory MetaLink agreement by doing one of the following:


To Enable the Changelog Feature for Netscape/SunOne/iPlanet LDAP Directory

Netscape/SunOne/iPlanet directory servers support a changelog feature that Directory Services uses to synchronize data. When the changelog feature is enabled, these directory products automatically maintain a log of modifications to the system. During the synchronization process, the changelog is examined to determine which entries have changed on the system.


The changelog records changes in the order that the changes occur; each change is assigned an index number. Directory Services tracks these index numbers to determine the state of the corporate directory server each time a MetaLink agreement is run, ensuring that the latest version of the corporate directory is synchronized with your Cisco Unified MeetingPlace system user profiles.


  1. To start the Netscape Console, choose Programs > Netscape Server Family > Netscape Console from the Windows Start menu.
  2. Log in as a user with administrative permissions, for example, cn=Directory Manager.
  3. Expand the hostname node to display the Server Group folder.
  4. Expand the Server Group folder.
  5. Double-click the directory server that will be used with the MetaLink agreement.
    The Netscape Directory Server window for that selected server appears.
  6. Choose the Configuration tab.
  7. For Netscape/iPlanet 4.x and for iPlanet/SunOne 5.x, do the following steps:
    1. Highlight the Replication Agreements node.
    2. Choose the Supplier Server Settings tab.
    3. Click Use Default; then, click Save.
  8. For iPlanet/SunOne 5.x, do the following steps:
    1. Expand the Plug-ins folder.
    2. Choose Retro Changelog Plug-in.
    3. Check the Enable Plug-in check box.
  9. To activate the changelog, stop and restart the directory server.


To Configure Cisco Unified MeetingPlace Directory Services Changelog Access Control

For Directory Services to access the changelog, you must create an account with the required permissions.


  1. In the Netscape Directory Server window, click the Directory tab.
  2. Right-click Changelog; then, choose Set Access Permissions > New.
    Note: If changelog does not appear in the left window, you do not have changelogs turned on. See the To Enable the Changelog Feature for Netscape/SunOne/iPlanet LDAP Directory for instructions; then, proceed to Step 3.
  3. So that changelog can be used by the MetaLink, edit the access control rule as shown in Figure: Editing the Access Control Rule.
    Note: In this example, the username and password configured in the LDAP Live Sync agreement are uid=MetaLink,ou=People,o=datacon.co.uk.
Figure: Editing the Access Control Rule

4. Click OK.


Preparing Microsoft Active Directory for Synchronization with Cisco Unified MeetingPlace Directory Services

To connect to Microsoft Active Directory, Directory Services requires an Active Directory user account. You must create a user account in Active Directory and assign this user account rights that allow Directory Services to monitor the directory for new, deleted, or modified user entries. Assigning rights enables Directory Services to search the Active Directory domain but does not enable the user or application to write information to Active Directory.


Note: Directory Services neither writes information nor stores data on the Active Directory server.


The user account that you create for synchronization with Active Directory is different than the service user account that you use to install and run Directory Services. This user account is used to synchronize with Active Directory, and the service user account is used to run the application service on the Directory Services server.


Restrictions
  • Cisco Unified MeetingPlace Directory Services must synchronize changes from one dedicated Active Directory Domain Controller. For more information, see your Microsoft documentation.
  • Do not use the same user account for both Active Directory synchronization and to run the application service on the Directory Services server.


Synchronization Process

Directory Services sets up a synchronization link with the Active Directory change log on the dedicated domain controller by using the following process:

  1. The synchronization link uses the filter in the MetaLink configuration file to find the user objects in Active Directory that Directory Services needs to synchronize with.
  2. Directory Services creates an internal index table of the user objects that it found.
  3. The synchronization link uses the attribute mappings in the MetaLink configuration file to copy into Directory Services the applicable attributes of these user objects.
  4. The state of the synchronization with Active Directory is stored in a data element cookie that is saved in the Directory Services database.
    For subsequent synchronizations, the synchronization link provides the data element cookie to Active Directory, which provides only the incremental changes from the change logs.
    Note: Directory Services synchronization is not related to and does not cause Active Directory domain synchronization.


To Prepare Active Directory for Synchronization with Directory Services
  1. Start the Active Directory Users and Computers console.
  2. Click View on the console toolbar and check Advanced Features.
  3. Right-click the extracting Active Directory Domain and choose Properties from the context menu.
  4. On the Security tab, add the Cisco Unified MeetingPlace Directory Services account and assign the user account Replicating Directory Changes rights.
  5. For this user account, ensure that the Allow check box is checked for the Read permission and that the Deny check box is checked for the Write permission.
  6. Ensure that the Directory Services server has permission to log on to one of the Active Directory Domain Controllers.
  7. If you plan to configure Directory Services to synchronize user object deletion activities in the Active Directory, set up the Read and List right to the Deleted Object Container by completing the instructions in the Microsoft article How to Let Non-Administrators View the Active Directory Deleted Objects Container in Windows Server 2003 and in Windows 2000 Server, at the following URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;892806.


Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Audio Server and the Directory Services Server

This MetaLink agreement synchronizes Cisco Unified MeetingPlace system user profiles between the Cisco Unified MeetingPlace Audio Server system and the Directory Services server and requires the mp-sync.mmu agreement file and the mp-sync.cfg configuration file.


The mp-sync.cfg configuration file is preconfigured and does not typically require modification. You will need to modify the mp-sync.mmu file.


Prerequisites


To Create a MetaLink Agreement Between the Audio Server and the Directory Services Server
  1. By using Notepad, open the mp-sync.mmu agreement file, which is located in the directory C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config.
    The file contains the following entries:
    Module MPML
    Action Add
    AgrName MeetingPlace-LiveSync-Agreement
    TimeInterval OnChange
    AgreementScope /o=comp.com/ou=people
    ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\mp-sync.cfg
    SuspensePath C:\mpdslogs\mp_sync\
    SuspenseLimit 100000
  2. Ensure that the path in ConfigRecord points to the mp-sync.cfg configuration file, located in the same directory as mp-sync.mmu.
  3. Save the mp-sync.mmu file.
  4. In the suspense file directory that was created during installation (C:\mpdslogs), create a subdirectory called mp-sync to match the SuspensePath setting in the mp-sync.mmu agreement file.
    Note: The mp-sync subdirectory must exist when you attempt to create the synchronization process, or the MetaLink agreement will fail.
  5. From the Windows Start menu, choose Run.
  6. To open a command prompt window, enter cmd.
  7. Change the current directory to C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config.
  8. To activate the Cisco Unified MeetingPlace MetaLink agreement, enter dcdmmu process mp-sync.mmu.


To Monitor the MetaLink Agreement

Monitor the progress and outcome of the MetaLink agreement by using one of the following methods:

  • By using Notepad, open the file mp-sync.mmu.out, which is located in the directory C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config. The message "Agreement Added Successfully" appears at the top of the file if the MetaLink was successfully created.
  • Open the Cisco Unified MeetingPlace Gateway System Information Manager (GWSIM) eventlog to monitor real-time transactions between Cisco Unified MeetingPlace and Directory Services. On the Windows desktop, right-click the Cisco Unified MeetingPlace icon in the system tray; then, choose Eventlog.
  • Open the Windows Event Viewer Application Log to check the synchronization process. Choose Start > Run, enter eventvwr, and choose Application Log. The informational messages "Import Sequence Is Finished" and "Export Sequence Is Finished" appear in the Application event log when the synchronization is complete.
    Note: Remember that Cisco Unified MeetingPlace MetaLink is a two-way synchronization between Directory Services and the Cisco Unified MeetingPlace directory.
  • In the suspense file directory (C:\mpdslogs), the following two real-time transaction logs track the MetaLink agreement:
    • MPML-export.log for entries exported from Directory Services to the Cisco Unified MeetingPlace system
    • MPML-import.log for entries imported from the Cisco Unified MeetingPlace system.
By using Notepad, open the logs to display import and export activity.


To Verify That Entries Have Been Propagated to Cisco Unified MeetingPlace Directory Services

After synchronization is complete, you can verify how many profiles have been propagated from the Cisco Unified MeetingPlace Audio Server system to Directory Services.


  1. From the Windows Start menu, choose Programs > DC Directory Administrator.
  2. On the first Log on to Cisco Unified MeetingPlace Directory Services Admin window, click Next.
  3. On the second Log on to Cisco Unified MeetingPlace Directory Services Admin window, enter the username /o=comp.com/cn=Admin and the password that you specified in the Completing the Installation Worksheet. Click Finish.
  4. In the DC Directory Admin window, look at the status area at the bottom of the window to see the number of entries that were propagated to Cisco Unified MeetingPlace Directory Services.


Troubleshooting Tips

If you find that certain profiles have not been imported into Cisco Unified MeetingPlace Directory Services, check for synchronization errors by following the instructions in Monitoring Cisco Unified MeetingPlace Directory Services.


Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Directory Services Server and a Corporate Directory Server

After synchronizing profiles between the Cisco Unified MeetingPlace Audio Server and the Directory Services server, create the MetaLink agreement between the Directory Services server and your corporate directory server.


Note: If you have replicated directory servers in your network, you can set up redundant synchronization links with a single Directory Services server to allow synchronization to occur with the second directory server if the first is unavailable. Create redundant links only if your directory is replicated on multiple servers. Creating multiple synchronization agreements with a single directory server will not create redundant links and should be avoided for performance reasons.


To create a MetaLink agreement between the Directory Services server and your corporate directory server, do the following tasks:

  1. To Modify the MetaLink Agreement File
  2. To Modify the MetaLink Configuration File
  3. To Modify the MetaLink Configuration File for Cisco Unified MeetingPlace for Outlook Authentication
  4. To Run the MetaLink Agreement File
  5. To Monitor the Corporate Directory MetaLink Agreement


To Modify the MetaLink Agreement File
  1. For Netscape/SunOne/iPlanet corporate directories, locate the ldap-import.mmu agreement file in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
    or
    For Microsoft Active Directory, locate the ad-import.mmu agreement file in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
  2. Use a text editor such as Notepad to open the agreement file.
  3. Use the sample values in Table 1-1 as a reference to modify the lines in the agreement file for your system.


Table: Agreement File Keywords

| Keyword | Description | Example | Required |
|---|---|---|---|
| Module | LDAP | LDAP | Yes |
| Action | Add, Modify, Delete | Add | Yes |
| AgrName | Agreement name | LDAP-Sync-to-MS-Active-Directory (AD) [1]; LDAP-Sync-to-Netscape (NS) [2] | Yes |
| TimeInterval | Frequency in seconds that the MetaLink agreement tracks changes in the corporate directory | TimeInterval Automatic; TimeInterval 3600 | No |
| AgreementScope | Cisco Unified MeetingPlace Directory Services subtree used to synchronize user data | /o=comp.com/ou=people | Yes |
| ConfigRecord | Path to the configuration file for this MetaLink. Must be preceded by an "@" and should include the complete path | @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\ad-import.cfg (AD); @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\ldap-import.cfg (NS) | Yes |
| ADHostName (AD), NSHostName (NS) | Hostname or IP address of your corporate directory server | ad-server.cisco.com (AD); ns-directory.cisco.com (NS) | Yes |
| UserName | Login username for your corporate directory | ad\mpds (AD); cn=latsync,cn=users,dc=cisco,dc=com (AD); ns-user (NS); uid=latsync,ou=people,o=acme.com (NS) | No |
| Password [3] | Password for username | cisco | No |
| DomainPartition | DN of the domain level entry in the Active Directory server | dc=cisco, dc=com | Yes |
| LDAPSubtree | LDAP server subtree below which all entries will be synchronized | ou=myorg,dc=cisco,dc=com | Yes |
| UIDManaged (NS) | True or False, depending on whether the UID is managed by the MetaLink. See the UID attribute. | False | Yes |
| UIDAttr [4] (NS) | UID attribute name | uid employeenumber | Yes |
| SuspensePath | Path to folder storing suspense files. Create a folder matching this parameter in the C:\mpdslogs directory. | C:\mpdslogs\ad-import (AD) | Yes |
| SuspenseLimit | Maximum amount of disk space the MetaLink can use for suspense files for this synchronization agreement | 0 (no disk limit) | No |
| LDAPSizeLimit | Maximum number of entries returnable in one search from the Netscape Server. Use 0 for unlimited searching. | LDAPSizeLimit 800 | No |
| LDAPTimeOut | Maximum time in seconds that the MetaLink waits for an LDAP search to finish | 0 (unlimited search time, unless your LDAP directory has a specific setting) | No |
| PortNumber | LDAP port number | 389 (default) | No |

Footnote 1: AD denotes a keyword or example that is specific to the MetaLink agreement file for Microsoft Active Directory (ad-import.mmu).
Footnote 2: NS denotes a keyword or example that is specific to the MetaLink agreement file for Netscape Directory (ldap-import.mmu).
Footnote 3: Although you enter the password here, you can delete the agreement file after you create the MetaLink to prevent the password being exposed.
Footnote 4: An Active Directory MetaLink uses ObjectGUID in the Active Directory as the default UIDAttr.


4. Save the agreement file.
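
A pre-flight check for the agreement files described above and in To Create a MetaLink Agreement Between the Audio Server and the Directory Services Server, as an added Python example that is not Cisco tooling. It assumes one keyword and value per line, as in the mp-sync.mmu listing; the finding codes, function names and sample values are constructed for illustration.

```python
"""Lint a MetaLink agreement (.mmu) file before and after running dcdmmu."""
import os
import tempfile

# Keywords that appear in every agreement file shown on the page.
COMMON_REQUIRED = ("Module", "Action", "AgrName", "AgreementScope",
                   "ConfigRecord", "SuspensePath")
SUCCESS_MARKER = "Agreement Added Successfully"  # written to <file>.mmu.out


def parse_mmu(text):
    """Parse 'Keyword value' lines (assumed format: split on first whitespace)."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def lint_agreement(mmu_path):
    """Return a list of (code, detail) findings; the codes are hypothetical."""
    with open(mmu_path, encoding="utf-8", errors="replace") as handle:
        entries = parse_mmu(handle.read())
    findings = []

    required = list(COMMON_REQUIRED)
    if entries.get("Module") == "LDAP":
        required.append("LDAPSubtree")
    for keyword in required:
        if not entries.get(keyword):
            findings.append(("MISSING_KEYWORD", keyword))

    # ConfigRecord must be "@" followed by the complete path to the .cfg file.
    config = entries.get("ConfigRecord", "")
    if config and not config.startswith("@"):
        findings.append(("CONFIG_NO_AT_PREFIX", config))
    elif config and not os.path.isfile(config[1:]):
        findings.append(("CONFIG_FILE_NOT_FOUND", config[1:]))

    # The suspense folder must exist before dcdmmu runs or the agreement fails.
    suspense = entries.get("SuspensePath", "")
    if suspense and not os.path.isdir(suspense):
        findings.append(("SUSPENSE_DIR_MISSING", suspense))

    # Footnote 3: the password is stored in clear text. Once the .out file
    # reports success, the agreement file can be deleted. Value is never echoed.
    if "Password" in entries:
        created = False
        out_path = mmu_path + ".out"
        if os.path.isfile(out_path):
            with open(out_path, encoding="utf-8", errors="replace") as handle:
                created = SUCCESS_MARKER in handle.read()
        code = "PASSWORD_LEFT_AFTER_CREATE" if created else "PASSWORD_IN_FILE"
        findings.append((code, entries.get("UserName", "")))
    return findings


def demo():
    """Lint a constructed ad-import.mmu before and after agreement creation."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "ad-import.cfg")
        mmu = os.path.join(root, "ad-import.mmu")
        suspense = os.path.join(root, "mpdslogs", "ad-import")
        open(cfg, "w").close()
        lines = [  # constructed values; the password is a placeholder
            "Module LDAP", "Action Add",
            "AgrName LDAP-Sync-to-MS-Active-Directory",
            "AgreementScope /o=comp.com/ou=people",
            "ConfigRecord @" + cfg,
            "ADHostName ad-server.example.com",
            "UserName ad\\mpds", "Password PLACEHOLDER",
            "DomainPartition dc=example,dc=com",
            "LDAPSubtree ou=myorg,dc=example,dc=com",
            "SuspensePath " + suspense,
        ]
        with open(mmu, "w", encoding="utf-8") as handle:
            handle.write("\n".join(lines) + "\n")
        before = [code for code, _ in lint_agreement(mmu)]

        # Simulate: folder created, dcdmmu run, success written to .out.
        os.makedirs(suspense)
        with open(mmu + ".out", "w", encoding="utf-8") as handle:
            handle.write(SUCCESS_MARKER + "\n")
        after = [code for code, _ in lint_agreement(mmu)]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before dcdmmu:", before)
    print("after dcdmmu: ", after)
```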


To Modify the MetaLink Configuration File

Note: We recommend that you modify the MetaLink configuration file with the help of a Cisco Unified MeetingPlace Directory Service support engineer.


  1. For Netscape/SunOne/iPlanet corporate directories, locate the ldap-import.cfg configuration file in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
    or
    For Microsoft Active Directory, locate the ad-import.cfg configuration file in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
  2. Use a text editor such as Notepad to open the configuration file.
  3. Modify the mappings in the configuration file for your corporate directory by adding filters and attribute mappings as necessary to meet the business requirements of your profile synchronization. Follow these guidelines:
    • For each mapping, the Cisco Unified MeetingPlace attribute must be on the left side of the equal sign, and the Corporate LDAP directory attribute must be on the right side, for example:
    MeetingPlace attribute = LDAP attribute
    • To create a comment line that will be ignored when the MetaLink is activated, begin the line with a semicolon, for example:
     ;FaxNum=&midString(Telephone-Fax, "3", "5")
     ;Active Directory MetaLink Configuration for <companyname>
    • Use plug-in functions to enable more complex attribute mappings.
    See the Cisco Unified MeetingPlace Directory Services Plug-In Functions appendix for more information.
    See the Default MetaLink Configuration File for mapping examples.
  4. Save the configuration file.


To Modify the MetaLink Configuration File for Cisco Unified MeetingPlace for Outlook Authentication

If your organization has Cisco Unified MeetingPlace for Outlook and you want to authenticate its users via Cisco Unified MeetingPlace Directory Services, do the following procedure.


Note: You must also configure Cisco Unified MeetingPlace for Outlook to support this functionality. See Configuring and Managing Cisco Unified MeetingPlace for Outlook.


  1. Use a text editor to open the ad-import.cfg configuration file in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
  2. In the [BootStrapPersonMap] section, add the following line:
    NetworkCredentials = "<your domain>\5C"+SAMAccountName
    Replace <your domain> with your actual domain.
  3. Add the same line to the [ImportPersonMap] section.
  4. Save the file.


To Run the MetaLink Agreement File

After modifying the agreement file and corresponding configuration file for your corporate directory MetaLink agreement, run the agreement file to initiate the synchronization between the Directory Services server and your corporate directory server.


Note: Allow this process to finish running before testing the MetaLink agreement.


  1. From the Windows Start menu, choose Run.
  2. Open a command prompt window by entering cmd.
  3. Change the current directory to C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config.
  4. Start the synchronization process by entering dcdmmu PROCESS <filename>, where <filename> is the name of the MMU script, such as ldap-import.mmu or ad-import.mmu.


To Monitor the Corporate Directory MetaLink Agreement

Monitor the progress and outcome of the corporate directory MetaLink agreement by using one of the following methods:

  • Use Notepad to open either the ad-import.mmu.out or ldap-import.mmu.out file, which are located in the same directory as the corresponding .mmu agreement files. The message "Agreement Added Successfully" appears at the top of the file if the MetaLink was successfully created.
  • Open the Windows Application log to check the link process. The informational message "Ended Total Refresh Export Sequence" appears immediately in the Application event log because Directory Services does not export any information to the corporate directory. An "Import sequence is finished" message is generated when the MetaLink agreement completes the synchronization.
Note: Remember that the corporate directory MetaLink agreement is a one-way synchronization.
  • Open the Windows Task Manager by pressing Ctrl + Alt + Del, then click the Processes tab in Task Manager. Monitor the DCX500.exe process. During the initial synchronization, this process will occupy most of the CPU power and memory. When synchronization is completed, this process becomes idle.
  • Open the Cisco Unified MeetingPlace Directory Services Admin console and monitor new entries as they are added. In the initial synchronization process, the Directory Services Admin console may not display imported profiles until after the "Import sequence is finished" message appears in the Windows Application log.


Modifying the Corporate LDAP Directory MetaLink Agreement

After creating the initial corporate directory MetaLink agreement, you can modify it by making changes to the mappings in the MetaLink configuration file.


Once you have updated the configuration file, you can modify the existing MetaLink agreement by using either of the following methods:


To Upload a New Configuration File by Using the Cisco Unified MeetingPlace Directory Services GUI
  1. From the Windows Start menu, choose Programs > DC Directory Administrator.
  2. Log in as Admin. The main directory administration window appears.
  3. Choose Manage > Domain to display the Cisco Unified MeetingPlace server icon.
  4. Double-click the server name to display the Server Management window.
  5. Choose Server > MetaLink to display the MetaLink list for the server.
  6. Double-click the LDAP Live Sync Module icon to expand it. The MetaLink icon appears under the module.
  7. Right-click the MetaLink you need to modify and choose Properties.
  8. In the Agreement Details dialog box, click the Configuration tab.
  9. Click Import, then choose the new configuration file that you saved.
  10. Click Apply, then click OK to upload the new configuration file.
    This MetaLink will now use the new configuration to update the profiles in the Cisco Unified MeetingPlace system.
    Note: If you want to use the new configuration to resynchronize (completely refresh) profiles from the corporate LDAP directory, you must delete the current MetaLink and create a new MetaLink by using the new configuration file. For details, see Repopulating the Cisco Unified MeetingPlace Directory Services Database.


To Modify the Current MetaLink Agreement File by Using the Command-Line Interface

You can modify the current MetaLink by editing the .mmu agreement file. You can add an instruction to the file to update the MetaLink, which will activate the new configuration file.


  1. Modify and save the configuration file by using the instructions in To Modify the MetaLink Configuration File.
  2. Use Notepad to open the ldap-import.mmu.out file.
  3. In the file, locate the agreement ID for this MetaLink, such as AgreementID 4, and make a note of this value.
  4. Use Notepad to open the ldap-import.mmu agreement file, which is similar to the following sample file:
    Module LDAP
    Action Add
    AgrName LDAP-Sync-to-Netscape
    TimeInterval Automatic
    AgreementScope /o=comp.com/ou=people
    ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\ldap-import.cfg
    NSHostName its4.companyname.com
    UserName uid=MeetingPlace,ou=applications,o=companyname.com
    Password mp147sy
    LDAPSubtree ou=People,o=companyname.com
    SuspensePath C:\mpdslog\suspense_LDAP\
    SuspenseLimit 100000
    SuspenseDaily FALSE
    UIDManaged FALSE
    UIDAttr uid
  5. Change the Action Add line to Action Modify.
  6. On the next line, after AgrName LDAP-Sync-to-Netscape, add Agreementid #ID, where #ID is the agreement ID that you noted in Step 3.
  7. Verify that the ConfigRecord @ line points to the correct configuration file.
  8. Save the modified file under a new name, such as ldap_modify.mmu, in the same directory.
  9. From the Windows Start menu, choose Run.
  10. Open a command prompt window by entering cmd.
  11. Change the current directory to C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config.
  12. Modify the current MetaLink to use the new configuration file by entering dcdmmu PROCESS ldap_modify.mmu.
    An output text file, called ldap_modify.mmu.out, is generated. Open this file with Notepad to verify whether the modification was successful or to see any errors that may have occurred.
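The command-line procedure above, scripted as an added example (not Cisco's code): it reads the agreement ID from the .mmu.out text and builds the Modify agreement, refusing to produce one if ConfigRecord does not name the expected configuration file. The .mmu.out layout, the "Agreementid <number>" line syntax, and the function names are assumptions; both sample files are constructed.

```python
import re

# Constructed stand-ins for ldap-import.mmu.out and ldap-import.mmu. The .out
# layout is an assumption: the page only says the file holds the success
# message and an entry such as "AgreementID 4". The agreement is abridged
# (bind credentials and suspense fields omitted).
SAMPLE_OUT = "Agreement Added Successfully\nAgreementID 4\n"
SAMPLE_MMU = r"""Module LDAP
Action Add
AgrName LDAP-Sync-to-Netscape
TimeInterval Automatic
AgreementScope /o=comp.com/ou=people
ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\ldap-import.cfg
NSHostName its4.companyname.com
UIDManaged FALSE
UIDAttr uid
"""


def find_agreement_id(out_text):
    """Step 3: return the agreement ID recorded in the .mmu.out text."""
    if "Agreement Added Successfully" not in out_text:
        raise ValueError("output does not report a successfully added agreement")
    ids = set(re.findall(r"(?im)^\s*AgreementID\s+(\d+)\s*$", out_text))
    if len(ids) != 1:
        raise ValueError(f"expected exactly one AgreementID, found {sorted(ids)}")
    return int(ids.pop())


def build_modify_agreement(mmu_text, agreement_id, config_name):
    """Steps 5 to 7: return the text of the Modify agreement or raise ValueError."""
    out, seen = [], set()
    for line in mmu_text.splitlines():
        key, _, value = line.strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key == "action":
            if value.lower() != "add":
                raise ValueError(f"expected 'Action Add', found 'Action {value}'")
            line = "Action Modify"
        elif key == "agreementid":
            raise ValueError("file already carries an Agreementid line")
        elif key == "configrecord":
            # Step 7: the path starts with '@' and names the edited .cfg file.
            wanted = "\\" + config_name.lower()
            if not value.startswith("@") or not value.lower().endswith(wanted):
                raise ValueError(f"ConfigRecord does not point to {config_name}")
        seen.add(key)
        out.append(line)
        if key == "agrname":
            # Step 6; "Agreementid <number>" is the assumed line syntax.
            out.append(f"Agreementid {agreement_id}")
    missing = {"action", "agrname", "configrecord"} - seen
    if missing:
        raise ValueError(f"agreement file lacks: {sorted(missing)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    agreement_id = find_agreement_id(SAMPLE_OUT)
    print(build_modify_agreement(SAMPLE_MMU, agreement_id, "ldap-import.cfg"))
```

A copy saved as ldap_modify.mmu carries the same UserName and Password lines as the original agreement file, so it needs the same file permissions.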


Synchronizing a Multi-Server Cisco Unified MeetingPlace Directory Services System with a Corporate Directory Server

The following figure shows the MetaLink agreements that are needed to synchronize a multi-server system, consisting of two Cisco Unified MeetingPlace Audio Servers, two Directory Services servers, and a corporate directory.


In this type of system, one Directory Services server and one Cisco Unified MeetingPlace Audio Server are called the master servers, and the second Directory Services server and Audio Server are called the slave servers. We recommend that you designate the Directory Services server with the most recent data as the master server.

Figure: Synchronizing a Multiple Cisco Unified MeetingPlace Directory Services Server System



To configure a multi-server Cisco Unified MeetingPlace Directory Services system to synchronize with a corporate directory server, do the following tasks:

  1. If you have a Netscape/SunOne/iPlanet corporate directory, do To Enable the Changelog Feature for Netscape/SunOne/iPlanet LDAP Directory and To Configure Cisco Unified MeetingPlace Directory Services Changelog Access Control.
  2. If you have Microsoft Active Directory, complete To Prepare Active Directory for Synchronization with Directory Services.
  3. Create a MetaLink agreement between the master Directory Services server and the master Audio Server. See Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Audio Server and the Directory Services Server.
    Note: We recommend that you designate the Directory Services server with the most recent data as the master server.
  4. Create a MetaLink agreement between the slave Directory Services server and the slave Audio Server. See Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Audio Server and the Directory Services Server.
  5. If the master and slave servers contain identical data or if the slave server does not contain any profiles, proceed to Step 7.
    Or,
    Create an export (one-way) MetaLink agreement from the master Directory Services server to the slave Directory Services server. See Creating an Export MetaLink Agreement from the Cisco Unified MeetingPlace Directory Services Master Server to the Slave Server.
  6. Delete the export (one-way) MetaLink agreement. See Deleting the One-Way Export MetaLink Agreement.
  7. Add a changelog agreement to the slave Directory Services server. See Enabling Changelogs on the Slave Server.
  8. Create a two-way MetaLink agreement between the master and slave Directory Services servers. See Creating a Two-Way MetaLink Agreement on the Master Cisco Unified MeetingPlace Directory Services Server.
  9. Create a MetaLink agreement between the Directory Services master server and your corporate directory server. See Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Directory Services Server and a Corporate Directory Server.


Creating an Export MetaLink Agreement from the Cisco Unified MeetingPlace Directory Services Master Server to the Slave Server

Note: The one-way export MetaLink between master and slave Directory Services servers is not required if the two servers contain identical profile information or if the slave server contains no profiles. In this situation, proceed to Enabling Changelogs on the Slave Server.


A one-way export MetaLink from a master Cisco Unified MeetingPlace Directory Services server to a slave Directory Services server synchronizes profiles from the master system to the slave system.


Prerequisites
  • Directory Services is installed and attached to each Cisco Unified MeetingPlace system.
  • A Cisco Unified MeetingPlace MetaLink has been created so that each Directory Services server contains profiles from its attached Cisco Unified MeetingPlace system.
  • If two Cisco Unified MeetingPlace systems do contain different profile data, you must create a one-way export MetaLink between the servers before you create a two-way synchronization. This ensures that the most accurate user profile data will overwrite data in the slave system, and guarantees data integrity on both Cisco Unified MeetingPlace systems.

Caution! If this prerequisite is not met, a subsequent two-way synchronization may produce inaccurate data. For example, if user A in system A has the password meeting1, and user A in system B has the password meeting2, a two-way synchronization will not identify the correct information.


Note: You can create multiple export MetaLink agreements if you have more than one slave Directory Services server. You must create export MetaLinks one at a time, rather than simultaneously.


To Create a One-Way Export MetaLink Agreement
  1. In the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory, open the mpds-export.mmu agreement file, which contains the following entries:
    Module LDAP
    Action Add
    AgrName LDAP-Sync-to-DC-Directory
    TimeInterval Automatic
    LDAPTimeOut 0
    AgreementScope /o=comp.com/ou=people
    ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\mpds-export.cfg
    DCDHostName mpds.cisco.com
    portnumber 389
    UserName cn=Admin,o=comp.com
    Password Cisco
    LDAPSubtree /o=comp.com/ou=people
    SuspensePath D:\mpdslog\mpds-export
    SuspenseLimit 100000
    UIDManaged TRUE
    UIDAttr Custom5
  2. Verify that ConfigRecord points to the correct configuration file, mpds-export.cfg.
    Note: Mpds-export.cfg is the default configuration file for an export MetaLink from a master Directory Services server to a slave Directory Services server. This configuration file synchronizes all attributes, including password, username, and profile number, from master to slave system.
  3. Change DCDHostName to the hostname or IP address of the slave Directory Services server.
  4. Change Password to the slave Directory Services server console Admin password. Unless you created a different name during server installation, the slave Directory Services server default UserName is cn=admin,o=comp.com.
  5. In the C:\mpdslogs directory, create a suspense file folder for this MetaLink agreement that matches the folder name in the SuspensePath attribute.
  6. Save the mpds-export.mmu file.
  7. From the Windows Start menu, choose Run.
  8. Open a command prompt window by entering cmd.
  9. Change to the directory that contains mpds-export.mmu.
  10. Enter dcdmmu process mpds-export.mmu.


Deleting the One-Way Export MetaLink Agreement

After the synchronization process is complete between the master and slave Directory Services servers, delete the one-way export MetaLink agreement before creating the two-way synchronization MetaLink agreement.


To Delete the One-Way Export MetaLink Agreement
  1. By using Notepad, open the mpds-export.mmu.out file, which is located in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
  2. Write down the agreement ID for the MetaLink agreement, such as AgreementID 4.
  3. From the Windows Start menu, choose Programs > DC Directory Administrator.
  4. Log in as Admin. The main directory administration window appears.
  5. To display the Cisco Unified MeetingPlace Directory Services Domain window, choose Manage > Domain.
  6. To display the Server Management window, double-click the server name in the window.
  7. To display the MetaLink list, choose Server > MetaLink.
  8. Expand the LDAP Live Sync Module and locate the LDAP-Sync-to-DC-Directory: <AgreementID> that corresponds to the agreementID that you wrote down in Step 2.
  9. Right-click the AgreementID; to delete the entry from the MetaLink list, choose Delete.


Enabling Changelogs on the Slave Server

The changelog on a Directory Services server records changes to server data, allowing other Directory Services servers to synchronize the changes.


To enable the changelog on the slave Cisco Unified MeetingPlace Directory Services server, do the following procedures:


To Create a Changelog Object on the Slave Cisco Unified MeetingPlace Directory Services Server
  1. From the Windows Start menu, choose Programs > DC Directory Administrator.
  2. Log in as Admin. The main directory administration window displays.
  3. Display the Directory Services server by choosing Manage > Domain.
  4. Display the Server Management window by double-clicking the server name.
  5. Choose File > New Admin Area. In the New Admin Area dialog box, enter cn=changelog in the Directory Name field and click OK.
    In the Ambiguous Object Class dialog box, a default object class appears for the changelog.
  6. To accept the default, click OK.
    At the main administration console, a new Changelog folder appears under the Directory folder in the left panel.


To Create a Changelog Agreement on the Slave Cisco Unified MeetingPlace Directory Services Server
  1. Use Notepad to open the changelog.mmu agreement file, which is located in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory.
    The file contains these entries:
    Module CHNGLG
    Action Add
    AgrName ChangeLog-Export-Agreement
    TimeInterval OnChange
    AgreementScope /o=comp.com/ou=people
    MaxChanges 60000
  2. For MaxChanges, enter the number of changes that you want to store in the Directory Services server.
    Note: We recommend that this value be less than 35,000.
  3. Save and close the changelog.mmu file.
  4. From the Windows Start menu, choose Run.
  5. Open a command prompt window by entering cmd.
  6. Change to the directory that contains changelog.mmu.
  7. Enter dcdmmu process changelog.mmu.
    A changelog agreement on the slave Directory Services server is created.


Creating a Two-Way MetaLink Agreement on the Master Cisco Unified MeetingPlace Directory Services Server

After you create the changelog on the slave Directory Services server, create a MetaLink agreement on the master Directory Services server to synchronize profiles in both directions between the servers.


Note: You can create multiple two-way MetaLink agreements if you have more than one set of paired Directory Services servers. You must create MetaLinks one at a time, rather than simultaneously.


Prerequisites


Note: The following procedures refer to the second Directory Services server as the slave server, but both servers can also be described as masters.


To Create a Two-Way MetaLink Agreement on the Master Directory Services Server
  1. Use Notepad to open the mpds-repl.mmu agreement file, which is located in the C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config directory on the master server.
    The file contains the following entries:
    Module LDAP
    Action Add
    AgrName LDAP-Sync-to-DC-Directory
    TimeInterval Automatic
    LDAPTimeOut 0
    AgreementScope /o=comp.com/ou=people
    ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\mpds-repl.cfg
    DCDHostName mpds.cisco.com
    portnumber 389
    UserName cn=Admin,o=comp.com
    Password Cisco
    LDAPSubtree /o=comp.com/ou=people
    SuspensePath C:\mpdslog\mpds-repl
    SuspenseLimit 100000
    SuspenseDaily FALSE
    UIDManaged TRUE
    UIDAttr Custom5
  2. Verify that ConfigRecord points to the mpds-repl.cfg configuration file.
    Note: This is the default configuration file for a two-way synchronization MetaLink agreement between master Directory Services servers. This configuration file synchronizes all attributes, including passwords, user names, and profile numbers, between two Cisco Unified MeetingPlace systems.
  3. Change DCDHostName to the hostname or IP address of the slave Directory Services server with changelog enabled.
  4. Change Password to the slave Directory Services server console Admin password. On the paired Cisco Unified MeetingPlace Directory Services server, the default UserName is cn=admin,o=comp.com.
  5. In the C:\mpdslogs directory, create a suspense file folder for this MetaLink agreement that matches the folder name in the SuspensePath attribute.
  6. Save the mpds-repl.mmu file.
  7. From the Windows Start menu, choose Run.
  8. Open a command prompt window by entering cmd.
  9. Change to the directory containing mpds-repl.mmu.
  10. Enter dcdmmu process mpds-repl.mmu.
    A two-way synchronization MetaLink agreement between the paired Directory Services servers is created.
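A pre-flight check for steps 2 to 5 of the one-way export and two-way procedures above, run before dcdmmu process; this is an added example, not part of Directory Services. The function names, the one-keyword-per-line parsing, and both sample agreement files are assumptions constructed for illustration.

```python
import os
import re

# Values printed in this page's sample listings. An agreement that still holds
# them was not edited (steps 3 and 4) or reuses a publicly documented password.
SAMPLE_HOSTS = {"mpds.cisco.com"}
SAMPLE_PASSWORDS = {"Cisco", "mp147sy"}

# Constructed agreement files: one left at sample values (with a ConfigRecord
# that lacks the backslash after the drive letter), one edited for a site.
UNEDITED = r"""Module LDAP
Action Add
AgrName LDAP-Sync-to-DC-Directory
ConfigRecord @C:Program Files\Cisco Systems\MeetingPlace Directory Services\config\mpds-repl.cfg
DCDHostName mpds.cisco.com
portnumber 389
UserName cn=Admin,o=comp.com
Password Cisco
SuspensePath C:\mpdslog\mpds-repl
"""
EDITED = r"""Module LDAP
Action Add
AgrName LDAP-Sync-to-DC-Directory
ConfigRecord @C:\Program Files\Cisco Systems\MeetingPlace Directory Services\config\mpds-repl.cfg
DCDHostName 192.0.2.20
portnumber 389
UserName cn=Admin,o=comp.com
Password constructed-Passphrase-91
SuspensePath C:\mpdslogs\mpds-repl
"""
# Constructed stand-in for the suspense folders that exist on the server.
CREATED_FOLDERS = {r"c:\mpdslogs\mpds-repl"}


def parse_agreement(text):
    """Return {lowercased keyword: value}, assuming one 'Keyword value' per line."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            fields[key.lower()] = value.strip()
    return fields


def preflight(text, config_name, dir_exists=os.path.isdir):
    """Return (keyword, problem) pairs; an empty list means steps 2 to 5 look done."""
    f, findings = parse_agreement(text), []
    cfg = f.get("configrecord", "")
    if not re.fullmatch(r"@[A-Za-z]:\\.+", cfg):
        findings.append(("ConfigRecord", "not '@' followed by a full drive path"))
    elif not cfg.lower().endswith("\\" + config_name.lower()):
        findings.append(("ConfigRecord", f"does not name {config_name}"))
    if f.get("dcdhostname", "").lower() in SAMPLE_HOSTS | {""}:
        findings.append(("DCDHostName", "missing or still the sample hostname"))
    if f.get("password", "") in SAMPLE_PASSWORDS | {""}:
        findings.append(("Password", "missing or a value printed in the documentation"))
    suspense = f.get("suspensepath", "")
    if not suspense or not dir_exists(suspense):
        findings.append(("SuspensePath", "folder has not been created"))
    return findings


if __name__ == "__main__":
    exists = lambda path: path.lower() in CREATED_FOLDERS
    for name, text in (("unedited", UNEDITED), ("edited", EDITED)):
        print(name, preflight(text, "mpds-repl.cfg", exists))
```

The agreement file holds the slave server's Admin password in clear text, so the check reports only the keyword and never echoes the value.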


Synchronizing Cisco Unified MeetingPlace Directory Services with the Cisco Unified CallManager Database

Note: If your implementation of Cisco Unified CallManager connects to an external LDAP directory or Microsoft Active Directory, you cannot use Directory Services to synchronize user information with Cisco Unified MeetingPlace. You can configure Directory Services to synchronize with the Cisco Unified CallManager database only if you are using the Cisco Unified CallManager internal user directory to store user information.

Note: Cisco Unified MeetingPlace Directory Services does not support Cisco Unified Communications Manager Release 5.x or Release 6.1 synchronization. For those releases, synchronize directly with Active Directory.


Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. If you have an IP telephony environment that includes Cisco Unified CallManager, you can use Directory Services to synchronize the user information that is stored in the Cisco Unified CallManager database with your Cisco Unified MeetingPlace user information.


For information about which releases of Cisco Unified CallManager are supported by Cisco Unified MeetingPlace Directory Services, see System Requirements.


Creating a MetaLink Agreement with Cisco Unified CallManager 4.X

Synchronizing user data with the Cisco Unified CallManager server is similar to synchronizing data with an external LDAP directory except that synchronization requires an export MetaLink agreement on the Cisco Unified CallManager server rather than an import agreement on the Directory Services server. The export MetaLink agreement exports user data as it is added, modified, or deleted from the Cisco Unified CallManager database.


Note: Although it is possible to use an import agreement to synchronize user data from Cisco Unified CallManager, the performance impact on the Cisco Unified CallManager server will increase because of the additional overhead involved in maintaining a changelog on the Cisco Unified CallManager user directory. We recommend and support only an export synchronization agreement when synchronizing Directory Services with Cisco Unified CallManager.


Directory Services provides default MetaLink agreement and configuration files specifically designed for synchronization with Cisco Unified CallManager. These files are located in the config directory, which is in the location where you installed Directory Services.


Prerequisites
  • Synchronize Directory Services with your Cisco Unified MeetingPlace Audio Server system. See Creating a MetaLink Agreement Between the Cisco Unified MeetingPlace Audio Server and the Directory Services Server.
  • For Cisco Unified CallManager Release 4.0.x or earlier releases: The SuspenseDaily parameter must have a value of False, which is the default value.
  • For Cisco Unified CallManager or Communications Manager Release 4.1.x or later releases: The SuspenseDaily parameter must not be present in the ccm-export.mmu file; comment out the line that contains this parameter.


To Create a MetaLink Agreement with Cisco Unified CallManager
  1. Modify the ccm-export.cfg configuration file according to your business requirements by adding attribute mapping rules and configuring any needed plug-in functions.
  2. Copy the ccm-export.mmu agreement and ccm-export.cfg configuration files from your Directory Services server to the Cisco Unified CallManager server. Create a folder for the files if one does not exist, such as <drive>:\mpds-export.
  3. Use Notepad to modify the fields in the ccm-export.mmu file so that it contains the following information:
    • ConfigRecord: Enter the full path to the configuration file (ccm-export.cfg). The path must start with an at sign (@).
    • Password: Enter the Directory Services database password.
    • DCDHostName: Enter the IP address or hostname of the Directory Services server.
  4. Create a directory on the Cisco Unified CallManager server for the synchronization process suspense files, such as <drive>:\mpds-export\suspense\.
  5. From the Windows Start menu, choose Run.
  6. Open a command prompt window by entering cmd.
  7. Change to the directory on the Cisco Unified CallManager server where you copied the agreement and configuration files.
  8. Enter dcdmmu process ccm-export.mmu.
    A text output file named ccm-export.mmu.out is created.
  9. Open the ccm-export.mmu.out file and check the contents to verify that the MetaLink agreement was successfully created.
  10. If the ccm-export.mmu.out file describes any errors, resolve them, then reenter dcdmmu process ccm-export.mmu.


To Stop the Synchronization Process Between Cisco Unified CallManager and Directory Services

Delete the MetaLink agreement by following the procedure in Deleting the One-Way Export MetaLink Agreement.
