Cisco Unified Presence, Release 7.x -- How to Integrate the LDAP Directory with Cisco Unified Personal Communicator
These topics describe how to configure the LDAP settings on Cisco Unified Presence to allow Cisco Unified Personal Communicator users to search and add contacts from the LDAP directory.
Before you perform the configuration described here, fully integrate the Cisco Unified Personal Communicator client with Cisco Unified Communications Manager and Cisco Unified Presence.
Rules for a Displayed Contact Name
When you are configuring the user fields in the LDAP attribute map, note the following rules that determine how names are displayed as contacts in Cisco Unified Personal Communicator:
- If the user edits a contact name in Cisco Unified Personal Communicator, display this name. This is the Nickname LDAP attribute in Cisco Unified Presence.
- If you configured an LDAP user field for DisplayName, display this name.
- If you configured an LDAP user field for Nickname, display this name with the last name.
- Otherwise, display the configured LDAP user fields for the first and last names in the Contact pane. If there is a first name but no last name, display the first name. If there is a last name but no first name, display the last name.
- If you do not configure LDAP user fields for the FirstName and LastName, display the LDAP UserID or the Cisco Unified Presence user ID in the Contact pane.
- If a user adds a non-LDAP contact, the contact details in Cisco Unified Personal Communicator allow the user to edit the Display As name, the first name, and the last name.
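The precedence above, as an added Python illustration that is not Cisco's code: the field names of the Contact class, and keeping a user-edited name separate from the mapped Nickname field, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Contact:
    """One contact as seen through the LDAP attribute map (assumed field names)."""
    user_id: str                        # UPC UserID / Cisco Unified Presence user ID
    first_name: Optional[str] = None    # LDAP field mapped to FirstName
    last_name: Optional[str] = None     # LDAP field mapped to LastName
    display_name: Optional[str] = None  # LDAP field mapped to DisplayName
    nickname: Optional[str] = None      # LDAP field mapped to Nickname
    edited_name: Optional[str] = None   # name the user typed in the client


def displayed_name(c: Contact) -> str:
    """Resolve the name shown in the Contact pane, checking the rules in the
    order the page lists them; the first rule that applies wins."""
    if c.edited_name:                   # user edited the contact name
        return c.edited_name
    if c.display_name:                  # DisplayName field mapped and populated
        return c.display_name
    if c.nickname:                      # Nickname field: nickname plus last name
        return f"{c.nickname} {c.last_name or ''}".strip()
    if c.first_name and c.last_name:    # both name fields mapped and populated
        return f"{c.first_name} {c.last_name}"
    if c.first_name or c.last_name:     # only one of the two is available
        return c.first_name or c.last_name
    return c.user_id                    # fall back to the user ID


# Constructed sample contacts, one per rule.
SAMPLE_CONTACTS = [
    Contact("jdoe", "John", "Doe", edited_name="Johnny"),
    Contact("jdoe", "John", "Doe", display_name="Doe, John"),
    Contact("jdoe", "John", "Doe", nickname="JD"),
    Contact("jdoe", "John", "Doe"),
    Contact("jdoe", first_name="John"),
    Contact("jdoe"),
]
```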
Fetch Contact Pictures from a Web Server
You can configure a parameterized URL string in the Photo field in the LDAP attribute map so that Cisco Unified Personal Communicator can fetch pictures from a web server instead of from the LDAP server. The URL string must contain an LDAP attribute with a query value containing a piece of data that uniquely identifies the photo of the user. We recommend you use the User ID attribute. However, you can use any LDAP attribute whose query value contains a piece of data that uniquely identifies the photo of the user.
We recommend that you use %%<userID>%% as the substitution string (see the example below).
The double percent symbols are required, and they must enclose the name of the LDAP attribute to substitute. Cisco Unified Personal Communicator removes the percent symbols and replaces the parameter inside with the results of an LDAP query for the user whose photo is to be resolved.
For example, if a query result contains the attribute "uid" with a value of "johndoe", then a template such as http://mycompany.com/photos/%%uid%%.jpg creates the URL http://mycompany.com/photos/johndoe.jpg, and Cisco Unified Personal Communicator attempts to fetch the photo from that URL.
This substitution technique works only if Cisco Unified Personal Communicator can take the results of the query and insert them into the template to construct a working URL that fetches a JPG photo. If the web server where the company hosts its photos requires a POST (for example, the name of the user is not in the URL) or uses some other cookie name for the photo instead of the username, this technique does not work.
- The URL length is limited to 50 characters.
- Cisco Unified Personal Communicator does not support authentication for this query; the photo must be retrievable from the web server without credentials.
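An added example (not Cisco's client code) of how a %%attribute%% template expands against a constructed LDAP query result, rejecting results that would not give a working fetch under the limits above; percent-encoding the substituted value is an extra check assumed here, not a documented client behaviour.

```python
import re
from urllib.parse import quote, urlsplit

URL_MAX_LEN = 50  # URL length limit stated on this page
PLACEHOLDER = re.compile(r"%%([A-Za-z][A-Za-z0-9-]*)%%")  # %%attribute%% markers


def expand_photo_url(template: str, entry: dict) -> str:
    """Render the Photo template for one user's LDAP query result.

    `entry` maps attribute names to values, standing in for the attributes the
    LDAP query returns for the user whose photo is being resolved. Raises
    ValueError for anything that cannot become a working unauthenticated JPG fetch.
    """
    if not PLACEHOLDER.search(template):
        raise ValueError("template contains no %%attribute%% placeholder")

    def substitute(match):
        name = match.group(1)
        value = entry.get(name)
        if not value:
            raise ValueError(f"attribute {name!r} is missing or empty in the query result")
        # Percent-encode the value so a '/', '?' or space stored in the directory
        # cannot alter the requested path (added check, not documented client behaviour).
        return quote(str(value), safe="")

    url = PLACEHOLDER.sub(substitute, template)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url}")
    if not parts.path.lower().endswith(".jpg"):
        raise ValueError(f"URL does not end in a .jpg file: {url}")
    if len(url) > URL_MAX_LEN:
        raise ValueError(f"URL is {len(url)} characters; the limit is {URL_MAX_LEN}")
    return url


def expand_for_directory(template: str, entries: list) -> list:
    """Render the template for every entry and reject an attribute that does not
    identify each user's photo uniquely (two users mapping to one URL)."""
    urls = [expand_photo_url(template, e) for e in entries]
    duplicates = sorted({u for u in urls if urls.count(u) > 1})
    if duplicates:
        raise ValueError(f"attribute does not identify users uniquely: {duplicates}")
    return urls

# Constructed sample: the template from the text applied to two directory entries.
SAMPLE_TEMPLATE = "http://mycompany.com/photos/%%uid%%.jpg"
SAMPLE_ENTRIES = [{"uid": "johndoe", "sn": "Doe"}, {"uid": "janedoe", "sn": "Doe"}]
```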
Configuring the LDAP Attribute Map
You must configure the LDAP attribute map on Cisco Unified Presence where you enter LDAP attributes for your environment and map them to the given Cisco Unified Personal Communicator attributes.
If you want to use LDAP to store your employee profile photos, you must either use a third-party extension to upload the photo files to the LDAP server, or extend the LDAP directory server schema by other means to create an attribute which can be associated with an image. For Cisco Unified Personal Communicator to display the profile photo, in the LDAP attribute map, you must map the Cisco Unified Personal Communicator "Photo" value to the appropriate LDAP attribute. By default, Cisco Unified Personal Communicator uses the jpegPhoto LDAP attribute to display the user photo, which is present in the Windows 2003 and 2007 Active Directory schema. Note that Windows 2000 Active Directory uses the thumbnailPhoto attribute.
Before You Begin
Make sure that you install and set up the LDAP server before configuring the LDAP attribute map on Cisco Unified Presence.
- The UPC UserID setting in the LDAP attribute map must match the Cisco Unified Communications Manager user ID. This mapping is required for a contact in LDAP to be added to the Contact list in Cisco Unified Personal Communicator. This field associates the LDAP user with the associated user on Cisco Unified Communications Manager and Cisco Unified Presence.
- You can map an LDAP field to only one Cisco Unified Personal Communicator field.
1. Select Cisco Unified Presence Administration > Application > Cisco Unified Personal Communicator > Settings.
2. Select a supported LDAP server from Directory Server Type. The selected server type populates the LDAP attribute map with Cisco Unified Personal Communicator user fields and LDAP user fields.
3. If necessary, modify the LDAP fields to match your specific LDAP directory. The values are global to all LDAP server hosts. Note the following LDAP directory product mappings:
Product LastName Mapping UserID Mapping
Microsoft Active Directory
Sun ONE, Netscape, or OpenLDAP
4. Select Save.
- If you want to stop using the current attribute mappings and use the factory default settings, select Restore Defaults.
- You can see the LDAP attribute mappings in the Server Health window in Cisco Unified Personal Communicator (Help > Show Server Health on Windows).
- For information on faster LDAP searches, see the Troubleshooting Guide for Cisco Unified Personal Communicator:
What To Do Next
Configuring LDAP Server Names and Addresses
The LDAP interface is used for LDAP authentication when Cisco Unified Personal Communicator users sign in. You can provision one or more LDAP servers. Subsequently, these servers can be added to an LDAP profile, which enables you to partition users across different LDAP servers.
Before You Begin
- Configure the LDAP attribute map.
- Obtain the hostnames or IP addresses of the LDAP directories.
If you are specifying more than one LDAP directory for failover support in Cisco Unified Personal Communicator, the LDAP directory servers must all be of the same product type (all Microsoft Active Directory, all Sun One or Netscape Directory, or all OpenLDAP Directory). The LDAP attribute schema must be the same on all directories.
1. Complete one of the following actions:
- To add an LDAP server: select Application > Cisco Unified Personal Communicator > LDAP Server, then select Add New.
- To update an LDAP server: find the record (see the Finding a Network Component topic for instructions), then edit the record as required.
2. Enter the LDAP settings as described below:
- Specifies the name of the LDAP server.
- Provides a general description of the LDAP server.
- Specifies the IP address or a Fully Qualified Domain Name (FQDN) of the LDAP server.
- Specifies the port number used by the LDAP server. Default port number: 389. Note: Check the LDAP directory documentation or the LDAP directory configuration for this information.
- Specifies the protocol to use when the LDAP server is contacted. Select one of the following values:
3. Select Save.
- If you are integrating with Microsoft Active Directory and the server is a Global Catalog server, configure the following values:
- Enter 3268 as the port number.
- Select TCP as the protocol type.
- The jpegPhoto attribute is not available on a Microsoft Active Directory Global Catalog server, and it is not indexed (http://msdn2.microsoft.com/en-us/library/ms676813.aspx). If your LDAP configuration uses Global Catalog port 3268, jpegPhoto is not retrievable. Instead, change the LDAP directory configuration to TCP and port 389. The photo is retrieved when you sign in to Cisco Unified Personal Communicator again.
- If an application dial rule is configured, create proper directory lookup dialing rules in Cisco Unified Communications Manager to make sure that a picture displays both when you place a call to a contact and in the contact details. When you add a contact in Cisco Unified Personal Communicator, the directory lookup returns a 10-digit number (for example, 1234567890). If the user places the call by dialing only four digits (for example, 7890), the picture does not display because 7890 is not a match for 1234567890. Create the following rules to fix this problem:
- Outbound rule to remove the area code. The picture displays in the contact details.
- Inbound rule for directory lookup to prefix the area code (translate the 4-digit extension number into the 10-digit DID number stored in AD). The picture displays when you place a call.
- You can see LDAP server information in the server health window in Cisco Unified Personal Communicator (Help > Show Server Health on Windows).
- Configuring the LDAP Attribute Map
- Configuring the Cisco Unified Personal Communicator Client
- Getting More Information
What To Do Next
Creating LDAP Profiles and Adding Users to the Profile
Cisco Unified Personal Communicator connects to an LDAP server on a per-search basis. If the connection to the primary server fails, Cisco Unified Personal Communicator tries the first backup LDAP server, and if it is not available, it then tries the second backup server. Cisco Unified Personal Communicator also periodically tries to return to the primary LDAP server. An LDAP query that is in process when the system fails over to a secondary server is processed on the next available server.
Connection status information is updated in the Server Health window (Help > Show Server Health on Windows). If Cisco Unified Personal Communicator cannot connect to any of the LDAP servers, it reports the failure in the System Diagnostics window.
Before You Begin
- Specify the LDAP server names and addresses.
- You must create the LDAP profile before you can add Cisco Unified Personal Communicator licensed users to the profile.
1. Select Cisco Unified Presence Administration > Application > Cisco Unified Personal Communicator > LDAP Profile.
2. Select Add New.
3. Enter information into the fields:
- Enter the profile name, limited to 128 characters.
- Enter a description, limited to 128 characters.
- Bind Distinguished Name: Enter the administrator-level account information, limited to 128 characters. This is the distinguished name with which you bind for authenticated bind. The syntax for this field depends on the type of LDAP server you deploy. For details, see the LDAP server documentation.
- Anonymous Bind: Uncheck this option to use the user credentials to sign in to this LDAP server. For non-anonymous bind operations, Cisco Unified Personal Communicator receives one set of credentials. These credentials must be valid on the backup LDAP servers, if they are configured.
Note: If you check Anonymous Bind, users can sign in anonymously to the LDAP server with read-only access. Anonymous access might be possible on your directory server, but it is not recommended. Instead, create a user with read-only privileges on the same container where the users to be searched are located, and specify that account's distinguished name and password in Cisco Unified Presence for Cisco Unified Personal Communicator to use.
- Password: Enter the LDAP bind password, limited to 128 characters. This is the password for the administrator-level account that you provided in the Bind Distinguished Name string that allows users to access this LDAP server.
- Enter the same password as the one entered in the Password field.
Note: After configuring Cisco Unified Presence for authenticated bind with the LDAP server, configure the LDAP server for anonymous permissions and anonymous login so that all directory information (name, number, mail, fax, home number, and so forth) is passed to the Cisco Unified Personal Communicator client.
- Enter the location where all LDAP users are configured. This location is a container or directory. The name is limited to 256 characters. Only a single OU/LDAP search context is supported.
Note: If integrating with Microsoft Active Directory:
  - Set O and OU (OU must contain users; for example, ou=users,dc=cisco,dc=com).
  - For example, cn=users,DC=EFT-LA,DC=cisco,DC=com
  - The search base should include all users of Cisco Unified Personal Communicator.
- Check to perform a recursive search of the directory starting at the search base.
- Primary LDAP Server and Backup LDAP Server: Select the primary LDAP server and optional backup servers.
- Make this the Default LDAP Profile for the System: (Optional) Check so that any new users who are added to the system are automatically placed into this default profile. Users who are already synchronized with Cisco Unified Presence from Cisco Unified Communications Manager are not added to the default profile. However, once the default profile is created, any users synchronized after that are added to the default profile.
- Add Users to Profile: Select the button to open the Find and List Users window. Select Find to populate the search results fields, or search for a specific user, and then select Find. Select users, and add them to this profile by selecting Add Selected.
4. Select Save.
You can see the LDAP profile information in the server health window in Cisco Unified Personal Communicator (Help > Show Server Health on Windows).
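An added pre-flight check, not part of Cisco's product, that applies the rules stated in this section and the LDAP server section (field length limits, the anonymous-bind recommendation, one product type across failover servers, and the Global Catalog port caveat for jpegPhoto) to a profile before it is saved; the dictionary keys and sample data are assumptions constructed for the example.

```python
FIELD_LIMITS = {"name": 128, "description": 128, "bind_dn": 128,
                "password": 128, "search_context": 256}  # limits stated on this page
GLOBAL_CATALOG_PORT = 3268  # Active Directory Global Catalog port (this page)


def check_ldap_profile(profile, servers, photo_attribute="jpegPhoto"):
    """Return a list of findings for one LDAP profile; an empty list means none.

    `profile` uses assumed keys: name, description, bind_dn, password,
    anonymous_bind, search_context, primary, backups. `servers` maps each
    provisioned LDAP server name to {"type": <product>, "port": <int>}.
    `photo_attribute` is the LDAP attribute mapped to Photo in the attribute map.
    """
    findings = []
    for field, limit in FIELD_LIMITS.items():
        if len(profile.get(field) or "") > limit:
            findings.append(f"{field} exceeds {limit} characters")
    if not profile.get("search_context"):
        findings.append("search context is empty")
    # Anonymous bind gives anyone read-only access; the page recommends a
    # dedicated read-only bind account on the users' container instead.
    if profile.get("anonymous_bind"):
        findings.append("anonymous bind enabled: use a read-only bind account instead")
    elif not (profile.get("bind_dn") and profile.get("password")):
        findings.append("authenticated bind requires a bind DN and password")
    names = [n for n in [profile.get("primary"), *profile.get("backups", [])] if n]
    if not names:
        findings.append("no primary LDAP server selected")
    for name in names:
        if name not in servers:
            findings.append(f"server {name!r} is not provisioned")
    known = [servers[n] for n in names if n in servers]
    # Failover works only when every server is the same directory product.
    if len({s["type"] for s in known}) > 1:
        findings.append("primary and backup servers must be the same product type")
    # jpegPhoto cannot be retrieved over the Global Catalog port.
    if photo_attribute == "jpegPhoto" and any(s["port"] == GLOBAL_CATALOG_PORT for s in known):
        findings.append("jpegPhoto is not retrievable on Global Catalog port 3268; use port 389")
    return findings


# Constructed sample data: three provisioned servers and one profile.
SAMPLE_SERVERS = {"ad1": {"type": "Microsoft Active Directory", "port": 389},
                  "ad-gc": {"type": "Microsoft Active Directory", "port": 3268},
                  "sun1": {"type": "Sun ONE", "port": 389}}
SAMPLE_PROFILE = {"name": "corp", "description": "Corporate users",
                  "bind_dn": "cn=upc-ro,cn=users,dc=example,dc=com", "password": "secret",
                  "anonymous_bind": False, "search_context": "cn=users,dc=example,dc=com",
                  "primary": "ad1", "backups": []}
```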