Discovery 5: Configure and Troubleshoot LDAP Integration in Cisco Unified Communications Manager

The document outlines the steps to configure and troubleshoot LDAP integration with Cisco Unified Communications Manager (UCM), including synchronization, authentication, and user attribute modification. It details tasks such as setting up LDAP synchronization with Microsoft Active Directory, configuring LDAP authentication, and troubleshooting common issues using the Cisco Unified RTMT tool. The lab is designed to enhance understanding of LDAP integration processes and their implications on user management within Cisco UCM.

Uploaded by

Dúber Pérez

Discovery 5: Configure and Troubleshoot LDAP Integration in Cisco Unified Communications Manager


Introduction
LDAP provides applications with a standard method for accessing and potentially modifying the information that is
stored in a directory. This capability enables companies to centralize all user information in a single repository that
is available to several applications, with a remarkable reduction in maintenance costs because adds, moves, and
changes are easier.

You will configure LDAP synchronization between Cisco Unified Communications Manager (HQ-UCM) and the
LDAP server (WIN-SERVER01). Then you will configure LDAP authentication and test the authentication of the
user jdoe against an LDAP directory. You also will configure an LDAP filter to limit your LDAP synchronization to a
subset of users from your LDAP directory. Then you will modify object attributes on the LDAP server and see the
impact on HQ-UCM after resynchronization. Then you will change the LDAP attribute for the user ID from
sAMAccountName to userPrincipalName and see the impact on HQ-UCM after resynchronization. Finally, you will
troubleshoot a common mistake during the LDAP synchronization process using traces in Cisco Unified
Communications Manager Real-Time Monitoring Tool (Cisco Unified RTMT).

You will not register any endpoints. You will test user account synchronization from HQ-UCM.

This lab will take approximately 1 hour to complete.

Topology

Job Aid
Device Information
Device        Description                            IP Address    Credentials
PC-1          PC 1                                   10.1.5.200    Student, C0ll@B
HQ-UCM        Cisco Unified Communications Manager   10.1.5.5      Administrator, C0ll@B
WIN-SERVER01  Windows Server                         10.1.5.100    Administrator, C0ll@B

Task 1: Configure LDAP Synchronization


LDAP synchronization helps you provision and configure end users for your system.

You will configure LDAP synchronization between HQ-UCM and the LDAP server.

Activity
Configure LDAP Synchronization
When integrating Cisco Unified Communications Manager with a directory service via LDAP, you can configure the
LDAP integration in two different ways:

Setting                                          No LDAP Integration   LDAP Synchronization         LDAP Authentication
Personal and organizational settings:            Local                 LDAP (replicated to local)   LDAP (replicated to local)
  User ID; First, Middle, and Last Name;
  Manager User ID and Department;
  Phone Number and Mail ID
Password                                         Local                 Local                        LDAP
Cisco Unified Communications Manager settings:   Local                 Local                        Local
  PIN and Digest Credentials; Groups and Roles;
  Associated PCs; Controlled Devices;
  Extension Mobility Profile and CAPF;
  Presence Group and Mobility

With LDAP synchronization, only personal and organizational settings are replicated from LDAP. The password is
independently managed locally.

When configuring LDAP synchronization and LDAP authentication, the password is not managed and stored in
Cisco Unified Communications Manager. Authentication is performed at the LDAP server instead.

With both LDAP integration options, settings that are related to Cisco Unified Communications Manager are always
stored locally in Cisco Unified Communications Manager.

You will configure LDAP synchronization with Microsoft Active Directory.

Step 1
On PC-1, open Google Chrome, navigate to Cisco Unified Serviceability (https://10.1.5.5/ccmservice), and log
in with username Administrator and password C0ll@B.

Step 2
Select Tools > Service Activation and choose the CUCM-PUB.CLL-COLLAB.INTERNAL-CUCM Voice/Video
server and click Go.

Step 3
Scroll down to the Directory Services section, and select the check box for the Cisco DirSync service; then
click Save. Accept when you are prompted to enable other services.

Step 4
From the navigation drop-down menu at the top right, select Cisco Unified Communications Manager
Administration, and click Go.

Step 5
Select System > LDAP > LDAP System, configure it with the following parameters, and click Save:

Enable Synchronizing from LDAP Server: Check this box.
LDAP Server Type: Microsoft Active Directory
LDAP Attribute for User ID: sAMAccountName

Step 6
Select System > LDAP > LDAP Directory. Click Add New; then configure the new LDAP directory with the
following parameters and click Save:

LDAP Configuration Name: LDAP Server
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
LDAP User Search Base: cn=Users, dc=cll-collab, dc=internal
Perform a Re-sync Every: 6 HOUR
Cisco Unified Communications Manager User Fields
  Middle Name: middleName
  Phone Number: ipPhone
  Directory URI: mail
Access Control Groups: Standard CCM End Users
Host Name or IP Address for Server: 10.1.5.100

When Cisco Unified Communications Manager LDAP authentication is configured for secure mode (port
636 or 3269), you must upload all LDAP authentication server certificates and Intermediate certificates
as "tomcat-trust" to the IM and Presence Service node.

In this exercise, you are pointing to the root of the domain. This action has the effect of synchronizing all
users in the domain. In a production environment, you will usually point to more granular LDAP
structures or use filters.

In the production environment, you will have a dedicated user in Windows Server for the LDAP Manager
Distinguished Name.

By adding users to the access control group Standard CCM End Users, the user accounts can be used
to access the Cisco Unified Communications Manager end-user pages.
Step 7
Click Perform Full Sync Now and then click OK in the notification window.

Wait a few minutes for the synchronization to be performed. To check if the synchronization has finished,
refresh the page by choosing Back to LDAP Directory Find/List from the Related Links drop-down
menu and then clicking the LDAP Server entry. If the text of the fourth button reads Cancel Sync
Process, then the synchronization is still running. If the text of the fourth button reads Perform Full
Sync Now, then the synchronization has finished.

Step 8
Select User Management > End User and verify that end users have been replicated from the LDAP server.

Step 9
Click the end-user jdoe and note that you cannot change the personal and organizational parameters that are
synchronized with the LDAP server.
Step 10
Verify that the password is still managed locally by setting the Password to C0ll@BTemp and the PIN to 12345.
Then click Save.

Step 11
Log out of Cisco Unified Communications Manager Administration. Then browse to https://10.1.5.5/ucmuser
and log in with the user ID jdoe and password C0ll@BTemp.
Step 12
Log out of the Cisco Unified Communications Self-Care Portal.

Task 2: Configure LDAP Authentication


LDAP authentication allows user authentication against an LDAP directory. When using LDAP authentication,
LDAP manages passwords.

You will change the existing LDAP integration to also use LDAP for authentication.

Activity
LDAP Authentication Overview
With LDAP authentication, Cisco Unified Communications Manager authenticates user credentials against a
corporate LDAP directory. When this feature is enabled, end-user passwords are not stored in the Cisco Unified
Communications Manager database anymore (and are also not replicated to that database) but are stored only in
the LDAP directory.

Personal user data is also managed in LDAP and replicated into the Cisco Unified Communications Manager
database. (LDAP synchronization is mandatory.)

Cisco Unified Communications Manager user data (such as associated PCs or controlled devices) is stored in the
Cisco Unified Communications Manager database for each individual user. As a consequence, the username has
to be known in the Cisco Unified Communications Manager database (to assign Cisco Unified Communications
Manager user settings to the user) and in the LDAP directory (to assign the password to the user). To avoid
separate management of user accounts in these two databases, LDAP synchronization is mandatory with LDAP
authentication.

Step 1
On PC-1, navigate to Cisco Unified Communications Manager Administration (https://10.1.5.5/ccmadmin), and
log in with username Administrator and password C0ll@B.

Step 2
Select System > LDAP > LDAP Authentication, configure it as follows, and click Save:

Use LDAP Authentication for End Users: Check this check box.
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
LDAP User Search Base: cn=Users, dc=cll-collab, dc=internal
Host Name or IP Address for Server: 10.1.5.100

Step 3
Log out of Cisco Unified Communications Manager Administration. Then browse to https://10.1.5.5/ucmuser
and log in with the user ID jdoe and password C0ll@BTemp.

The login fails. The password of the user is now checked against the LDAP server. At the LDAP server,
the password of the user is C0ll@B.

Step 4
Log in with the user ID jdoe and password C0ll@B.
Step 5
Log out of the Cisco Unified Communications Self-Care Portal.

Step 6
In Cisco Unified Communications Manager Administration, choose User Management > End Users, click Find,
and then click end-user jdoe. You will see that the Password parameter is not shown on the end-user
configuration page anymore. You cannot change the password in Cisco Unified Communications Manager
because it is now managed via LDAP.

Task 3: Modify Object Attributes on the LDAP Server


You may need to change object attributes on the LDAP server. The behavior of the modification varies in different
deployments.

You will modify user attributes in the Active Directory on the LDAP server.

Activity
Rename the User in Active Directory
You will change the Joe Green user to Joe Brown, synchronize the HQ-UCM with the LDAP server, and observe
the results.

Step 1
From PC-1 open Remote Desktop Connection from the start menu and connect to the WIN-SERVER01 at IP
address 10.1.5.100. Use cll-collab\Administrator for the username and C0ll@B for the password when
prompted.

Step 2
Open Active Directory Users and Computers from Administrative Tools, right-click Joe Green, and click
Rename. Change the user to Joe Brown. In the Rename User window, change the fields according to the
following parameters and click OK:

Last Name: Brown
Display Name: Joe Brown
User logon name: jbrown

Step 3
Minimize the Remote Desktop Connection window so that PC-1 is in the active window. In Cisco Unified
Communications Manager Administration, choose System > LDAP > LDAP Directory, and choose LDAP
Server.

Step 4
In the LDAP Directory page, click Perform Full Sync Now and then click OK in the notification window.

Account Synchronization with Active Directory


When synchronization is enabled for the first time on a Cisco Unified Communications Manager publisher server,
user accounts that exist in the corporate directory are imported into the Cisco Unified Communications Manager
database. Next, the Cisco Unified Communications Manager end-user accounts are activated and data are
updated, or a new end-user account is created according to the following process:

If end-user accounts exist in the Cisco Unified Communications Manager database and a synchronization
agreement is configured, all pre-existing accounts that were previously synchronized from LDAP are marked as
inactive in Cisco Unified Communications Manager. The configuration of the synchronization agreement specifies a
mapping of an LDAP database attribute to the Cisco Unified Communications Manager User ID. During the
synchronization, accounts from the LDAP database that match a Cisco Unified Communications Manager account
prompt that Cisco Unified Communications Manager account to be marked as active again.

After the synchronization is completed, LDAP synchronized accounts that were not set to active are permanently
deleted from Cisco Unified Communications Manager when the garbage collection process runs. Garbage
collection is a process that runs at the fixed time of 3:15 a.m. (0315), and the time set for garbage collection is not
configurable.

Then, when changes are made in the corporate directory, the synchronization from Microsoft Active Directory
occurs as a full resynchronization at the next scheduled synchronization period.

For Active Directory deployments, the ObjectGUID is used internally in Cisco Unified Communications Manager as
the key attribute of a user. The attribute in Active Directory that corresponds to the Cisco Unified Communications
Manager User ID may be changed in Active Directory. For example, if sAMAccountname is being used, a user can
change their sAMAccountname in Active Directory, and the corresponding user record in Cisco Unified
Communications Manager will be updated.

With all other LDAP platforms, the attribute that is mapped to the user ID is the key for that account in Cisco Unified
Communications Manager. Changing that attribute in LDAP will result in a new user being created in Cisco Unified
Communications Manager, and the original user will be marked as inactive.
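The account lifecycle just described (inactive marking, reactivation keyed by ObjectGUID for Active Directory or by the mapped user-ID attribute for other LDAP servers, and garbage collection of accounts left inactive) as a small model in Python. This is an added example, not Cisco code; the directory entries, the `uid` attribute for the non-AD case, and the status strings are constructed from the lab text.

```python
"""Model of the Cisco UCM DirSync account lifecycle described above.

Added example (not Cisco code). A full sync first marks every LDAP-synchronized
account inactive, then reactivates or updates each account the directory still
returns, matching on objectGUID for Active Directory and on the mapped user-ID
attribute for any other LDAP server; accounts left inactive are removed by the
nightly garbage collection. All directory entries used here are constructed.
"""
from dataclasses import dataclass

ACTIVE = "Active Enabled LDAP Synchronized User"
INACTIVE = "Inactive LDAP Synchronized User"
LOCAL = "Enabled Local User"          # after "Convert LDAP Synchronized User to Local User"
AD = "Microsoft Active Directory"


@dataclass
class EndUser:
    userid: str
    key: str            # objectGUID (AD) or the user-ID attribute value (other LDAP)
    status: str = ACTIVE


def full_sync(db, entries, server_type, userid_attr):
    """One 'Perform Full Sync Now': db is a list of EndUser, entries a list of dicts."""
    for u in db:                                  # 1. pre-existing synced accounts go inactive
        if u.status != LOCAL:
            u.status = INACTIVE
    for e in entries:
        userid = e[userid_attr]
        key = e["objectGUID"] if server_type == AD else userid
        match = next((u for u in db if u.status != LOCAL and u.key == key), None)
        if match is None:                         # a converted local user with the same
            match = next((u for u in db if u.status == LOCAL and u.userid == userid), None)
        if match is None:                         # 3. no match: create a new end user
            db.append(EndUser(userid, key))
        else:                                     # 2. match: reactivate and update record
            match.userid, match.key, match.status = userid, key, ACTIVE
    return db


def garbage_collect(db):
    """Runs at 03:15 (not configurable): purge accounts still inactive after the sync."""
    return [u for u in db if u.status != INACTIVE]


def statuses(db):
    """User ID -> status, as the End User Find/List page would show it."""
    return {u.userid: u.status for u in db}


if __name__ == "__main__":
    # Constructed AD entries: renaming jgreen to jbrown keeps the objectGUID,
    # so UCM updates the existing record instead of creating a second user.
    ad = [{"objectGUID": "g1", "sAMAccountName": "jdoe"},
          {"objectGUID": "g2", "sAMAccountName": "jgreen"}]
    db = full_sync([], ad, AD, "sAMAccountName")
    ad[1]["sAMAccountName"] = "jbrown"
    print(statuses(full_sync(db, ad, AD, "sAMAccountName")))
    # Any other LDAP server keys on the user-ID attribute itself: the rename
    # creates jbrown and leaves jgreen inactive until garbage collection.
    other = full_sync([], [{"uid": "jgreen"}], "OpenLDAP", "uid")
    print(statuses(full_sync(other, [{"uid": "jbrown"}], "OpenLDAP", "uid")))
    print(statuses(garbage_collect(other)))
```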

Step 5
In Cisco Unified Communications Manager Administration, choose User Management > End User and verify
that the user Joe Green has been updated and is now Joe Brown.
Convert an LDAP Synchronized User to a Local User
User information that is synchronized from the LDAP directory can be converted to local user information so that
the user information can be edited locally on Cisco Unified Communications Manager. Local end users can be
added manually using the Cisco Unified Communications Manager Administration GUI. During an LDAP
synchronization, a local end user is converted to an active LDAP user. If a user with the same user ID is found in
LDAP, the locally configured data is replaced with data from the directory.

You will change the user from LDAP synchronized to a local user. In a production environment, you will make this
change for the most important users.

Step 6
In the Find and List Users page, click the user jdoe, check the Convert LDAP Synchronized User to Local
User check box, and click Save.

Step 7
In the Find and List Users page, click Find and observe the User Status of the user jdoe. Notice it is now
indicating a status of Enabled Local User.

Step 8
Select System > LDAP > LDAP Directory and choose LDAP Server.

Step 9
In the LDAP Directory page, click Perform Full Sync Now and then click OK in the notification window.

Step 10
Select User Management > End User and notice that the User Status for Jdoe is now back to Active Enabled
LDAP Synchronized User.

Task 4: Apply a Different Namespace


When synchronization is enabled with an Active Directory forest containing multiple trees, multiple synchronization
agreements are still needed for the same reasons that were listed previously. Also, Active Directory guarantees
that the UserPrincipalName attribute is unique across the forest and must be chosen as the attribute that is
mapped to the Cisco Unified Communications Manager user ID.

You will change the LDAP attribute for the user ID from sAMAccountName to userPrincipalName in a working
environment and evaluate the impact.

Activity
Use the User Principal Name Namespace
If the Microsoft Active Directory forest has multiple trees, some additional considerations apply. Because a single
LDAP search base cannot cover multiple namespaces, Cisco Unified Communications Manager must use an
alternate mechanism to authenticate users across these discontiguous namespaces.

You will change the LDAP attribute for the user ID to userPrincipalName, perform the synchronization, and see
the difference in the End User configuration page.

You must delete all LDAP directories before making changes in LDAP system information.

Step 1
In Cisco Unified Communications Manager Administration, select System > LDAP > LDAP Directory and delete
the LDAP Server configuration. Click OK in the notification window.

Step 2
Select System > LDAP > LDAP System, configure the LDAP system with the following parameters, and click
Save:

Enable Synchronizing from LDAP Server: Check the box.
LDAP Server Type: Microsoft Active Directory
LDAP Attribute for User ID: userPrincipalName

Step 3
Select System > LDAP > LDAP Directory, click Add New, use the following parameters to configure the new
directory, and then click Save:

LDAP Configuration Name: LDAP Server
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
LDAP User Search Base: cn=Users, dc=cll-collab, dc=internal
LDAP Custom Filter for Users: <None>
Perform a Re-sync Every: 6 HOUR
Cisco Unified Communications Manager User Fields
  Middle Name: middleName
  Phone Number: ipPhone
  Directory URI: mail
Access Control Groups: Standard CCM End Users
Host Name or IP Address for Server: 10.1.5.100

Step 4
In the LDAP Directory page, click Perform Full Sync Now and then click OK in the notification window.

Step 5
Select User Management > End User and verify that end users have been replicated from the LDAP server.
You will see that the user ID was changed from sAMAccountName to the User Principal Name.

Task 5: Troubleshoot LDAP Integration


Possible LDAP integration issues include LDAP server misconfiguration, authentication parameter
misconfiguration, or LDAP user search base misconfiguration.

You will troubleshoot an LDAP integration issue between HQ-UCM and the LDAP server. You will configure a
typical LDAP mistake by using the wrong LDAP User Search Base parameters. Then you will use the Cisco Unified
RTMT tool to analyze the Cisco DirSync traces before the issue starts. You must first delete the configured LDAP
directory. Then you will configure the new LDAP directory with the wrong parameters. Finally, you will use the
DirSync service traces in the Cisco Unified RTMT tool again to analyze the errors with LDAP synchronization and
compare them to the normal synchronization process.

Activity
Verify LDAP Synchronization Operation in Cisco Unified RTMT
You will verify LDAP synchronization operation in Cisco Unified RTMT.

Step 1
On PC-1, install Cisco Unified Real-Time Monitoring Tool (RTMT), located at Z:\CcmServRtmtPlugin.exe,
by running the installer and following the installer steps. Open the Cisco Unified Real-Time Monitoring
Tool from the desktop.

Step 2
Enter the DNS name of the Cisco UCM (cucm-pub.cll-collab.internal), and accept the Certificate notification.

Step 3
Log in using Administrator for the username and C0ll@B for the password.
Step 4
Leave the Configuration List as Default and click OK.

Step 5
Select System > Tools > Trace & Log Central.
Step 6
In Trace & Log Central, double-click Remote Browse. You can ignore the error message about connectivity
problems with the IM and Presence server; click OK.

Step 7
Confirm that Trace Files is selected, then click Next.

Step 8
Leave all checkboxes unselected on the Select UCM Services/Applications tab, and click Next.
Step 9
Select the Cisco DirSync; then click Finish.
Step 10
Click Close on the Result window; then double-click Nodes > cucm-pub.cll-collab.internal > System > Cisco
DirSync > log4j.

Step 11
Double-click dirsync00001.log, select the Cisco Generic Viewer, and then click OK.

Step 12
Enter the search string successfully completed full sync, click Search, and then scroll to find the highlighted
text. This string means that the full synchronization has been successfully completed indicating there are no
errors with the LDAP configuration.
Misconfigure and Troubleshoot LDAP Synchronization
You will configure incorrect LDAP User Search Base parameters and troubleshoot the logs in Cisco Unified RTMT
again.

Step 13
Browse to Cisco Unified Communications Manager Administration, select System > LDAP > LDAP
Directory, and delete the LDAP Server configuration.

Step 14
Create an LDAP directory with the following parameters and click Save:

LDAP Configuration Name: LDAP Server
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
LDAP User Search Base: cn=User, dc=cll-collab, dc=local
LDAP Custom Filter for Users: <None>
Perform a Re-sync Every: 6 HOUR
Cisco Unified Communications Manager User Fields
  Middle Name: middleName
  Phone Number: ipPhone
  Directory URI: mail
Access Control Groups: Standard CCM End Users
Host Name or IP Address for Server: 10.1.5.100

Step 15
In the LDAP Directory page, click Perform Full Sync Now and then click OK in the notification window.

Step 16
Select User Management > End Users, click Find, and observe the results. You will see that all the users have
the Inactive LDAP Synchronized User status.
Step 17
In the Trace and Log Central tab of Cisco Unified RTMT, click the cucm-pub.cll-collab.internal server, and click
Refresh All.

Step 18
Double-click cucm-pub.cll-collab.internal > System > Cisco DirSync > log4j, then double-click on the last
modified error log (highest number). Select the Cisco Generic Viewer and click OK.

Step 19
Enter error in the Search String field, and click Search. You will see multiple occurrences of the string error in
the log. The error message includes the search space, which in this case is incorrect, because it should be set to
cn=Users, dc=cll-collab, dc=internal.
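A pre-sync sanity check for the search base mistake this task deliberately introduces, as an added Python example that is not Cisco code or a UCM feature. It parses the LDAP User Search Base DN and compares its dc= components with the domain taken from the LDAP Manager Distinguished Name (either the UPN form used in this lab or a full DN); the container check against a constructed list of expected containers ("Users" here) is an assumption about this lab's directory, not something UCM verifies.

```python
"""Sanity-check an LDAP User Search Base before running a DirSync full sync.

Added example, not Cisco code. A search base whose dc= components do not match
the directory's domain (dc=local instead of dc=internal) or that names a
container that does not exist (cn=User instead of cn=Users) returns no users,
so every end user ends up as Inactive LDAP Synchronized User. The expected
container list is a constructed assumption for this lab's Active Directory.
"""


def parse_dn(dn):
    """Split 'cn=Users, dc=cll-collab, dc=internal' into [(type, value), ...]."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        parts.append((attr_type.strip().lower(), value.strip()))
    return parts


def expected_domain(manager_dn):
    """Domain components implied by the LDAP Manager DN (UPN or DN form)."""
    if "@" in manager_dn:                     # Administrator@cll-collab.internal
        return manager_dn.rsplit("@", 1)[1].lower().split(".")
    return [v.lower() for t, v in parse_dn(manager_dn) if t == "dc"]


def check_search_base(search_base, manager_dn, containers=("Users",)):
    """Return a list of problems; an empty list means the base looks consistent."""
    problems = []
    rdns = parse_dn(search_base)
    base_dcs = [v.lower() for t, v in rdns if t == "dc"]
    want = expected_domain(manager_dn)
    if base_dcs != want:
        problems.append(f"search base domain {'.'.join(base_dcs)} does not match "
                        f"manager domain {'.'.join(want)}")
    # Leading cn=/ou= RDN must be a known container (assumed list, not a UCM check).
    if rdns and rdns[0][0] in ("cn", "ou") and rdns[0][1] not in containers:
        problems.append(f"container {rdns[0][1]!r} is not one of the expected "
                        f"containers {list(containers)}")
    return problems


if __name__ == "__main__":
    manager = "Administrator@cll-collab.internal"
    for base in ("cn=Users, dc=cll-collab, dc=internal",     # Task 1 value: clean
                 "cn=User, dc=cll-collab, dc=local"):        # Task 5 value: two problems
        print(base, "->", check_search_base(base, manager) or "OK")
```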
