Cisco Unity Connection 7.0
Directory Integration TOI
Manoj Agrawal
manoja@cisco.com
© 2008 Cisco Systems, Inc. All rights reserved.
Overview
• One-way synchronization of user data from an LDAP directory.
• User authentication against LDAP.
• No schema extensions. All LDAP access is read-only.
• The system remains functional even when the LDAP server is down.
• Active Directory is supported now; Sun and Netscape support is planned for the future.
LDAP Administration pages
Synchronization
• User information is synchronized using Cisco DirSync.
• This is the same Cisco DirSync that is used by CUCM.
• All of the same configuration options are available.
• The service is activated from Cisco Unified Serviceability.
• The admin pages are nearly identical as well.
• Passwords are not synchronized.
• The list of LDAP attributes that are included in the sync, as well as their mapping to CUC user fields, is displayed on the LDAP Directory Configuration page.
Synchronization configuration
• LDAP attribute for CUC Alias. This is the LDAP attribute that will correspond to the Alias of CUC users. It is a global setting and applies to all synchronization configs. For AD this is commonly sAMAccountName.
• LDAP Manager Distinguished Name and password. This is an LDAP user that has rights to read the LDAP directory.
• LDAP User Search Base. The container within the directory where the users are located. Users in child containers are also synchronized.
Synchronization configuration (cont.)
• LDAP Server Hostname/IP Address and Port.
• Use SSL. This option enables SSL encryption of the LDAP connection.
• Redundant servers. Multiple LDAP servers (for the same directory) can be specified for redundancy.
• Multiple sync configurations are allowed.
LDAP Setup
LDAP Directory Configuration
Synchronization schedule
• All syncs are full syncs. Incremental syncs will be available in the future.
• Synchronization can happen at regular intervals or it can be a one-time synchronization.
• For recurring syncs, the sync interval can be specified in a number of hours, days, weeks or months. The minimum interval is 6 hours.
• For recurring syncs, the date and time of the next sync can be specified.
• On-demand syncs can be initiated at any time as long as a sync is not already in progress.
Authentication
• For users that are integrated (synced) with LDAP, web application passwords are authenticated against LDAP. This applies to CUCA, CPCA and IMAP access.
• Voice mail passwords (PINs) are always authenticated locally.
• If the LDAP server is unavailable, CUCA, CPCA and IMAP access will not be available for users that are integrated with LDAP. However, voice mail access will still be available.
• For users that are not integrated with LDAP, all authentication occurs locally.
Authentication configuration
• LDAP authentication needs to be enabled and configured in addition to LDAP synchronization.
• It can only be enabled if LDAP synchronization is also enabled.
• It is not necessary to enable LDAP authentication in order to use LDAP synchronization.
Authentication configuration (cont.)
• Even though multiple synchronization configurations are allowed, only one authentication configuration covers all LDAP users. This means that there is only one search base for authentication.
• If the system is configured with multiple sync configurations, authentication must be configured with a search base that is the parent of the search bases used in the sync configurations.
• Use of the Global Catalog server is recommended for AD and is required in a multi-domain forest.
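The "parent search base" rule above is easy to get wrong when sync configurations point at different OUs. The following is an added example (not code from the deck or from Cisco): it parses distinguished names into RDN components and reports which sync search bases the single authentication search base would fail to cover. The DNs are constructed sample values.

```python
def parse_dn(dn):
    """Split an LDAP DN into normalized RDN components, most specific first.

    Handles the common AD form ("OU=Sales,DC=example,DC=com"). A backslash-
    escaped comma inside a value stays with the value. Components are
    lower-cased so comparison is case-insensitive, as AD DNs are.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]

def is_ancestor_or_equal(auth_base, sync_base):
    """True if auth_base is sync_base itself or one of its parent containers."""
    a, s = parse_dn(auth_base), parse_dn(sync_base)
    # A parent DN is a suffix of the child DN, component by component.
    return len(a) <= len(s) and s[len(s) - len(a):] == a

def check_auth_search_base(auth_base, sync_bases):
    """Return the sync search bases NOT covered by the authentication search base.

    Any base returned here holds users who would sync but could never log in,
    because the single authentication search would not find their accounts.
    """
    return [b for b in sync_bases if not is_ancestor_or_equal(auth_base, b)]

# Constructed sample: two sync configurations pointing at different OUs.
SYNC_BASES = [
    "OU=Engineering,DC=example,DC=com",
    "OU=Sales,OU=Field,DC=example,DC=com",
]

if __name__ == "__main__":
    for auth in ("DC=example,DC=com", "OU=Engineering,DC=example,DC=com"):
        uncovered = check_auth_search_base(auth, SYNC_BASES)
        print(auth, "->", "OK" if not uncovered else f"uncovered: {uncovered}")
```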
LDAP Authentication
Importing users
• Users must be manually imported, either via the Import Users page or BAT. Users are not automatically imported from LDAP. (CUCM automatically imports them.)
• A user template must be selected during the import.
• The user’s extension is taken from LDAP and displayed on the Import Users page. It can be overridden during the import.
• The extension that is displayed on the Import Users page can be processed through a regular expression in order to select only a portion of the string. Using [0-9]{4}$ would take only the last 4 digits of the LDAP value. For more information on Java regular expressions, please see http://java.sun.com/docs/books/tutorial/essential/regex/index.html.
• The extension regular expression can be modified on the Advanced LDAP Settings page.
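To see what the extension regular expression does to real-looking phone numbers, here is an added example (not code from the deck, and written in Python rather than Java, whose regex find() semantics it mirrors for this pattern). It applies the default [0-9]{4}$ pattern to constructed sample telephoneNumber values, flags values that yield no extension so the admin knows to override them, and shows how a last-four-digits rule can collide across users. The sample records and the helper names are assumptions.

```python
import re

# Constructed sample AD records (not from the deck): the telephoneNumber
# values an Import Users page might display for each candidate alias.
SAMPLE_LDAP_USERS = [
    {"sAMAccountName": "jdoe",   "telephoneNumber": "+1 408 555 1234"},
    {"sAMAccountName": "asmith", "telephoneNumber": "555-9876"},
    {"sAMAccountName": "bwong",  "telephoneNumber": "x42"},            # too short
    {"sAMAccountName": "cnoph",  "telephoneNumber": ""},               # no number
    {"sAMAccountName": "ewhite", "telephoneNumber": "408 555 1234"},   # same last 4 as jdoe
]

# Default pattern quoted on this slide: grab the last four digits of the string.
EXTENSION_REGEX = r"[0-9]{4}$"

def derive_extension(raw, pattern=EXTENSION_REGEX):
    """Apply the Advanced LDAP Settings extension regex to one LDAP value.

    Like Java's Matcher.find(), the pattern may match anywhere in the string;
    the matched text becomes the proposed CUC extension. Returns None when
    nothing matches so the value can be overridden on the Import Users page
    instead of importing an empty or bogus extension.
    """
    if not raw:
        return None
    m = re.search(pattern, raw)
    return m.group(0) if m else None

def propose_imports(users, pattern=EXTENSION_REGEX):
    """Return {alias: extension or None} for every user to be imported."""
    return {u["sAMAccountName"]: derive_extension(u.get("telephoneNumber"), pattern)
            for u in users}

def find_extension_collisions(proposed):
    """Two users that map to the same extension cannot both be imported as-is."""
    first_owner, collisions = {}, []
    for alias, ext in proposed.items():
        if ext is None:
            continue
        if ext in first_owner:
            collisions.append((first_owner[ext], alias, ext))
        else:
            first_owner[ext] = alias
    return collisions

if __name__ == "__main__":
    proposed = propose_imports(SAMPLE_LDAP_USERS)
    for alias, ext in proposed.items():
        print(f"{alias:8s} -> {ext if ext else '(override required)'}")
    print("collisions:", find_extension_collisions(proposed))
```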
Import page
More about users
• If a user has been imported from LDAP, the user’s page in CUCA will say “Active User imported from LDAP Directory”.
• Standalone users (non-LDAP-integrated users) can be added to a system that has LDAP enabled.
• If the LDAP user object (account) for an LDAP-integrated user is deleted from LDAP, the user will be converted to a standalone user after a grace period.
• AXL-integrated users can also be added to a system that has LDAP enabled.
User management with BAT
BAT can be used to import LDAP users in bulk. The steps are:
1. Export “Users from LDAP directory” into a CSV file.
2. Modify the CSV file (update extensions or remove users).
3. Create new “Users with Mailbox” using the CSV file.

BAT can also be used to convert existing AXL and standalone users into LDAP-integrated users. The steps are:
1. Export “Users from LDAP directory” into a CSV file.
2. Modify the CSV file to include only the users you want to convert.
3. Use BAT to update existing users using the CSV file.
Bulk Export and Import
Co-res
• Directory integration on a co-res (co-resident CUCM/CUC) system is handled entirely by CUCM. The feature works exactly as it would on a standalone CUCM system.
• All of the configuration occurs in the CUCM admin pages.
• User data is synchronized with LDAP, and LDAP authentication occurs for all users (other than the default CUC users).
• Because of the co-res integration, the CUC side of the product is completely unaware that the system is integrated with a corporate directory.
Steps to configure and use LDAP
1. Enable Cisco DirSync.
2. Select the LDAP server type and the LDAP attribute for Alias.
3. Configure the LDAP synchronization details.
4. Initiate a manual (on-demand) sync.
5. Configure LDAP authentication.
6. Import users.
Troubleshooting
• Manual syncs can be initiated from the sync configuration page.
• Diagnostic trace files from two components are helpful:
  - Cisco DirSync
  - Connection CM Database Event Listener (CuCmDbEventListener)
• The DirSync diagnostic trace files are saved to the /var/log/active/cm/trace/dirsync/log4j directory. The filename format is dirsyncxxxxx.log.
• The CuCmDbEventListener diagnostic trace files are saved to the /var/opt/cisco/connection/log directory. The filename format is diag_CuCmDbEventListener_xxxxxxxx.uc.
Troubleshooting (cont.)
DirSync diagnostics can be enabled from Cisco Unified Serviceability. In Trace -> Configuration:
1. Select Directory Services for the Service Group and click Go.
2. Then select DirSync for the Service and click Go.
3. Change the Debug Trace Level to Debug and click Save.

CuCmDbEventListener diagnostics can be enabled from Cisco Unity Connection Serviceability. In Trace -> Micro Traces:
1. Select CuCmDbEventListener for the Micro Trace and click Go.
2. Select levels 00, 01, 03 and 04 and then click Save.
More Information
Contacts
• Manoj Agrawal (manoja@cisco.com)
• Jennifer Bui (jbui@cisco.com)
• CUC directory integration (cuc-ldap@cisco.com)
• CUCM directory integration (userprefs-team@cisco.com)
Documents
• FFS (EDCS-603726)
• CUCM 6 Directory Configuration Admin Guide
• Unity Connection 7.0 Design Guide: LDAP Directory Integration (http://zed.cisco.com/confluence/display/CUC/Technical+Marketing)
Q&A