MeetingPlace_7_LDAP

Transcript of MeetingPlace_7_LDAP

Page 1: MeetingPlace_7_LDAP

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 1

Cisco Unified MeetingPlace 7.0 Directory Service Integrations to LDAP and Authentication Methods

Unified Communications Business Unit

August 2008

Update MR1 January 2009

Page 2: MeetingPlace_7_LDAP


LDAP Profile Synch vs. Authentication

MeetingPlace Application Server uses the UC Manager 6.X/7.X LDAP integration for profile synchronization (no direct LDAP synch)

– Creates new profiles, modifies and deletes profiles

– If you use CUCM LDAP, then you must also configure either CUCM or Web Authentication to LDAP

– Both CUCM LDAP Authentication and MP Web Authentication are supported

MeetingPlace 7.0 Web Server: Outlook and Lotus Notes authentication methods

– 6 authentication methods for Web Authentication

Page 3: MeetingPlace_7_LDAP


MeetingPlace 7.0 Profiles and Authentication with Customer LDAP

Method 1: Manually Creating User Profiles

– You can manually define user profiles. This is useful for adding one or a few new users to the database

Method 2: Manual Import User Profiles

– You can import user profiles from any existing database (such as an LDAP directory) by exporting them to a .csv file

Method 3: CUCM 5.X/6.X LDAP Synchronization

– Via CUCM 5.X/6.X ONLY

– MeetingPlace Application Server -> AXL -> CUCM LDAP -> Customer LDAP

– Support for all CUCM 5.X/6.X LDAP Systems

– No direct LDAP integration

User Authentication is via various methods:

– Outlook/Notes

– CUCM/LDAP Authentication Option (only option used for WebEx scheduling with MeetingPlace voice only system)

– (6) different MeetingPlace Web Authentication methods

Page 4: MeetingPlace_7_LDAP


Method 1: Manual Add Profile

• Application Server -> Web Admin Center -> User Configuration -> Add Profile

Only 6 fields (marked with *) are required

Page 5: MeetingPlace_7_LDAP


Method 2: Import/Export Profiles

Import file must be a comma-delimited ASCII file (an unformatted or flat file with a .csv extension).

All headers are listed in the Cisco Unified MeetingPlace Administrator’s Guide

Example: "fnm","lnm","uid","prfnum","phnum","ctctuid","grpnme","grpnum"

Exporting User Group Information and User Profile Information first will provide the .csv headers automatically

User Group profiles or individual user profiles can be imported from any database extraction

Several fields are automatically populated based on the information in the user’s group defaults.

The only mandatory fields are the user ID (uid), password (EncryptedUserPWD), profile number (prfnum), group name (grpnme) and group number (grpnum).
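A pre-import check for the .csv format described above, written as an added example (not a Cisco tool): it verifies the file is ASCII, that the mandatory columns are present and filled, and that uid and prfnum are unique. The sample rows are constructed; the digits-only rule for prfnum is an assumption made here.

```python
import csv
import io

# Column headers as listed on the slide; the password column name is also from the slide.
MANDATORY = ("uid", "EncryptedUserPWD", "prfnum", "grpnme", "grpnum")

# Constructed sample import file (not from the deck). Row 3 repeats a profile
# number, row 4 has a blank uid, row 5 has a non-numeric profile number.
SAMPLE_CSV = (
    '"fnm","lnm","uid","EncryptedUserPWD","prfnum","phnum","grpnme","grpnum"\n'
    '"Ann","Lee","alee","<hash>","4085551001","4085551001","System","1"\n'
    '"Bob","Ng","bng","<hash>","4085551002","4085551002","System","1"\n'
    '"Cy","Doe","cdoe","<hash>","4085551001","4085551003","Sales","2"\n'
    '"Di","Roe","","<hash>","4085551004","4085551004","Sales","2"\n'
    '"Ed","Poe","epoe","<hash>","ext-7","4085551005","System","1"\n'
)


def validate_import_csv(text: str) -> list[str]:
    """Return a list of problems found in a MeetingPlace profile import file.

    Checks: file is ASCII, every mandatory column is present, no mandatory value
    is blank, uid and prfnum are unique, and prfnum is all digits (the digits-only
    rule is an assumption made here, not stated by the deck).
    """
    problems: list[str] = []
    if not text.isascii():
        problems.append("file contains non-ASCII characters")
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in MANDATORY if c not in headers]
    if missing:
        return problems + [f"missing mandatory column(s): {', '.join(missing)}"]
    seen_uid: dict[str, int] = {}
    seen_prf: dict[str, int] = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header row
        for col in MANDATORY:
            if not (row.get(col) or "").strip():
                problems.append(f"line {line_no}: blank mandatory field {col}")
        uid = (row.get("uid") or "").strip()
        prf = (row.get("prfnum") or "").strip()
        if uid:
            if uid in seen_uid:
                problems.append(f"line {line_no}: duplicate uid {uid} (first on line {seen_uid[uid]})")
            seen_uid.setdefault(uid, line_no)
        if prf:
            if not prf.isdigit():
                problems.append(f"line {line_no}: prfnum {prf!r} is not numeric")
            if prf in seen_prf:
                problems.append(f"line {line_no}: duplicate prfnum {prf} (first on line {seen_prf[prf]})")
            seen_prf.setdefault(prf, line_no)
    return problems


if __name__ == "__main__":
    for problem in validate_import_csv(SAMPLE_CSV):
        print(problem)
```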

Page 6: MeetingPlace_7_LDAP


Method 3: MeetingPlace/CUCM to LDAP Profile Management

[Diagram: MP Application Server (AXL Adaptor, AXL/SOAP, DB) to CUCM 5.X/6.X LDAP Integration to Customer LDAP Directory]

• Requires a CUCM 5.X/6.x running with LDAP Integration configured on CUCM (also used for SIP trunking)

• Creates new profiles, deactivates and changes existing ones

• Provides Time Zone and Groups Filters to automate users into correct groups

• LDAP Authentication done in MP Web/Outlook/Lotus Notes components

Page 7: MeetingPlace_7_LDAP


LDAP Directories: Cisco Unified CM Directory Synchronization

[Diagram: Cisco Unified CM 6.X Server (WWW, IMS, DB, DirSync); MP Directory Service (Profile Synch, User Lookup); Corporate Directory (Microsoft AD, Netscape/iPlanet); User Data Synchronization]

DirSync tool pulls main user attributes from directory into DB. User passwords are NOT sync’ed.

Page 8: MeetingPlace_7_LDAP


MeetingPlace 7.0 with CUCM 5.X/6.X Directory Services Supported

Customer Directory              CUCM Directory Services   MPDS 5.x
Windows AD 2000                 Yes                       Yes
Windows AD 2003                 Yes                       Yes
Windows AD 2007                 Yes                       No
Windows AD 2008                 Yes                       No
Netscape 4.x                    Yes                       Yes
iPlanet 4.x                     Yes                       Yes
Sun 5.1 Directory Server        Yes                       No
Sun Java 5.2 Directory Server   Yes                       No
OpenLDAP                        On roadmap                No
IBM Tivoli Directory Services   On roadmap                No
Novell eDirectory               Yes                       No
SunOne                          No                        Yes
Domino Directory                No                        No

Active Directory ADAM server is not supported

Page 9: MeetingPlace_7_LDAP


LDAP Directories: Integration Approaches for Cisco Unified CM

[Diagram: Corporate LDAP Directory; Cisco Unified CM 6.X with embedded database and Sync Agent; User Provisioning (read only) and User Authentication (read only) over LDAP, enabled independently]

No data written to Directory!

Page 10: MeetingPlace_7_LDAP


LDAP Directories: Cisco Unified CM End Users vs. Application Users

Cisco Unified CM users are now divided in two categories:

End Users—physical users (can be telephony users or administrators)

Application Users—used for other voice applications (Unified CM Assistant, Attendant Console, IPCC Express, etc.)

Key concept: Application Users are always kept local to CUCM DB and authenticated locally, even when integrating with an external directory

MLA concepts fully integrated in CUCM administration pages (“Roles” and “User Groups”)

Just assign the appropriate Role to End Users to turn them into administrators

Page 11: MeetingPlace_7_LDAP


LDAP Directories: Cisco Unified CM Main Features

Supported corporate directories: Microsoft AD 2000 and 2003; Netscape 4.x, iPlanet 5.1 and Sun ONE 5.2

Built-in redundancy (configure multiple LDAP hosts)

Security—Support for LDAP over SSL (LDAPS)

Support for multi-tree AD (discontiguous namespaces)

Configurable periodic or manual resync

Authentication (enabled separately):

End User password can be authenticated against directory

End User PIN’s are authenticated against CUCM DB

Application User passwords are authenticated against CUCM DB

Page 12: MeetingPlace_7_LDAP


Directory Service Parameters

Any of these fields that are not available in Cisco Unified Communications Manager (via LDAP) are left blank in the Cisco Unified MeetingPlace user profile.

• First name, Last name, User ID

• Profile number—Unique number based on the Main phone number

• User status

• E-mail address

• Main phone number

Page 13: MeetingPlace_7_LDAP


MeetingPlace Directory Service Filters

The filters are configurable to create profiles based on Country code or Time Zone derived from telephone numbers.

Filters for Time Zone: filtered by phone number prefix (area code, country code, etc.)

By default, the local time of the Application Server is assigned

Filters for Groups: Group name, filtered by department number

By default, the “System” User Group is assigned

Filters for “Profile Number”

1. Configure Filters for Time Zone

2. then do Filters for Groups

3. Configure Profile Number Filters

4. then do Directory Synch last with UC Manager

Page 14: MeetingPlace_7_LDAP


Profile Number: 3 Choices for Filters (7.0.2+)

Use phone number as profile number

– The UC Manager User Profile “Telephone Number” field entry is the Profile number

– If the Telephone Number for a user is blank or conflicts with an existing Profile number in MeetingPlace, then the system will instead use a six-digit auto-generated profile number

Use last ‘n’ digits of phone number as profile number

– If the Telephone Number field entry for a user is shorter than the configured Number of digits, then the Telephone Number will be used as is as the Profile number.

– If the Telephone Number for a user is blank, or if applying this method for a user conflicts with an existing Profile number in MeetingPlace, then the system will instead use a six-digit auto-generated profile number.

Use 6 digit auto-generated profile number

– The auto-generated profile numbers start from 100001, and they always contain six digits.
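The three profile-number rules above, including the blank-number, conflict and short-number fallbacks, as an added example (not Cisco code). Stripping formatting characters from the Telephone Number before applying the rule is an assumption made here; the sample numbers are constructed.

```python
from typing import Iterable


class ProfileNumberAssigner:
    """Applies one of the three 7.0.2+ profile number filter methods from the slide.

    method: "phone"  - use the Telephone Number as the profile number
            "last_n" - use the last n digits of the Telephone Number
            "auto"   - always use a six-digit auto-generated number
    A blank Telephone Number or a conflict with an existing profile number
    falls back to auto-generation, as the slide describes.
    """

    AUTO_START = 100001  # first auto-generated number; the range is always six digits

    def __init__(self, existing: Iterable[str] = (), method: str = "phone", n_digits: int = 4):
        if method not in ("phone", "last_n", "auto"):
            raise ValueError(f"unknown method {method!r}")
        self.existing = set(existing)  # profile numbers already present in MeetingPlace
        self.method = method
        self.n_digits = n_digits
        self._next_auto = self.AUTO_START

    def _auto(self) -> str:
        # Skip numbers already taken, e.g. by a phone-derived profile created earlier.
        while str(self._next_auto) in self.existing:
            self._next_auto += 1
        if self._next_auto > 999999:
            raise RuntimeError("six-digit auto-generated range exhausted")
        number = str(self._next_auto)
        self._next_auto += 1
        return number

    def assign(self, telephone: str) -> str:
        # Assumption: formatting characters (+, spaces, dashes) are stripped first;
        # the deck only says the field "entry" is used.
        digits = "".join(ch for ch in (telephone or "") if ch.isdigit())
        candidate = None
        if self.method == "phone" and digits:
            candidate = digits
        elif self.method == "last_n" and digits:
            # Shorter than the configured number of digits: the number is used as is.
            candidate = digits[-self.n_digits:] if len(digits) > self.n_digits else digits
        # Blank number, a conflict, or the "auto" method: six-digit auto-generated number.
        if candidate is None or candidate in self.existing:
            candidate = self._auto()
        self.existing.add(candidate)
        return candidate


if __name__ == "__main__":
    # Constructed sample run; "5551001" is a profile that already exists in MeetingPlace.
    by_phone = ProfileNumberAssigner(existing={"5551001"}, method="phone")
    print(by_phone.assign("555-1001"), by_phone.assign("555-1002"), by_phone.assign(""))
    last4 = ProfileNumberAssigner(method="last_n", n_digits=4)
    print(last4.assign("+1 408 555 1234"), last4.assign("+1 650 555 1234"), last4.assign("77"))
```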

Page 15: MeetingPlace_7_LDAP


Profile Number Configuration

Apply the profile number configuration method either to new users only, or to each user profile that gets imported or updated during Directory Service user profile updates or full synchronizations.

Page 16: MeetingPlace_7_LDAP


MeetingPlace Open SOAP API (MPSA)

If there are “custom” LDAP requirements, the MeetingPlace SOAP API (MPSA) offers the ability to write a custom program that interfaces the customer LDAP directory directly to the MP Application Server.

“User Service” Methods

–addUserProfile, addUserProfileFromTemplate, addUserProfileBasic

–deleteUserProfile

–updateUserProfile, updateUserProfileFromTemplate

–getUserProfile, getUniqueUserId

–isProfiledUser, findUserProfileList

–addGroupProfile, deleteGroupProfile, updateGroupProfile, updateGroupProfileFromTemplate, getGroupProfile, findGroupProfileList

Cisco Developer Program Support for MPSA

http://developer.cisco.com/web/mpsa/home

Page 17: MeetingPlace_7_LDAP


User Authentication Benefits

• Single Sign-On (SSO)—Allows users who have already been authenticated once to have access to all resources and applications on the network without having to re-enter their credentials.

• Centralized user database—Facilitates profile management.

NOTE: For SSO to work, you must ensure that Cisco MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software.

Page 18: MeetingPlace_7_LDAP


MeetingPlace Web: End User Authentication Methods to Third Party Systems

MeetingPlace and Outlook Integration Authentication (uses Windows Client authentication)

MeetingPlace and Lotus Notes Integration Authentication (uses Domino client authentication)

MeetingPlace Web 7 Authentication Options

1. MeetingPlace Directory Service can be configured to use CUCM/LDAP Authentication method

2. MeetingPlace Profile/password (Default setting)

3. LDAP (Multi-forest support)

4. LDAP, then MeetingPlace (single LDAP Forest)

5. Trust External Authentication

6. HTTP Basic Authentication

7. Windows Integrated Authentication

Page 19: MeetingPlace_7_LDAP


MeetingPlace with Outlook Integration Authentication

MeetingPlace for Outlook supports a stored cookie on the client desktop

The user has to enter the password the first time they click the MeetingPlace tab (plugin) in Outlook

This password is:

1. Admin assigned for MP profile if they are a local user

2. LDAP password if profile is created by MP Directory Service (LDAP Authentication must then be enabled)

Page 20: MeetingPlace_7_LDAP


MeetingPlace with Lotus Notes Integration Authentication Support

The only form of authentication supported by Cisco Unified MeetingPlace for IBM Lotus Notes is Domino authentication with Cisco Unified MeetingPlace Web Conferencing configured to use MeetingPlace authentication.

To configure Domino authentication with MeetingPlace authentication, refer to the "Cisco Unified MeetingPlace for IBM Lotus Notes Installation and Configuration" chapter of the Administration Guide for Cisco Unified MeetingPlace for IBM Lotus Notes Release 6.0

Page 21: MeetingPlace_7_LDAP


MeetingPlace Web End User Authentication

Provides the following authentication configuration options:

1. MeetingPlace (Default setting)

• This is used when CUCM LDAP Auth is enabled

• CUCM LDAP Auth supports multi-domain

2. LDAP (supports multi-domain with 2-way trusts)

3. LDAP, then MeetingPlace

4. Trust External Authentication

5. HTTP Basic Authentication (Domain)

6. Windows Integrated Authentication

Page 22: MeetingPlace_7_LDAP


1. MeetingPlace “Default” Authentication

Authenticating users against the profile database on the Cisco MeetingPlace Application Server is the default user authentication option.

You have two options when configuring this type of authentication:

Logging in with an HTML-based web page form. This is the default option.

Logging in against a login window rendered by your web browser.

Regardless of the login page users see, user IDs and passwords are sent to the MP Audio Server for authentication.

Both the profile (user ID) and the user password must match, and profiles are case-sensitive.

Page 23: MeetingPlace_7_LDAP


1. Cisco Unified MeetingPlace “Default” Authentication

[Diagram: MP Web sends the User ID/Password to the MeetingPlace Application Server, which checks it against the User Profile DB]

Choose one of the following options for “Login Method”:

1. Choose Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window. This is the default authentication method.

2. Choose HTTP Basic Authentication to see a login window rendered by your web browser.

Note: If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.

Page 24: MeetingPlace_7_LDAP


2. LDAP Authentication

LDAP authentication compares users’ login information against the profile database on an LDAPv2-compliant directory server.

Once users are authenticated by the LDAP server, users are automatically logged in to Cisco MeetingPlace as long as their LDAP user IDs also exist in Cisco MeetingPlace.

Single Forest or Multiple Forests Supported

[email protected] & [email protected]

Multiple LDAP forests must have two-way trusts between them

MeetingPlace configuration points to one LDAP

With LDAP authentication, the following restrictions apply:

MeetingPlace Web supports only unencrypted LDAP, that is, queries to the LDAP server are in clear text.

LDAP profiles are used for authentication

Page 25: MeetingPlace_7_LDAP


2. Cisco Unified MeetingPlace LDAP Authentication

[Diagram: MP Web authenticates the user against the Corporate LDAP Directory (AD, Netscape and SunOne); the MeetingPlace Application Server’s User Profile DB holds the User Profiles, synchronized from CUCM]

LDAP Distinguished Name (DN), single forest: DN=CN=%USERNAME%, OU=People, DC=mydomain, DC=com

Multiple forests: CN=%USERNAME%; users log in using the “Domain/userID” format
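How the DN template above is filled in for a single-forest login and for the multi-forest “Domain/userID” format, as an added example (not Cisco code). The user-supplied part is escaped per RFC 4514 before substitution so that a login containing DN syntax cannot change which directory entry is looked up. The multi-forest domain names and DNs are constructed placeholders.

```python
# DN template as shown on the slide (spaces after the commas dropped; both forms are valid).
SINGLE_FOREST_TEMPLATE = "CN=%USERNAME%,OU=People,DC=mydomain,DC=com"

# Constructed multi-forest mapping: login domain -> that forest's DN template.
# The domain names and DNs are placeholders, not taken from the deck.
FOREST_TEMPLATES = {
    "CORP": "CN=%USERNAME%,OU=People,DC=corp,DC=example",
    "LAB": "CN=%USERNAME%,OU=Users,DC=lab,DC=example",
}

# Characters that must be escaped anywhere inside a DN attribute value (RFC 4514 2.4).
_SPECIAL = {",", "+", '"', "\\", "<", ">", ";", "="}


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN.

    Without this, a login such as 'x,OU=Admins' would alter which entry the
    directory looks up, so the user-controlled part is escaped before substitution.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # leading '#' starts a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ord(ch) < 0x20:                       # control characters: hex-pair escape
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for_login(login: str) -> tuple[str, str]:
    """Resolve a web login to (LDAP bind DN, user ID to match against MeetingPlace).

    Multi-forest logins use the "Domain/userID" format from the slide; anything
    else is treated as a single-forest login. Domain matching is case-insensitive
    here (an assumption, not stated by the deck).
    """
    if "/" in login:
        domain, user = login.split("/", 1)
        template = FOREST_TEMPLATES.get(domain.upper())
        if template is None:
            raise ValueError(f"unknown login domain {domain!r}")
    else:
        user, template = login, SINGLE_FOREST_TEMPLATE
    if not user:
        raise ValueError("empty user ID")
    return template.replace("%USERNAME%", escape_rdn_value(user)), user


if __name__ == "__main__":
    for login in ("jdoe", "LAB/j.doe", "corp/x,OU=Admins"):
        print(login, "->", bind_dn_for_login(login)[0])
```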

Page 26: MeetingPlace_7_LDAP


3. LDAP then MeetingPlace Authentication

This authentication mode attempts to authenticate users against two directories if the need arises. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco MeetingPlace

When users first log in, they are authenticated against the LDAP directory. (Single Domain only)

If this authentication fails, the login information is sent to the Cisco MeetingPlace Audio Server for a possible match.

If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with the incorrect password will lock the user’s LDAP profile.

Only users who are not found in the LDAP directory are eligible for authentication through the Cisco MeetingPlace directory.

Page 27: MeetingPlace_7_LDAP


4. Trust External Authentication

Trust External Authentication represents a broad range of enterprise security software that provides functions like authentication, resource access authorization, Single Sign On (SSO), and intrusion detection.

Typically, this software protects your web server by installing a DLL plug-in into the web server service, for example IIS. This DLL plug-in, also called ISAPI Filter, intercepts user login credentials and passes them to a corporate authentication and authorization server.

For MeetingPlace Web Authentication to work with this software, the software must be able to output user IDs in the HTTP header so that they can be passed to Cisco MeetingPlace for authentication.

Page 28: MeetingPlace_7_LDAP


5. HTTP Basic Authentication (Domain)

The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information.

1. Users are prompted by a pop-up login window that is rendered by their web browser.

2. Users enter valid domain user IDs and passwords. Cisco MeetingPlace profile passwords are ignored and not used in the authentication operation.

3. If the web servers accept the login credentials and the user IDs also exist in Cisco MeetingPlace profile databases, users are logged in automatically to Cisco MeetingPlace and are granted access to the Cisco MeetingPlace home page.

Page 29: MeetingPlace_7_LDAP


5. HTTP Basic Authentication (Domain) Cont.

The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers.

The disadvantage is that the password is only Base64 encoded before being sent over the network. Since Base64 is an encoding, not encryption, it can be trivially decoded.

You can mitigate this security issue by implementing Secure Socket Layer (SSL) on the web server.

Page 30: MeetingPlace_7_LDAP


6. Windows Integrated Authentication (WIA)

Windows Integrated Authentication (WIA) uses an algorithm to generate a hash based on the credentials and computers that users are using.

WIA then sends this hash to the server; user passwords are not sent to the server.

If WIA fails for some reason, such as improper user credentials, users are prompted by their browsers to enter their user IDs and passwords.

The Windows logon credentials are encrypted before being passed from the client to the web server.

Page 31: MeetingPlace_7_LDAP


6. Windows Integrated Authentication (WIA) Cont.

Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:

• Only Microsoft Internet Explorer version 4.0 or later versions support this authentication method.

• WIA does not work across proxy servers or other firewall applications.

• WIA works only under the browser's Intranet Zone connections and for any trusted sites you have configured.

Page 32: MeetingPlace_7_LDAP


6. Windows Integrated Authentication (WIA) Cont.

WIA is best suited for an intranet environment where both users and the web server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.

To further ensure or verify that your network supports WIA, refer to Microsoft online documentation at http://support.microsoft.com.

An example of suggested documentation includes the following: http://support.microsoft.com/kb/q264921/

Page 33: MeetingPlace_7_LDAP


Resources

Cisco Unified MeetingPlace 7 System Requirements Document

Cisco Unified MeetingPlace 7 Configuration Guide

Directory Service Configuration section

UC Manager LDAP Configuration section

End User Authentication Section (MP Web)
