© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Unified MeetingPlace 7.0 Directory Service Integrations to LDAP and Authentication Methods
Unified Communications Business Unit
August 2008
Update MR1 January 2009
LDAP Profile Synch vs. Authentication
MeetingPlace Application Server – UC Manager 6.X/7.X LDAP for profile synchronization (no direct LDAP synch)
– Creates new profiles, modifies and deletes profiles
– If you use CUCM LDAP, then you must configure either UCM or Web Authentication to LDAP as well
– CUCM LDAP Authentication or MP Web Authentication: both are supported
MeetingPlace 7.0 Web Server – Outlook and Lotus Notes authentication methods
– 6 authentication methods for Web Authentication
MeetingPlace 7.0 Profiles and Authentication with Customer LDAP
Method 1: Manually Creating User Profiles
– You can manually define user profiles. This is useful for adding one or a few new users to the database
Method 2: Manual Import of User Profiles
– You can import user profiles from any existing database, such as an LDAP directory, via a .csv file
Method 3: CUCM 5.X/6.X LDAP Synchronization
– Via CUCM 5.X/6.X only
– MeetingPlace Application Server AXL to CUCM LDAP to Customer LDAP
– Support for all CUCM 5.X/6.X LDAP systems
– No direct LDAP integration
User Authentication is via various methods:
– Outlook/Notes
– CUCM/LDAP Authentication option (the only option usable for WebEx scheduling with a MeetingPlace voice-only system)
– (6) different MeetingPlace Web Authentication methods
Method 1: Manual Add Profile
• Application Server -> Web Admin Center -> User Configuration -> Add Profile
Only 6 fields (marked *) are required
Method 2: Import/Export Profiles
Import file must be a comma-delimited ASCII file (an unformatted or flat file with a .csv extension).
All headers are found in the Cisco Unified MeetingPlace (CUMP) Administrator's Guide.
Example: "fnm","lnm","uid","prfnum","phnum","ctctuid","grpnme","grpnum"
Exporting User Group information and User Profile information first will provide the .csv headers automatically.
User Group profiles or individual user profiles can be imported from any database extraction.
Several fields are automatically populated based on the information in the user's group defaults.
The only mandatory fields are the user ID (uid), password (EncryptedUserPWD), profile number (prfnum), group name (grpnme) and group number (grpnum).
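As an added illustration (not part of the deck and not Cisco code), the following Python check verifies that an import file carries the mandatory columns listed above and that no two rows reuse a user ID or profile number before the file is handed to the admin import. The sample file is constructed in the header format shown on the slide, with an extra EncryptedUserPWD column whose values are placeholders rather than real password hashes:

```python
import csv
import io

# Columns the slide lists as mandatory for an import: user ID, password,
# profile number, group name and group number.
MANDATORY = ("uid", "EncryptedUserPWD", "prfnum", "grpnme", "grpnum")

# Constructed sample import file in the header format shown on the slide; the
# EncryptedUserPWD values are placeholders, not real MeetingPlace password hashes.
SAMPLE_CSV = (
    '"fnm","lnm","uid","prfnum","phnum","ctctuid","grpnme","grpnum","EncryptedUserPWD"\n'
    '"Ann","Lee","alee","2011","4085552011","","Engineering","10","PLACEHOLDER-1"\n'
    '"Bob","Ray","bray","","4085552022","","Engineering","10","PLACEHOLDER-2"\n'
    '"Cy","Ng","cng","2011","4085552033","","System","1","PLACEHOLDER-3"\n'
)


def validate_import(text):
    """Check a .csv import file before it is handed to the admin import.

    Returns (rows, problems): rows are the records that pass every check,
    problems describe records that would be rejected (empty mandatory field)
    or that collide with an earlier record (duplicate uid or prfnum).
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in MANDATORY if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["header is missing mandatory column(s): " + ", ".join(missing)]

    rows, problems = [], []
    seen_uid, seen_prf = {}, {}
    for lineno, row in enumerate(reader, start=2):   # data starts on line 2
        empties = [c for c in MANDATORY if not (row.get(c) or "").strip()]
        if empties:
            problems.append(f"line {lineno} (uid={row.get('uid')!r}): empty {', '.join(empties)}")
            continue
        uid, prf = row["uid"].strip(), row["prfnum"].strip()
        # uid comparison is exact: profile user IDs are case-sensitive
        if uid in seen_uid:
            problems.append(f"line {lineno}: duplicate uid {uid!r} (first on line {seen_uid[uid]})")
            continue
        if prf in seen_prf:
            problems.append(f"line {lineno} (uid={uid!r}): prfnum {prf} already used by {seen_prf[prf]!r}")
            continue
        seen_uid[uid] = lineno
        seen_prf[prf] = uid
        rows.append(row)
    return rows, problems


if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_CSV)
    print("importable:", [r["uid"] for r in ok])
    for p in bad:
        print("problem:", p)
```

On the sample file only the first record passes: the second has an empty prfnum and the third reuses profile number 2011.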
Method 3: MeetingPlace/CUCM to LDAP Profile Management
[Diagram: MP Application Server (AXL adaptor, DB) – AXL/SOAP – CUCM 5.X/6.X LDAP Integration – Customer LDAP Directory]
• Requires a CUCM 5.X/6.x running with LDAP Integration configured on CUCM (also used for SIP trunking)
• Creates new profiles, deactivates, changes
• Provides Time Zone and Group filters to automate users into correct groups
• LDAP Authentication done in MP Web/Outlook/Lotus Notes components
LDAP Directories – Cisco Unified CM: Directory Synchronization
[Diagram: Cisco Unified CM 6.X Server (WWW, IMS, DB, DirSync) – User Data Synchronization – Corporate Directory (Microsoft AD, Netscape/iPlanet); MP Directory Service (Profile Synch, User Lookup)]
DirSync tool pulls main user attributes from directory into DB. User passwords are NOT sync'ed.
MeetingPlace 7.0 with CUCM 5.X/6.X Directory Services Supported

Customer Directory               CUCM Directory Services   MPDS 5.x
Windows AD 2000                  Yes                       Yes
Windows AD 2003                  Yes                       Yes
Windows AD 2007                  Yes                       No
Windows AD 2008                  Yes                       No
Netscape 4.x                     Yes                       Yes
iPlanet 4.x                      Yes                       Yes
Sun 5.1 Directory Server         Yes                       No
Sun Java 5.2 Directory Server    Yes                       No
OpenLDAP                         On roadmap                No
IBM Tivoli Directory Services    On roadmap                No
Novell eDirectory                Yes                       No
SunOne                           No                        Yes
Domino Directory                 No                        No

Active Directory ADAM server is not supported.
LDAP Directories – Integration Approaches: Cisco Unified CM
[Diagram: Cisco Unified CM 6.X (embedded database, Sync Agent) – LDAP – Corporate LDAP Directory; User Provisioning (read only) and User Authentication (read only) are enabled independently]
No data written to Directory!
LDAP Directories – Cisco Unified CM: End Users vs. Application Users
Cisco Unified CM users are now divided in two categories:
End Users – physical users (can be telephony users or administrators)
Application Users – used for other voice applications (Unified CM Assistant, Attendant Console, IPCC Express, etc.)
Key concept: Application Users are always kept local to the CUCM DB and authenticated locally, even when integrating with an external directory
MLA concepts fully integrated in CUCM administration pages ("Roles" and "User Groups")
Just assign the appropriate Role to End Users to turn them into administrators
LDAP Directories – Cisco Unified CM: Main Features
Supported corporate directories: Microsoft AD 2000 and 2003; Netscape 4.x, iPlanet 5.1 and Sun ONE 5.2
Built-in redundancy (configure multiple LDAP hosts)
Security – support for LDAP over SSL (LDAPS)
Support for multi-tree AD (discontiguous namespaces)
Configurable periodic or manual resync
Authentication (enabled separately):
End User password can be authenticated against directory
End User PINs are authenticated against CUCM DB
Application User passwords are authenticated against CUCM DB
Directory Service Parameters
Any of these fields that are not available in Cisco Unified Communications Manager (via LDAP) are left blank in the Cisco Unified MeetingPlace user profile:
• First name, Last name, User ID
• Profile number – unique number based on the main phone number
• User status
• E-mail address
• Main phone number
MeetingPlace Directory Service Filters
The filters are configurable to create profiles based on country code or time zone derived from telephone numbers.
Filters for Time Zone – filtered by phone number prefix (area code, country code, etc.)
By default, the local time of the Application Server is assigned
Filters for Groups – group name filtered by department number
By default, the "System" User Group is assigned
Filters for "Profile Number"
1. Configure Filters for Time Zone
2. Then do Filters for Groups
3. Configure Profile Number Filters
4. Then do Directory Synch last with UC Manager
Profile Number: 3 Choices for Filters (7.0.2+)
Use phone number as profile number
– The UC Manager User Profile "Telephone Number" field entry is the Profile number
– If the Telephone Number for a user is blank or conflicts with an existing Profile number in MeetingPlace, then the system will instead use a six-digit auto-generated profile number
Use last 'n' digits of phone number as profile number
– If the Telephone Number for a user is blank, or if applying this method for a user conflicts with an existing Profile number in MeetingPlace, then the system will instead use a six-digit auto-generated profile number.
– If the Telephone Number field entry for a user is shorter than the configured Number of digits, then the Telephone Number will be used as is as the Profile number.
Use 6-digit auto-generated profile number
– The auto-generated profile numbers start from 100001, and they always contain six digits.
Profile Number Configuration
Apply the profile number configuration method either to new users only, or to each user profile that gets imported or updated during Directory Service user profile updates or full synchronizations.
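To show how the three filters combine in the order the slides give (time zone, then groups, then profile number), including the fallback to six-digit auto-generated numbers when a telephone number is blank or collides with an existing profile, the shorter-than-n rule, and the "new users only" switch, here is an added Python model. It is not Cisco code; the prefix map, department map, existing profiles and user records are constructed sample data:

```python
from dataclasses import dataclass


@dataclass
class SyncConfig:
    tz_by_prefix: dict            # Filters for Time Zone: phone prefix -> time zone
    default_tz: str               # default: local time of the Application Server
    group_by_dept: dict           # Filters for Groups: department number -> group name
    method: str                   # Profile Number filter: "phone", "last_n" or "auto"
    n_digits: int = 4             # configured number of digits for "last_n"
    new_users_only: bool = True   # apply the method to new users only, or to every synced user


AUTO_START = 100001   # auto-generated profile numbers start here and are six digits


class DirectorySync:
    def __init__(self, cfg, existing):
        self.cfg = cfg
        self.assigned = dict(existing)      # uid -> profile number already in MeetingPlace
        self.used = set(existing.values())
        self.next_auto = AUTO_START

    # step 1: time zone filter
    def time_zone(self, phone):
        # longest matching prefix wins (country code + area code beats country code alone)
        for prefix in sorted(self.cfg.tz_by_prefix, key=len, reverse=True):
            if phone and phone.startswith(prefix):
                return self.cfg.tz_by_prefix[prefix]
        return self.cfg.default_tz

    # step 2: group filter
    def group(self, dept):
        return self.cfg.group_by_dept.get(dept, "System")

    # step 3: profile number filter
    def _auto_number(self):
        while str(self.next_auto) in self.used:
            self.next_auto += 1
        num = str(self.next_auto)
        self.next_auto += 1
        return num

    def profile_number(self, uid, phone):
        own = self.assigned.get(uid)
        if own is not None and self.cfg.new_users_only:
            return own                          # existing user: keep the current number
        phone = (phone or "").strip()
        if self.cfg.method == "phone":
            candidate = phone
        elif self.cfg.method == "last_n":
            # a number shorter than the configured digit count is used as is
            candidate = phone if len(phone) <= self.cfg.n_digits else phone[-self.cfg.n_digits:]
        else:
            candidate = ""
        # blank, or conflicts with another user's profile number -> auto-generated
        if not candidate or (candidate in self.used and candidate != own):
            candidate = self._auto_number()
        if own is not None and own != candidate:
            self.used.discard(own)
        self.used.add(candidate)
        self.assigned[uid] = candidate
        return candidate

    def sync(self, users):
        """Run the three filters in the slide's order for each directory user."""
        return {
            u["uid"]: {
                "tz": self.time_zone(u.get("phone")),
                "group": self.group(u.get("dept")),
                "prfnum": self.profile_number(u["uid"], u.get("phone")),
            }
            for u in users
        }


# Constructed sample data (not from the deck)
CONFIG = SyncConfig(
    tz_by_prefix={"408": "US/Pacific", "212": "US/Eastern"},
    default_tz="US/Central",
    group_by_dept={"100": "Engineering", "200": "Sales"},
    method="last_n",
)
EXISTING = {"alee": "2011"}
USERS = [
    {"uid": "alee", "phone": "4085552011", "dept": "100"},
    {"uid": "bray", "phone": "4085552022", "dept": "100"},
    {"uid": "cng", "phone": "", "dept": "200"},
    {"uid": "dkim", "phone": "2125552011", "dept": "300"},
    {"uid": "eoh", "phone": "555", "dept": "300"},
]

if __name__ == "__main__":
    for uid, result in DirectorySync(CONFIG, EXISTING).sync(USERS).items():
        print(uid, result)
```

With the sample data, dkim's last four digits collide with alee's existing 2011 and fall back to an auto-generated number, cng's blank phone gets 100001, and eoh's three-digit number is used as is. Switching new_users_only off with the "phone" method re-evaluates alee too and replaces the existing 2011.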
MeetingPlace Open SOAP API (MPSA)
If there are "custom" LDAP requirements, then there is a MeetingPlace API that offers the ability to write a custom program interface from the customer LDAP directly to the MP Application Server via SOAP API
"User Service" methods
– addUserProfile, addUserProfileFromTemplate, addUserProfileBasic
– deleteUserProfile
– updateUserProfile, updateUserProfileFromTemplate
– getUserProfile, getUniqueUserId
– isProfiledUser, findUserProfileList
– addGroupProfile, deleteGroupProfile, updateGroupProfile, updateGroupProfileFromTemplate, getGroupProfile, findGroupProfileList
Cisco Developer Program Support for MPSA
http://developer.cisco.com/web/mpsa/home
User Authentication Benefits
• Single Sign-On (SSO)—Allows users who have already been authenticated once to have access to all resources and applications on the network without having to re-enter their credentials.
• Centralized user database—Facilitates profile management.
NOTE: For SSO to work, you must ensure that Cisco MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software.
MeetingPlace WEB - End User Authentication Methods to Third Party Systems
MeetingPlace and Outlook Integration Authentication (uses Windows Client authentication)
MeetingPlace and Lotus Notes Integration Authentication (uses Domino client authentication)
MeetingPlace Web 7 Authentication Options
1. MeetingPlace Directory Service can be configured to use CUCM/LDAP Authentication method
2. MeetingPlace Profile/password (Default setting)
3. LDAP (Multi-forest support)
4. LDAP, then MeetingPlace (single LDAP Forest)
5. Trust External Authentication
6. HTTP Basic Authentication
7. Windows Integrated Authentication
MeetingPlace with Outlook Integration Authentication
MeetingPlace for Outlook supports stored cookie at the client desktop
User has to enter password the first time they click on the MeetingPlace tab (plugin) in Outlook
This password is:
1. Admin assigned for MP profile if they are a local user
2. LDAP password if profile is created by MP Directory Service (LDAP Authentication must then be enabled)
MeetingPlace with Lotus Notes Integration Authentication Support
The only form of authentication supported by Cisco Unified MeetingPlace for IBM Lotus Notes is Domino authentication with Cisco Unified MeetingPlace Web Conferencing configured to use MeetingPlace authentication.
For configuring Domino authentication with MeetingPlace authentication, refer to the "Cisco Unified MeetingPlace for IBM Lotus Notes Installation and Configuration" chapter of the Administration Guide for Cisco Unified MeetingPlace for IBM Lotus Notes Release 6.0.
MeetingPlace Web End User Authentication
Provides the following authentication configuration options:
1. MeetingPlace (Default setting)
• This is used when CUCM LDAP Auth is enabled
• CUCM LDAP Auth supports multidomain
2. LDAP (supports multi-domain with 2-way trusts)
3. LDAP, then MeetingPlace
4. Trust External Authentication
5. HTTP Basic Authentication (Domain)
6. Windows Integrated Authentication
1. MeetingPlace “Default” Authentication
Authenticating users against the profile database on the Cisco MeetingPlace Application Server is the default user authentication option.
You have two options when configuring this type of authentication:
• Logging in with an HTML-based web page form. This is the default option.
• Logging in against a login window rendered by your web browser.
Regardless of the login page users see, user IDs and passwords are sent to the MP Audio Server for authentication.
Both the profile user ID and the password must match, and profiles are case-sensitive.
1. Cisco Unified MeetingPlace "Default" Authentication
[Diagram: MP Web – User ID/Password – MeetingPlace Application Server – User Profile DB]
Choose one of the following options for "Login Method":
1. Choose Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window. This is the default authentication method.
2. Choose HTTP Basic Authentication to see a login window rendered by your web browser.
Note: If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.
2. LDAP Authentication
LDAP authentication compares users’ login information against the profile database on an LDAPv2-compliant directory server.
Once users are authenticated by the LDAP server, users are automatically logged in to Cisco MeetingPlace as long as their LDAP user IDs also exist in Cisco MeetingPlace.
Single Forest or Multiple Forests Supported
[email protected] & [email protected]
Multiple LDAPs must provide two-way trusts between them
MeetingPlace configuration points to one LDAP
With LDAP authentication, the following restrictions apply:
MeetingPlace Web supports only unencrypted LDAP, that is, queries to the LDAP server are in clear text.
LDAP profiles are used for authentication
2. Cisco Unified MeetingPlace LDAP Authentication
[Diagram: MP Web – MeetingPlace Application Server – User Profile DB; Corporate LDAP Directory (AD, Netscape and SunOne) – User Profiles – CUCM]
LDAP Distinguished Name (DN), single DN: CN=%USERNAME%, OU=People, DC=mydomain, DC=com
Or multiple forests: CN=%USERNAME%; users log in in "Domain/userID" format
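The two DN forms on the slide (a single DN template with a %USERNAME% placeholder, and the multi-forest case where users log in as "Domain/userID") can be worked through in code. The following Python is an added example, not MeetingPlace code: it splits the typed login, substitutes the user ID into the template, and, for the multi-forest case, appends a per-domain DN suffix from a map that is an assumption of this example (the deck does not say how the forest is chosen). Escaping the substituted value per RFC 4514 is an added practice so that a user ID containing a comma or similar character cannot alter the DN's structure; the deck does not mention it. Transport is outside the example (the earlier slide notes MeetingPlace Web's LDAP queries are clear text):

```python
# Characters that RFC 4514 section 2.4 requires to be escaped anywhere inside an attribute value
_ESCAPE_ANYWHERE = set('"+,;<>\\')


def escape_dn_value(value):
    """Escape one attribute value so it can replace %USERNAME% in a DN template
    without changing the DN's structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)          # leading/trailing space and leading '#'
        else:
            out.append(ch)
    return "".join(out)


def parse_login(login):
    """Split what the user typed: 'Domain/userID' (multiple forests) or a bare 'userID'."""
    domain, sep, user = login.partition("/")
    if sep:
        return domain.strip(), user.strip()
    return None, login.strip()


def build_bind_dn(login, template, forest_suffixes=None):
    """Produce the DN the web server would use for the LDAP lookup.

    template         the configured DN containing the %USERNAME% placeholder
    forest_suffixes  hypothetical map domain -> DN suffix for the multi-forest case
    """
    domain, user = parse_login(login)
    if not user:
        raise ValueError("empty user ID")
    dn = template.replace("%USERNAME%", escape_dn_value(user))
    if domain is not None:
        if not forest_suffixes or domain not in forest_suffixes:
            raise ValueError(f"unknown domain {domain!r}")
        dn = f"{dn}, {forest_suffixes[domain]}"
    return dn


SINGLE_DN = "CN=%USERNAME%, OU=People, DC=mydomain, DC=com"      # template from the slide
# Constructed suffixes for a two-forest deployment (assumption of this example)
FORESTS = {"CORP": "OU=People, DC=corp, DC=example", "LAB": "OU=Staff, DC=lab, DC=example"}

if __name__ == "__main__":
    print(build_bind_dn("jdoe", SINGLE_DN))
    print(build_bind_dn("LAB/jdoe", "CN=%USERNAME%", FORESTS))
    print(build_bind_dn("Doe, John", SINGLE_DN))
```

A login with no domain part uses the single-DN template unchanged; a "Domain/userID" login must name a known forest or the lookup is refused rather than falling back to an arbitrary suffix.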
3. LDAP then MeetingPlace Authentication
This authentication mode attempts to authenticate users against two directories if the need arises. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco MeetingPlace.
When users first log in, they are authenticated against the LDAP directory. (Single domain only)
If this authentication fails, the login information is sent to the Cisco MeetingPlace Audio Server for a possible match.
If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with the incorrect password will lock the user's LDAP profile.
Only users who are not found in the LDAP directory are eligible for authentication through the Cisco MeetingPlace directory.
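The decision order of this mode is easy to get wrong, so here it is as an added Python model (not MeetingPlace code). The rules come from the slide: a user found in LDAP is judged by LDAP alone, three wrong LDAP passwords lock that LDAP profile, and only users absent from LDAP are tried against the MeetingPlace profile database; the requirement that an LDAP-authenticated user also needs a MeetingPlace profile is carried over from the LDAP authentication slide. The two directories and their passwords are constructed placeholders:

```python
import hmac

LOCKOUT_AFTER = 3   # the slide: three wrong LDAP passwords lock the user's LDAP profile


def _same(submitted, stored):
    # constant-time comparison of the submitted and stored secrets
    return hmac.compare_digest(submitted.encode(), stored.encode())


class LdapThenMeetingPlace:
    """Decision logic of authentication option 3, modelled on the slide's rules.

    ldap_users   constructed stand-in for the LDAP directory: uid -> password
    mp_profiles  constructed stand-in for the MeetingPlace profile database:
                 uid -> local profile password (None for LDAP-provisioned profiles)
    """

    def __init__(self, ldap_users, mp_profiles):
        self.ldap = dict(ldap_users)
        self.mp = dict(mp_profiles)
        self.failures = {}
        self.locked = set()

    def login(self, uid, password):
        if uid in self.ldap:
            # Found in LDAP: LDAP is the only authority for this user. A wrong
            # password is NOT forwarded to the MeetingPlace directory.
            if uid in self.locked:
                return "locked"
            if _same(password, self.ldap[uid]):
                self.failures.pop(uid, None)
                # an LDAP user still needs a MeetingPlace profile to be logged in
                return "ldap" if uid in self.mp else "no_profile"
            self.failures[uid] = self.failures.get(uid, 0) + 1
            if self.failures[uid] >= LOCKOUT_AFTER:
                self.locked.add(uid)
                return "locked"
            return "denied"
        # Not found in LDAP: eligible for the MeetingPlace profile database
        local_pw = self.mp.get(uid)
        if local_pw is not None and _same(password, local_pw):
            return "meetingplace"
        return "denied"


# Constructed sample directories with placeholder passwords (not real credentials)
LDAP = {"alee": "ldap-pw-a", "bray": "ldap-pw-b"}
MP = {"alee": "local-pw-a", "guest1": "guest-pw", "cng": None}

if __name__ == "__main__":
    auth = LdapThenMeetingPlace(LDAP, MP)
    for uid, pw in [("alee", "ldap-pw-a"), ("alee", "local-pw-a"),
                    ("guest1", "guest-pw"), ("bray", "ldap-pw-b"), ("cng", "x")]:
        print(uid, "->", auth.login(uid, pw))
```

The second call shows the point of the last bullet: alee has a local MeetingPlace password, but because alee exists in LDAP that password is never consulted, so the attempt is simply denied and counts toward the LDAP lockout.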
4. Trust External Authentication
Trust External Authentication represents a broad range of enterprise security software that provides functions like authentication, resource access authorization, Single Sign On (SSO), and intrusion detection.
Typically, this software protects your web server by installing a DLL plug-in into the web server service, for example IIS. This DLL plug-in, also called ISAPI Filter, intercepts user login credentials and passes them to a corporate authentication and authorization server.
For MeetingPlace Web Authentication to work with this software, the software must be able to output user IDs in the HTTP header so that they can be passed to Cisco MeetingPlace for authentication.
5. HTTP Basic Authentication (Domain)
The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information.
1. Users are prompted by a pop-up login window that is rendered by their web browser.
2. Users enter valid domain user IDs and passwords. Cisco MeetingPlace profile passwords are ignored and not used in the authentication operation.
3. If the web servers accept the login credentials and the user IDs also exist in Cisco MeetingPlace profile databases, users are logged in automatically to Cisco MeetingPlace and are granted access to the Cisco MeetingPlace home page.
5. HTTP Basic Authentication (Domain) Cont.
The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers.
The disadvantage is that the password is only Base64 encoded before being sent over the network. Since Base64 is not encryption, it can be trivially decoded by anyone who can observe the traffic.
You can mitigate this security issue by implementing Secure Socket Layer (SSL) on the web server.
6. Windows Integrated Authentication (WIA)
Windows Integrated Authentication (WIA) uses an algorithm to generate a hash based on the credentials and computers that users are using.
WIA then sends this hash to the server; user passwords are not sent to the server.
If WIA fails for some reason, such as improper user credentials, users are prompted by their browsers to enter their user IDs and passwords.
The Windows logon credentials are encrypted before being passed from the client to the web server.
6. Windows Integrated Authentication (WIA) Cont.
Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:
• Only Microsoft Internet Explorer version 4.0 or later versions support this authentication method.
• WIA does not work across proxy servers or other firewall applications.
• WIA works only under the browser's Intranet Zone connections and for any trusted sites you have configured.
6. Windows Integrated Authentication (WIA) Cont.
WIA is best suited for an intranet environment where both users and the web server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.
To further ensure or verify that your network supports WIA, refer to Microsoft online documentation at http://support.microsoft.com.
An example of suggested documentation includes the following: http://support.microsoft.com/kb/q264921/
Resources
Cisco Unified MeetingPlace 7 System Requirements Document
Cisco Unified MeetingPlace 7 Configuration Guide
Directory Service Configuration section
UC Manager LDAP Configuration section
End User Authentication Section (MP Web)