
Cisco Unified MeetingPlace 7.0 Directory Service Integrations to LDAP and Authentication Methods


Unified Communications Business Unit

August 2008
Update MR1 January 2009

Presentation_ID

2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

LDAP Profile Synch vs. Authentication

MeetingPlace Application Server
- Uses UC Manager 6.X/7.X LDAP integration for profile synchronization (no direct LDAP synch)
- Creates new profiles, modifies and deletes profiles
- If you use CUCM LDAP synchronization, then you must also configure LDAP authentication on either CUCM or the MeetingPlace Web Server; CUCM LDAP Authentication and MP Web Authentication are both supported

MeetingPlace 7.0 Web Server
- Outlook and Lotus Notes authentication methods
- 6 authentication methods for Web Authentication


MeetingPlace 7.0 Profiles and Authentication with Customer LDAP

Method 1: Manually Creating User Profiles
- You can manually define user profiles. This is useful for adding one or a few new users to the database.

Method 2: Manual Import of User Profiles
- You can import user profiles from any existing database, such as an LDAP directory, through a .csv file.

Method 3: CUCM 5.X/6.X LDAP Synchronization
- Via CUCM 5.X/6.X only: MeetingPlace Application Server -> AXL -> CUCM LDAP -> Customer LDAP
- Support for all CUCM 5.X/6.X LDAP systems
- No direct LDAP integration

User authentication is via various methods:
- Outlook/Notes
- CUCM/LDAP Authentication option (the only option used for WebEx scheduling with a MeetingPlace voice-only system)
- (6) different MeetingPlace Web Authentication methods

Method 1: Manual Add Profile

Application Server -> Web Admin Center -> User Configuration -> Add Profile
Only 6 fields are required.


Method 2: Import/Export Profiles

- The import file must be a comma-delimited ASCII file (an unformatted or flat file with a .csv extension).
- All headers are listed in the Cisco Unified MeetingPlace Administrator's Guide.
- Example header row:

"fnm","lnm","uid","prfnum","phnum","ctctuid","grpnme","grpnum"

- Exporting User Group information and User Profile information first provides the .csv headers automatically.
- User Group profiles or individual user profiles can be imported from any database extraction.
- Several fields are populated automatically from the user group defaults.
- The only mandatory fields are the user ID (uid), password (EncryptedUserPWD), profile number (prfnum), group name (grpnme) and group number (grpnum).
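The following is an added example, not code from the deck or from Cisco, of what a practitioner would run before a bulk import: it maps a directory extraction onto the header row above and checks the mandatory fields, duplicate user IDs and duplicate profile numbers that would otherwise surface as import failures. The source attribute names (givenName, sn, sAMAccountName, telephoneNumber, department), the group-number lookup and the use of the phone number's digits as the profile number are assumptions for the example; the EncryptedUserPWD value format is not described on the page, so the checker only verifies that column when it is present.

```python
import csv
import io

# Column order of the example header row shown on the slide
MP_HEADER = ["fnm", "lnm", "uid", "prfnum", "phnum", "ctctuid", "grpnme", "grpnum"]

# Mandatory per the slide. EncryptedUserPWD is also mandatory, but its encoding is
# not described on the page, so this checker only verifies it when the column exists.
MANDATORY = ["uid", "prfnum", "grpnme", "grpnum"]

# Assumed mapping from an Active Directory style extraction onto MP columns
# (assumption for this example; the page does not define the source attributes)
LDAP_TO_MP = {
    "givenName": "fnm",
    "sn": "lnm",
    "sAMAccountName": "uid",
    "telephoneNumber": "phnum",
    "department": "grpnme",
}


def build_rows(ldap_records, group_numbers):
    """Map LDAP entries onto the MeetingPlace import columns.

    group_numbers: group name -> MP group number (assumed lookup, e.g. taken from
    a prior User Group export). The digits of the phone number become the
    profile number, one of the methods the deck describes.
    """
    rows = []
    for rec in ldap_records:
        row = {col: "" for col in MP_HEADER}
        for attr, col in LDAP_TO_MP.items():
            row[col] = rec.get(attr, "")
        row["grpnum"] = group_numbers.get(row["grpnme"], "")
        row["prfnum"] = "".join(ch for ch in row["phnum"] if ch.isdigit())
        rows.append(row)
    return rows


def validate_rows(rows):
    """Return a list of (row_index, problem); an empty list means ready to import."""
    problems = []
    seen_uid, seen_prfnum = set(), set()
    for i, row in enumerate(rows):
        for col in MANDATORY:
            if not row.get(col):
                problems.append((i, f"missing {col}"))
        if "EncryptedUserPWD" in row and not row["EncryptedUserPWD"]:
            problems.append((i, "missing EncryptedUserPWD"))
        uid, prfnum = row.get("uid", ""), row.get("prfnum", "")
        if prfnum and not prfnum.isdigit():
            problems.append((i, "prfnum is not numeric"))
        if uid and uid in seen_uid:
            problems.append((i, f"duplicate uid {uid}"))
        if prfnum and prfnum in seen_prfnum:
            problems.append((i, f"duplicate prfnum {prfnum}"))
        seen_uid.add(uid)
        seen_prfnum.add(prfnum)
    return problems


def to_csv(rows):
    """Comma-delimited text with every field quoted, like the slide's header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=MP_HEADER,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample extraction for the example (not real directory data)
SAMPLE_LDAP = [
    {"givenName": "Jane", "sn": "Smith", "sAMAccountName": "jsmith",
     "telephoneNumber": "+1 408 555 0101", "department": "Sales"},
    {"givenName": "Joe", "sn": "Jones", "sAMAccountName": "jjones",
     "telephoneNumber": "", "department": "Engineering"},
    {"givenName": "Dup", "sn": "Smith", "sAMAccountName": "jsmith",
     "telephoneNumber": "+1 408 555 0101", "department": "Sales"},
]
SAMPLE_GROUPS = {"Sales": "2001"}   # Engineering deliberately has no group number

if __name__ == "__main__":
    rows = build_rows(SAMPLE_LDAP, SAMPLE_GROUPS)
    for idx, why in validate_rows(rows):
        print(f"row {idx} ({rows[idx]['uid']}): {why}")
    print(to_csv(rows))
```

Run it as-is and the second and third sample rows are reported (blank phone number, unknown group, duplicated user ID and profile number) while the first row is emitted exactly in the quoted format the slide shows.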

Method 3: MeetingPlace/CUCM to LDAP Profile Management

CUCM 5.X/6.X LDAP Integration
[Diagram: MP Application Server (AXL Adaptor, DB) <- AXL/SOAP -> CUCM <- LDAP -> Customer LDAP Directory]

- Requires a CUCM 5.X/6.x running with LDAP integration configured on CUCM (also used for SIP trunking)
- Creates new profiles, deactivates profiles and applies changes
- Provides Time Zone and Group filters to automate placing users into the correct groups
- LDAP authentication is done in the MP Web/Outlook/Lotus Notes components

LDAP Directories
Cisco Unified CM: Directory Synchronization

[Diagram: Corporate Directory (Microsoft AD, Netscape/iPlanet) -> DirSync (user data synchronization) -> Cisco Unified CM 6.X Server DB (user lookup by IMS and WWW) -> MP Directory Service Profile Synch]

- The DirSync tool pulls the main user attributes from the directory into the CUCM DB.
- User passwords are NOT synced.

MeetingPlace 7.0 with CUCM 5.X/6.X: Directory Services Supported

Customer Directory               CUCM Directory Services   MPDS 5.x
Windows AD 2000                  Yes                       Yes
Windows AD 2003                  Yes                       Yes
Windows AD 2007                  Yes                       No
Windows AD 2008                  Yes                       No
Netscape 4.x                     Yes                       Yes
iPlanet 4.x                      Yes                       Yes
Sun 5.1 Directory Server         Yes                       No
Sun Java 5.2 Directory Server    Yes                       No
OpenLDAP                         On roadmap                No
IBM Tivoli Directory Services    On roadmap                No
Novell eDirectory                Yes                       No
SunOne                           No                        Yes
Domino Directory                 No                        No

Note: Active Directory ADAM server is not supported.

LDAP Directories
Integration Approaches: Cisco Unified CM

[Diagram: Corporate LDAP Directory <- LDAP -> Cisco Unified CM 6.X (Sync Agent -> embedded database DB)]

- No data is written to the directory.
- User authentication (read only) and user provisioning (read only) are enabled independently.

LDAP Directories
Cisco Unified CM: End Users vs. Application Users

Cisco Unified CM users are now divided into two categories:
- End Users: physical users (can be telephony users or administrators)
- Application Users: used for other voice applications (Unified CM Assistant, Attendant Console, IPCC Express, etc.)

Key concept: Application Users are always kept local to the CUCM DB and authenticated locally, even when integrating with an external directory.

MLA (Multilevel Administration) concepts are fully integrated in the CUCM administration pages (Roles and User Groups): just assign the appropriate Role to End Users to turn them into administrators.

LDAP Directories
Cisco Unified CM: Main Features

Supported corporate directories:
- Microsoft AD 2000 and 2003
- Netscape 4.x, iPlanet 5.1 and Sun ONE 5.2

- Built-in redundancy (configure multiple LDAP hosts)
- Security: support for LDAP over SSL (LDAPS)
- Support for multi-tree AD (discontiguous namespaces)
- Configurable periodic or manual resync

Authentication (enabled separately):
- End User passwords can be authenticated against the directory
- End User PINs are authenticated against the CUCM DB
- Application User passwords are authenticated against the CUCM DB

Directory Service Parameters

The following fields are taken from Cisco Unified Communications Manager (via LDAP) into the Cisco Unified MeetingPlace user profile. Any of these fields that is not available in Cisco Unified Communications Manager is left blank in the MeetingPlace user profile.
- First name
- Last name
- User ID
- Profile number (unique number based on the main phone number)
- User status
- E-mail address
- Main phone number

MeetingPlace Directory Service Filters

The filters are configurable to create profiles based on country code or time zone derived from telephone numbers.

Filters for Time Zone
- Filtered by phone number prefix (area code, country code, etc.)
- By default, the local time of the Application Server is assigned

Filters for Groups
- Group name: filtered by department number
- By default, the System User Group is assigned

Filters for Profile Number

Order of configuration:
1. Configure Filters for Time Zone
2. Configure Filters for Groups
3. Configure Profile Number Filters
4. Run Directory Synch with UC Manager last

Profile Number: 3 Choices for Filters (7.0.2+)

Use phone number as profile number
- The UC Manager User Profile Telephone Number field entry is the profile number.
- If the Telephone Number for a user is blank or conflicts with an existing profile number in MeetingPlace, the system instead uses a six-digit auto-generated profile number.

Use last n digits of phone number as profile number
- If the Telephone Number for a user is blank, or if applying this method for a user conflicts with an existing profile number in MeetingPlace, the system instead uses a six-digit auto-generated profile number.
- If the Telephone Number field entry for a user is shorter than the configured number of digits, the Telephone Number is used as-is as the profile number.

Use 6-digit auto-generated profile number
- The auto-generated profile numbers start from 100001 and always contain six digits.

Profile Number Configuration

Apply the profile number configuration method either to new users only, or to each user profile that gets imported or updated during Directory Service user profile updates or full synchronizations.
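The two preceding slides describe the profile-number rules in prose; the following is an added example, not Cisco code, that implements all three choices (phone number, last n digits, six-digit auto-generated) with the blank-number and conflict fallbacks, plus the "new users only" versus "every imported or updated profile" switch. The allocator, the in-memory profile map and the sample users are constructed for the example; that an auto-generated number already present in the database is skipped rather than reused is an assumption, since the page does not say how that case is handled.

```python
AUTO_START = 100001   # auto-generated profile numbers start here and are always six digits


def phone_digits(phone):
    """Keep only the digits of a UC Manager Telephone Number entry."""
    return "".join(ch for ch in (phone or "") if ch.isdigit())


class ProfileNumberAllocator:
    """Assign profile numbers per the three Directory Service filter choices:
    method "phone", "last_n" (with n_digits) or "auto"."""

    def __init__(self, existing, method, n_digits=None):
        if method not in ("phone", "last_n", "auto"):
            raise ValueError(f"unknown method {method!r}")
        if method == "last_n" and not n_digits:
            raise ValueError("last_n needs a positive n_digits")
        self.existing = set(existing)   # profile numbers already in the MP profile DB
        self.method = method
        self.n_digits = n_digits
        self.next_auto = AUTO_START

    def _auto(self):
        # Assumption: an auto number that is already taken is skipped, not reused
        while str(self.next_auto) in self.existing:
            self.next_auto += 1
        number = str(self.next_auto)
        if len(number) != 6:
            raise RuntimeError("six-digit auto-generated range exhausted")
        self.next_auto += 1
        return number

    def assign(self, phone):
        digits = phone_digits(phone)
        candidate = ""
        if self.method == "phone":
            candidate = digits
        elif self.method == "last_n":
            # Slicing a number shorter than n returns it unchanged, i.e. used as-is
            candidate = digits[-self.n_digits:]
        # A blank phone number or a conflict falls back to the auto-generated number
        if not candidate or candidate in self.existing:
            candidate = self._auto()
        self.existing.add(candidate)
        return candidate


def sync_profiles(cucm_users, mp_profiles, allocator, new_users_only):
    """Apply the allocator during a Directory Service synchronization.

    cucm_users:  user ID -> Telephone Number from UC Manager
    mp_profiles: user ID -> profile number currently in MeetingPlace
    new_users_only=True keeps existing numbers; False re-applies the method to
    every imported or updated profile. Returns the updated user ID -> number map.
    """
    result = dict(mp_profiles)
    for uid, phone in cucm_users.items():
        if uid in result:
            if new_users_only:
                continue
            allocator.existing.discard(result[uid])   # its number may be reassigned
        result[uid] = allocator.assign(phone)
    return result


if __name__ == "__main__":
    # Constructed sample: 7001 already exists; a blank number and a clash force fallbacks
    users = {"jsmith": "+1 408 555 0101", "jjones": "", "rlee": "+1 408 555 0101"}
    alloc = ProfileNumberAllocator(existing={"7001"}, method="last_n", n_digits=4)
    print(sync_profiles(users, {"jsmith": "7001"}, alloc, new_users_only=False))
```

With the sample input, jsmith is renumbered to 0101 (last four digits), jjones gets 100001 because the phone number is blank, and rlee gets 100002 because 0101 is already taken.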

MeetingPlace Open SOAP API (MPSA)

If there are custom LDAP requirements, the MeetingPlace SOAP API offers the ability to write a custom program interface from the customer LDAP directory directly to the MP Application Server.

User Service methods:
- addUserProfile, addUserProfileFromTemplate, addUserProfileBasic
- deleteUserProfile
- updateUserProfile, updateUserProfileFromTemplate
- getUserProfile, getUniqueUserId
- isProfiledUser, findUserProfileList
- addGroupProfile, deleteGroupProfile, updateGroupProfile, updateGroupProfileFromTemplate, getGroupProfile, findGroupProfileList

Cisco Developer Program support for MPSA: http://developer.cisco.com/web/mpsa/home

User Authentication Benefits

- Single Sign-On (SSO): allows users who have already been authenticated once to access all resources and applications on the network without re-entering their credentials.
- Centralized user database: facilitates profile management.

NOTE: For SSO to work, you must ensure that Cisco MeetingPlace user IDs are set up so that they match the corresponding user IDs used by the third-party authentication software.

MeetingPlace Web: End User Authentication Methods to Third-Party Systems

- MeetingPlace and Outlook integration authentication (uses Windows client authentication)
- MeetingPlace and Lotus Notes integration authentication (uses Domino client authentication)

MeetingPlace Web 7 authentication options:
1. MeetingPlace Directory Service can be configured to use the CUCM/LDAP authentication method
2. MeetingPlace profile/password (default setting)
3. LDAP (multi-forest support)
4. LDAP, then MeetingPlace (single LDAP forest)
5. Trust External Authentication
6. HTTP Basic Authentication
7. Windows Integrated Authentication

MeetingPlace with Outlook Integration Authentication

- MeetingPlace for Outlook supports a stored cookie on the client desktop.
- Users have to enter a password the first time they click the MeetingPlace tab (plug-in) in Outlook. This password is:
  1. the admin-assigned MP profile password if they are a local user
  2. the LDAP password if the profile was created by MP Directory Service (LDAP authentication must then be enabled)

MeetingPlace with Lotus Notes Integration Authentication Support

The only form of authentication supported by Cisco Unified MeetingPlace for IBM Lotus Notes is Domino authentication, with Cisco Unified MeetingPlace Web Conferencing configured to use MeetingPlace authentication.

For configuring Domino authentication with MeetingPlace authentication, refer to the "Cisco Unified MeetingPlace for IBM Lotus Notes Installation and Configuration" chapter of the Administration Guide for Cisco Unified MeetingPlace for IBM Lotus Notes Release 6.0.

MeetingPlace Web End User Authentication

Provides the following authentication configuration options:
1. MeetingPlace (default setting). This setting is also used when CUCM LDAP authentication is enabled; CUCM LDAP authentication supports multi-domain.
2. LDAP (supports multi-domain with 2-way trusts)
3. LDAP, then MeetingPlace
4. Trust External Authentication
5. HTTP Basic Authentication (Domain)
6. Windows Integrated Authentication

1. MeetingPlace Default Authentication

Authenticating users against the profile database on the Cisco MeetingPlace Application Server is the default user authentication option.

You have two options when configuring this type of authentication:
- Logging in with an HTML-based web page form. This is the default option.
- Logging in through a login window rendered by your web browser.

Regardless of the login page users see, user IDs and passwords are sent to the MP Audio Server for authentication.

Both the profile (user ID) and the user password must match, and profiles are case-sensitive.

1. Cisco Unified MeetingPlace Default Authentication

[Diagram: MP Web -> (User ID/Password) -> MeetingPlace Application Server User Profile DB]

Choose one of the following options for "Login Method":
1. Choose Web Page Form to see an HTML-based Cisco Unified MeetingPlace login window. This is the default authentication method.
2. Choose HTTP Basic Authentication to see a login window rendered by your web browser.

Note: If you choose HTTP Basic Authentication, users cannot log in to Cisco Unified MeetingPlace as guests.

2. LDAP Authentication

LDAP authentication compares the user's login information against an LDAPv2-compliant directory server. Once users are authenticated by the LDAP server, they are automatically logged in to Cisco MeetingPlace as long as their LDAP user IDs also exist in Cisco MeetingPlace.

Single forest or multiple forests are supported:
- e.g. jsmith@ciscousa.com and jjones@ciscoemea.com
- Multiple LDAP directories must provide two-way trusts between them
- The MeetingPlace configuration points to one LDAP server

With LDAP authentication, the following restrictions apply:
- MeetingPlace Web supports only unencrypted LDAP: queries to the LDAP server, including the user's password in the bind, cross the network in clear text, so the path between the Web Server and the directory needs network-level protection.
- LDAP profiles are used for authentication.

2. Cisco Unified MeetingPlace LDAP Authentication

[Diagram: MP Web -> Corporate LDAP Directory (AD, Netscape and SunOne); MeetingPlace Application Server User Profile DB holds the user profiles synchronized through CUCM]

LDAP Distinguished Name (DN):
- Single DN: CN=%USERNAME%,OU=People,DC=mydomain,DC=com
- Or multiple forests: CN=%USERNAME%
- Users log in using the Domain/userID format

3. LDAP then MeetingPlace Authentication

This authentication mode attempts to authenticate users against two directories if the need arises. This behavior allows a company to give non-LDAP users, such as guests or contractors, access to Cisco MeetingPlace.

- When users first log in, they are authenticated against the LDAP directory (single domain only).
- If this authentication fails because the user is not in LDAP, the login information is sent to the Cisco MeetingPlace Audio Server for a possible match.
- If a match is made in the LDAP database, the user must provide the proper LDAP password. Three attempts with an incorrect password will lock the user's LDAP profile.

Only users who are not found in the LDAP directory are eligible for authentication through the Cisco MeetingPlace directory.
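The DN template from the LDAP Authentication slide and the "LDAP, then MeetingPlace" decision above are combined in this added example, which is not code from the deck or from Cisco: the user ID is substituted into CN=%USERNAME%,OU=People,DC=mydomain,DC=com, a user who exists in LDAP can only succeed with the LDAP password and is locked after three failures, and only a user absent from LDAP falls through to the MeetingPlace profile password. The directory (FakeDirectory), the profile map and the sample accounts are constructed stand-ins; the rejection of DN special characters in the user ID is an added hardening check, not behaviour the page describes. Passing allow_mp_fallback=False gives the plain LDAP option (option 2 on the slides).

```python
import hmac

# The slide's single-DN template; %USERNAME% is replaced with the login user ID
DN_TEMPLATE = "CN=%USERNAME%,OU=People,DC=mydomain,DC=com"
LOCKOUT_THRESHOLD = 3   # three incorrect LDAP passwords lock the LDAP profile

# Characters that would let a user ID inject extra RDNs into the DN
# (added check for this example, not something the page describes)
RDN_SPECIALS = set(',=+<>#;"\\\x00')


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class FakeDirectory:
    """Constructed stand-in for the LDAP server: entries maps DN -> password."""

    def __init__(self, entries):
        self.entries = dict(entries)
        self.failures = {}       # DN -> consecutive failed binds
        self.locked = set()

    def exists(self, dn):
        return dn in self.entries

    def bind(self, dn, password):
        if dn not in self.entries:
            raise KeyError(dn)
        if dn in self.locked:
            return False
        if _same(self.entries[dn], password):
            self.failures[dn] = 0
            return True
        self.failures[dn] = self.failures.get(dn, 0) + 1
        if self.failures[dn] >= LOCKOUT_THRESHOLD:
            self.locked.add(dn)
        return False


def user_dn(user_id, template=DN_TEMPLATE):
    """Build the bind DN from the template, refusing IDs that could alter the DN."""
    if not user_id or any(ch in RDN_SPECIALS for ch in user_id):
        raise ValueError("user ID is empty or contains DN special characters")
    return template.replace("%USERNAME%", user_id)


def authenticate(user_id, password, directory, mp_profiles, allow_mp_fallback=True):
    """'LDAP, then MeetingPlace' login decision; returns (ok, source).

    mp_profiles: user ID -> MeetingPlace profile password (constructed stand-in for
    the Application Server profile database).
    """
    if user_id not in mp_profiles:
        # An LDAP user still needs a MeetingPlace profile to be logged in
        return False, "no MeetingPlace profile"
    dn = user_dn(user_id)
    if directory.exists(dn):
        # Found in LDAP: only the LDAP password is acceptable, never the MP one
        return directory.bind(dn, password), "ldap"
    if allow_mp_fallback and _same(mp_profiles[user_id], password):
        return True, "meetingplace"
    return False, "meetingplace"


if __name__ == "__main__":
    # Constructed sample directory and profile database
    directory = FakeDirectory({user_dn("jsmith"): "ldap-secret"})
    profiles = {"jsmith": "mp-secret", "contractor1": "guest-secret"}
    print(authenticate("jsmith", "ldap-secret", directory, profiles))       # (True, 'ldap')
    print(authenticate("jsmith", "mp-secret", directory, profiles))         # (False, 'ldap')
    print(authenticate("contractor1", "guest-secret", directory, profiles)) # (True, 'meetingplace')
```

The second call shows the point the slide makes: jsmith's MeetingPlace password is not a fallback once the account is found in LDAP, and that failed bind counts towards the lockout.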

4. Trust External Authentication

Trust External Authentication represents a broad range of enterprise security software that provides functions like authentication, resource access authorization, Single Sign-On (SSO) and intrusion detection. Typically, this software protects your web server by installing a DLL plug-in into the web server service, for example IIS. This DLL plug-in, also called an ISAPI filter, intercepts user login credentials and passes them to a corporate authentication and authorization server.

For MeetingPlace Web Authentication to work with this software, the software must be able to output user IDs in the HTTP header so that they can be passed to Cisco MeetingPlace for authentication. Because the web server then trusts that header as proof of identity, the filter must be the only party able to set it: any copy of the header arriving from the client must be stripped, and the MeetingPlace web server must not be reachable on a path that bypasses the filter.
5. HTTP Basic Authentication (Domain)

The HTTP basic authentication method is a widely used industry-standard method for collecting user ID and password information.

1. Users are prompted by a pop-up login window that is rendered by their web browser.
2. Users enter valid domain user IDs and passwords. Cisco MeetingPlace profile passwords are ignored and not used in the authentication operation.
3. If the web server accepts the login credentials and the user ID also exists in the Cisco MeetingPlace profile database, the user is logged in automatically to Cisco MeetingPlace and granted access to the Cisco MeetingPlace home page.

5. HTTP Basic Authentication (Domain), cont.

The advantage of HTTP Basic Authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that the password is only Base64 encoded before being sent over the network. Base64 is an encoding, not encryption, so anyone who can observe the request can recover the password. You can mitigate this by implementing Secure Socket Layer (SSL) on the web server, so that the header is only ever sent inside an encrypted connection.
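An added example, not code from the deck or from Cisco, of the two slides above: it decodes an Authorization: Basic header to show how little the Base64 layer hides, and then walks the login steps the first slide lists (domain credentials checked by the web server, MeetingPlace profile password ignored, user must still exist in the MeetingPlace profile database), refusing to process the header at all unless the request arrived over TLS. The WSGI-style environ, the domain account map and the sample header value (Base64 of "jsmith:Secret1", constructed for the example) are stand-ins.

```python
import base64
import binascii
import hmac

# Constructed sample header value: Base64 of "jsmith:Secret1", nothing more
SAMPLE_AUTHORIZATION = "Basic anNtaXRoOlNlY3JldDE="


def parse_basic_authorization(header_value):
    """Decode an 'Authorization: Basic <token>' value into (user_id, password).

    Returns None when the value is not well-formed Basic credentials. Base64 is
    reversible by anyone who sees the request, which is the slide's point.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):      # bad Base64 or not UTF-8
        return None
    user_id, sep, password = text.partition(":")
    if not sep or not user_id:
        return None
    return user_id, password


def basic_auth_login(environ, domain_accounts, mp_profiles):
    """Web-server side of the flow on the slide, against constructed stand-ins.

    environ:          WSGI-style request environment
    domain_accounts:  user ID -> domain password (what the web server checks)
    mp_profiles:      set of user IDs that exist in the MeetingPlace profile database
    Returns (http_status, user_id).
    """
    # The credentials are only Base64 encoded, so do not accept them off TLS
    if environ.get("wsgi.url_scheme") != "https":
        return 403, None
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION", ""))
    if creds is None:
        return 401, None          # browser renders its own login pop-up
    user_id, password = creds
    expected = domain_accounts.get(user_id)
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"),
                                                   password.encode("utf-8")):
        return 401, None          # domain check failed; the MP profile password is never consulted
    if user_id not in mp_profiles:
        return 403, user_id       # valid domain user, but no MeetingPlace profile
    return 200, user_id           # logged in, sent to the MeetingPlace home page


if __name__ == "__main__":
    print(parse_basic_authorization(SAMPLE_AUTHORIZATION))   # ('jsmith', 'Secret1')
    request = {"wsgi.url_scheme": "https", "HTTP_AUTHORIZATION": SAMPLE_AUTHORIZATION}
    print(basic_auth_login(request, {"jsmith": "Secret1"}, {"jsmith"}))   # (200, 'jsmith')
```

Changing wsgi.url_scheme to "http" in the sample request makes the function refuse the login outright, which is the check that turns the slide's SSL recommendation into enforced behaviour rather than advice.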

6. Windows Integrated Authentication (WIA)

Windows Integrated Authentication (WIA) uses a challenge-response exchange: the client sends the server a value derived from the user's credentials and the computer the user is on, and the user's password itself is never sent to the server. If WIA fails for some reason, such as improper user credentials, users are prompted by their browsers to enter their user IDs and passwords. The Windows logon credentials are protected before being passed from the client to the web server.
6. Windows Integrated Authentication (WIA), cont.

Although Windows Integrated Authentication (WIA) is secure, it does have the following limitations:
- Only Microsoft Internet Explorer version 4.0 or later supports this authentication method.
- WIA does not work across proxy servers or other firewall applications.
- WIA works only under the browser's Intranet Zone connections and for any trusted sites you have configured.
6. Windows Integrated Authentication (WIA), cont.

WIA is best suited for an intranet environment where both users and the web server are in the same domain and where administrators can ensure that every user has Microsoft Internet Explorer. The web server must be in a Windows domain.

To further ensure or verify that your network supports WIA, refer to Microsoft online documentation at http://support.microsoft.com. An example of suggested documentation: http://support.microsoft.com/kb/q264921/
Resources

- Cisco Unified MeetingPlace 7 System Requirements Document
- Cisco Unified MeetingPlace 7 Configuration Guide
  - Directory Service Configuration section
  - UC Manager LDAP Configuration section
  - End User Authentication section (MP Web)