Thursday, May 14, 2009

CUCM Initial Configuration - LDAP Integration

There are two types of user accounts in CUCM:
  • End Users: These accounts are associated with physical people and are used for interactive logins (they can be end users or CUCM administrators depending on the user groups and roles assigned to the accounts).
  • Application Users: These accounts are associated with CUCM applications and/or features such as Cisco Attendant Console and Cisco Unified Contact Center Express. They do not have interactive logins; they are only used for internal communication between applications.
LDAP is used so that end users and administrators can authenticate against the corporate directory. This provides single logon functionality and also allows contact lookups using the Directories button on the Cisco IP Phone.

CUCM supports two types of LDAP integration for end users:
  • LDAP synchronization (uses a service called DirSync): with this method end users cannot be added or deleted from within CUCM (user management is done in LDAP). All user and organizational data associated with the end user is managed in LDAP and synchronized to CUCM. Note: End user passwords and CUCM settings are stored locally and not in LDAP.
  • LDAP authentication: with this method end user passwords are no longer stored locally in CUCM but in LDAP. End user accounts need to be created individually in CUCM for authentication to work, and these accounts need to be identical in LDAP and CUCM (there is a possibility of user error when creating these accounts, therefore it is recommended that LDAP synchronization and authentication be used together).
Note: Application user accounts are stored in the local database and are always managed from CUCM.

Best Practices for LDAP Integration:
  • Create a dedicated account on the LDAP server with administrative rights for the OU (this account needs to read all user objects).
  • The password for this account should be set to never expire.
  • Use IP addresses and remove DNS reliance.
  • Using multiple LDAP servers removes the single point of failure.
  • Query the Active Directory Global Catalog server (faster response time).
  • The LDAP connection between the LDAP server and CUCM should use Secure LDAP; this needs to be enabled on both the LDAP and CUCM servers. (How to enable LDAP over SSL with a third-party certification authority)
Configuring LDAP Integration with synchronization and authentication:
  1. Create the LDAP user account and assign administrative permissions
  2. Activate the DirSync service
  3. Configure the LDAP system
  4. Configure the LDAP directory (cn=, ou=, dc=)
  5. Configure the LDAP authentication (cn=, ou=, dc=)

Final notes to take into consideration:
  1. LDAP users need to have the First Name, Surname and Password fields populated.
  2. In IE 7 you cannot have both the https://cucm-ipaddress/ccmadmin page and https://cucm-ipaddress/ccmuser open in the same browser.
  3. Before an end user can log in with their credentials, the user must be added to the user group Standard CCM End Users via "Add end users to Group".
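The following is an added example (not from the original post and not a Cisco tool) that checks the prerequisites from the best-practice list and from final note 1 before DirSync is activated: every user object under the search base has First Name (givenName) and Surname (sn) populated, is not disabled, and the dedicated DirSync bind account has its password set to never expire. It works on an LDIF export (the format ldapsearch produces) so it can be run offline; the sample export, the example.local domain, the OU names and the svc-dirsync account name are all constructed for this example. The userAccountControl bit values are the documented Active Directory flags.

```python
"""Pre-flight check of an LDAP user export before CUCM DirSync is turned on.

Added example, not part of the original post or of Cisco's tooling.
"""

import base64

# Active Directory userAccountControl bit flags (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample LDIF export; domain, OUs and accounts are placeholders.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: aexample
givenName: Alice
sn: Example
telephoneNumber: 2001
userAccountControl: 512

dn: CN=Bob,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bob
givenName: Bob
userAccountControl: 512

dn: CN=Carol Example,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: cexample
givenName: Carol
sn: Example
userAccountControl: 514

dn: CN=svc-dirsync,OU=Service Accounts,DC=example,DC=local
objectClass: user
sAMAccountName: svc-dirsync
givenName: DirSync
sn: Service
userAccountControl: 512
"""


def search_base(ou, domain):
    """Build the user search base CUCM asks for in the LDAP directory and
    LDAP authentication pages, e.g. ('Users', 'example.local') ->
    'OU=Users,DC=example,DC=local'."""
    dcs = ",".join(f"DC={part}" for part in domain.split("."))
    return f"OU={ou},{dcs}"


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.
    Base64 attributes ('attr:: value') are decoded; '#' comments are skipped."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        if "::" in line:
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def _uac(entry):
    return int(entry.get("userAccountControl", ["0"])[0])


def check_end_user(entry):
    """Problems that would stop this object syncing or logging in as a CUCM end user."""
    problems = [f"missing {a}" for a in ("givenName", "sn") if not entry.get(a)]
    if _uac(entry) & UAC_ACCOUNTDISABLE:
        problems.append("account disabled")
    return problems


def check_dirsync_account(entry):
    """The dedicated bind account must stay enabled and must never expire."""
    problems = []
    if _uac(entry) & UAC_ACCOUNTDISABLE:
        problems.append("account disabled")
    if not _uac(entry) & UAC_DONT_EXPIRE_PASSWD:
        problems.append("password can expire")
    return problems


def preflight(ldif_text, base_dn, dirsync_sam):
    """Map sAMAccountName -> problem list for every entry under base_dn."""
    report = {}
    for entry in parse_ldif(ldif_text):
        if not entry["dn"][0].lower().endswith(base_dn.lower()):
            continue  # outside the search base CUCM will be configured with
        sam = entry.get("sAMAccountName", ["?"])[0]
        check = check_dirsync_account if sam == dirsync_sam else check_end_user
        if check(entry):
            report[sam] = check(entry)
    return report


if __name__ == "__main__":
    for sam, problems in preflight(SAMPLE_LDIF, "DC=example,DC=local", "svc-dirsync").items():
        print(f"{sam}: {', '.join(problems)}")
```

Run it against a real export with `ldapsearch ... > users.ldif` and the search base you intend to enter in steps 4 and 5; any account listed by the report would either be skipped by DirSync (missing name fields) or fail to authenticate (disabled, or a bind account whose password lapses).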

Adding multiple users to the Standard CCM End Users can be done through the User Groups:

Additional reference link: Configuring Cisco Unified Communication Manager Directory Integration
