Communications Manager LDAP Groups Caveat

If you’re wanting to LDAP synchronize Active Directory distribution groups for use with Cisco Jabber you’ll want to pay close attention to the ‘Synchronize’ setting. This setting is found on the ‘LDAP Directory’ configuration page. TLDR – If you’re using different synchronization agreements for users and groups the user directory synchronization must also be selected for ‘Users and Groups’.

Why and what’s happening inside the DirSync service?

If the directory synchronization agreement is set for ‘Users Only’ the LDAP search filter looks like this:
LDAPUsers

If the directory synchronization agreement is set for ‘Users and Groups’ the LDAP search filter looks like this:
LDAPUsersandGroups

You’ll notice at the bottom of the second screenshot the ‘memberof’ attribute request. This is where the user synchronization agreement requests the all of the groups the user is a member of. This also means that if this is the first time you’re setting up the agreements you’ll have to synchronize groups and then users. If you’re adding groups you have to run a full sync on both agreements.

So again — if you’re using different synchronization agreements for users and groups because you’re looking in different containers both agreements need to be set for Synchronize: ‘Users and Groups’. Obviously if you’re using one synchronization agreement to import both users and groups in a single container you wouldn’t run into this little caveat.

I got tripped up on this recently because the setting would seemingly imply it’s what you’re importing and not the search filter. It took a couple of packet captures to figure it out. PCAP or didn’t happen!

CCM packet cap:
utils network capture eth0 file packetcap1 count 100000 size all

jabber

Advertisements

Cisco Communications Manager 10.5 Certificates BUG

Finally we get cluster-wide certificate management via multi-SAN certificate support. EDIT 6/10/2014 – and I immediately find a SEV2 bug working with TAC Bug ID:CSCup28852. Callmanager hates this certificate and sends group resets every ITL refresh meaning your phones reboot every 10 minutes or so. Fixed in a later CUCM version but not available for download at this time.

You need to properly set up your Microsoft CA to provide the proper certificate template.

  1. New Certificate template “Web Server X509v3”
    1. Certificate purposes – Server authentication, client authentication, IP security end system
    2. Key usage – Digital signature, Non repudiation (I add this so this can also be used for the VMware hosts, Key encipherment, data encryption. When you are in “Key Usage” you cannot assign Key Agreement and Key Encryption. You want to select “key encipherment”
    3. Key length: 2048
    4. Hash: SHA256
  2. Generate Multi-SAN certificate request from your CUCM publisher
    1. Certificate purpose: tomcat
    2. Distribution: Multi-server (SAN)
    3. Common name: Can be left as-is of put in a vanity name
      1. Auto-populated Domains
      2. This should list all of your CUCM and IM&P nodes in the cluster.
    4. Parent domain!
      1. Be sure this is the parent DNS domain your SERVERS are residing in. There are some caveats here if you have servers in different domains
      2. Example: cucm1.site.domain.com
    5. Other domains!
      1. ADD your directory URI domains (AKA e-mail domain).
      2. Example: domain.com
    6. Key Length: 2048
    7. Hash: SHA265
  3. Submit the CSR to the Microsoft CA via http://ca-server/certsrv
  4. Upload the CA root and any intermediates
  5. Upload the new certificate to CUCM publisher

Enjoy that you didn’t have to do that on every cluster node!

Reminder: If Jabber is connecting to Voicemail you need to go to Unity Connection and create CSR and assign a certificate for each Unity Connection node. Jabber will still prompt for a certificate error if Unity Connection is un-signed.