100068640

8/2/2019 100068640

1/18

Avaya Aura CommunicationManager BranchRelease 2.0

Job Aid: Configuring and Working withLDAP

November 2009Issue 2

8/2/2019 100068640

2/18

8/2/2019 100068640

3/18

Issue 2 November 2009 3

Introduction

This Job Aid describes how to configure Branch Central Manager and Branch Device Manager useraccounts using your organizations LDAP or RADIUS servers.

This allows you to configure and maintain the accounts centrally, reducing the time for adds, moves anddeletes.

Prerequisites

Operating System: Windows 2003 Server, Service Pack 2.

Both the Active Directory and the Certificate Authority server are on the same computer. If the AD

and CA server are not, see: CA Server and AD on different servers on page 9. The LDAP server host name including domain name, for example atl-ad-gc.corp.company.com

The Active Directory Domain, for example corp.company.com.

See Table 1 for a list of terms used in this document.

Table 1: Glossary

Abbreviation Meaning

AD Active Directory

CA Certificate Authority

DC Domain Controller

8/2/2019 100068640

4/18

4 Installation and Upgrades for the Avaya G450 Media Gateway

Creating CA and DC certificates

Request for new certificate for Domain Controller and validationof existing CA Server certificate

1. Click Start > Run > mmc.

2. Select File > Add/Remove Snap-in.

3. The Add/Remove Snap-in window opens.

4. Click Add....

- The Add Standalone Snap-in window opens:

5. Select Certificates

6. Click Add.

8/2/2019 100068640

5/18



- The Certificates snap-in wizard opens:

7. Select Computer account in the Certificates snap-in wizard.

8. Click Next >.

- The next step in the wizard opens:

9. Select Local computer: (the computer this console is running on).

10. Click Finish.

8/2/2019 100068640

6/18


11. Open the Personal > Certificates page in the Console:

Create new certificate for the Active Directory as follows:

12. Right-click Certificates and select All Tasks > Request New Certificate

13. Choose Domain Controller template in the Certificate Request Wizard:

14. Click Next >

8/2/2019 100068640

7/18



- The following screen opens:

15. Type the full computer name of Active Directory server, including domain name, for example

atl-ad-gc.corp.com, in the Friendly name field.16. Click Next > until you reach the final stage.

17. Click Finish.

- The following screen opens:

18. Click Finish to exit the wizard.

8/2/2019 100068640

8/18


Exporting the CA Server certificate

The next step is exporting the CA server certificate to *.cer file.

1. Right-click the first certificate as shown below and select All Tasks > Export:

- The the Certificate Export Wizard opens:

2. Select No, do not export the private key.

3. Click Next >.

8/2/2019 100068640

9/18




4. Select Base-64 encoded X.509 format.

5. Click Next >.

6. Enter a file name for the *.cer file in the appropriate field.

CA Server and AD on different servers

If the CA Server and AD are on different servers, do the following:

1. Import CA server certificate to the Trusted Root Certificate Authorities list on the AD server.Right-click Trusted Root Certification Authorities >Certificates in the Console window andselect All Tasks > Import:

-The Certificate Import Wizard opens:

8/2/2019 100068640

10/18


2. Select the CA server certificate in the File name field.

3. Click Next >.


4. Click Next >.

5. Click Finish.

6. Request an AD certificate from the CA server and load the AD certificate to Certificates >Personal as shown below:

Configuring Branch Device Manager

1. Upload the CA server certificate file that you exported in the previous steps to Communication

Manager Branch.2. Open the Maintenance & Monitoring > Security > Trusted Certificates page.

3. Select 'File' in the Download method drop-down list

4. Click Browse to locate the file you saved in the previous section.

8/2/2019 100068640

11/18

Configuring Branch Device Manager


5. Click Start

6. The file is uploaded to the Communication Manager Branch, and then appears in the TrustedCertificates table.

7. Configure the DNS Server as shown in Figure 1.

Note:Note: The DNS Server must include the entry of the Domain Controller.

8. Open the Configuration > Platform > Network Connection > DNS tab.

9. Type the IP Address of the active directory server into the Primary Name Server field.

Figure 1: DNS server configuration

10. Click Apply Changes.

11. Open the Platform > Administrative Users Accounts > Local users tab.

12. Select LDAPS in the Remote authentication of administrative users drop-down list.

13. Open the Platform > Administrative Users Accounts > LDAP client tab.

14. Set the parameters as shown in Table 2

8/2/2019 100068640

12/18


Note:Note: The Server Address field must contain DNS name of Domain Controller.

15. Ensure that the DNS server is accessible from the Communication Manager Branch by sending aping from Communication Manager Branch to DNS server.

Configuring Enterprise Network Management to work with

LDAP

A user can access to the ENM system if the user is configured in the ENM User Administration tool.If the user is not configured as Local User in the User Administration form, the LDAP serverauthenticates the user.

The user role is always determined by the Role drop down list in the ENM User Administration tool.

You can open the ENM User Administration tool by clicking on the Administrators node in the BranchCentral Manager (formerly Distributed Office Central Manager) navigation pane.

Configure the connection to the LDAP Server

The LDAP server connection parameters reside in the file aimproperties.xml.

Table 2: Device Manager LDAP client parameters

Field Value

Server Address Host name/IP address of the LDAP server.For example: atl-adc-gc.corp.com

Base DN The DN (Distinguished Name) of the entry at which to start thesearch.For example: CN=Users,DC=corp,DC=com.Use this parameter is to log in to the LDAP server.

Bind DN Bind distinguished name, used for connection authentication tothe LDAP server.Example: CN=Administrator,CN=Users,DC=corp,DC=com

Bind Secret Password for above distinguished name.

Active DirectoryServer Select this if you are using Microsoft Active Directory server.

8/2/2019 100068640

13/18

Configuring Enterprise Network Management to work with LDAP


To edit the file:

1. Open the Windows file explorer by clicking on the My Computer icon on your desktop or from theWindows Start menu.

2. Locate the aimproperties.xml file.

Tip:

Tip: You can find the file in the following location: \jboss-4.0.4.GA\server\default\conf\. For example, if you installed ENMunder C:\Program Files\Avaya, then the file will be under C:\Program Files\

Avaya\jboss-4.0.4.GA\server\default\conf\.

3. Right-click on the file.

4. Select Open With > WordPad.

5. Search for the section that contains the following LDAP parameters:

ldap://135.9.78.125:389

ssl

cn=root,dc=avaya,dc=com

secret

dc=avaya,dc=com?cn

6. Update the properties according to the description in Table 3.

- For example, if you want to update the property ldap.secureConnection to "none", update theline: ssl to:none.

7. When you have finished updating all the properties, save the file by selecting File > Save.

8. Close WordPad by selecting the File > Exit.

Table 3: LDAP server connection

Properties Value

settings.policy.authenticate ldap

ldap.url Host name/IP address and optionally port of theLDAP server (the default port numbers are 389 and636 for SSL).The format is: ldap[s]://:[port]. Forexample, ldap://1.2.3.4:389.

8/2/2019 100068640

14/18


LDAP Search URI

The LDAP search URI field must be with the following structure:

???

Note:Note: Note: the 2 question marks are part of the structure.

See Table 4 for information on the parameters.

ldap.secureConnection ssl - if SSL is enabled on the LDAP server. Note,usually if this option is selected, the LDAP urlstarts with "ldaps", or

none - if SSL is disabled on the LDAP server.

ldap.binddn Bind distinguished name, used for connectionauthentication to the LDAP server. For example,cn=admin,ou=sv,dc=avaya,dc=com. This parameteris used to login to the LDAP server.

ldap.bindpassword Password for above distinguished name.

ldap.searchuri This field must contain a legal LDAP search URI.See LDAP Search URI for full details of this field

Table 4: LDAP Search URI parameters.

Parameter Value

basedn The DN (Distinguished Name) of the entry at which tostart the search.

1 of 2

Table 3: LDAP server connection

Properties Value

8/2/2019 100068640

15/18

Configuring Enterprise Network Management to work with LDAP


Examples for Active Directory:

Simple user search, recursively search the user under the base DN DC=cmbead,DC=local:

DC=cmbead,DC=local??sub?(sAMAccountName=[user name])

Recursively search a user that is a member of the group

CN=Administrators,CN=Builtin,DC=cmbead,DC=local under the base DN DC=cmbead,DC=local:

DC=cmbead,DC=local??sub?(&(memberOf=CN=Administrators,CN=Builtin,DC

=cmbead,DC=local)(sAMAccountName=[user name]))

Examples for Open LDAP

Simple user search; recursively searches the user under the base DN DC=example,DC=com:

DC=example,DC=com??sub?(uid=[user name])

Recursively search a user that is a member of the groupCN=hrpeople,OU=groups,DC=example,DC=com under the base DN DC=example,DC=com:

DC=example,DC=com??sub?(&(memberOf=CN=hrpeople,OU=groups,DC=example

,DC=com)(uid=[user name]))

Note:Note: The OpenLDAP server must support the 'memberOf' attribute for this query to work.

scope The scope of the search. It can be one of thefollowing:

one - entries immediately below the base DN. sub - the entire subtree starting at the base DN.

filter How to examine each entry in the scope, for example,(&(objectClass=person)(|(givenName=John)(mail=john*))) - search for people who either have given nameJohn or an e-mail address starting with john.

The filter can also contain the unique constant: [username] that the login name that is actually trying tologin replaces.

Special characters must be in XML representation.For example:

& (ampersand): &

> (larger then): >

< (smaller then):

100068640

Documents

Transcript of 100068640