[cisco-voip] CM 6.13 AD Sync'd - Failed logins
Wes Sisk
wsisk at cisco.com
Mon Jun 15 16:02:54 EDT 2009
IPCC is going to authenticate via CTI. You will want to check the IMS
(identity management session) trace lines inside of the CTI SDI traces
(checkbox in RTMT).

CCMUser authentication goes through Tomcat. Tomcat has its own hooks to
IMS. Tomcat logs for IMS:

admin:file list activelog tomcat/logs/security/log4j/*
security.bin security00001.log
security00002.log security00003.log
security00004.log security00005.log
security00006.log security00007.log
security00008.log security00009.log
security00010.log
dir count = 0, file count = 11

IMS is primarily the Informix database. It tracks authentication and
attempts. For LDAP sync, IMS stores the MD5 hash of the password from AD
in the Informix database.

All that said, we are seeing many authentication failures when Informix
gets too busy. Informix may eventually return, but not before timeouts.
Unfortunately there is no way to identify what is causing Informix to be
too busy. This need is captured by
Need an Informix profiler built into CLI, Open CSCsz67357
which is also in the hot issues list.

When people are encountering this issue, the IMS cache usually offers
some reprieve. You can enable IMS cache with the enterprise parameter
"Enable Caching". With this, the user must authenticate successfully
once and then the successful attributes will be cached. In real-world
terms that means you must experience a timeout at least once even after
enabling the cache. But so long as that auth request was successful,
then subsequent logins will be expedient.

HTH
/Wes
On Monday, June 15, 2009 3:06:15 PM, Carter, Bill <bcarter at sentinel.com>
wrote:
>
> I have a CM 6.13 cluster synched to AD. We are also using AD for
> Authentication. There is an IPCC Express Call Center connected to the
> cluster.
>
> We are getting reports that occasionally Call Center users cannot
> log in to CAD. When this happens, they immediately try to log in to the
> CCMuser web page and this also fails. After a few minutes they are
> able to log in.
>
> This seems to happen in a cluster, where 2-4 users have the same
> problem at the same time.
>
> On CM, what trace files can I use to look at LDAP authentication? I
> have debug traces on DirSync but I don't know if this will also show
> authentication problems.
>
> CM is configured with 2 servers for LDAP authentication.