[cisco-voip] LDAP Authentication when CUCM publisher is down.

Ryan Huff ryanhuff at outlook.com
Mon Jul 6 10:24:18 EDT 2015


I'll be interested to hear your results if you try!

I'm not sure that an ACL would do the trick though, probably would just show up in the traces as a time out. You'd probably have to stop the tomcat service on the pub (something to tell the cluster not to try and use the PUB as a bind source), which is pretty destructive on the pub in a working production environment (disclaimer: I do not advocate you do that).

 
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
From: lelio at uoguelph.ca
Date: Mon, 6 Jul 2015 10:12:53 -0400
To: ryanhuff at outlook.com
CC: dpagan at fidelus.com; cisco-voip at puck.nether.net

The worst case scenario, which we ran into, was a scenario where the pub is up and accepting auth requests but not able to process them. In our case the cluster was up for almost 300 days, and there were memory error alerts popping up. It would be nice for the system to understand this issue and go to the next node to try the auth process. 
Interesting note about LDAPS. We are using that. Not sure if that poses additional issues. 
Wish there was an easy way to test this out in production. Perhaps a quick ACL to block phone agent and desktop agent access to the pub and see what happens. And then another test where the ACL blocks access to the LDAP server temporarily. 

Sent from my iPhone
On Jul 6, 2015, at 10:04 AM, Ryan Huff <ryanhuff at outlook.com> wrote:







Hi Dan!

Thanks for the clarification/correction .... I just happen to have a few 3-node cluster hanging around and I just tried this 5 times in a mix of 9.1.1, 10.0 and 10.5 and here is what I found:

3 times LDAP auth was a seamless failover to the sub
2 times LDAP auth did not work on the sub until I bounced the tomcat service on the sub, then it worked fine.

I'm wondering if that, on the times it doesn't work in a failover (because I have experienced it a few times) a simple service bounce is all that is needed?

I suppose another cause of LDAP auth failover NOT working (but not always intuitive) would be cluster over wan (nodes in the cluster are not all on the same segment) and the sub node that LDAP auth is trying to bind from can't talk to the AD server.

From: dpagan at fidelus.com
To: lelio at uoguelph.ca; cisco-voip at puck.nether.net
Date: Mon, 6 Jul 2015 13:45:08 +0000
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.









LDAP authentication is used by Tomcat and isn’t just restricted to the Publisher server - Subscriber nodes handle this as well. DirSync is specific to synchronization of LDAP attributes and only runs on the Pub,
 so synchronization would definitely be affected if the Publisher is offline. I suggest to check out the Tomcat Security logs off CUCM for more info on user authentication against LDAP and your source of failure.

 
So to answer your question, LDAP authentication should still work when the Publisher is offline.
 
For the UCCX agent concern, authentication of agents occur over AXL to CUCM, so if the AXL server is the Publisher, and that’s offline or experiencing issue w/ Tomcat during an authentication attempt by the UCCX
 agent, then I would imagine seeing a failure. AXL and Tomcat Security logs off the UCM side should shed some light on that problem
 
As for SSO, I checked w/ my teammate and, in his experience, SSO can be handled by Subscriber nodes assuming the metadata was imported to those servers - authentication occurs against the IdP and not CUCM so
 this seems logical to me as well.
 
Hope this helps.
 
- Dan
 
 


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net]
On Behalf Of Lelio Fulgenzi

Sent: Monday, July 06, 2015 9:16 AM

To: cisco-voip at puck.nether.net

Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.


 

 


This has been our experience as well. Glad you started this thread. It's seems like a huge single point of failure to me for such an integral part of the process. I suspect hunt group login would also be affected. 



Sent from my iPhone




On Jul 6, 2015, at 5:02 AM, Matthew Collins <mcollins at block.co.uk> wrote:



Hi All,
 
CUCM 10.5 
 
Just trying to get some conformation, When LDAP Synchronization and authentication is enabled this is performed by the DirSync process that only runs on the CUCM Publisher. So If we lose the CUCM Publisher for whatever reason it would seem
 that the Authentication also fails due to the single point of failure of DirSync. Should LDAP authentication still work if the CUCM Publisher is still down.
 
So for LDAP users this would stop them signing in to Jabber clients and UCCX agents who are ldap’ed synced logging into the finesse webpages. Does anyone know is SSO is resilient on the CUCM publisher or would SSO still work in a Publisher
 outage. 
 
Regards
 
Matthew Collins

 




_______________________________________________

cisco-voip mailing list

cisco-voip at puck.nether.net

https://puck.nether.net/mailman/listinfo/cisco-voip






_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
 		 	   		  
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150706/6039349c/attachment.html>


More information about the cisco-voip mailing list