[cisco-voip] LDAP Authentication when CUCM publisher is down.

Matthew Collins mcollins at block.co.uk
Mon Jul 6 11:23:40 EDT 2015


Thanks for all your responses.

In our scenario when we lost one of a DC (planned maintenance) that hosted the CUCM, IM&P, and UCCX Pubs UCCX fineness agents were unable to log in. Had to resort to a couple of local back up agent accounts.

LDAP authentication wasn't working for any service (Jabber, CUCM Web Gui, UCCX Finesse Web Gui). I wasn't around to do any testing and as it was only a 4 hours maintenance period it wasn't logged with us and no logs where collected.



Regards

Matthew Collins


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Huff
Sent: 06 July 2015 15:24
To: Lelio Fulgenzi
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.

I'll be interested to hear your results if you try!

I'm not sure that an ACL would do the trick though, probably would just show up in the traces as a time out. You'd probably have to stop the tomcat service on the pub (something to tell the cluster not to try and use the PUB as a bind source), which is pretty destructive on the pub in a working production environment (disclaimer: I do not advocate you do that).


________________________________
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
From: lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
Date: Mon, 6 Jul 2015 10:12:53 -0400
To: ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>
CC: dpagan at fidelus.com<mailto:dpagan at fidelus.com>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
The worst case scenario, which we ran into, was a scenario where the pub is up and accepting auth requests but not able to process them. In our case the cluster was up for almost 300 days, and there were memory error alerts popping up. It would be nice for the system to understand this issue and go to the next node to try the auth process.

Interesting note about LDAPS. We are using that. Not sure if that poses additional issues.

Wish there was an easy way to test this out in production. Perhaps a quick ACL to block phone agent and desktop agent access to the pub and see what happens. And then another test where the ACL blocks access to the LDAP server temporarily.

Sent from my iPhone

On Jul 6, 2015, at 10:04 AM, Ryan Huff <ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>> wrote:
Hi Dan!

Thanks for the clarification/correction .... I just happen to have a few 3-node cluster hanging around and I just tried this 5 times in a mix of 9.1.1, 10.0 and 10.5 and here is what I found:

3 times LDAP auth was a seamless failover to the sub
2 times LDAP auth did not work on the sub until I bounced the tomcat service on the sub, then it worked fine.

I'm wondering if that, on the times it doesn't work in a failover (because I have experienced it a few times) a simple service bounce is all that is needed?

I suppose another cause of LDAP auth failover NOT working (but not always intuitive) would be cluster over wan (nodes in the cluster are not all on the same segment) and the sub node that LDAP auth is trying to bind from can't talk to the AD server.
________________________________
From: dpagan at fidelus.com<mailto:dpagan at fidelus.com>
To: lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Date: Mon, 6 Jul 2015 13:45:08 +0000
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
LDAP authentication is used by Tomcat and isn't just restricted to the Publisher server - Subscriber nodes handle this as well. DirSync is specific to synchronization of LDAP attributes and only runs on the Pub, so synchronization would definitely be affected if the Publisher is offline. I suggest to check out the Tomcat Security logs off CUCM for more info on user authentication against LDAP and your source of failure.

So to answer your question, LDAP authentication should still work when the Publisher is offline.

For the UCCX agent concern, authentication of agents occur over AXL to CUCM, so if the AXL server is the Publisher, and that's offline or experiencing issue w/ Tomcat during an authentication attempt by the UCCX agent, then I would imagine seeing a failure. AXL and Tomcat Security logs off the UCM side should shed some light on that problem

As for SSO, I checked w/ my teammate and, in his experience, SSO can be handled by Subscriber nodes assuming the metadata was imported to those servers - authentication occurs against the IdP and not CUCM so this seems logical to me as well.

Hope this helps.

- Dan


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Monday, July 06, 2015 9:16 AM
To: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.


This has been our experience as well. Glad you started this thread. It's seems like a huge single point of failure to me for such an integral part of the process. I suspect hunt group login would also be affected.

Sent from my iPhone

On Jul 6, 2015, at 5:02 AM, Matthew Collins <mcollins at block.co.uk<mailto:mcollins at block.co.uk>> wrote:
Hi All,

CUCM 10.5

Just trying to get some conformation, When LDAP Synchronization and authentication is enabled this is performed by the DirSync process that only runs on the CUCM Publisher. So If we lose the CUCM Publisher for whatever reason it would seem that the Authentication also fails due to the single point of failure of DirSync. Should LDAP authentication still work if the CUCM Publisher is still down.

So for LDAP users this would stop them signing in to Jabber clients and UCCX agents who are ldap'ed synced logging into the finesse webpages. Does anyone know is SSO is resilient on the CUCM publisher or would SSO still work in a Publisher outage.

Regards

Matthew Collins

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________ cisco-voip mailing list cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150706/d9929adb/attachment.html>


More information about the cisco-voip mailing list