[cisco-voip] LDAP Authentication when CUCM publisher is down.

Daniel Pagan dpagan at fidelus.com
Mon Jul 6 11:44:26 EDT 2015


"I'm not sure that an ACL would do the trick though, probably would just show up in the traces as a time out"

Exactly. The Publisher will simply failover to the next LDAP server in the list if it cannot establish a connection within 5-seconds to the primary LDAP server. Regardless, the node receiving the LDAP-user authentication request will source the authentication attempt over Tomcat itself. So if a user browses to the /ccmuser page on a subscriber01 and attempts to authenticate, the authentication request should not be passed to subscriber02 or the publisher - it should be handled by that node itself. I doubt this behavior changes with a properly configured LDAPS cluster but I can be wrong. I'm not as familiar with the authentication process for LDAPS.

It also depends on what platform the authentication request is coming from. Using UCCX as an example again, it sends user authentication to CUCM via AXL API. So successful authentication from there is dependent on the AXL server assignments in UCCX - the AXL server (whatever node that might be) receiving the request should use Tomcat to source the LDAP authentication request. However, even with successful LDAP authentication on a subscriber, agent logins can of course still fail on the JTAPI/CTI side for other reasons, especially if AXL and CTI server assignments are different.

@Ryan: For the two lab failures, I'm wondering if this was a pre-existing condition that's unrelated to the test itself.

As for the login failures during the 4-hour window, I can think of a few reasons off the top of my head. Are the LDAP server entered as FQDN or IP addresses? If FQDN, are all your CUCM nodes configured with the same DNS servers? Not that it's a requirement, but if you're using different DNS server assignments, I would make sure the Subs can resolve the name. If using IP address, can you reach the secondary LDAP server from the Subscriber with no issues? Are the port assignments correct for your list of LDAP servers in CUCM? As in... if you're using port 3268 across the board for all added LDAP servers in CUCM, and the secondary LDAP server is not a Global Catalog, I can see this potentially causing a failure when the primary LDAP server is offline. Another thing that comes to mind which I twice ran into is CSCub71123, but this should be resolved in 10.0 and up so you should be good. I'm just thinking as I type here but Tomcat Security logs off the node receiving the auth request should reveal more concrete information... but keep in mind the issue can exist earlier in the auth process and might not even be reaching Tomcat. Grab them off your cluster via RTMT and take a quick look - they're very easy to decipher... very straight forward log files IMO.

Hope this helps.

- Dan



From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Collins
Sent: Monday, July 06, 2015 11:24 AM
To: Ryan Huff; Lelio Fulgenzi
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.

Thanks for all your responses.

In our scenario when we lost one of a DC (planned maintenance) that hosted the CUCM, IM&P, and UCCX Pubs UCCX fineness agents were unable to log in. Had to resort to a couple of local back up agent accounts.

LDAP authentication wasn't working for any service (Jabber, CUCM Web Gui, UCCX Finesse Web Gui). I wasn't around to do any testing and as it was only a 4 hours maintenance period it wasn't logged with us and no logs where collected.



Regards

Matthew Collins


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Huff
Sent: 06 July 2015 15:24
To: Lelio Fulgenzi
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.

I'll be interested to hear your results if you try!

I'm not sure that an ACL would do the trick though, probably would just show up in the traces as a time out. You'd probably have to stop the tomcat service on the pub (something to tell the cluster not to try and use the PUB as a bind source), which is pretty destructive on the pub in a working production environment (disclaimer: I do not advocate you do that).


________________________________
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
From: lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
Date: Mon, 6 Jul 2015 10:12:53 -0400
To: ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>
CC: dpagan at fidelus.com<mailto:dpagan at fidelus.com>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
The worst case scenario, which we ran into, was a scenario where the pub is up and accepting auth requests but not able to process them. In our case the cluster was up for almost 300 days, and there were memory error alerts popping up. It would be nice for the system to understand this issue and go to the next node to try the auth process.

Interesting note about LDAPS. We are using that. Not sure if that poses additional issues.

Wish there was an easy way to test this out in production. Perhaps a quick ACL to block phone agent and desktop agent access to the pub and see what happens. And then another test where the ACL blocks access to the LDAP server temporarily.

Sent from my iPhone

On Jul 6, 2015, at 10:04 AM, Ryan Huff <ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>> wrote:
Hi Dan!

Thanks for the clarification/correction .... I just happen to have a few 3-node cluster hanging around and I just tried this 5 times in a mix of 9.1.1, 10.0 and 10.5 and here is what I found:

3 times LDAP auth was a seamless failover to the sub
2 times LDAP auth did not work on the sub until I bounced the tomcat service on the sub, then it worked fine.

I'm wondering if that, on the times it doesn't work in a failover (because I have experienced it a few times) a simple service bounce is all that is needed?

I suppose another cause of LDAP auth failover NOT working (but not always intuitive) would be cluster over wan (nodes in the cluster are not all on the same segment) and the sub node that LDAP auth is trying to bind from can't talk to the AD server.
________________________________
From: dpagan at fidelus.com<mailto:dpagan at fidelus.com>
To: lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Date: Mon, 6 Jul 2015 13:45:08 +0000
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
LDAP authentication is used by Tomcat and isn't just restricted to the Publisher server - Subscriber nodes handle this as well. DirSync is specific to synchronization of LDAP attributes and only runs on the Pub, so synchronization would definitely be affected if the Publisher is offline. I suggest to check out the Tomcat Security logs off CUCM for more info on user authentication against LDAP and your source of failure.

So to answer your question, LDAP authentication should still work when the Publisher is offline.

For the UCCX agent concern, authentication of agents occur over AXL to CUCM, so if the AXL server is the Publisher, and that's offline or experiencing issue w/ Tomcat during an authentication attempt by the UCCX agent, then I would imagine seeing a failure. AXL and Tomcat Security logs off the UCM side should shed some light on that problem

As for SSO, I checked w/ my teammate and, in his experience, SSO can be handled by Subscriber nodes assuming the metadata was imported to those servers - authentication occurs against the IdP and not CUCM so this seems logical to me as well.

Hope this helps.

- Dan


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Monday, July 06, 2015 9:16 AM
To: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.


This has been our experience as well. Glad you started this thread. It's seems like a huge single point of failure to me for such an integral part of the process. I suspect hunt group login would also be affected.

Sent from my iPhone

On Jul 6, 2015, at 5:02 AM, Matthew Collins <mcollins at block.co.uk<mailto:mcollins at block.co.uk>> wrote:
Hi All,

CUCM 10.5

Just trying to get some conformation, When LDAP Synchronization and authentication is enabled this is performed by the DirSync process that only runs on the CUCM Publisher. So If we lose the CUCM Publisher for whatever reason it would seem that the Authentication also fails due to the single point of failure of DirSync. Should LDAP authentication still work if the CUCM Publisher is still down.

So for LDAP users this would stop them signing in to Jabber clients and UCCX agents who are ldap'ed synced logging into the finesse webpages. Does anyone know is SSO is resilient on the CUCM publisher or would SSO still work in a Publisher outage.

Regards

Matthew Collins

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________ cisco-voip mailing list cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150706/c9f491fa/attachment.html>


More information about the cisco-voip mailing list