[cisco-voip] CUCM LDAP Authentication Redundancy

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Aug 19 09:29:09 EDT 2016


UPDATE: After a Dirsync restart on Pub and Tomcat on all Subs, the LDAP
sync is now using the top/primary LDAP server in the list again.  This was
a TAC recommendation and there was nothing in the logs indicating why it
was choosing the third LDAP server in the first place.  Therefore, I don't
know what might trigger it again in the future.  The defect Brian Meade
noted maybe the closest thing to it.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu55380

Also, I have yet to schedule an outage to test if LDAP Auth/Dirsync is
failing over between the servers properly. I will update the list once that
is done.

On Thu, Aug 4, 2016 at 12:59 PM, Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> All,
>
> I'm working on an issue where my CUCM 11.0 system is configured with 3
> LDAP servers under LDAP Authentication AND LDAP Directory.
>
> What I'm see is, for packet captures of CUCM when a login attempt is made,
> the CUCM server sends the BIND request to the last server in the list of
> three servers.  However, when performing a directory sync, CUCM server
> sends the requests to the first server in the list.
>
> I'm trying to read up on what the expected behavior is, as I've always
> thought of it as top = primary; middle = secondary; bottom = tertiary.  In
> fact, a few years ago there was an issue with CAD logins, when the primary
> server was unreachable and CAD would timeout before CUCM tried the
> secondary server.
>
> The SRND is no help with only the following passage:
>
> *High Availability*
> *Unified CM LDAP Synchronization allows for the configuration of up to
> three redundant LDAP servers for each directory synchronization agreement.
> Unified CM LDAP Authentication allows for the configuration of up to three
> redundant LDAP servers for a single authentication agreement. You should
> configure a minimum of two LDAP servers for redundancy. The LDAP servers
> can be configured with IP addresses instead of host names to eliminate
> dependencies on Domain Name System (DNS) availability.*
>
> Source: CUCM 11.0 SRND
> <http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html?bookSearch=true#pgfId-1085451>
>
> So, what do you know, or what can you share, that states one way or the
> other, why CUCM might use a server in the listing, other than the first
> one, assuming the first server is healthy and accessible?
>
> I did search the bug toolkit and didn't see any defects matching this
> scenario.
>
> Thanks.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20160819/16c4bf2f/attachment.html>


More information about the cisco-voip mailing list