[cisco-voip] CUCM LDAP Authentication Redundancy

Lelio Fulgenzi lelio at uoguelph.ca
Fri Aug 19 11:16:14 EDT 2016


Another reason periodic restarts of the cluster are necessary. ;)

Sent from my iPhone

On Aug 19, 2016, at 9:30 AM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:

UPDATE: After a Dirsync restart on Pub and Tomcat on all Subs, the LDAP sync is now using the top/primary LDAP server in the list again. This was a TAC recommendation, and there was nothing in the logs indicating why it was choosing the third LDAP server in the first place. Therefore, I don't know what might trigger it again in the future. The defect Brian Meade noted may be the closest thing to it.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu55380

Also, I have yet to schedule an outage to test if LDAP Auth/Dirsync is failing over between the servers properly. I will update the list once that is done.

On Thu, Aug 4, 2016 at 12:59 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:
All,

I'm working on an issue where my CUCM 11.0 system is configured with 3 LDAP servers under LDAP Authentication AND LDAP Directory.

What I see is, in packet captures of CUCM when a login attempt is made, the CUCM server sends the BIND request to the last server in the list of three servers. However, when performing a directory sync, the CUCM server sends the requests to the first server in the list.

I'm trying to read up on what the expected behavior is, as I've always thought of it as top = primary; middle = secondary; bottom = tertiary. In fact, a few years ago there was an issue with CAD logins, when the primary server was unreachable and CAD would time out before CUCM tried the secondary server.

The SRND is no help with only the following passage:

High Availability
Unified CM LDAP Synchronization allows for the configuration of up to three redundant LDAP servers for each directory synchronization agreement. Unified CM LDAP Authentication allows for the configuration of up to three redundant LDAP servers for a single authentication agreement. You should configure a minimum of two LDAP servers for redundancy. The LDAP servers can be configured with IP addresses instead of host names to eliminate dependencies on Domain Name System (DNS) availability.

Source: CUCM 11.0 SRND <http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html?bookSearch=true#pgfId-1085451>

So, what do you know, or what can you share, that states one way or the other, why CUCM might use a server in the listing, other than the first one, assuming the first server is healthy and accessible?

I did search the bug toolkit and didn't see any defects matching this scenario.

Thanks.
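
The thread's diagnosis rests on reading a packet capture to see which configured LDAP server actually receives the authentication BIND versus the directory-sync search. The script below is an added example, not code from the thread or from Cisco: it takes a capture summary in a constructed tshark-style field format (source, destination, LDAP operation; the exact format is an assumption), counts outbound requests per configured server, and flags any operation that is being sent to a server other than the first healthy one in the list. The server addresses, the capture lines and the `healthy` reachability map are all made up for the example; in practice the map would come from your own reachability checks against the servers in the CUCM list.

```python
"""Check, from a packet-capture summary, which configured LDAP server CUCM
sends bind (authentication) and search (directory sync) requests to, and
flag requests that bypass a healthy higher-priority server.

Added example (not from the mailing-list thread or Cisco). The capture
format mimics `tshark -T fields -e ip.src -e ip.dst -e ldap.protocolOp`
output but is a constructed assumption; all addresses are made up."""
from collections import Counter

# Configured LDAP server list in CUCM order (top = primary). Constructed values.
LDAP_SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]

# Constructed capture summary: <src>\t<dst>\t<ldap operation>.
# Logins bind to the third server while the sync searches the first one,
# which is the symptom described in the thread.
CAPTURE = """\
10.0.1.5\t10.0.0.13\tbindRequest
10.0.0.13\t10.0.1.5\tbindResponse
10.0.1.5\t10.0.0.11\tsearchRequest
10.0.0.11\t10.0.1.5\tsearchResEntry
10.0.1.5\t10.0.0.13\tbindRequest
10.0.0.13\t10.0.1.5\tbindResponse
"""


def parse_capture(text):
    """Turn the tab-separated summary into (src, dst, op) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, op = line.split("\t")
        rows.append((src, dst, op))
    return rows


def server_rank(addr):
    """1-based position of a server in the CUCM list (1 = primary), or None."""
    return LDAP_SERVERS.index(addr) + 1 if addr in LDAP_SERVERS else None


def requests_by_server(rows, op):
    """Count outbound requests of one LDAP operation per configured server."""
    counts = Counter()
    for _src, dst, o in rows:
        if o == op and dst in LDAP_SERVERS:
            counts[dst] += 1
    return counts


def expected_server(healthy):
    """Top-down selection: the first configured server marked healthy, else None.

    `healthy` maps server address -> bool from your own reachability checks."""
    for server in LDAP_SERVERS:
        if healthy.get(server, False):
            return server
    return None


def check_selection(rows, healthy, op):
    """Compare where `op` requests actually went with where they should go."""
    expected = expected_server(healthy)
    observed = requests_by_server(rows, op)
    bypassed = {dst: n for dst, n in observed.items() if dst != expected}
    return {
        "operation": op,
        "expected": expected,
        "expected_rank": server_rank(expected) if expected else None,
        "observed": dict(observed),
        "bypassed": bypassed,
    }


if __name__ == "__main__":
    rows = parse_capture(CAPTURE)
    all_up = {s: True for s in LDAP_SERVERS}
    for op in ("bindRequest", "searchRequest"):
        result = check_selection(rows, all_up, op)
        status = "OK" if not result["bypassed"] else "BYPASSING PRIMARY"
        print(f"{op}: expected {result['expected']} (#{result['expected_rank']}), "
              f"observed {result['observed']} -> {status}")
```

Running it with every server marked healthy reports the bind requests as bypassing the primary while the search requests are fine, which separates "the primary is down and failover worked" from "the primary is up and the wrong server was chosen". The same `check_selection` call with the primary marked unhealthy shows what a correct failover to the second server should look like, which is the comparison to make once the planned outage test in the update is run.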
