<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#404040;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#404040;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#404040">FYI - Just ran a quick test in a lab environment - LDAP user authentication against a Subscriber node while the Publisher’s network adapter is disconnected. Works as expected. Also running CUCM 10.5 but this
(DirSync Synchronization vs. Tomcat Security authentication) also applies going back to 7.x as far as I recall.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">Hope this helps<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">- Dan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>Daniel Pagan<br>
<b>Sent:</b> Monday, July 06, 2015 9:45 AM<br>
<b>To:</b> Lelio Fulgenzi; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#404040">LDAP authentication is used by Tomcat and isn’t just restricted to the Publisher server - Subscriber nodes handle this as well. DirSync is specific to synchronization of LDAP attributes and only runs on the Pub,
so synchronization would definitely be affected if the Publisher is offline. I suggest to check out the Tomcat Security logs off CUCM for more info on user authentication against LDAP and your source of failure.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">So to answer your question, LDAP authentication should still work when the Publisher is offline.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">For the UCCX agent concern, authentication of agents occur over AXL to CUCM, so if the AXL server is the Publisher, and that’s offline or experiencing issue w/ Tomcat during an authentication attempt by the UCCX
agent, then I would imagine seeing a failure. AXL and Tomcat Security logs off the UCM side should shed some light on that problem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">As for SSO, I checked w/ my teammate and, in his experience, SSO can be handled by Subscriber nodes assuming the metadata was imported to those servers - authentication occurs against the IdP and not CUCM so
this seems logical to me as well.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">Hope this helps.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040">- Dan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#404040"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Lelio Fulgenzi<br>
<b>Sent:</b> Monday, July 06, 2015 9:16 AM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">This has been our experience as well. Glad you started this thread. It's seems like a huge single point of failure to me for such an integral part of the process. I suspect hunt group login would also be affected. <br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Jul 6, 2015, at 5:02 AM, Matthew Collins <<a href="mailto:mcollins@block.co.uk">mcollins@block.co.uk</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">CUCM 10.5 <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Just trying to get some conformation, When LDAP Synchronization and authentication is enabled this is performed by the DirSync process that only runs on the CUCM Publisher. So If we lose the CUCM Publisher for whatever reason it would seem
that the Authentication also fails due to the single point of failure of DirSync. Should LDAP authentication still work if the CUCM Publisher is still down.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">So for LDAP users this would stop them signing in to Jabber clients and UCCX agents who are ldap’ed synced logging into the finesse webpages. Does anyone know is SSO is resilient on the CUCM publisher or would SSO still work in a Publisher
outage. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Century Gothic",sans-serif;color:#009DB1;mso-fareast-language:EN-GB">Regards</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Century Gothic",sans-serif;color:#009DB1;mso-fareast-language:EN-GB"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Century Gothic",sans-serif;color:#009DB1;mso-fareast-language:EN-GB">Matthew Collins
</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</body>
</html>