<div dir="ltr">Great point about LDAP over SSL and certs. Thank you for mentioning this.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 5, 2016 at 2:10 PM, Brian V <span dir="ltr"><<a href="mailto:bvanbens@gmail.com" target="_blank">bvanbens@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
common mistake that can happen and makes it "look like" only the
publisher can provide LDAP authentication is if you're doing secure
LDAP (over SSL) and didn't distribute the root CA/chain for the SSL
encryption to all the CUCM nodes. More of an issue with older CUCM
but thought i'd mention it.<br>
Each CUCM node can perform the LDAP authentication (not the sync).
Also make sure any firewalls and such allow the LDAP requests from
the subscriber nodes as well as the publisher.<div><div class="h5"><br>
<br>
<br>
<br>
<div>On 2/5/2016 3:49 PM, Justin Steinberg
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">This isn't the full answer you're looking for, but
I'll still throw it out there...
<div><br>
</div>
<div>I know LDAP enabled agents can login to Finesse when the
UCM publisher is down as that happened to me last week. The
UCM LDAP auth component doesn't rely on the Dirsync service,
so the UCM LDAP auth runs on all UCM nodes.
<div><br>
</div>
<div>I had a UCS blade failure that took down the UCM pub, but
the UCCX pub and all the primary AD servers were still
online for the UCM subs to authenticate. </div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Feb 5, 2016 at 4:17 PM, Anthony
Holloway <span dir="ltr"><<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>UCCXers,</div>
<div><br>
</div>
<div>I'm trying to avoid spinning up an entire lab to
answer a simple question that the SRND is glossing over.
"Can Agents login to Finesse on the Island Mode side
opposite the CUCM Publisher if using LDAP
Authentication?"</div>
<div><br>
</div>
<div>What the SRND has to say about failover and Island
Mode:</div>
<div><br>
<div><a href="http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00" target="_blank">http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00</a><br>
</div>
<div><br>
</div>
<div>A little further down in the SRND it talks about
Finesse in Island Mode, and it states that Agents can
work on both sides, but it does not state, if that is:
A) for only already logged in Agents, or B) for CUCM
local authentication or LDAP authentication or
otherwise.</div>
<div><br>
</div>
<div><a href="http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00" target="_blank">http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00</a><br>
</div>
<div><br>
</div>
<div>This is a very shallow description on what I
consider to be a very deep topic, so I'm asking here
for real world experience.</div>
<div><br>
</div>
<div>Assume that we have two Data Centers: DC-A and
DC-B.</div>
<div><br>
</div>
<div><b>DC-A Contains:</b></div>
<div>
<ul>
<li>LDAP Server A<br>
</li>
<li>CUCM Publisher<br>
</li>
<li>UCCX Publisher (Currently Engine Master)<br>
</li>
<li>Agents<br>
</li>
</ul>
</div>
<div><br>
</div>
<div><b>DC-B Contains</b></div>
<div>
<ul>
<li>LDAP Server B<br>
</li>
<li>CUCM Subscriber<br>
</li>
<li>UCCX Subscriber (Currently Engine Slave)<br>
</li>
<li>Agents<br>
</li>
</ul>
</div>
<div><br>
</div>
<div><b>Assumed Config</b></div>
<div>
<ul>
<li>Call flows are internal, no voice gateways to
worry about<br>
</li>
<li>CUCM LDAP Auth config is pointing at LDAP Server
A first and LDAP Server B second<br>
</li>
<li>UCCX Publisher AXL/JTAPI config is pointing at
CUCM Pub first and CUCM Sub second<br>
</li>
<li>UCCX Subscriber AXL/JTAPI config is pointing at
CUCM Sub first and CUCM Pub second<br>
</li>
<li>UCCX CTI Route Points have Device Pool with CMG
pointing at CUCM Pub first and CUCM Sub second<br>
</li>
<li>UCCX Publisher CTI Ports have Device Pool with
CMG pointing at CUCM Pub first and CUCM Sub second<br>
</li>
<li>UCCX Subscriber CTI Ports have Device Pool with
CMG pointing at CUCM Sub first and CUCM Pub second<br>
</li>
</ul>
</div>
<div><br>
</div>
<div><b>Question</b></div>
<div>
<ol>
<li>Can an Agent in DC-B, who was not logged in
before Island Mode happened, now log in, while in
Island mode? Does CUCM's authentication method
change the answer? E.g., LDAP integrated user
versus local user.<br>
</li>
</ol>
<div>Thank you.</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
cisco-voip mailing list
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>