<div dir="ltr">Great point about LDAP over SSL and certs.  Thank you for mentioning this.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 5, 2016 at 2:10 PM, Brian V <span dir="ltr"><<a href="mailto:bvanbens@gmail.com" target="_blank">bvanbens@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    A common mistake that can happen, and makes it "look like" only the
    publisher can provide LDAP authentication, is if you're doing secure
    LDAP (over SSL) and didn't distribute the root CA/chain for the SSL
    encryption to all the CUCM nodes.  More of an issue with older CUCM,
    but thought I'd mention it.<br>
    Each CUCM node can perform the LDAP authentication (not the sync). 
    Also make sure any firewalls and such allow the LDAP requests from
    the subscriber nodes as well as the publisher.<div><div class="h5"><br>
    <br>
    <br>
    <br>
    <div>On 2/5/2016 3:49 PM, Justin Steinberg
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">This isn't the full answer you're looking for, but
        I'll still throw it out there...
        <div><br>
        </div>
        <div>I know LDAP-enabled agents can log in to Finesse when the
          UCM publisher is down, as that happened to me last week.  The
          UCM LDAP auth component doesn't rely on the DirSync service,
          so the UCM LDAP auth runs on all UCM nodes.
          <div><br>
          </div>
          <div>I had a UCS blade failure that took down the UCM pub, but
            the UCCX pub and all the primary AD servers were still
            online for the UCM subs to authenticate.  </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Feb 5, 2016 at 4:17 PM, Anthony
          Holloway <span dir="ltr"><<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>UCCXers,</div>
              <div><br>
              </div>
              <div>I'm trying to avoid spinning up an entire lab to
                answer a simple question that the SRND is glossing over.
                 "Can Agents log in to Finesse on the Island Mode side
                opposite the CUCM Publisher if using LDAP
                Authentication?"</div>
              <div><br>
              </div>
              <div>What the SRND has to say about failover and Island
                Mode:</div>
              <div><br>
                <div><a href="http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00" target="_blank">http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00</a><br>
                </div>
                <div><br>
                </div>
                <div>A little further down in the SRND it talks about
                  Finesse in Island Mode, and it states that Agents can
                  work on both sides, but it does not state if that is:
                  A) for only already logged-in Agents, or B) for CUCM
                  local authentication or LDAP authentication or
                  otherwise.</div>
                <div><br>
                </div>
                <div><a href="http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00" target="_blank">http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00</a><br>
                </div>
                <div><br>
                </div>
                <div>This is a very shallow description on what I
                  consider to be a very deep topic, so I'm asking here
                  for real world experience.</div>
                <div><br>
                </div>
                <div>Assume that we have two Data Centers: DC-A and
                  DC-B.</div>
                <div><br>
                </div>
                <div><b>DC-A Contains:</b></div>
                <div>
                  <ul>
                    <li>LDAP Server A<br>
                    </li>
                    <li>CUCM Publisher<br>
                    </li>
                    <li>UCCX Publisher (Currently Engine Master)<br>
                    </li>
                    <li>Agents<br>
                    </li>
                  </ul>
                </div>
                <div><br>
                </div>
                <div><b>DC-B Contains</b></div>
                <div>
                  <ul>
                    <li>LDAP Server B<br>
                    </li>
                    <li>CUCM Subscriber<br>
                    </li>
                    <li>UCCX Subscriber (Currently Engine Slave)<br>
                    </li>
                    <li>Agents<br>
                    </li>
                  </ul>
                </div>
                <div><br>
                </div>
                <div><b>Assumed Config</b></div>
                <div>
                  <ul>
                    <li>Call flows are internal, no voice gateways to
                      worry about<br>
                    </li>
                    <li>CUCM LDAP Auth config is pointing at LDAP Server
                      A first and LDAP Server B second<br>
                    </li>
                    <li>UCCX Publisher AXL/JTAPI config is pointing at
                      CUCM Pub first and CUCM Sub second<br>
                    </li>
                    <li>UCCX Subscriber AXL/JTAPI config is pointing at
                      CUCM Sub first and CUCM Pub second<br>
                    </li>
                    <li>UCCX CTI Route Points have Device Pool with CMG
                      pointing at CUCM Pub first and CUCM Sub second<br>
                    </li>
                    <li>UCCX Publisher CTI Ports have Device Pool with
                      CMG pointing at CUCM Pub first and CUCM Sub second<br>
                    </li>
                    <li>UCCX Subscriber CTI Ports have Device Pool with
                      CMG pointing at CUCM Sub first and CUCM Pub second<br>
                    </li>
                  </ul>
                </div>
                <div><br>
                </div>
                <div><b>Question</b></div>
                <div>
                  <ol>
                    <li>Can an Agent in DC-B, who was not logged in
                      before Island Mode happened, now log in, while in
                      Island mode?  Does CUCM's authentication method
                      change the answer?  E.g., LDAP integrated user
                      versus local user.<br>
                    </li>
                  </ol>
                  <div>Thank you.</div>
                </div>
              </div>
            </div>
            <br>
            _______________________________________________<br>
            cisco-voip mailing list<br>
            <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
            <a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>