Introduction
This job aid describes how to configure Branch Central Manager and Branch Device Manager user accounts using your organization's LDAP or RADIUS servers. This lets you configure and maintain the accounts centrally, reducing the time needed for adds, moves and deletes.
Prerequisites
Operating System: Windows 2003 Server, Service Pack 2.
Both the Active Directory and the Certificate Authority server are on the same computer. If the AD and CA server are not, see: CA Server and AD on different servers on page 9.
The LDAP server host name including domain name, for example atl-ad-gc.corp.company.com
The Active Directory Domain, for example corp.company.com.

Table 1: Glossary
Abbreviation   Meaning
AD             Active Directory
CA             Certificate Authority
DC             Domain Controller
7. Select Computer account in the Certificates snap-in wizard.
8. Click Next >.
   The next step in the wizard opens.
9. Select Local computer: (the computer this console is running on).
10. Click Finish.

Create a new certificate for the Active Directory as follows:
12. Right-click Certificates and select All Tasks > Request New Certificate.
13. Choose the Domain Controller template in the Certificate Request Wizard.
15. Type the full computer name of the Active Directory server, including domain name, for example atl-ad-gc.corp.com, in the Friendly name field.
16. Click Next > until you reach the final stage.
17. Click Finish.
   The following screen opens:
2. Select No, do not export the private key.
3. Click Next >.
4. Select Base-64 encoded X.509 format.
5. Click Next >.
6. Enter a file name for the *.cer file in the appropriate field.

2. Select the CA server certificate in the File name field.
3. Click Next >.
   The next step in the wizard opens.
4. Click Next >.
5. Click Finish.
6. Request an AD certificate from the CA server and load the AD certificate to Certificates > Personal as shown below:
5. Click Start.
6. The file is uploaded to the Communication Manager Branch, and then appears in the Trusted Certificates table.
7. Configure the DNS Server as shown in Figure 1.
   Note: The DNS Server must include the entry of the Domain Controller.
8. Open the Configuration > Platform > Network Connection > DNS tab.
9. Type the IP address of the Active Directory server into the Primary Name Server field.
   Figure 1: DNS server configuration
10. Click Apply Changes.
11. Open the Platform > Administrative Users Accounts > Local users tab.
12. Select LDAPS in the Remote authentication of administrative users drop-down list.
13. Open the Platform > Administrative Users Accounts > LDAP client tab.
14. Set the parameters as shown in Table 2.
Note: The Server Address field must contain the DNS name of the Domain Controller.

Table 2: Device Manager LDAP client parameters
Field            Value
Server Address   Host name/IP address of the LDAP server. For example: atl-adc-gc.corp.com
Base DN          The DN (Distinguished Name) of the entry at which to start the search. For example: CN=Users,DC=corp,DC=com.
Bind DN          Bind distinguished name, used for connection authentication to the LDAP server. This parameter is used to log in to the LDAP server. Example: CN=Administrator,CN=Users,DC=corp,DC=com
                 Password for the above distinguished name.
                 Select this if you are using a Microsoft Active Directory server.
15. Ensure that the DNS server is accessible from the Communication Manager Branch by sending a ping from the Communication Manager Branch to the DNS server.
To edit the file:
1. Open the Windows file explorer by clicking the My Computer icon on your desktop or from the Windows Start menu.
2. Locate the aimproperties.xml file.
   Tip: You can find the file in the following location: <Avaya Installation directory>\jboss-4.0.4.GA\server\default\conf\. For example, if you installed ENM under C:\Program Files\Avaya, then the file will be under C:\Program Files\Avaya\jboss-4.0.4.GA\server\default\conf\.
3. Right-click on the file.
4. Select Open With > WordPad.
5. Search for the section that contains the following LDAP parameters:
   <entry key="ldap.url">ldap://135.9.78.125:389</entry>
   <entry key="ldap.secureConnection">ssl</entry>
   <entry key="ldap.binddn">cn=root,dc=avaya,dc=com</entry>
   <entry key="ldap.bindpassword">secret</entry>
   <entry key="ldap.searchuri">dc=avaya,dc=com?cn</entry>
6. Update the properties according to the description in Table 3. For example, if you want to set the property ldap.secureConnection to "none", change the line:
   <entry key="ldap.secureConnection">ssl</entry>
   to:
   <entry key="ldap.secureConnection">none</entry>
7. When you have finished updating all the properties, save the file by selecting File > Save.
8. Close WordPad by selecting File > Exit.

Table 3: LDAP server connection properties
Property                      Value
settings.policy.authenticate  ldap
ldap.url                      Host name/IP address and optionally port of the LDAP server (the default port numbers are 389, and 636 for SSL). The format is: ldap[s]://<hostname>:[port]. For example, ldap://1.2.3.4:389.
ldap.secureConnection         ssl - if SSL is enabled on the LDAP server. Note that when this option is selected, the LDAP URL usually starts with "ldaps". none - if SSL is disabled on the LDAP server.
ldap.binddn                   Bind distinguished name, used for connection authentication to the LDAP server. For example, cn=admin,ou=sv,dc=avaya,dc=com. This parameter is used to log in to the LDAP server.
ldap.bindpassword             Password for the above distinguished name.
ldap.searchuri                This field must contain a legal LDAP search URI. See LDAP Search URI for full details of this field.
Table 4: LDAP Search URI parameters
Parameter   Value
scope       The scope of the search. It can be one of the following:
            one - entries immediately below the base DN.
            sub - the entire subtree starting at the base DN.
filter      How to examine each entry in the scope, for example, (&(objectClass=person)(|(givenName=John)(mail=john*))) - search for people who either have the given name John or an e-mail address starting with john. The filter can also contain the placeholder [user name], which is replaced by the login name of the user who is actually trying to log in. Special characters must be in XML representation. For example:
            & (ampersand): &amp;
            > (greater than): &gt;
            < (less than): &lt;
Simple user search; recursively searches for the user under the base DN DC=cmbead,DC=local:
DC=cmbead,DC=local??sub?(sAMAccountName=[user name])

Recursively searches for a user that is a member of the group CN=Administrators,CN=Builtin,DC=cmbead,DC=local under the base DN DC=cmbead,DC=local:
DC=cmbead,DC=local??sub?(&(memberOf=CN=Administrators,CN=Builtin,DC=cmbead,DC=local)(sAMAccountName=[user name]))

Simple user search; recursively searches for the user under the base DN DC=example,DC=com:
DC=example,DC=com??sub?(uid=[user name])

Recursively searches for a user that is a member of the group CN=hrpeople,OU=groups,DC=example,DC=com under the base DN DC=example,DC=com:
DC=example,DC=com??sub?(&(memberOf=CN=hrpeople,OU=groups,DC=example,DC=com)(uid=[user name]))
Note: The OpenLDAP server must support the 'memberOf' attribute for this query to work.
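The following Python script is an added example, not part of the Avaya job aid and not Avaya code. It ties Table 3 and Table 4 together: it reads the ldap.* entries from an aimproperties.xml fragment, flags settings that contradict each other (for example ldap.secureConnection set to ssl while ldap.url starts with ldap://, or the clear-text exposure when it is set to none), splits a search URI into its base?attributes?scope?filter components (the order used in the examples above, which is the RFC 4516 LDAP URL component order), substitutes the [user name] placeholder with RFC 4515 escaping so a login name containing filter metacharacters cannot change the filter's structure, and renders a property value with the XML escaping Table 4 requires. The <properties> root element, the host names, DNs and password in the sample are constructed placeholders.

```python
# Added example (not Avaya's code): parse the ldap.* entries of an
# aimproperties.xml fragment, check them against the Table 3 rules, split an
# ldap.searchuri into base?attributes?scope?filter, and expand the
# [user name] placeholder with RFC 4515 escaping.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape as xml_escape

# Constructed sample; the <properties> root element, host, DNs and the
# password are assumptions, not values from a real deployment.
SAMPLE_XML = """<properties>
  <entry key="settings.policy.authenticate">ldap</entry>
  <entry key="ldap.url">ldaps://dc1.example.test:636</entry>
  <entry key="ldap.secureConnection">ssl</entry>
  <entry key="ldap.binddn">CN=svc-enm,CN=Users,DC=example,DC=test</entry>
  <entry key="ldap.bindpassword">placeholder-password</entry>
  <entry key="ldap.searchuri">DC=example,DC=test??sub?(&amp;(memberOf=CN=hrpeople,OU=groups,DC=example,DC=test)(sAMAccountName=[user name]))</entry>
</properties>"""

PLACEHOLDER = "[user name]"


def load_ldap_entries(xml_text):
    """Return {key: value} for every <entry key="..."> element in the document."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry") if e.get("key")}


def effective_port(ldap_url):
    """Port actually used: the explicit port, else 389 for ldap:// and 636 for ldaps://."""
    parts = urlsplit(ldap_url)
    return parts.port or (636 if parts.scheme == "ldaps" else 389)


def check_connection_settings(props):
    """Warnings for Table 3 settings that contradict each other or weaken transport security."""
    warnings = []
    scheme = urlsplit(props.get("ldap.url", "")).scheme
    secure = props.get("ldap.secureConnection", "")
    if props.get("settings.policy.authenticate") != "ldap":
        warnings.append("settings.policy.authenticate is not 'ldap'")
    if scheme not in ("ldap", "ldaps"):
        warnings.append("ldap.url must use the form ldap[s]://<hostname>:[port]")
    if secure not in ("ssl", "none"):
        warnings.append("ldap.secureConnection must be 'ssl' or 'none'")
    if secure == "ssl" and scheme == "ldap":
        warnings.append("secureConnection is ssl but ldap.url starts with ldap://")
    if secure == "none" and scheme == "ldaps":
        warnings.append("secureConnection is none but ldap.url starts with ldaps://")
    if secure == "none":
        warnings.append("bind password and user credentials will cross the network unencrypted")
    return warnings


def parse_search_uri(uri):
    """Split base?attributes?scope?filter (RFC 4516 component order, as in the job aid's examples)."""
    base, attrs, scope, flt = (uri.split("?", 3) + ["", "", "", ""])[:4]
    if scope not in ("", "one", "sub"):  # "" leaves the scope to the server default
        raise ValueError("scope must be 'one' or 'sub', got %r" % scope)
    return {"base": base, "attributes": attrs, "scope": scope, "filter": flt}


def escape_filter_value(value):
    """RFC 4515 escaping: a login name can never add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand_filter(filter_template, user_name):
    """Replace the [user name] placeholder with the escaped login name."""
    return filter_template.replace(PLACEHOLDER, escape_filter_value(user_name))


def to_xml_entry(key, value):
    """Render a property line with &, < and > in XML representation (Table 4's rule)."""
    return '<entry key="%s">%s</entry>' % (key, xml_escape(value))


if __name__ == "__main__":
    props = load_ldap_entries(SAMPLE_XML)
    print("port:", effective_port(props["ldap.url"]))
    print("warnings:", check_connection_settings(props) or "none")
    parsed = parse_search_uri(props["ldap.searchuri"])
    print("scope:", parsed["scope"], "base:", parsed["base"])
    print("filter for jsmith:", expand_filter(parsed["filter"], "jsmith"))
    print("filter for a name with metacharacters:", expand_filter(parsed["filter"], "*)(cn=*"))
    print(to_xml_entry("ldap.searchuri", props["ldap.searchuri"]))
```

The escaping function shows what any substitution of a user-supplied login name into an LDAP filter has to do; the job aid does not describe how the product itself performs the [user name] replacement, so treat it as a general check on a candidate URI rather than a statement about ENM. The clear-text warning is the reason the ssl setting in Table 3 should be paired with an ldaps:// URL, which is also what the job aid's LDAPS selection in the Device Manager assumes.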
Important: You should only use this file with ENM version 5.2.11 and above.
Description:
This utility uses the LDAP parameters specified in the aimproperties.xml file, under <Avaya Directory>\jboss-4.0.4.GA\server\default\conf\, and checks if the LDAP user and password (the parameters given to this script) are correct.
6. The result of the LDAP test appears in the command line window.
Note: If you change the content of the aimproperties.xml file, you can run this script without stopping and starting the Avaya services.