Avaya Aura Communication Manager Branch

Release 2.0 Job Aid: Configuring and Working with LDAP

November 2009 Issue 2

Introduction
This Job Aid describes how to configure Branch Central Manager and Branch Device Manager user accounts using your organizations LDAP or RADIUS servers. This allows you to configure and maintain the accounts centrally, reducing the time for adds, moves and deletes.

Prerequisites

Operating System: Windows 2003 Server, Service Pack 2. Both the Active Directory and the Certificate Authority server are on the same computer. If the AD and CA server are not, see: CA Server and AD on different servers on page 9. The LDAP server host name including domain name, for example atl-ad-gc.corp.company.com The Active Directory Domain, for example corp.company.com. Table 1: Glossary Abbreviation AD CA DC Meaning Active Directory Certificate Authority Domain Controller

See Table 1 for a list of terms used in this document.

Issue 2 November 2009

Creating CA and DC certificates

Request for new certificate for Domain Controller and validation of existing CA Server certificate
1. Click Start > Run > mmc. 2. Select File > Add/Remove Snap-in. 3. The Add/Remove Snap-in window opens. 4. Click Add.... - The Add Standalone Snap-in window opens:

5. Select Certificates 6. Click Add.

4 Installation and Upgrades for the Avaya G450 Media Gateway

Creating CA and DC certificates

- The Certificates snap-in wizard opens:

7. Select Computer account in the Certificates snap-in wizard. 8. Click Next >. - The next step in the wizard opens:

9. Select Local computer: (the computer this console is running on). 10. Click Finish.

Issue 2 November 2009

11. Open the Personal > Certificates page in the Console:

Create new certificate for the Active Directory as follows: 12. Right-click Certificates and select All Tasks > Request New Certificate 13. Choose Domain Controller template in the Certificate Request Wizard:

14. Click Next >

6 Installation and Upgrades for the Avaya G450 Media Gateway

Creating CA and DC certificates

- The following screen opens:

15. Type the full computer name of Active Directory server, including domain name, for example atl-ad-gc.corp.com, in the Friendly name field. 16. Click Next > until you reach the final stage. 17. Click Finish. - The following screen opens:

18. Click Finish to exit the wizard.

Issue 2 November 2009

Exporting the CA Server certificate

The next step is exporting the CA server certificate to *.cer file. 1. Right-click the first certificate as shown below and select All Tasks > Export:

- The the Certificate Export Wizard opens:

2. Select No, do not export the private key. 3. Click Next >.

8 Installation and Upgrades for the Avaya G450 Media Gateway

Creating CA and DC certificates

- The next step in the wizard opens:

4. Select Base-64 encoded X.509 format. 5. Click Next >. 6. Enter a file name for the *.cer file in the appropriate field.

CA Server and AD on different servers

If the CA Server and AD are on different servers, do the following: 1. Import CA server certificate to the Trusted Root Certificate Authorities list on the AD server. Right-click Trusted Root Certification Authorities >Certificates in the Console window and select All Tasks > Import: - The Certificate Import Wizard opens:

Issue 2 November 2009

2. Select the CA server certificate in the File name field. 3. Click Next >. - The next step in the wizard opens:

4. Click Next >. 5. Click Finish. 6. Request an AD certificate from the CA server and load the AD certificate to Certificates > Personal as shown below:

Configuring Branch Device Manager

1. Upload the CA server certificate file that you exported in the previous steps to Communication Manager Branch. 2. Open the Maintenance & Monitoring > Security > Trusted Certificates page. 3. Select 'File' in the Download method drop-down list 4. Click Browse to locate the file you saved in the previous section.

10 Installation and Upgrades for the Avaya G450 Media Gateway

Configuring Branch Device Manager

5. Click Start 6. The file is uploaded to the Communication Manager Branch, and then appears in the Trusted Certificates table. 7. Configure the DNS Server as shown in Figure 1. Note: The DNS Server must include the entry of the Domain Controller. 8. Open the Configuration > Platform > Network Connection > DNS tab. 9. Type the IP Address of the active directory server into the Primary Name Server field. Figure 1: DNS server configuration

Note:

10. Click Apply Changes. 11. Open the Platform > Administrative Users Accounts > Local users tab. 12. Select LDAPS in the Remote authentication of administrative users drop-down list. 13. Open the Platform > Administrative Users Accounts > LDAP client tab. 14. Set the parameters as shown in Table 2

Issue 2 November 2009

11

Note:

Note: The Server Address field must contain DNS name of Domain Controller. Table 2: Device Manager LDAP client parameters Field Server Address Base DN Value Host name/IP address of the LDAP server. For example: atl-adc-gc.corp.com The DN (Distinguished Name) of the entry at which to start the search. For example: CN=Users,DC=corp,DC=com. Use this parameter is to log in to the LDAP server. Bind distinguished name, used for connection authentication to the LDAP server. Example: CN=Administrator,CN=Users,DC=corp,DC=com Password for above distinguished name. Select this if you are using Microsoft Active Directory server.

Bind DN

Bind Secret Active Directory Server

15. Ensure that the DNS server is accessible from the Communication Manager Branch by sending a ping from Communication Manager Branch to DNS server.

Configuring Enterprise Network Management to work with LDAP

A user can access to the ENM system if the user is configured in the ENM User Administration tool. If the user is not configured as Local User in the User Administration form, the LDAP server authenticates the user. The user role is always determined by the Role drop down list in the ENM User Administration tool. You can open the ENM User Administration tool by clicking on the Administrators node in the Branch Central Manager (formerly Distributed Office Central Manager) navigation pane.

Configure the connection to the LDAP Server

The LDAP server connection parameters reside in the file aimproperties.xml.

12 Installation and Upgrades for the Avaya G450 Media Gateway

Configuring Enterprise Network Management to work with LDAP

To edit the file: 1. Open the Windows file explorer by clicking on the My Computer icon on your desktop or from the Windows Start menu. 2. Locate the aimproperties.xml file. Tip: You can find the file in the following location: <Avaya Installation directory>\ jboss-4.0.4.GA\server\default\conf\. For example, if you installed ENM under C:\Program Files\Avaya, then the file will be under C:\Program Files\ Avaya\jboss-4.0.4.GA\server\default\conf\. 3. Right-click on the file. 4. Select Open With > WordPad. 5. Search for the section that contains the following LDAP parameters: <entry key="ldap.url">ldap://135.9.78.125:389</entry> <entry key="ldap.secureConnection">ssl</entry> <entry key="ldap.binddn">cn=root,dc=avaya,dc=com</entry> <entry key="ldap.bindpassword">secret</entry> <entry key="ldap.searchuri">dc=avaya,dc=com?cn</entry> 6. Update the properties according to the description in Table 3. - For example, if you want to update the property ldap.secureConnection to "none", update the line: <entry key="ldap.secureConnection">ssl</entry> to: <entry key="ldap.secureConnection">none</entry>. 7. When you have finished updating all the properties, save the file by selecting File > Save. 8. Close WordPad by selecting the File > Exit. Table 3: LDAP server connection Properties settings.policy.authenticate ldap.url Value ldap Host name/IP address and optionally port of the LDAP server (the default port numbers are 389 and 636 for SSL). The format is: ldap[s]://<hostname>:[port]. For example, ldap://1.2.3.4:389.

Tip:

Issue 2 November 2009

13

Table 3: LDAP server connection Properties ldap.secureConnection Value

ssl - if SSL is enabled on the LDAP server. Note, usually if this option is selected, the LDAP url starts with "ldaps", or none - if SSL is disabled on the LDAP server.

ldap.binddn

Bind distinguished name, used for connection authentication to the LDAP server. For example, cn=admin,ou=sv,dc=avaya,dc=com. This parameter is used to login to the LDAP server. Password for above distinguished name. This field must contain a legal LDAP search URI. See LDAP Search URI for full details of this field

ldap.bindpassword ldap.searchuri

LDAP Search URI

The LDAP search URI field must be with the following structure: <basedn>??<scope>?<filter> Note: Note: the 2 question marks are part of the structure. Table 4: LDAP Search URI parameters. Parameter basedn Value The DN (Distinguished Name) of the entry at which to start the search. 1 of 2

Note:

See Table 4 for information on the parameters.

14 Installation and Upgrades for the Avaya G450 Media Gateway

Configuring Enterprise Network Management to work with LDAP

Table 4: LDAP Search URI parameters. Parameter scope Value The scope of the search. It can be one of the following: one - entries immediately below the base DN. sub - the entire subtree starting at the base DN. How to examine each entry in the scope, for example, (&(objectClass=person)(|(givenName=John)(mail=joh n*))) - search for people who either have given name John or an e-mail address starting with john. The filter can also contain the unique constant: [user name] that the login name that is actually trying to login replaces. Special characters must be in XML representation. For example: & (ampersand): &amp; > (larger then): &gt; < (smaller then): &lt; 2 of 2

filter

Examples for Active Directory:

Simple user search, recursively search the user under the base DN DC=cmbead,DC=local: DC=cmbead,DC=local??sub?(sAMAccountName=[user name])

Recursively search a user that is a member of the group CN=Administrators,CN=Builtin,DC=cmbead,DC=local under the base DN DC=cmbead,DC=local: DC=cmbead,DC=local??sub?(&amp;(memberOf=CN=Administrators,CN=Builtin,DC =cmbead,DC=local)(sAMAccountName=[user name]))

Examples for Open LDAP

Simple user search; recursively searches the user under the base DN DC=example,DC=com: DC=example,DC=com??sub?(uid=[user name])

Recursively search a user that is a member of the group CN=hrpeople,OU=groups,DC=example,DC=com under the base DN DC=example,DC=com: DC=example,DC=com??sub?(&amp;(memberOf=CN=hrpeople,OU=groups,DC=example ,DC=com)(uid=[user name])) Note: The OpenLDAP server must support the 'memberOf' attribute for this query to work.

Note:

Issue 2 November 2009

15

LDAP test utility.

!
Important:

Important: You should only use this file with ENM version 5.2.11 and above.

Description:
This utility uses the LDAP parameters specified in the aimproperties.xml file, under <Avaya Directory>\jboss-4.0.4.GA\server\default\conf\, and checks if the LDAP user and password (the parameters given to this script) are correct.

Downloading the file

1. Point your browser to support.avaya.com. 2. Click Products. 3. Select Communication Manager Branch. 4. Click LDAP_test_utility.zip 5. Follow the on-screen instructions.

Using the file

1. Unzip the LDAP_test_utility.zip file contents TestLDAP.txt and TestLDAP.jar to the Avaya Installation directory. Tip: The default directory is c:\Program Files\Avaya\ 2. Rename TestLDAP.txt to TestLDAP.bat. 3. Open the command line window: a. Open the Start menu. b. Select Run... c. Type cmd in the Open... field. d. Click OK. - The command line window opens. 4. Change the directory to the Avaya Installation directory using the cd command, for example, type cd C:\Program Files\Avaya\ and press the Enter key. 5. In order to check LDAP user and password, type the following in the command line window: TestLDAP.bat <LDAP user> <LDAP password> and then press the Enter key.

Tip:

16 Installation and Upgrades for the Avaya G450 Media Gateway

Configuring Enterprise Network Management to work with LDAP

6. The result of the LDAP test appears in the command line window. Note: If you change the content of aimproperties.xml file, you can run this script without stopping and starting Avaya services.

Note:

Issue 2 November 2009

17

18 Installation and Upgrades for the Avaya G450 Media Gateway