Great point about LDAP over SSL and certs. Thank you for mentioning this.

On Fri, Feb 5, 2016 at 2:10 PM, Brian V <[email protected]> wrote:

> common mistake that can happen and makes it "look like" only the publisher
> can provide LDAP authentication is if you're doing secure LDAP (over SSL)
> and didn't distribute the root CA/chain for the SSL encryption to all the
> CUCM nodes. More of an issue with older CUCM but thought I'd mention it.
> Each CUCM node can perform the LDAP authentication (not the sync). Also
> make sure any firewalls and such allow the LDAP requests from the
> subscriber nodes as well as the publisher.
>
> On 2/5/2016 3:49 PM, Justin Steinberg wrote:
>
> This isn't the full answer you're looking for, but I'll still throw it out
> there...
>
> I know LDAP enabled agents can log in to Finesse when the UCM publisher is
> down as that happened to me last week. The UCM LDAP auth component doesn't
> rely on the Dirsync service, so the UCM LDAP auth runs on all UCM nodes.
>
> I had a UCS blade failure that took down the UCM pub, but the UCCX pub and
> all the primary AD servers were still online for the UCM subs to
> authenticate.
>
> On Fri, Feb 5, 2016 at 4:17 PM, Anthony Holloway <[email protected]> wrote:
>
>> UCCXers,
>>
>> I'm trying to avoid spinning up an entire lab to answer a simple question
>> that the SRND is glossing over. "Can Agents login to Finesse on the Island
>> Mode side opposite the CUCM Publisher if using LDAP Authentication?"
>>
>> What the SRND has to say about failover and Island Mode:
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_W5EB2ACC_00
>>
>> A little further down in the SRND it talks about Finesse in Island Mode,
>> and it states that Agents can work on both sides, but it does not state, if
>> that is: A) for only already logged in Agents, or B) for CUCM local
>> authentication or LDAP authentication or otherwise.
>>
>> http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_11_0/design/guide/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11/UCCX_BK_U3AF2742_00_unified-ccx-design-guide-11_appendix_0100.html#UCCX_RF_F3A11E07_00
>>
>> This is a very shallow description on what I consider to be a very deep
>> topic, so I'm asking here for real world experience.
>>
>> Assume that we have two Data Centers: DC-A and DC-B.
>>
>> *DC-A Contains:*
>>
>> - LDAP Server A
>> - CUCM Publisher
>> - UCCX Publisher (Currently Engine Master)
>> - Agents
>>
>> *DC-B Contains*
>>
>> - LDAP Server B
>> - CUCM Subscriber
>> - UCCX Subscriber (Currently Engine Slave)
>> - Agents
>>
>> *Assumed Config*
>>
>> - Call flows are internal, no voice gateways to worry about
>> - CUCM LDAP Auth config is pointing at LDAP Server A first and LDAP
>>   Server B second
>> - UCCX Publisher AXL/JTAPI config is pointing at CUCM Pub first and
>>   CUCM Sub second
>> - UCCX Subscriber AXL/JTAPI config is pointing at CUCM Sub first and
>>   CUCM Pub second
>> - UCCX CTI Route Points have Device Pool with CMG pointing at CUCM
>>   Pub first and CUCM Sub second
>> - UCCX Publisher CTI Ports have Device Pool with CMG pointing at CUCM
>>   Pub first and CUCM Sub second
>> - UCCX Subscriber CTI Ports have Device Pool with CMG pointing at
>>   CUCM Sub first and CUCM Pub second
>>
>> *Question*
>>
>> 1. Can an Agent in DC-B, who was not logged in before Island Mode
>>    happened, now log in, while in Island mode? Does CUCM's authentication
>>    method change the answer? E.g., LDAP integrated user versus local user.
>>
>> Thank you.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-voip
