Device Authentication Using Ldap; Configuring The Ldap Server Directory; Configuring Ldap Server Settings - TANDBERG D14049.04 Administrator's Manual

Tandberg video communications server administrator guide
Registration control

Device authentication using LDAP

Overview
If the VCS is using an LDAP server for authentication, the process is as follows:

1. The endpoint presents its username and authentication credentials (these are generated using its password) to the VCS, together with the aliases with which it wants to register.
2. The VCS looks up the username in the LDAP database and obtains the authentication and alias information for that entry.
3. If the authentication credentials match those supplied by the endpoint, the registration continues.

The VCS then determines which aliases the endpoint is allowed to attempt to register with, based on the alias origin setting. For H.323 endpoints, you can use this setting to override the aliases presented by the endpoint with those in the H.350 directory, or to use the directory aliases in addition to the endpoint's aliases. For SIP endpoints, you can use this setting to reject a registration if the endpoint's AOR does not match that in the LDAP database.

Configuring the LDAP server directory

The directory on the LDAP server should be configured to implement the ITU H.350 specification [2] to store credentials for the devices with which the VCS communicates. The directory should also be configured with the aliases of endpoints that will register with the VCS.

See the LDAP configuration for device authentication appendix for instructions on configuring LDAP servers.

Configuring LDAP server settings

The Device LDAP Configuration page is used to configure a connection to the LDAP database for device authentication.

To go to the Device LDAP Configuration page: VCS configuration > Authentication > Devices > LDAP configuration

To configure these settings using the CLI:
xConfiguration LDAP
xConfiguration Authentication LDAP
D14049.07, March 2010


LDAP server
The IP address or FQDN (or server address, if a DNS Domain Name has also been configured) of the LDAP server.

Port
The IP port of the LDAP server. The default is 389.

Encryption
Determines whether the connection to the LDAP server is encrypted using Transport Layer Security (TLS).
TLS: TLS encryption is used for the connection to the LDAP server.
Off: no encryption is used.
The default is Off. With encryption Off, the bind password and the credential attributes the VCS reads from the directory cross the network in cleartext, so select TLS unless the LDAP server is reachable only over a trusted, isolated network.
The link Upload a CA Certificate file for TLS takes you to the Security certificates page, where you can upload a file containing the trusted CA certificate for the LDAP server. This is required for encrypted connections between the VCS and the LDAP server. See the Security certificates section for more information.

User DN
The user distinguished name used by the VCS when binding to the LDAP server.

Password
The password used by the VCS when binding to the LDAP server.

Base DN
The area of the directory on the LDAP server to search for credential information. This should be specified as the Distinguished Name (DN) in the LDAP directory under which the H.350 objects reside.
Alias origin
This setting determines the aliases with which the endpoint will attempt to register. The options are:

LDAP: for SIP registrations, the AOR presented by the endpoint is registered provided it is listed in the LDAP database for the endpoint's username. For H.323 registrations:
- At least one of the aliases presented by the endpoint must be listed in the LDAP database for that endpoint's username. If none of the presented aliases is listed, the endpoint is not allowed to register.
- The endpoint registers with all of the aliases (up to a maximum of 20) listed in the LDAP database. Aliases presented by the endpoint that are not in the LDAP database are not registered.
- If no aliases are listed in the LDAP database, the endpoint registers with all the aliases it presented.
- If no aliases are presented by the endpoint, it registers with all the aliases listed in the LDAP database for its username.
- MCUs are treated as a special case. They register with the presented aliases and ignore any aliases in the LDAP database. (This is to allow MCUs to additively register aliases for conferences.)

Combined: the aliases presented by the endpoint are used in addition to any listed in the LDAP database for the endpoint's username. In other words, this is the same as for LDAP, except that if an endpoint presents an alias that is not in the LDAP database, it is allowed to register with that alias.

Endpoint: the aliases presented by the endpoint are used; any in the LDAP database are ignored. If no aliases are presented by the endpoint, it is not allowed to register.

The default is LDAP.
To use the LDAP database for device authentication, you must also go to the Device authentication configuration page and select a Database type of LDAP database.
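The following is an added example, written for this page and not VCS code, that turns the three-step registration process in the Overview and the Alias origin rules above into executable form. The directory contents (usernames, passwords, aliases) are constructed; the attribute names follow the H.350 object classes (h323Identity, h235Identity, SIPIdentity). The credential derivation is an assumed HMAC stand-in, not the real H.235 or SIP digest construction, and the "nothing to register" outcome for an empty Combined result is an assumption the page does not state.

```python
"""Model of the VCS device-authentication flow and the Alias origin rules.

Illustrative code written for this page, not VCS software. Directory data is
constructed; attribute names follow H.350 (h323Identity, h235Identity, SIPIdentity).
"""
import hashlib
import hmac
from typing import Dict, List, Optional

MAX_LDAP_ALIASES = 20  # upper bound stated on this page for aliases taken from LDAP

# Constructed directory contents keyed by the username the endpoint presents.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice.room": {
        "h235IdentityPassword": ["room-pw-1"],
        "h323IdentityH323-ID": ["alice.room", "alice.room.backup"],
        "h323IdentitydialedDigits": ["1001"],
        "SIPIdentitySIPURI": ["sip:alice.room@example.com"],
    },
    "lab-mcu": {  # an MCU entry with no aliases listed
        "h235IdentityPassword": ["mcu-pw"],
        "h323IdentityH323-ID": [],
        "h323IdentitydialedDigits": [],
        "SIPIdentitySIPURI": [],
    },
}


def make_credential(password: str, challenge: bytes) -> str:
    """Step 1 stand-in: a password-derived credential (assumed HMAC, not H.235/SIP digest)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


def authenticate(username: str, credential: str, challenge: bytes) -> Optional[dict]:
    """Steps 2 and 3: look the username up, compare credentials; None on any failure."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    expected = make_credential(entry["h235IdentityPassword"][0], challenge)
    if not hmac.compare_digest(expected, credential):
        return None
    return entry


def ldap_aliases(entry: dict, protocol: str) -> List[str]:
    """Aliases the directory lists for the entry, for the given protocol."""
    if protocol == "SIP":
        return list(entry["SIPIdentitySIPURI"])
    return list(entry["h323IdentityH323-ID"]) + list(entry["h323IdentitydialedDigits"])


def resolve_aliases(entry: dict, protocol: str, presented: List[str],
                    alias_origin: str, is_mcu: bool = False) -> Optional[List[str]]:
    """Apply the Alias origin rules. Returns the aliases to register, or None to reject."""
    listed = ldap_aliases(entry, protocol)[:MAX_LDAP_ALIASES]
    presented = list(presented)

    if alias_origin == "Endpoint":
        return presented or None  # directory ignored; nothing presented means reject

    if alias_origin == "Combined":
        # As for LDAP, but presented aliases absent from the directory are kept too.
        merged = listed + [a for a in presented if a not in listed]
        return merged or None  # nothing on either side: reject (assumption)

    if alias_origin != "LDAP":
        raise ValueError(f"unknown alias origin {alias_origin!r}")

    if protocol == "SIP":
        # The presented AOR is registered only if the directory lists it for this user.
        return presented if presented and presented[0] in listed else None
    if is_mcu:
        return presented  # MCUs register presented aliases; directory aliases ignored
    if not listed:
        return presented or None  # nothing listed: register what was presented
    if not presented:
        return listed  # nothing presented: register everything listed
    if not any(a in listed for a in presented):
        return None  # none of the presented aliases is in the directory
    return listed  # presented aliases not in the directory are dropped


def register(username: str, credential: str, challenge: bytes, protocol: str,
             presented: List[str], alias_origin: str, is_mcu: bool = False):
    """Whole flow: authenticate, then decide which aliases are registered."""
    entry = authenticate(username, credential, challenge)
    if entry is None:
        return None
    return resolve_aliases(entry, protocol, presented, alias_origin, is_mcu)


if __name__ == "__main__":
    challenge = b"constructed-nonce"
    cred = make_credential("room-pw-1", challenge)
    for origin in ("LDAP", "Combined", "Endpoint"):
        print(origin, register("alice.room", cred, challenge, "H323",
                               ["alice.room", "rogue-alias"], origin))
    print("bad password:", register("alice.room", make_credential("x", challenge),
                                    challenge, "H323", ["alice.room"], "LDAP"))
```

Running the script shows the practical difference between the three settings: with LDAP the authenticated endpoint gets exactly the directory's aliases and "rogue-alias" is dropped, with Combined it is added, and with Endpoint the directory is not consulted at all, so an endpoint that knows a valid password can register any alias it likes. If aliases are used for routing or call admission decisions, LDAP is the setting that binds them to the authenticated identity.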