TANDBERG Gatekeeper User Guide
18. Appendix B: Configuring LDAP Servers
18.1. Microsoft Active Directory
18.1.1. Prerequisites
These comprehensive step-by-step instructions assume that Active Directory is installed. For details on installing Active Directory please consult your Windows documentation.
The following instructions are for Windows Server 2003 Enterprise Edition. If you are not using this version of Windows, your instructions may vary.
18.1.2. Adding H.350 objects
1. Create the organizational hierarchy
Open the Active Directory Users and Computers MMC snap-in. Right-click your BaseDN and select New Organizational Unit. Create an organizational unit called h350.
Note: It is good practice to keep the H.350 directory in its own organizational unit, separating H.350 objects from other types of object. Access controls can then be set up which give the Gatekeeper read access only to this BaseDN, limiting its access to other sections of the directory.
2. Add the H.350 objects
Create an ldif file with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
Add the ldif file to the server using the command:
ldifde -i -c DC=X <ldap_base> -f filename.ldf
This will add a single H.323 endpoint with an H.323 ID alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials with ID meetingroom1 and password mypassword, which are used during authentication.
Page 95 of 105
18.1.3. Securing with TLS
To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:
Be located in the Local Computer's Personal certificate store. This can be seen using the Certificates MMC snap-in.
Have its private key stored locally. When viewing the certificate you should see the message "You have a private key that corresponds to this certificate".
Have a private key that does not have strong private key protection enabled. This is an attribute that can be added to a key request.
Have an Enhanced Key Usage extension that includes the Server Authentication object identifier; this, again, forms part of the key request.
Be issued by a CA that both the domain controller and the client trust.
Include the Active Directory fully qualified domain name of the domain controller in the common name of the subject field and/or in a DNS entry of the subject alternative name extension.
18.2. OpenLDAP
18.2.1. Prerequisites
These instructions assume that an OpenLDAP server has already been installed. For details on installing OpenLDAP see the documentation at http://www.openldap.org.
The following examples use a standard OpenLDAP installation on the Linux platform. For installations on other platforms the location of the OpenLDAP configuration files may be different. See the OpenLDAP installation documentation for details.
18.2.2. Installing the H.350 schemas
The following ITU specifications describe the schemas which must be installed on the LDAP server:
H.350: Directory services architecture for multimedia conferencing. An LDAP schema to represent endpoints on the network.
H.350.1: Directory services architecture for H.323. An LDAP schema to represent H.323 endpoints.
H.350.2: Directory services architecture for H.235. An LDAP schema to represent H.235 elements.
The schemas can be downloaded in ldif format from the web interface on the Gatekeeper. To do this, navigate to Gatekeeper Configuration > Files and click on the links for the LDAP schemas.
Copy the downloaded schemas to the OpenLDAP schema directory:
/etc/openldap/schemas/commobject.ldif
/etc/openldap/schemas/h323identity.ldif
/etc/openldap/schemas/h235identity.ldif
Edit /etc/openldap/slapd.conf to add the new schemas. You will need to add the following lines:
include /etc/openldap/schemas/commobject.ldif
include /etc/openldap/schemas/h323identity.ldif
include /etc/openldap/schemas/h235identity.ldif
The OpenLDAP daemon (slapd) must be restarted for the new schemas to take effect.
18.2.3. Adding H.350 objects
1. Create the organizational hierarchy
Create an ldif file with the following contents:
# This example creates a single organizational unit to contain
# the H.350 objects
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350
Add the ldif file to the server using the command:
slapadd -l <ldif_file>
This organizational unit will form the BaseDN to which the Gatekeeper will issue searches. In this example the BaseDN will be ou=h350,dc=my-domain,dc=com.
Note: It is good practice to keep the H.350 directory in its own organizational unit, separating H.350 objects from other types of object. Access controls can then be set up which give the Gatekeeper read access only to this BaseDN, limiting its access to other sections of the directory.
2. Add the H.350 objects
Create an ldif file with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
Add the ldif file to the server using the command:
slapadd -l <ldif_file>
This will add a single H.323 endpoint with an H.323 ID alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials with ID meetingroom1 and password mypassword, which are used during authentication.
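The endpoint record above is the same for Active Directory and OpenLDAP, and hand-writing it for many endpoints is where mistakes creep in: a value that LDIF requires to be base64-encoded, a line longer than 76 columns, a missing blank line between records, or an entry placed outside the BaseDN so the Gatekeeper never finds it. The following Python script is an added example, not part of the guide and not a TANDBERG or OpenLDAP API. It generates the organizational unit and endpoint entries, applies the RFC 2849 encoding and folding rules, parses an LDIF file back and checks each entry for what the Gatekeeper needs: a DN under the BaseDN, the three object classes, the H.350 attributes, a commUniqueId that matches the RDN and an all-digit E.164 alias. The BaseDN and the MeetingRoom1 values are the guide's own; the function names and validation rules are this example's assumptions.

```python
"""Generate and check H.350 LDIF for the Gatekeeper's BaseDN.

Added example, standard library only. The BaseDN and the MeetingRoom1
values come from the guide; everything else here is an assumption.
"""
import base64
import re

BASE_DN = "ou=h350,dc=my-domain,dc=com"   # BaseDN from the guide's examples

# What the Gatekeeper needs on every endpoint entry (from the guide's LDIF)
REQUIRED_CLASSES = {"commObject", "h323Identity", "h235Identity"}
REQUIRED_ATTRS = {"commUniqueId", "h323Identityh323-ID", "h323IdentitydialedDigits",
                  "h235IdentityEndpointID", "h235IdentityPassword"}


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING: values that start with space, ':' or '<', end with
    a space, or contain non-ASCII/NUL/CR/LF must be written base64-encoded."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def ldif_line(attr: str, value: str) -> str:
    """Render 'attr: value' (or 'attr:: base64'), folding at 76 columns;
    continuation lines start with a single space."""
    if needs_base64(value):
        raw = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    else:
        raw = f"{attr}: {value}"
    pieces = [raw[:76]] + [" " + raw[i:i + 75] for i in range(76, len(raw), 75)]
    return "\n".join(pieces)


def ou_entry(base_dn: str = BASE_DN) -> str:
    """The organizational unit that becomes the Gatekeeper's BaseDN."""
    ou = base_dn.split(",", 1)[0].partition("=")[2]
    return "\n".join([ldif_line("dn", base_dn),
                      ldif_line("objectClass", "organizationalUnit"),
                      ldif_line("ou", ou)]) + "\n"


def endpoint_entry(comm_id: str, h323_id: str, dialed_digits: str,
                   h235_id: str, h235_password: str, base_dn: str = BASE_DN) -> str:
    """One H.323 endpoint with H.235 credentials, as in the guide's example."""
    if not re.fullmatch(r"[0-9]+", dialed_digits):
        raise ValueError(f"E.164 alias must contain digits only: {dialed_digits!r}")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", comm_id):
        raise ValueError(f"commUniqueId forms the RDN; keep it simple: {comm_id!r}")
    lines = [f"# {h323_id} endpoint", ldif_line("dn", f"commUniqueId={comm_id},{base_dn}")]
    lines += [ldif_line("objectClass", oc) for oc in ("commObject", "h323Identity", "h235Identity")]
    lines += [ldif_line("commUniqueId", comm_id),
              ldif_line("h323Identityh323-ID", h323_id),
              ldif_line("h323IdentitydialedDigits", dialed_digits),
              ldif_line("h235IdentityEndpointID", h235_id),
              ldif_line("h235IdentityPassword", h235_password)]
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> list:
    """Parse LDIF content records into dicts of attribute -> list of values."""
    unfolded = re.sub(r"\n ", "", text)          # join continuation lines
    records = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):                 # 'attr:: base64'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        if entry:
            records.append(entry)
    return records


def check_entry(entry: dict, base_dn: str = BASE_DN) -> list:
    """Problems that would stop the Gatekeeper finding or authenticating
    this endpoint; an empty list means the entry looks right."""
    problems = []
    dn = entry.get("dn", [""])[0]
    if not dn.lower().endswith("," + base_dn.lower()):
        problems.append(f"dn {dn!r} is outside the BaseDN {base_dn}")
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    missing = REQUIRED_ATTRS - set(entry)
    if missing:
        problems.append("missing attribute: " + ", ".join(sorted(missing)))
    if entry.get("commUniqueId", [None])[0] != dn.split(",", 1)[0].partition("=")[2]:
        problems.append("commUniqueId does not match the RDN")
    for digits in entry.get("h323IdentitydialedDigits", []):
        if not digits.isdigit():
            problems.append(f"dialedDigits {digits!r} is not an E.164 alias")
    return problems


if __name__ == "__main__":
    ldif = ou_entry() + "\n" + endpoint_entry("comm1", "MeetingRoom1", "626262",
                                              "meetingroom1", "mypassword")
    print(ldif)                                   # feed this to slapadd -l / ldifde -i -f
    for record in parse_ldif(ldif)[1:]:
        print(record["dn"][0], check_entry(record) or "ok")
```

Write the printed output to a file and load it with slapadd -l (or ldifde -i -f on Active Directory). Running check_entry over an export of the existing directory is a quick way to find endpoints that were added by hand outside the BaseDN or without the h235Identity class, which show up at the Gatekeeper only as failed registrations.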
18.2.4. Securing with TLS
The connection to the LDAP server can be encrypted by enabling Transport Layer Security (TLS) on the connection. To do this you must create an X.509 certificate for the LDAP server so that the Gatekeeper can verify the server's identity. Once the certificate has been created you will need to install the following three files associated with the certificate onto the LDAP server:
The certificate for the LDAP server.
The private key for the LDAP server.
The certificate of the Certificate Authority (CA) that was used to sign the LDAP server's certificate.
All three files should be in PEM file format.
The LDAP server must be configured to use the certificate. To do this, edit /etc/openldap/slapd.conf and add the following three lines:
TLSCACertificateFile <path to CA certificate>
TLSCertificateFile <path to LDAP server certificate>
TLSCertificateKeyFile <path to LDAP private key>
The OpenLDAP daemon (slapd) must be restarted for the TLS settings to take effect.
For more details on configuring OpenLDAP to use TLS consult the OpenLDAP Administrator's Guide.
To configure the Gatekeeper to use TLS on the connection to the LDAP server you must upload the CA's certificate as a trusted CA certificate. To do this, navigate to Gatekeeper Configuration > Files and upload the certificate.
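The three TLS directives above and the earlier note about giving the Gatekeeper read access only to its BaseDN fit together in one slapd.conf. The fragment below is an added example configuration, not from the guide or from TANDBERG. It assumes that the Gatekeeper binds as cn=gatekeeper,ou=services,dc=my-domain,dc=com, that the PEM files live under /etc/openldap/certs/, and that the database backend is bdb; the schema include lines, the TLS directive names and the BaseDN are the guide's own.

```conf
# Example fragment for /etc/openldap/slapd.conf (added example, not from the guide).
# Assumptions: the Gatekeeper binds as cn=gatekeeper,ou=services,dc=my-domain,dc=com,
# the PEM files live under /etc/openldap/certs/, and the backend is bdb.

# --- global section ---
include   /etc/openldap/schema/core.schema          # shipped with OpenLDAP
include   /etc/openldap/schemas/commobject.ldif
include   /etc/openldap/schemas/h323identity.ldif
include   /etc/openldap/schemas/h235identity.ldif

# Server certificate, its private key and the CA that signed it (all PEM)
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/ldap-server.pem
TLSCertificateKeyFile  /etc/openldap/certs/ldap-server.key
# Refuse any operation on a connection whose TLS strength is below 128 bits,
# so H.235 passwords never cross the network in cleartext
security  tls=128

# --- database section ---
database  bdb
suffix    "dc=my-domain,dc=com"
rootdn    "cn=Manager,dc=my-domain,dc=com"
# rootpw is set out of band; the rootdn bypasses the access rules below

# The Gatekeeper has to read the H.235 password to check endpoint credentials;
# nobody else (not even the entry itself) may read it. The most specific rule
# comes first, because slapd applies the first 'access to' clause whose
# target matches.
access to dn.subtree="ou=h350,dc=my-domain,dc=com" attrs=h235IdentityPassword
    by dn.exact="cn=gatekeeper,ou=services,dc=my-domain,dc=com" read
    by * none

# Everything else under the BaseDN: read-only for the Gatekeeper
access to dn.subtree="ou=h350,dc=my-domain,dc=com"
    by dn.exact="cn=gatekeeper,ou=services,dc=my-domain,dc=com" read
    by * none

# The Gatekeeper's own bind: anonymous may use userPassword only to authenticate
access to dn.subtree="ou=services,dc=my-domain,dc=com" attrs=userPassword
    by anonymous auth
    by * none

# The rest of the directory stays invisible to the Gatekeeper and to anonymous
access to *
    by * none
```

Run slaptest -f /etc/openldap/slapd.conf before restarting slapd to catch syntax errors. With security tls=128 in place, a Gatekeeper that has not been given the CA certificate fails to bind rather than silently falling back to a cleartext connection, which is the failure mode you want; a Gatekeeper that binds correctly can search ou=h350 and read h235IdentityPassword, but cannot read or modify anything else in the directory.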