Appendix B: Configuring LDAP Servers. TANDBERG Gatekeeper



TANDBERG Gatekeeper User Guide

18. Appendix B: Configuring LDAP Servers

18.1. Microsoft Active Directory

18.1.1. Prerequisites

These comprehensive step-by-step instructions assume that Active Directory is installed. For details on installing Active Directory please consult your Windows documentation.

The following instructions are for Windows Server 2003 Enterprise Edition. If you are not using this version of Windows, your instructions may vary.

18.1.2. Adding H.350 objects

1. Create the organizational hierarchy

Open up the Active Directory Users and Computers MMC snap-in. Under your BaseDN right-click and select New Organizational Unit. Create an Organizational unit called h350.

Note: It is good practice to keep the H.350 directory in its own organizational unit to separate H.350 objects from other types of objects. This allows access controls to be set up which only allow the Gatekeeper read access to the BaseDN and therefore limit access to other sections of the directory.

2. Add the H.350 objects

Create an ldif file with the following contents:

# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword

Add the ldif file to the server using the command:

ldifde -i -c DC=X <ldap_base> -f filename.ldf

This will add a single H.323 endpoint with an H.323 Id alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials of id meetingroom1 and password mypassword, which are used during authentication.

Page 95 of 105

18.1.3. Securing with TLS

To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:

- Be located in the Local Computer's Personal certificate store. This can be seen using the Certificates MMC snap-in.

- Have its associated private key stored locally. When viewing the certificate you should see the message "You have a private key that corresponds to this certificate".

- Have a private key that does not have strong private key protection enabled. This is an attribute that can be added to a key request.

- Have the Enhanced Key Usage extension include the Server Authentication object identifier; this also forms part of the key request.

- Be issued by a CA that both the domain controller and the client trust.

- Include the Active Directory fully qualified domain name of the domain controller in the common name of the subject field and/or as a DNS entry in the subject alternative name extension.

18.2. OpenLDAP

18.2.1. Prerequisites

These instructions assume that an OpenLDAP server has already been installed. For details on installing OpenLDAP see the documentation at http://www.openldap.org.

The following examples use a standard OpenLDAP installation on the Linux platform. For installations on other platforms the location of the OpenLDAP configuration files may be different. See the OpenLDAP installation documentation for details.

18.2.2. Installing the H.350 schemas

The following ITU specifications describe the schemas which must be installed on the LDAP server:

H.350 - Directory services architecture for multimedia conferencing: an LDAP schema to represent endpoints on the network.

H.350.1 - Directory services architecture for H.323: an LDAP schema to represent H.323 endpoints.

H.350.2 - Directory services architecture for H.235: an LDAP schema to represent H.235 elements.

The schemas can be downloaded in ldif format from the web interface on the Gatekeeper. To do this, navigate to Gatekeeper Configuration > Files and click on the links for the LDAP schemas.

Copy the downloaded schemas to the OpenLDAP schema directory:

/etc/openldap/schemas/commobject.ldif

/etc/openldap/schemas/h323identity.ldif

/etc/openldap/schemas/h235identity.ldif

Edit /etc/openldap/slapd.conf to add the new schemas. You will need to add the following lines:

include /etc/openldap/schemas/commobject.ldif
include /etc/openldap/schemas/h323identity.ldif
include /etc/openldap/schemas/h235identity.ldif

The OpenLDAP daemon (slapd) must be restarted for the new schemas to take effect.

18.2.3. Adding H.350 objects

1. Create the organizational hierarchy

Create an ldif file with the following contents:

# This example creates a single organizational unit to contain
# the H.350 objects
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350

Add the ldif file to the server using the command:

slapadd -l <ldif_file>

This organizational unit will form the BaseDN to which the Gatekeeper will issue searches. In this example the BaseDN will be ou=h350,dc=my-domain,dc=com.

Note: It is good practice to keep the H.350 directory in its own organizational unit to separate H.350 objects from other types of objects. This allows access controls to be set up which only allow the Gatekeeper read access to the BaseDN and therefore limit access to other sections of the directory.

2. Add the H.350 objects

Create an ldif file with the following contents:

# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword

Add the ldif file to the server using the command:

slapadd -l <ldif_file>

This will add a single H.323 endpoint with an H.323 Id alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials of id meetingroom1 and password mypassword, which are used during authentication.
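The note under step 1 recommends access controls that give the Gatekeeper read access to the BaseDN and nothing else. The slapd.conf fragment below is an added example, not configuration from the manual; it assumes the Gatekeeper binds to OpenLDAP as cn=gatekeeper,dc=my-domain,dc=com (substitute the bind DN configured on your Gatekeeper) and that the BaseDN is ou=h350,dc=my-domain,dc=com as in the example above.

```conf
# Added example (not from the TANDBERG manual). slapd evaluates "access to"
# clauses in order and stops at the first one whose target matches, so the
# rules for the H.350 subtree must precede the catch-all at the end.
# Assumed Gatekeeper bind DN: cn=gatekeeper,dc=my-domain,dc=com

# The H.235 password is read by the Gatekeeper for endpoint authentication
# but must not be readable by anyone else, so it gets its own clause.
access to dn.subtree="ou=h350,dc=my-domain,dc=com" attrs=h235IdentityPassword
        by dn.exact="cn=gatekeeper,dc=my-domain,dc=com" read
        by * none

# The remaining H.350 attributes: read-only for the Gatekeeper, hidden from others.
access to dn.subtree="ou=h350,dc=my-domain,dc=com"
        by dn.exact="cn=gatekeeper,dc=my-domain,dc=com" read
        by * none

# Everything outside the BaseDN is invisible to the Gatekeeper bind
# (the rootdn used by slapadd bypasses ACLs, so loading data still works).
access to *
        by * none
```

After restarting slapd, an ldapsearch bound as the Gatekeeper DN (ldapsearch -D "cn=gatekeeper,dc=my-domain,dc=com" -W -b "dc=my-domain,dc=com") should return only entries under ou=h350, and the same search bound anonymously should return nothing.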

18.2.4. Securing with TLS

The connection to the LDAP server can be encrypted by enabling Transport Layer Security (TLS) on the connection. To do this you must create an X.509 certificate for the LDAP server to allow the Gatekeeper to verify the server's identity. Once the certificate has been created you will need to install the following three files associated with the certificate onto the LDAP server:

- The certificate for the LDAP server.

- The private key for the LDAP server.

- The certificate of the Certificate Authority (CA) that was used to sign the LDAP server's certificate.

All three files should be in PEM file format.

The LDAP server must be configured to use the certificate. To do this, edit /etc/openldap/slapd.conf and add the following three lines:

TLSCACertificateFile <path to CA certificate>
TLSCertificateFile <path to LDAP server certificate>
TLSCertificateKeyFile <path to LDAP private key>

The OpenLDAP daemon (slapd) must be restarted for the TLS settings to take effect.

For more details on configuring OpenLDAP to use TLS consult the OpenLDAP Administrator's Guide.

To configure the Gatekeeper to use TLS on the connection to the LDAP server you must upload the CA's certificate as a trusted CA certificate. To do this, navigate to Gatekeeper Configuration > Files and upload the certificate.
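Both "Securing with TLS" sections (Active Directory in 18.1.3 and OpenLDAP here) come down to the same two conditions on the client side: the server certificate must chain to the CA certificate uploaded to the Gatekeeper, and it must carry the server's fully qualified domain name as the subject common name or as a DNS subject alternative name. The script below is an added example, not code from the manual, for checking those conditions from a host that can reach the LDAP server; it uses only the Python standard library. probe() opens an LDAPS connection (port 636 is an assumption; the manual does not state a port) and validates the chain against the CA file, and check_cert() examines the naming and the expiry date of a certificate in the dictionary form returned by ssl's getpeercert(). The Enhanced Key Usage requirement from 18.1.3 is not exposed in that dictionary and must be confirmed with the CA tooling instead. SAMPLE_CERT is a constructed certificate for illustration.

```python
"""Check an LDAP server's TLS certificate against the appendix's requirements.

Added example, not part of the TANDBERG Gatekeeper manual. Standard library only.
"""
from __future__ import annotations

import socket
import ssl
import time


def subject_cn(cert: dict) -> list[str]:
    """All commonName values from a getpeercert()-style subject (tuple of RDN tuples)."""
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn if attr == "commonName"]


def san_dns(cert: dict) -> list[str]:
    """All DNS entries from the subjectAltName extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_names(cert: dict, fqdn: str) -> list[str]:
    """Return naming problems: the FQDN must be the subject CN or a DNS SAN (case-insensitive)."""
    wanted = fqdn.lower()
    cns = [c.lower() for c in subject_cn(cert)]
    sans = [s.lower() for s in san_dns(cert)]
    if wanted not in cns and wanted not in sans:
        return [f"{fqdn} is neither the subject CN {cns} nor a DNS SAN {sans}"]
    return []


def check_cert(cert: dict, fqdn: str, now: float | None = None) -> list[str]:
    """Naming check plus expiry; 'now' is injectable for offline testing."""
    problems = check_names(cert, fqdn)
    not_after = cert.get("notAfter")
    if not_after:
        expires = ssl.cert_time_to_seconds(not_after)  # parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
        if expires <= (time.time() if now is None else now):
            problems.append(f"certificate expired at {not_after}")
    return problems


def probe(host: str, fqdn: str, cafile: str, port: int = 636, timeout: float = 5.0) -> list[str]:
    """Connect over LDAPS, validate the chain against cafile, then check names and expiry.

    Chain validation failures are reported rather than raised so one run lists
    every problem the Gatekeeper would also hit.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # name mismatch is reported by check_cert instead of raising
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate against the CA file
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"chain does not validate against {cafile}: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"connection to {host}:{port} failed: {exc}"]
    return check_cert(cert, fqdn)


# Constructed sample in getpeercert() form: a domain controller certificate that
# names the FQDN in both the CN and a DNS SAN and is valid until 2030.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.my-domain.com"),),),
    "subjectAltName": (("DNS", "dc1.my-domain.com"), ("DNS", "my-domain.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print("sample cert problems:", check_cert(SAMPLE_CERT, "dc1.my-domain.com") or "none")
    # Live check against a real server (hostnames and path are placeholders):
    # print(probe("dc1.my-domain.com", "dc1.my-domain.com", "/path/to/ca.pem"))
```

Run probe() from the Gatekeeper's network segment with the same CA file you upload under Gatekeeper Configuration > Files; an empty list means the chain validates and the name the Gatekeeper will connect to is actually in the certificate.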
