Securing LDAP on Meetingplace Express
Hello,
I'm looking to harden the security of a MeetingPlace Express (V2.0.1.15).
SSL has been implemented successfully resulting in https browsing only.
The next step is to integrate with AD for user authentication over a secure link. The Bind requests currently are simple (i.e. clear text userid and password) which is not secure.
Can anyone advise on how this can be configured to use SSL/TLS for the LDAP queries? This is a standalone MPX in that I do not have a Cisco Call Manager to secure the queries.
Thanks.
You will need to install the AD Plugin for CallManager before this.
Complete these steps in order to integrate MeetingPlace Express with Active Directory (AD):
- Log in to Cisco Unified MeetingPlace Express.
- Choose Administration at the top of the page.
- On the left side of the page:
  - Choose System Configuration.
  - Choose Usage Configuration.
- Configure these fields:
  - Cisco CallManager version: Set this field to Cisco Unified CallManager Release 4.x.
  - LDAP URL: Set this field:
    - Make sure that this URL starts with ldap, not http. For example, ldap://server-ip-address:port/
    - Make sure that there are no spaces after the URL.
  - Directory username: Use the format of an LDAP distinguished name, for example:
  - Password: Use the password that was specified during the Cisco Unified CallManager installation.
  - Cisco base
  - User base
  - Directory type
- Click Save.
Similar Messages
-
LDAP Integration issue- MeetingPlace Express 2.1.1.2
Hello ,
I have successfully installed Cisco Unified MeetingPlace Express 2.1.1.2.
I am able to make audio/web conferences, but I am unable to integrate with LDAP.
While I am testing the LDAP configuration I am getting the error below:
" Error while testing AXL configuration. Cisco Unified Communications Manager
is not available "
Attached are the LDAP configuration and the error.
It would be great if anyone can help me with this.
Thanks,
Sam
Thanks Java,
I followed the same document for the LDAP configuration.
Previously it was working for a short time.
In the RTMT logs I am able to see MPX contacting CUCM.
Attached are the RTMT AXL/MPX logs.
Thanks ,
Sam -
MeetingPlace Express and LDAP Directory
Hello Folks,
I have got 2 questions:
1)Is there a built-in synch AD between CallManager and MeetingPlace Express? I would like to be able to add new people added in the CallManager to MPE directory automatically? Would it be possible?
2)can we add extra attendees on the fly if we go over
Thanks,
Bahman,
You can set up an import file to bulk add profiles. Check the Importing Data into Meetingplace Express section.
http://www.cisco.com/en/US/products/ps6533/products_administration_guide_chapter09186a00805edd00.html
Best practices recommend that you set up floater and overbook ports using the formula specified in this link.
http://www.cisco.com/en/US/products/ps6533/products_administration_guide_chapter09186a0080579c3a.html#wp1054721
You can also read more about Floater and overbook ports here
http://www.cisco.com/en/US/products/ps6533/products_administration_guide_chapter09186a0080579c3a.html#wp1054072
HTH
Sankar
PS: please remember to rate posts! -
MeetingPlace Express can support Active Directory?
We are running MeetingPlace Express v1.1.2.1001. I was wondering if it is possible to use MS Active Directory integration? The purpose would be to enable us to select "from directory" under invitees when scheduling a meeting and it would pull the users/e-mail addresses from MS Active Directory.
I noticed under System Configuration, Usage Configuration, in the LDAP section you can select Directory Type Active Directory. However I cannot find any documentation on integrating MS A/D.
If not, any word on the best way to get this integrated in a MS A/D environment?
ryan
Active Directory is supported for authentication, but I don't believe it is for profile related information though I may be incorrect.
Once you set the Active Directory parameters via the Usage Configuration screen, you must set the "isLocalUser" parameter to "No" during the import of user profiles. You cannot set this parameter from the User Profiles page, only via an import of user profile information.
Once you've set the isLocalUser parameter to No, MPE will look to AD for user authentication. -
How to change system time on Cisco MeetingPlace Express Server
How to change system time on Cisco MeetingPlace Express Server
Model MCS-7825-I4
Hi Vijay,
As per the install guide for MPX 1.x as well as 2.x "Caution! Be sure you enter the correct date and time. You must reinstall the Cisco Unified MeetingPlace Express operating system and application if you need to change the date or time of your server in the future."
http://docwiki.cisco.com/wiki/Cisco_Unified_MeetingPlace_Express,_Release_2.x_--_Configuring_the_Cisco_Unified_MeetingPlace_Express_Server#Configuring_the_Cisco_Unified_MeetingPlace_Express_Server
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/meetingplace_express/1_2/english/installation/guide/iug/mpxinst3.html
HTH
Manish -
Disk space problem on MeetingPlace Express
I get the email below daily. I'm thinking it's ok to cat /dev/null the cma.log file?
I also think I might be able to do the same thing to stdout.old?
Anything else I should try other than the instructions?
* Directory listing
[mpxadmin@meeting ConfSchd]$ ls -la
total 3036516
drwxrwxr-x 2 mpxadmin mpx 4096 Aug 2 13:27 .
drwxrwxr-x 17 root mpx 4096 Nov 4 2009 ..
-rw-rw-r-- 1 mpxadmin mpx 0 Nov 4 2009 ActConf.lk
-rw-rw-r-- 1 mpxadmin mpx 0 Nov 4 2009 Attach.lk
-rw-rw-r-- 1 mpxadmin mpx 4 Dec 22 2012 confId
-rw-rw-rw- 1 mpxadmin mpx 391 Apr 5 2010 pegstats
-rw-rw-r-- 1 mpxadmin mpx 255639 Aug 2 14:25 stderr
-rw-rw-r-- 1 mpxadmin mpx 1152127 Dec 22 2012 stderr.old
-rw-rw-r-- 1 mpxadmin mpx 516106727 Aug 2 16:50 stdout
-rw-rw-r-- 1 mpxadmin mpx 2588797008 Dec 22 2012 stdout.old
-rw-rw-r-- 1 mpxadmin mpx 0 Nov 4 2009 TCMap.lk
[mpxadmin@meeting ConfSchd]$
* EMAIL
This is an automated message from the MeetingPlace Express system with
hostname [meeting.afgrp.com] to inform you that disk space is low.
Details on where the problem is and how to resolve it are indicated below.
Low space in partition /. Percent used = [90].
The following files might cause trouble. However, inspect each one to make sure.
Look specifically for large files with old timestamps. Also, note that some of
the files indicated might have been previously mentioned. In this case, use the
prior instructions to handle these files rather than the instructions below.
If you are uncertain, contact Cisco TAC for confirmation/advice.
For the files below, use the following procedure to empty these files rather than
delete them outright.
1. For each file to be emptied do:
cat /dev/null > <filename>
2. After all files that you wish to empty have been emptied, do:
su // Enter 'root' password.
mpx_sys restart
-rw-rw-r-- 1 mpxadmin mpx 283120801 Apr 11 02:00 /var/mp/ConfSchd/stdout
-rw-r----- 1 root root 127007041 Dec 22 05:30 /var/spool/compaq/cma.log
In general, to free up disk space where it is uncertain exactly what files are in question,
do the following:
1. In general, go to places like /root, /mpxadmin, /tmp and do "ls -la" to look
for large files. If a file is large, old, and seems like some kind of log or
error file, it could be a candidate for deletion.
2. Generally files of type log (*.log), stderr, stdout, or txt (*.txt) are the
best candidates to look for. A good command to look for these types of
files with size of 10,000,000 bytes or larger is:
find / -name "<file type>" -exec ls -la {} \; | awk '{if($5 >= 10000000) {print} }'
For example, to look for all log files 10,000,000 bytes or larger on
the entire system:
find / -name "*.log" -exec ls -la {} \; | awk '{if($5 >= 10000000) {print} }'
3. If you have a specific problem partition that you are trying to reduce size
for, do the following:
1. Find out the directory name of the top of the partition from "df".
2. "cd" to that location.
3. Then do: du -x -b --max-depth=1
4. Look for the directories that are really large.
5. Then "cd" into the worst subdirectory (or subdirectories).
6. Get a list of all large files from current directory location and lower:
(This example assumes 10,000,000 bytes and a check for .log files.
Note the starting location of '.' (current location) rather
than '/' (entire disk) ).
find . -name "*.log" -exec ls -la {} \; | awk '{if($5 >= 10000000) {print} }'
Complete output of the 'df' command:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 6048320 5111204 629876 90% /
/dev/sda6 4032092 767336 3059932 21% /common
/dev/sda2 8064304 6492268 1162380 85% /db
/dev/sda9 256667 8416 234999 4% /grub
/dev/sda7 122154520 110696 115838720 1% /mpx-record
/dev/sda5 5036284 3577128 1203324 75% /opt
/dev/sda3 6048352 109032 5632080 2% /partB
none 1026932 22624 1004308 3% /dev/shm
Hi Josh,
It seems that the root partition of the MeetingPlace Express server is almost full. I have attached a document for your reference which can be used to minimize the disk space issues.
Once the steps mentioned in the attached document are completed, run the command "df" to check the disk space.
If you do not see much improvement in the root partition, then in that case some other files might need to be removed from the server to increase the root partition space.
If any of the partitions reach up to 90% or above, then the server might behave unexpectedly.
Feel free to revert if you face any issues or have any queries.
Regards,
Rishabh -
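The search-and-empty procedure from the automated e-mail in the thread above, as an added shell example that is not part of the original posts or of Cisco's tooling. It lets find test the file size itself instead of parsing `ls` columns and confirms that emptying keeps the file's inode; the function names, the sample tree and the scaled-down 10,000-byte threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: not part of the MeetingPlace Express e-mail or Cisco tooling.

# Print regular files under DIR that are at least MIN_BYTES long and are named
# like the e-mail's candidates (*.log, *.txt, stdout*, stderr*), sorted, one
# path per line. -xdev keeps find on DIR's own filesystem, like "du -x".
large_logs() {
    dir=$1
    min_bytes=$2
    [ "$min_bytes" -ge 1 ] 2>/dev/null || return 2
    # "-size +Nc" means strictly more than N bytes, so N-1 gives ">=".
    find "$dir" -xdev -type f \
        \( -name '*.log' -o -name '*.txt' -o -name 'stdout*' -o -name 'stderr*' \) \
        -size +"$((min_bytes - 1))"c -print | LC_ALL=C sort
}

# Empty FILE in place, as the e-mail's "cat /dev/null > <filename>" does.
# Truncating keeps the inode, so a process that still has the file open goes
# on writing to the same file; symlinks and non-regular files are refused.
empty_in_place() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        return 1
    fi
    inode_before=$(ls -i "$file" | awk '{print $1}')
    : > "$file" || return 1
    inode_after=$(ls -i "$file" | awk '{print $1}')
    [ "$inode_before" = "$inode_after" ] && [ ! -s "$file" ]
}

# Build a constructed sample tree (sizes scaled down from the e-mail's
# 10,000,000-byte threshold) and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/ConfSchd" "$root/old logs"
    dd if=/dev/zero of="$root/ConfSchd/stdout" bs=20000 count=1 2>/dev/null
    dd if=/dev/zero of="$root/ConfSchd/stdout.old" bs=30000 count=1 2>/dev/null
    dd if=/dev/zero of="$root/ConfSchd/stderr" bs=500 count=1 2>/dev/null
    dd if=/dev/zero of="$root/old logs/cma copy.log" bs=15000 count=1 2>/dev/null
    dd if=/dev/zero of="$root/data.bin" bs=50000 count=1 2>/dev/null
    printf '%s\n' "$root"
}

# Demo on the constructed tree: list the candidates, empty one, clean up.
tree=$(make_sample_tree)
large_logs "$tree" 10000
empty_in_place "$tree/ConfSchd/stdout" && echo "emptied: $tree/ConfSchd/stdout"
rm -rf "$tree"
```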
MeetingPlace Express 2.1.1.2 Dial Out was not Successful
I'm configuring a MeetingPlace Express v.2.1.1.2 and I can't make the MPX do the call to the guests of a meeting.
I make the configuration test in: Services > Logs > Verify Configuration > Call configuration verification and show the following error:
==============================================================
==============================================================
Call-Config Report
Summary
WARNING:The H.323 ID should match the host name
Valid E.164 Address has been configured
H.323 gateway has been configured
Error: Dial Out was not Successful
Call-Config Report Details
H.323 Details
H.323 enabled : YES
E.164 address : 196
H.323 ID : mpxadmin
H.323 gateway 1 : 010.145.002.030
SIP enabled : YES
DialOut Session Summary
VUI Configuration: 250 Sessions, 250 Confs
*** VUI INTERNAL STATUS UTILITY ***
DebugMenu:
1) Quick Status of all Ports 4) Make Test Call
2) Verbose Status of Port Range 5) Show All Confs
3) Display complete Port Information 0) Quit
Enter the Command (0 -- 100) []: You entered 4.
Enter destination for your call: The Telephone Number is 196. Len is 3
Do you want specific ports? (t -- F): You entered f.
Placing Call .....Call was unsuccessful: Ring No Answer.
DebugMenu:
1) Quick Status of all Ports 4) Make Test Call
2) Verbose Status of Port Range 5) Show All Confs
3) Display complete Port Information 0) Quit
Enter the Command (0 -- 100) []: You entered 0.
==============================================================
==============================================================
That parameter could check?
Here I place information on the configuration of my network:
CUCM v.7.0 --> 10.145.2.10
Voice Gateway --> 10.145.2.30
In CUCM > Device > Gateway --> Gateway: 10.145.2.20 | Description: Cisco MeetingPlace Express | Type: H.323 Gateway | IP: 10.145.2.20
Please expect your valuable help!
Thanks a lot!
ErnestoG
Hi Ernesto,
As the problem you are facing is a dial out issue on MPE, go
through the checklist mentioned below in order to confirm the configuration
is intact.
Here is the checklist :
1. Ensure that H323 GW is defined on CCM/CUCM.
Device > Gateway > find.
Look for a device name that equals either MPE's hostname, FQDN, or IP
Address.
2. Ensure that h323 Gateways are configured on MPE.
MPE Administration Center > System Configuration > Call Configuration > H323
Configuration
Ensure that h323 is enabled.
Ensure that you have entered your CCM's IPs in h323 Gateway 1, 2
3. Ensure that CCM's interface with MPE is up.
Ensure that MPE's IP Address is listed under the "IP Address" column.
Ensure that this IP Address is that of the FIRST NIC on MPE, not the second.
4. Verify that MPE has the CSS required to call the destination.
FIRST, FIND MPE's CSS:
When MPE places a call, the CSS in question is Device > Gateway > MPE-GW >
Inbound
THEN the relevant config is under Device > "Call Routing Information -
Inbound Calls" > Calling Search Space
SECOND, FIND DESTINATION PATTERN's PARTITION:
If the destination is an IP Phone within the CCM/CUCM Cluster, then the
relevant config is under Device > Phone > click on Directory Number in CCM.
If the destination is a PSTN endpoint/phone, then the relevant config is
under Device > Route Pattern.
5. Ensure that your user profile is set to allow outdials.
MPE Administration Center > User Configuration > User Profile Management >
Your User Profile > Can call out of meetings should be set to "Yes".
6. When you place a call from the CLI, the system applies permissions
from the "Guest" User profile since mpxadmin or root are not Users within
the MPX application. To allow this to work, you need to verify two
settings:
MPE Administration Center > User Configuration > User Profile Management >
Guest > Can call out of meetings should be set to "Yes".
Ensure that the Guest profile is not in a "locked" state.
MPE Administration Center > System Configuration > Usage Configuration >
Allow Guest outdials should be set to "Yes".
Hope this helps!
Thanks,
Karthik -
CUCM 6 with MeetingPlace Express
Hello,
I have CUCM 6.1 integrated with MeetingPlace Express VT and everything is set up. However, when I test with trying to conference more than 2 users the video ends on everybody's desktop. When it is just 2 users the video shows up fine as soon as I conference in the next person it kicks the video off. Any help would be appreciated
Thanks!
Sorry, forgot to mention that I have configured everything in CUCM and Meetingplace and created the Video conference bridge and added it to the MRGL. It shows the bridge as registered in both CUCM & MPE
Thanks! -
Connect to secure LDAP server from iWS 4.1
I am trying to connect to a secure LDAP server that is expecting client authentication. I installed a client cert (provided by the LDAP admin) on the iWS admin server, and I can search/view user records housed on the LDAP server.
However, when I try to use an iWS webserver to restrict access to a resource using the LDAP, it appears that I have to install the client cert on that webserver as well. The problem is, that if the webserver is not a secure webserver, there appears to be no way to do this. That is, I cannot use a non-secure webserver (not running https) to access the secure LDAP server.
When I install the client cert on the non-secure webserver, I have to create a Trust Database, providing a password. I can then install the client cert that I need to access the LDAP server, but when I go to restart the non-secure webserver, it complains that it can't read the cert database ("NSS initialization failed: -8177"), and attempts to authenticate users fail.
If the webserver is running https, a secure webserver, that is, everything works fine: I can install the client cert, and use the LDAP to authenticate users.
Is there any way to configure a non-secure iWS webserver so that it can read its Trust Database? Or some way to store client certs that does not require a Trust Database?
I don't believe so. As far as I know, this capability was first introduced in iPlanet Web Server 6.0.
-
MeetingPlace Express Assistance
Hi All,
We have MeetingPlace Express version 2.1.1.2.
We need to configure it to accept any user to make a non-scheduled conference directly, without requesting the user to enter his profile ID and profile password, and without the need to add the data of the users into the MeetingPlace.
We just need it to act as an audio conference bridge, so we need the user to dial the MeetingPlace number, then he can enter a certain password (one password for all our staff) to enable our employees to log into the MeetingPlace, and then get the Meeting ID and Meeting password and start the meeting.
Sherif,
You are going to want to export using all of the headers and leaving them intact in the import file. You will want to follow the steps below for a successful import as the system is really sensitive that the data is formatted a certain way.
Create a test user profile in MPE manually so that you can get the file format of the import file with the headers.
Export User Profiles.
Export this test user profile to a file and include the header information.
This will create a User_Profiles.txt file that you will save and then open up in Excel. (Follow these steps below to ensure that the file is formatted correctly)
1. Within Excel, click on the Open tool on the toolbar. Excel displays the Open dialog box. (To display this dialog box in Excel 2007/2010, click the Office button and then click on Open.)
2. Using the Files of Type drop-down list at the bottom of the dialog box, indicate that you want to open Text Files (*.prn; *.txt; *.csv).
3. Select the saved export file.
4. Click on Open. Excel starts the Text Import Wizard, displaying the Step 1 of 3 dialog box.
5. Make sure the Delimited choice is selected, then click on Next. Excel displays the Step 2 of 3 dialog box.
6. Select Comma as a delimiter, then click on Next. Excel displays the Step 3 of 3 dialog box.
7. Click on Finish. Your file is imported.
8. Once the file is opened up in Excel, import your users into this spreadsheet so that they conform to the necessary format and the required headers. Next, find the "isLocalUser" field and set the parameter value for all user profiles from "No" to "Yes". Then find the EncryptedProfilePWD and EncryptedUserPWD fields. Remove the 'Encrypted' portion of the field name in the header so that they now read ProfilePWD and UserPWD. Make sure the value for the ProfilePWD for these user profiles is a standard alpha password (cisco). Then make sure the value for the UserPWD for these user profiles is a standard numeric password (12345). You may just be able to leave them as they are from your import.
9. Save the file with the changes.
10. Go to the Application MPE Web Page and then Maintenance-->Import Data-->Import User Profiles.
11. Select 'Add Profiles To System', select file to import, and set Overwrite field to 'Yes'. (You should also set the log information to file option.)
12. Hit 'Execute' to import the user profiles to the system.
13. Once this is completed successfully, then go check the User Profile configuration to ensure that all users are imported correctly into MPE.
If you run into any problems with this procedure, please open an SR with TAC so that we can assist further.
Thank You,
Gerry -
MeetingPlace Express strange problem !
Environment:
MeetingPlace Express 1.1.1.11
CallManager 4.1(3)sr2
Voice Gateway 1: 2821 (c2800nm-advipservicesk9-mz.124-4.T.bin) + VIC2-4FXO
Voice Gateway 2: 2621XM (c2600-advipservicesk9-mz.123-14.T5.bin) + NM-2V + 2* VIC-2FXO
VG1 connect to CallManager using H.323, VG2 connect to CallManager using MGCP
MeetingPlace Express connect to CallManager using H.323.
Problem:
When dialing in from the PSTN to VG1 and VG2, both work well; but when using the "Find-Me" feature, where MeetingPlace Express dials out to the user, users via VG2 can send DTMF to MeetingPlace Express, but users via VG1 cannot send any DTMF digit to MeetingPlace Express. So users via VG1 cannot enter the meeting.
For more information the following URL would be useful:
http://www.cisco.com/en/US/products/ps6533/products_installation_guide_book09186a008057b547.html -
MeetingPlace Express User ID Change
I am running MeetingPlace Express 2.1.1.2 and it is AD/CCM Integrated. We are in the process of changing our AD User login ID and I may have run into a problem. From the Call Manager perspective I just perform a full sync and it is good when a change is made.
However I cannot modify the user ID in Meeting Place Express. In reading the online help, it says "Deleting a user profile also results in the removal of all meetings scheduled by that user from the end-user web interface; however, any meetings scheduled by that user still exist in the system". Does that not contradict itself?
When I add the user back with the same profile ID, will it re-associate the scheduled meetings? Also, is there a way to manually modify/sync the user id rather than deleting and re-adding?
Thanks, in advance.
Doug
I still don't understand how and when you are encountering that obstacle, but nevertheless if you cannot surmount it you will have to solicit Apple's help.
Apple can reset your iPhone if you present them its original, dated sales receipt. I believe you will have to do that in person at an Apple Store or an Apple Authorised Service Provider. -
MeetingPlace Express callout feature not working
Hello ,
we have Cisco Unified MeetingPlace Express 2.1.1.2 .
I am able to make audio/web conferences.
But the call out facility is not working.
Please let me know what configuration needs to be done to get the call out facility on CUMP.
The call out features below are not working:
1- Call alarm
2- Operator assistance while dialing 0
3- Dialing from web conf
4- Dialing from phone view
CUCM version 7.1
I have configured MeetingPlace as h.323 h/w in CUCM
Thanks ,
Shaijal
Hello,
After restarting CUMP server my problem got resolved .
I gave below command to restart the system from the root .
/sbin/shutdown -r now
Thanks,
Shaijal -
Secured LDAP implementation in Oracle BI
Hi All,
Can anyone tell me how can I implement the secured LDAP in Oracle BI as I have enabled SSL certificate box during the LDAP configuration in the Oracle BI Repository. Is this enough to say that we have implemented secured LDAP or there is something more that I need to do.
Thanks!
In terms of securing your LDAP credentials you probably want the OBIEE Presentation Layer as well to be running over HTTPS otherwise the user LDAP credentials will be sent over a clear text HTTP session (although it might not be an issue for you as the BI Server and the Presentation Services might be running on the same box).
-
Secure LDAP for GWIA Address book
I've setup the GWIA 7.0.3 May 2009 code set and configured for Secure LDAP.
I'm using the same *.b64 and *.key files we use for all our POA and MTAs.
I cannot get the Novell LDAP address book to connect to 636.
Is there a document I can use to help me figure this out.
I can revert to 389 but that port is not open through the firewall.
Mike
POP and IMAP both work on secure port
>>>
From: jgrubbs<[email protected]>
To:novell.support.groupwise.7x.gwia
Date: 9/9/2009 6:36 PM
Subject: Re: Secure LDAP for GWIA Address book
Does POP3 work on the secure port?
-- Jeff Grubbs
Novell Technical Support Engineer II
[email protected]
jgrubbs's Profile: http://forums.novell.com/member.php?userid=41638
View this thread: http://forums.novell.com/showthread.php?t=385674