Supporting End Users, the sequel. So I'd like to pick up where
we left off in the last nugget, which was we just left off at
creating users using CCM administration as well as talking to
the benefit of creating users and associating them with
phones. Not only for the user being able to do some of the administration
of the phone themselves, but also for a lot of the future applications,
with what's coming as we combined data and Voice together into
one unified system. But I'd like to jump things around again,
which might not make sense at first until you understand. I'm
going to go straight from CCM administration all the way down
here to BAT. And the reason I'm going to make that jump
is once we enable LDAP integration and tie call manager and
active directory into one unified system, then we're not going to
be able to make bulk additions using BAT anymore because we're
no longer managing local users in the CCM admin. It all moves
over to active directory or whatever LDAP system you're combining with.
So I'm going to shift the order around on that. But I also
make sure I mention that once again, you are hearing from TIVO
Jeremy, this is taken directly out of the CIPT series which is a
CCMP voice topic and applied directly to you. Because again, it's
the same content as before, but I think when I did CIPT, well
I know I did, I moved things in a different order. As in here,
you saw the phones being created first and now we're into user
accounts, whereas in the CIPT series I did the users accounts
and then the phones. So I want to make sure that as we go through,
if I ever mention, when we get to the phones, and you're going
well we've already been there, Jeremy, what are you talking about?
You understand what I'm talking about, it's just, it was
in a different order. So with that being said, let's get started.
The CISCO bulk administration tool is a utility that you can
use to make, just as the name applies, bulk changes to anything
in the database. You can add a bunch of users, you can add a
bunch of phones, you can delete a bunch of users, delete a bunch
of phones. And what I like it most for is the modification ability
to where I can go in and I can say I've got a thousand phones
and I need to change all of them to use, John Lennon music on
hold. Well, it's going to be painful if I go phone by phone,
but with BAT I can say select all the phones or all the phones
that begin with the extension of this or all the phones that
have a description of conference room. You know, you can set
all of these different search criteria and then say for all of
those devices, do this, go. And call manager does it. If you've
played a lot with SQL Server in the past, if you're a database
person, you've probably heard about select statements, where
you can select things from a database. And that's really all
BAT is, is a fancy graphic utility automating select statements
and making bulk changes to the database. It's awesome. So now
it's pre-integrated in the CUCM administration. It used to be
an add on that you would download into the publisher and add
it in and it was kind of this kind of hanging, lingering thing.
But now check it out. We'll bring call manager into the picture
here. And you can see, the menus going across and this guy over
here on the right-hand side, this is our bulk administration
LAN. So it's all integrated from the point that you install it
because it's such a handy tool. Now it also supports data export
and re-import. The reason that's good is it's kind of a back
up style system and I mention that in the bullet right below.
Exported data can also be used for an in-place migration or data
restore. So for example, I might have a cluster of, we'll say,
call manager 6.X servers and I want to move over to 7.X or when
it comes out, 8.X, et cetera. Well you can't actually use the
disaster recovery system or DRS, because DRS only allows you
to restore to the same server. So if I back up this publisher
using the disaster recovery system, I have to restore it to
that publisher and restore all of my data there. I can't actually
take it to another cluster and restore it there. But not so with
BAT. I can actually export just about everything from the database,
not everything, but just about everything from the database and
import it over here, which allows me to bring up a complete parallel
cluster and then shut this one down and maybe repurpose these
servers as subscribers or something like that. So that's very
cool. A very cool function of bulk administration. Now in order to work with that, you have to
understand the pieces that make it tick. There's really two pieces.
You have what's called a template. And then you have a CSV
file, which you may have heard of before. It stands for comma
separated value. I guess you could call it the simplest type
of database that exists, which is just a Notepad file with commas between
it or a text file. So the template is something that you
create inside of call manager and it has, you could say all
of the cookie cutter settings for whatever you're creating. So
for example, if it's phones, maybe all the phones have the same
music on hold. Or maybe all the phones have the same device
pool. And we haven't talked about a lot of the phone settings.
I'll just use music on hold because it's an easy one to grasp. Or
all the phones have the same time zone that you're importing,
something like that. That's the template. And this is configured
in the CISCO call manager, in CUCM, from the graphic interface
and it feels just like you're creating a phone or a user or
whatever you're going to import. It looks and feels just like you're
creating that device or component. And then this template
is combined with the CSV file. Now this CSV file is something
that has all of the unique values. For example, you can't
create a template that has phone extensions, right? Because every
phone has a different extension. Or you can't have a template that
has user names or last name or first names because everybody's
got different user names, last names and first names. You can't
really templatize those kind of things. So for that we create
a CSV file. Now the good news is CISCO has made it very easy for
us to do this. You're not in Notepad typing in values. They've created
a Microsoft Excel template. Um, and I'll show you that.
And it actually has a macro that runs and spits out a CSV file
when it's said and done. You take those two pieces, you combine
them together and that will put all of those devices or users
or phones or gateways, whatever you've decided to import into the
call manager database, using the BAT engine. So let's do it. I'm
going to take you over to our call manager.
Bring him into the picture. I'm going to jump over to the bulk
administration area. Now, the first place you want to go when
you're ready to do this, is to get that Excel template to generate
your CSV file. So go to this upload and download files area,
and right there you can see that I've got BAT.XLT, it's the only
file. It's the Excel CSV tool. I've checked it, hit download
selected and, you know, I'll save it; don't want to open it.
And I'll just put it on my desktop. It's kind of where you put
everything. And I have a theory. My theory, and I just came up
with this theory this morning when I was kind of cleaning up
the desktop, I think that the state of your desktop on your computer
reflects the state of your life. Meaning, and I'll talk about
myself because I find this so true for myself. If you go to your
desktop and there's like 50 icons or a 100 icons just like scattered
about, you know, you've downloaded things, you've created folders,
temporary files. I was looking at that, and I kind of went through
this. This was kind of a self renewal moment, right? This morning,
I'm sitting there and I'm looking, I'm like, I don't even know
what half these things are. I'm like delete, delete. And then
I see something, like, oh, that was a cool idea I had. Delete
it, you know, it's kind of one of those things where it was in
the moment, I need to get rid of it, my life is in disarray right
now. So my desktop, look at this, this is a view of my desktop.
Isn't it beautiful? I have just like minimal things and things that I use.
And these are, by the way, virtual machines that run on my computer.
Actually I can make my life even more organized. So anyway,
I'll save my BAT to, not to unity, Oh, where did
it go? I'm in such disarray. To my desktop. And there it is. So I'll double click the
icon and bring it up in Excel. Now the first thing that you want
to do in any version of Excel is enable the macros.
It's a macro-enabled work sheet that allows you to generate the
CSV file. So I'm in Excel 2007, just hit the option, hit enable
and it's going to now enable the macros. Now down at the bottom
of the spreadsheet, I want to draw our attention to these tabs.
This allows you to create things for anything
that is in the call manager. I'm kind of stretching it to the
side here. You can see I've got phones, device profiles, users,
update users, phone users, VG200 gateways. All of these kinds
of things and the list just keeps going on. CISCO put a lot of
time into this Excel template. And I'm going to use it right
off to create some user accounts. So click on user, and right
up here you can see all of the different fields that I would
want to create for my users. So let's put some information in
here. Let's do a first name, just so I can identify them from
the list. We'll call him BAT user 1, no middle name. We'll just, you know,
last name, BAT 1. User ID, BAT user 1. Password let's just
use CISCO. And you can see as we go through here, there's just
a ton of things. Let's throw a pin in there, 1 2 3 4 5, how's
that? You know, just a ton of different things that we have
available to us. But notice, just about all of them are optional.
You don't have to have that in there. It's kind of how detailed
do you want to get when you create your user accounts?
So I'm just gonna, to create, let's do two user accounts. I'll
use the magic of Excel. And I'll tell you what, I fall more
in love with Excel every time I use it. And I also have a Mac
that has, what do they call it, spreadsheets or something like
that. Very cool application, but I'm telling you we live in
an Excel world and Excel is awesome. So I'm just going to copy
all of this data. I've got two users, now.
Going along with getting my life organized, I created a project
plan this morning in Excel. I'm so happy, I feel better. So I'm
going to click on this export to BAT format. And click the button
and notice it's like zoom, it runs a little macro; that's the
macro right there. And it says what do you want to export it
as? Now by default it names it with users, whatever you're creating
and then this is a little time stamp, which is September 4th,
2009, which represents the date. Now I'm going to click on browse,
and I'm going to throw this on my desktop. My life is getting
more disorganized as we speak. Put it on my desktop and I have
to type in a name. So I'll just call it users. Users, click on okay. And when I do that,
you notice it exports it to a text file and it automatically puts
users.TXT on there. It's a CSV file. And I'll open that file up,
it's over here on my desktop and right there, you can see in
all its glory, this is a CSV file. There's our two users, BAT
user 1 and BAT user 2. User name and so on. And up here is a little
key. It's a key for you, but also for BAT, so when BAT imports
this, it knows what database fields match up with this. Notice
I didn't type in a middle name. So I have BAT user 1, comma,
comma meaning there is no middle name. So anything that
you see a comma with nothing in between, these are just blanks
for the fields up above, so the database doesn't get confused. So I've
created my CSV file; that's this guy over here on the right.
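The CSV layout described above (a key row on top, one user per line, empty fields left blank between commas) is easy to get subtly wrong by hand, so here is an added example, not code from the original nugget or from Cisco's BAT.xlt, that builds such a file from user records and parses it back with a column-count check. The column names and the required-field rule are assumptions chosen to mirror the Users tab, not copied from the real template.

```python
"""Constructed example of a BAT-style users CSV.

The first row is the key that maps columns to database fields; every
later row is one user, with empty optional fields left blank so the
column positions stay aligned with the key row.
"""
import csv
import io

# Assumed column order for the Users tab (hypothetical; BAT.xlt may differ).
USER_FIELDS = ["FIRST NAME", "MIDDLE NAME", "LAST NAME", "USER ID",
               "PASSWORD", "PIN", "DEPARTMENT"]
# Assumed minimum for an insert: without a USER ID the record has no login.
REQUIRED = {"LAST NAME", "USER ID"}


def build_bat_csv(users):
    """Render user dicts as a BAT-style CSV string with a key row on top.

    Missing optional fields become blank columns (",,"), so a user with
    no middle name is written as "First,,Last,...".  Raises ValueError
    if a required field is absent or empty.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(USER_FIELDS)
    for u in users:
        missing = REQUIRED - {k for k, v in u.items() if v}
        if missing:
            raise ValueError(f"user {u.get('USER ID', '?')!r} missing {sorted(missing)}")
        writer.writerow([u.get(f, "") for f in USER_FIELDS])
    return buf.getvalue()


def parse_bat_csv(text):
    """Read a BAT-style CSV back into dicts keyed by the header row.

    A row whose column count does not match the key row is rejected,
    because one stray or missing comma shifts every later field into
    the wrong database column.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    users = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError(f"line {lineno}: {len(row)} fields, expected {len(header)}")
        users.append(dict(zip(header, row)))
    return users


# Constructed sample: two users, neither has a middle name, only one has a PIN.
SAMPLE_USERS = [
    {"FIRST NAME": "BAT User 1", "LAST NAME": "BAT 1", "USER ID": "batuser1",
     "PASSWORD": "cisco", "PIN": "12345"},
    {"FIRST NAME": "BAT User 2", "LAST NAME": "BAT 2", "USER ID": "batuser2",
     "PASSWORD": "cisco"},
]

if __name__ == "__main__":
    text = build_bat_csv(SAMPLE_USERS)
    print(text)
    for u in parse_bat_csv(text):
        print(u["USER ID"], "middle name:", repr(u["MIDDLE NAME"]), "pin:", repr(u["PIN"]))
```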
Now I need to create that user template. Actually, yeah let's do
that now. There's other things I need to do, but for now we'll
jump into user template. I'll hit bulk administration. Users, and you
can see that I have my insert, update, delete, export, all of
the functions that I have, but I'm just going to go to user template.
As of right now, I don't have a user template. So I'm going to
add a new one. It says, what is the name? Now, you would normally
name this based on the task at hand. It's like you're importing
a bunch of sales users. You'd name it sales users. And all of
these functions would be unique to the sales department and what
they're doing over there. But I'll call it users template.
And it says do you want to set the default password to the user
ID? Which, you know, I had one in the Excel template, I came
up with the password of CISCO, right there, but I'm just gonna
say, you know, what? Let's do that. So when users log in, I don't
have to say, your user ID is this and then use CISCO. Just say
you're user ID is this and when you first log in, that will be
your password. You'll want to change that when you first get
in there and something like that. So that will kind of synchronize
those, and there's some other options here that you can set.
I'm going to add them, you might remember from the previous nugget,
they couldn't access the user web pages until I added them to
the CCM end user, user group, which gives them now the ability
to access the CCM user pages. And there's, like I said, some
other things and we haven't talked about them yet. So we'll set
those later. And I'll just save them. I've got my first user
template now called users template. So now I'm going to do the
combine function. I've got the CSV file, I've got the user templates.
So I'm going to move this back over, do bulk administration, users,
import users. And this is where I put the pieces together. Oh,
I forgot to do something. It's going to say what file name is
it? Now there is going to be nothing in there because I haven't
uploaded the file. Remember, I generated that CSV file but it's
sitting on my desktop. So I need to go to bulk administration,
upload/download files. Add a new one.
File on my desktop. There it is. User.TXT. Okay, okay. My desktop
wasn't quite as organized as it looked, but it's better, right?
So select the target. I'm exposed. So select the target,
I choose users right there, that's going to be what I'm importing,
I'm importing users accounts. And then, what am I doing? Oh, select
the transaction type. Okay. I'm going to use this for inserting
users, sorry, I was thinking about my desktop. I gotta drop
that. So I click on Save, which now saves this as a template
or I should say as a CSV file that has the ability to access
for the function of inserting users. So now I jump over to users,
insert users. And my file shows up in the list; users.TXT. You
can even view it if you want to look at that. And I'm going to
combine that, this is the combining function, put these two together
into the BAT engine. I'm going to combine it with users template
and about from there. And it says is this file created with export
users? And I'm going to say, no, this wasn't created this isn't
like a migrate from another cluster. I created this with my Excel
template. So it says what's your job description, I'll keep that.
And I'll hit run immediately so otherwise it will go into a scheduler
and you have to go back and schedule it at a later time.
So, I'm going to jump over now to bulk administration. And I've
done all of my user stuff. I'm going to jump down to the job
scheduler. And you can see I've got, right here, my insert users.
Notice it's processing right now. It's just going through it.
And this is a VMware machine so it's not going to be quite
as fast as a real full-blown server, but it shouldn't take
long, it's just two users. Let me click on find. There we go,
it now says completed. So it completed at September 24th, 9:32 or so. I click on now
my user management and shoot over to the end users and look at
that? I've got users: BAT user 1 and BAT user 2. And by the way,
let me make sure I bring you up to speed. You might remember
in the previous nugget, I did create two users, Jeremy and somebody
else, I can't remember who they were. Maybe just Jeremy. I deleted
those guys. And actually I didn't delete them. In the last nugget,
we were using call manager 6.X. And now we're using call manager
7.0, which you might remember, if you're going through all
these nuggets in order, in the installation nugget, I warned
you. I said okay, I've done some of the stuff with 6.X and I'm
going to use 7.X for everything else now. So that's where the
users went. So now I have truly a fresh slate. I don't have any
previous stuff. And I've got my first two users imported from
the BAT utility. Now, you might look at that and say, okay
Jeremy that was a lot of work. I could have just gone in there and
added two users, right? Well, yeah, but I also hope that you
see the big picture. That took way longer than just manually adding
two users. But in the big picture, you may have an exported
file with all these users, you may have access to the users accounts
already in an Excel spreadsheet, where you literally cut
and paste 1000 users or 500 users all at a time. And wham, they're
immediately imported, rather than manually one by one adding the
users into the CUCM. So it is much more efficient when you get
to a larger sort of import. Okay. Now let's move into the next
big topic, which is LDAP. I kind of shuffled the order around
so that we can do BAT. And now we've got some users in the database
and now we can do LDAP synchronization and authentication. Now
quick review from the previous nugget, synchronization allows
you to synchronize your user accounts and all major attributes
with, I'll say an LDAP database, but for our example and most
people out there are using active directory. So you can synchronize
your user database in the call manager with active directory
to our only CUCM specific stuff and the passwords are
managed from the call manager. But most people don't want that.
They want also the passwords to come from LDAP as well. So you
can add another piece to that, which is LDAP authentication allowing
the passwords to, I won't say synchronize because they remain
in LDAP, it's just that you use pass-through password authentication
so when a user authenticates on the call manager side,
it passes it through to the windows active directory and says is
this okay? Active directory says yes, that's a good password,
let him in. So we'll set up both of these things, it's a little
bit of process, but not too bad overall. The first step in setting
LDAP synchronization; that's where we'll begin, is making sure you
have one of the supported databases. Meaning, that you're
using Microsoft active directory, Netscape active directory, SUN,
or iPlanet. All these different directories that are out there.
And there are even some that are not in this list. You just want
to make sure that it's supported by the call manager. Second,
you want to set up a synchronization agreement. Meaning, you
have to set up an agreement with call manager between call manager and
active directory that says here's how I want to synchronize. And
the first step of that process is creating a user account in
active directory that will be used for synchronization.
First off, the account in active directory has to have full administrative
privileges to active directory, because you're really synchronizing
the database. I would recommend against using your administrator
account because there's often times it's used for other things.
People change the passwords. You want kind of a dedicated admin
account for call manager that will never change. So I'm going
to pull up, this is on the windows side, active directory, users
and computers from my little home world here. I've got my home.local
domain, expand that down. And I've got just some basic organizational
units. I'm going to say, let's create a user in the users container.
New user and we'll say that this user is going to be
called, let's call him CCM manager. No, let's call him CCM directory
synch. That will be the name of this user. So this will
be used to synch the directory. You have to have a last name
and I'll just copy and paste and that will be his log on name
as well. Now you want to make sure that you remember this user name
and I'm actually going to throw him in a Notepad file here,
just so I've got him for later purposes as that directory synch user. Next, it says
what is the password? I'll say it never expires, first of all. And
I'll use password of P@WORD,
kind of meets that complexity requirements. And hit finish. And now I've got that user
created. So I'll jump in my users container, and he's right here,
and I'm going to say he is a member of domain admins.
So now he's a full administrative user. And just for grins,
that'll be his primary group and I'll even remove him from the
users. And that way he's a full admin, no user privileges at
all, or I should say restrictions. So I've got that user now
created and now I want to create, and this is where that synchronization
comes in, I'm going to create a new organizational unit
for my call manager users. Now I'm doing this right now, let
me just type it in, let's call it CCM end users.
I'm doing this right now, just for this demonstration because
I don't want to, you know, right now I have home, which has me
and my wife in there, and I have FTP users, and I'm clicking
around because I don't want to show you what's in there, there's
all kind of stuff. And I don't want to bleed between the call
manager and this. But remember, in your business, you'll probably
have your existing container that you'll use. You won't create,
well maybe you will, but you probably won't create a separate
organizational unit just for call manager users. But my point
is when you create this synchronization agreement between the
two, you're going to need to tell call manager what area it wants
to synchronize with. Meaning, what organizational unit or units,
you can create multiple synchronization agreements, do you want
to pull those user accounts from? So in this case, I don't want
to pull myself, my wife, and all the FTP users I have, I just
want to create some dedicated users for call manager import.
So I'll create a new user. And let's call him
Frank Sinatra. That's not how you spell Sinatra, well it's
like a travesty to all music lovers everywhere, but I'm going
to call him Frank S. And misspell his last name. So we'll just
give him a password of password, if it will let me do that. Yeah,
it will let me do that. So I've got Frank Sinatra created,
let's create one more guy for now. Let's do somebody I can
spell their last name. Who's somebody famous? Let's do Tom Cruise.
There we go. Got my two users created and these will be the ones
that will now synchronize between the active directory database and call manager.
That's going to be the organizational unit that I set up
my synchronization agreement for. Now the first thing you want
to make sure of is that your directory synchronization services
are enabled. So you want to shoot over to the service ability
area, CISCO unified service ability. Now I have all my services
in the call manager activated. And that's not normal. Usually,
you'll activate just the services that you need. But since I'm
running in a single call manager environment, the one call manager
does it all. So I'm logging into the call manager as we speak,
which is probably running slow because I have all the services
activated. I go to the services activation area,
and under the services activation, what you're going to be looking
for is the directory services category and you're looking for
a service called CISCO DirSync. Let me scroll down a little bit
here. Right here down at the very bottom, directory services,
CISCO directory sync. If this service isn't activated, nothing's
going to happen. That's essentially the power behind all of this
that does the synchronization. So I'm going to shoot back over
to the call manager administration now that I'm assured that
the service is running, hit the system menu, drop down to LDAP,
and I'll hit first off, LDAP system. Now under the LDAP system,
this is just a basic check box if you will, that says do you
want to synchronize from an LDAP server? Do you want to enable
this kind of synchronization and if so, what kind of server type
are you synchronizing with? And you can see right here that you've
got two options, really active directory or everything else.
And you can choose one of those and everything else does synchronize
with more directories than what's showing here. But it gives
you the option, you go in and choose the server type. And then
the second one is what do you want to use as the user ID? Meaning,
you can have sAMAccountName, mail, employeeNumber, telephoneNumber,
userPrincipalName, you can set all of these things
to be the user account. Meaning, maybe you want somebody logging
in to the user pages using their e-mail address. And Jeremy@whatever.com
or you want somebody logging in using a specific employee number.
These are certain fields in active directory that you can choose
to synchronize with. Most people will use the sAMAccountName,
which stands for security account manager, this is going to be
your user name that you use when you log into windows. And you
can see that's why it's the default. And I hit save. And now
it's saying LDAP is ready. If only it was that simple right?
You have to say, well okay, LDAP, you're synchronizing, but who
are you synchronizing with? That's where this directory comes
into play. As of right now I don't have any directories, so I'm
going to click on the add new. And this is a fair warning. It
says existing end users not found in the corporate directory
will be deleted. I click on okay. And it says for the correct
integration, okay, and yes it's also mentioning that based on
that attribute that you created, that everybody has to have a
user ID, because that's going to be their log in. That's okay.
Just a couple of warning messages. And this is where this 24-hour
timer comes into place. Any time call manager sees something
in active directory or whatever database you're synchronizing
with, that it doesn't have locally, it will mark that user for
purging, meaning you'll have 24 hours and then it will be deleted.
And that's good news because maybe you've got a user account in call manager
that you forgot to create in active directory. You were using
local users and then you moved this way. Well, as soon as you enable
this, this goes into a purge state for 24 hours and you'll
see it in there as I'm going to be purged. So you can go quickly
go, oh, well let me create the user in active directory and
then this guy will show up as a solid user like non-purge kind
of system and keep all of his attributes. Meaning, you had him
assigned to a phone, you had certain privileges, certain roles,
all of these kind of things assigned to that user. It will remain
that way. Likewise, let's say you accidentally delete a user out
of active directory. Well it's going into a purge state in call
manager. It's going to hang there for 24 hours, which means if
you go, oh, oh I didn't mean to delete that user, you can add that
user back in to the active directory database. And it will show
right back up and not lose any of the settings that call manager
had for them, the phone assignment, the pin number and all
of the things that aren't in active directory. Now if you let
it go beyond 24 hours and you delete this user, he will be deleted
from call manager, so when you re-add him back in, you will have
to re-set up all the call manager specific settings for that
user. So where am I? LDAP directory.
So first thing it's going to say is what is the configuration
name? I'm going to say configuration name will just be active
directory. It's just a logical name. And it says, what is the
LDAP manager distinguished name? Now this is going to be that
user. Remember, the one that I created. Who is the user account
that has the rights to synchronize with this database? And I'll say this is the
user name@home.local, which is the name of my domain. You have to
have the full distinguished name; that's what that means. It says what
is his password? That was password with an @ symbol.
And now it comes to the big question, what is the users search
base? This is asking you what organizational unit do you want
to synchronize with? Now this is going to be this end users,
but you have to type it in kind of unique. I'm going to say first
off, the organizational unit equals, this is the official LDAP
syntax, whenever you're doing LDAP queries to the database, you
have to use this kind of syntax, it's CCM end users, case sensitive,
you want to make sure everything's right. Right? Okay. Good.
Now you have to go beyond that because it's not just an organizational
unit, it's under a domain. So you do dc=home. DC stands for domain component and then I
do dc=local. Because remember, it's CCM enduser.home.local,
which is kind of similar to what I have up here on this user
account, when I'm authenticating. This is the domain that it's
in. So you've got to make sure that's typed in, in the LDAP official
syntax. And if you have OUs under OUs, you can, you know, put
OUs, OU whatever, comma, you can go as deep as you want with
this. Now I also want to mention that you can set up multiple
synchronization agreements. Notice I'm saying synchronized with
this organizational unit. But I can also create a second one
of these, a second LDAP directory and say, oh, yeah, also pull
from the home OU, also pull from the user's OU. And it will import
users from all of those. You just have to set up what's called
multiple synchronization agreements between them. Now, you can
see, right here it's saying do you want to do this just once
and synchronize the accounts just once? Or do you want synchronize
on a regular interval? And if you want you can set up an interval
of how often this synchronizes. Now the thing is that if you are
using an active and living, breathing LDAP system, then you want
to synchronize often, maybe at least once a day, maybe even hourly,
because when you create a new user, you want it to automatically
show up so you can add a phone. But also keep in mind you can
always manually resynchronize the database. So you can say perform
this just once and it will synchronize. And then later on, whenever
the Microsoft admin says, hey, we've added five new employees,
you just go in and hit manually resynchronize and pull them over,
rather than having this constant pulling going on of the active
directory database. So for now, we'll just, it's not really a
best practice one way or another. It's totally up to you. I'll
just synchronize it just once for now. And then down here, it's
saying well what fields do you want to synchronize? This is where
I go in and say, well, you know, middle name actually matches
to the area of initials. And you get to match up in the call
manager database what it's going to match up to the active directory
database. And what field it's going to pull from, so you have
to select specifically which areas it's going to grab it from.
And you can see most of them are fixed. Like last name is always
sn, surname. But some of them have different options, like you
can have the mail ID actually come from sAMAccountName, which
is their user name, rather than the actual mail field in active
directory. So if you want to tweak those, you can. And then the
big one. You have what is the host name or what is the information
of the LDAP server you want to synchronize with? So I'll type
in my IP address of the LDAP server, which is right there, 172.31.100.100.
You can add redundant domain controllers if you want to by adding
a second one. But I only have one domain controller here. So
I hit save. And now I've got that LDAP synchronization
agreement saved between the two databases. Now, just for grins, I'm
going to hit perform a full synch now, see if I get any messages
coming up. It says you haven't saved your changes, cancel now;
save your changes, did I do this? I did this.
Okay, it says update successful. That's good. If it says anything
other than update successful when you do that, that usually signals
there's some kind of communication issue between your database
and call manager or between call manager and active directory.
So let's see if it worked. I'm going to go to my call manager,
scroll back up, hit User Management, End User, and oh, there
we've got our end users. BAT user 1 and BAT user 2, these are the ones
that I added with the BAT utility just a moment ago, are now marked
as inactive. They essentially say, I will be purged
in 24 hours because we're no longer using this database. Now if
I ran over to my active directory and added BAT user 1 and
BAT user 2, they would flip back over to active. But for now, notice that
Frank Sinatra and Tom Cruise are now added to my database, and
if I click on them, I want you to see, notice user ID, completely
grayed out. Meaning it's not editable. I can't change the last
name. I can't change the first name or telephone number. Before,
when we were making these modifications with our
users, all of these were changeable. But now that we're synchronized,
notice that it says even add and delete are disabled
because the user is synchronized with LDAP. So I can't make any
modification. Whoa, I must have clicked an IE8 button.
Now that I've made this modification, it's restricted me from
doing any of these changes. If I check it, notice there's no
delete button or anything like that. Now I can still go in and
I can change passwords and I can change PINs. I can assign
it to an individual phone if I want to make phone assignments.
But for now, those are all call manager specific. Everything
that's linked to active directory is locked. Now let's move to
the next step, which is authentication. Meaning, right now, yes,
I'm synchronizing my users, but I have a certain password in
call manager and I have a certain password in active directory.
You typically want those to be the same. And remember, back over
here, those are two separate agreements. We have synchronization,
which synchronizes the users, and authentication, which
allows the authentication credentials
to pass through between call manager and active directory. So
that's a separate agreement. It's under System, LDAP, and notice I'm dropping
down to the last one, LDAP Authentication.
Now once again, all I have to do is configure this using the
same system as before. I'm just going to say use it; the distinguished
name is going to be CCM DirSync, oh, it's saved in my cache; password:
password. It says, what is your LDAP search base? This is going
back to that OU equals, I've gotta pull it up,
okay, it's OU=CCM end users,DC=home,DC=local. The server that I'm going to be synchronizing
to, that's my domain controller. Click on save.
And now LDAP authentication is there. So check this out, you
just saw I was able to change those passwords. Now I shoot over
to my end users, I click on Frank, and notice, there is, wow,
it's gone. There is no password. I thought it would be grayed
out for a moment. But it's gone. There is no password field anymore.
You have the PIN, which is call manager specific. But
the authentication now passes through to active directory. So
it's a pretty simple task to enable LDAP synchronization and
LDAP authentication and synchronize the two databases with
each other. But remember, this is a monumental thing from
an active directory standpoint. You're essentially creating a
domain user account and synchronizing the databases. When you
start throwing words like that at Microsoft admins, they're going
to be like, uh, whoa. You know, typically you're looking at weeks
of red tape and policies and documentation and procedures before
any of those kinds of agreements are put in place. But remember,
I'm not here to talk politics, I'm here to show you how to do
it. And once you're actually ready to do it, it's really not
too bad. All right, the last thing I want to talk about in this
nugget is managing groups, roles and privileges. And this is
really for creating sub-administrators in the call manager. Meaning
that you are only one person, and eventually your organization
may grow to thousands and thousands of phones, and you might want
to have people that kind of sub-administrate the call manager
or manage it in some way but don't have full access to it. Cisco's
done a lot of work in setting it up. And they've done it well.
It's just a little complex to get used to. We have this kind
of flowchart that I've created down here at the bottom, showing
how these permissions take place. You've got your users, which
you're familiar with. The users are created, which they could
be manually created or synchronized with active directory, and
they are added to groups. And that gives them privileges to call
manager in some way, because those groups are assigned to roles,
and those roles are what actually give you the privileges. So
you might remember when we created that user originally, it couldn't
access the CCM user pages until I assigned them to the CCM user
group. And that's because call manager sees accessing those web
pages as kind of an administrative function. So they have to
be granted some web privileges to do that. So that's kind of
a flowchart of how that works. It kind of reminds me of back
in the days of Microsoft. Back a long time ago, I taught Microsoft
content and I used this analogy called UGLY, which shows how to
manage your user accounts in Microsoft. You had your users in
the global groups, global groups in the local groups,
and then the local groups were assigned to your resources. That's
my little Y right there. And I was kind of citing Microsoft's
best practices. I can't really think of a cool acronym for
this one, it would be like "googlear" or something like that, because
you're actually putting your users into the groups, groups
into the roles, and roles are assigned to the privileges. It's
almost easier if you can just see it. So let me bring up call manager
administration and I'll hit the user management, and let's
first off look at the groups.
These are the base groups and you can see they cannot be deleted,
there's no check box next to them. Just the base groups that
come with call manager, and usually they're good enough for what
most people use. You've got CAR Admin; you've got CCM Admin;
CCM End Users; a read-only administration group; one that can just
manage phones. So they've pre-created groups for a lot of the
common functions that you have in call manager. Now these
groups themselves are not going to give somebody privileges.
It's only because they're assigned to roles. Like when I look
at the CCM Admin Users group and I click on the i next to roles, it's
assigned to the Standard CCM Admin Users role and the Standard CUReporting
role. So when I go over here to the user management and hit roles,
I see this laundry list of all these different roles that people
have, roles that are pre-created by Cisco. Now you can't really do anything
with these roles. You can copy them. I'll click on add new,
just to say I'm going to add a new role. And let's say it's a role
specifically dedicated to call manager administration. I hit next
and it's going to take a second to load because there's a lot
of privileges. Now, notice, look at this list. Wow, all of these
different privileges in call manager, from
modifying access lists to adding Unity users; this is essentially
every menu that you possibly have in call manager. And you have
the option: do you want to give them read access or update access
or both to that individual page? So once you create the role,
you can then shoot over here, if you want to do a custom role,
and go to the group and create your own group. Let's say I add
a group named custom group and
hit Save. And now I can add users to this group, or go back. Let
me go back to the find and list, and I can add roles to that group
and say the custom group is going to have this and this and this.
You know, it essentially does bulk privileges all at once by
assigning that role. I hit add and those are now added. So whoever
I add to this custom group gets all those roles, which means
they get all the individual privileges that they were assigned.
So let's do this. Let's just grab Frank, Frank Sinatra, and let's
add him to a group. I'm going to make him, Cisco comment, let's
make Frank our phone administrator. So I click on phone only, and I click add
end user to this group, hit find, Frank,
add selected. So now Frank is added to this standard
read-only. Is that what I added him to? I thought I did the phone.
Oh well, user, I must have. So I'll go back to, so
he's added to the group. Hit find and list, well, he's added in there.
So I'm going to log out now from my admin account,
let's try logging in as Frank S. That's the active directory user name. Good.
I'm now in there. So if it was indeed the read-only, I must
have mis-clicked, but let's go to
end users. Click on find and you can see that he can look at
the users, but he cannot change anything. Meaning, it looks like
he has modify privileges, but I'm going to
change the maximum wait time to 444. Looks like it is modifiable
and you go, oh well, he can change it, but notice what's missing.
Imagine yourself as Frank: okay, I've updated that,
uh, yeah, where's my save button? There is no save button. The
save button has been removed, which, you know, really gives him
full flexibility of saying, oh, okay, these are all the different
fields. But when it gets to, you have find and list, there's no
add button for the phones. So I can go in and look at the phones
and all the attributes. But I can't make any changes or anything
like that, simply because, not that I can't modify it, I can do
whatever I want, but there's no save button. So all of our changes
are lost any time we navigate between the different pages. That's
how simple it is: users, groups, roles and privileges.
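What follows is an added example, not part of the original video and not Cisco code. It models the two mechanisms walked through above in one place: the LDAP directory agreement (the field mapping chosen in the sync page, existing local-only users being marked inactive with a 24-hour purge timer, LDAP-owned fields becoming read-only while CUCM-only fields like the PIN stay editable), and the users, groups, roles, privileges chain that decides what Frank can read or update once he lands in the Standard CCM Read Only group. The standard group names are CUCM's; the privileges attached to each role, the directory entries, and the user IDs "franks" and "tomc" are constructed for the example.

```python
"""Model of directory sync plus users -> groups -> roles -> privileges.
Added example; not CUCM code. Role contents and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Field mapping chosen in the LDAP directory agreement: CUCM field -> LDAP attribute.
FIELD_MAP = {
    "userid": "sAMAccountName",
    "firstName": "givenName",
    "middleName": "initials",          # the "middle name matches initials" mapping
    "lastName": "sn",                  # fixed: last name is always sn
    "mailId": "mail",                  # could instead be pointed at sAMAccountName
    "telephoneNumber": "telephoneNumber",
}
PURGE_GRACE = timedelta(hours=24)      # synced users not found in LDAP are purged after 24h


@dataclass
class EndUser:
    userid: str
    fields: Dict[str, str]
    ldap_synced: bool
    active: bool = True
    purge_after: Optional[datetime] = None
    groups: Set[str] = field(default_factory=set)


def synchronize(users: Dict[str, EndUser], entries, now: datetime) -> Dict[str, EndUser]:
    """Full sync: each directory entry creates or refreshes a synced EndUser;
    any account not present in the directory is flagged inactive with a purge deadline."""
    seen = set()
    for entry in entries:
        mapped = {f: entry.get(attr, "") for f, attr in FIELD_MAP.items()}
        uid = mapped["userid"]
        seen.add(uid)
        if uid in users:                       # a local user re-created in AD flips back to active
            u = users[uid]
            u.fields.update(mapped)
            u.ldap_synced, u.active, u.purge_after = True, True, None
        else:
            users[uid] = EndUser(uid, mapped, ldap_synced=True)
    for uid, u in users.items():
        if uid not in seen:
            u.active, u.purge_after = False, now + PURGE_GRACE
    return users


def set_field(user: EndUser, name: str, value: str) -> None:
    """Mirror the greyed-out form: LDAP-owned fields of a synced user cannot be edited;
    CUCM-only fields (PIN, device associations) still can."""
    if user.ldap_synced and name in FIELD_MAP:
        raise PermissionError(f"{name} is synchronized with LDAP")
    user.fields[name] = value


# Roles carry the privileges (resource -> read/update); groups bundle roles; users join groups.
# Group names are CUCM's standard ones; the privilege contents are an assumption for the example.
ROLES = {
    "Standard CCM End Users": {"ccmuser pages": {"read", "update"}},
    "Standard CCM Read Only": {"End User": {"read"}, "Phone": {"read"}},
    "Standard CCM Phone Administration": {"Phone": {"read", "update"}},
}
GROUP_ROLES = {name: {name} for name in ROLES}     # standard groups map 1:1 to a role here


def effective_privileges(user: EndUser) -> Dict[str, Set[str]]:
    privs: Dict[str, Set[str]] = {}
    for group in user.groups:
        for role in GROUP_ROLES.get(group, ()):
            for resource, actions in ROLES[role].items():
                privs.setdefault(resource, set()).update(actions)
    return privs


def can(user: EndUser, resource: str, action: str) -> bool:
    """An inactive (purge-pending) user gets nothing, whatever groups it is still in."""
    return user.active and action in effective_privileges(user).get(resource, set())


def demo():
    now = datetime(2024, 1, 1, 9, 0)
    # Constructed: two BAT-created local users and two directory entries.
    users = {uid: EndUser(uid, {"lastName": uid}, ldap_synced=False)
             for uid in ("batuser1", "batuser2")}
    directory = [
        {"sAMAccountName": "franks", "givenName": "Frank", "sn": "Sinatra", "mail": "franks@home.local"},
        {"sAMAccountName": "tomc", "givenName": "Tom", "sn": "Cruise", "initials": "C"},
    ]
    synchronize(users, directory, now)
    frank = users["franks"]
    frank.groups.add("Standard CCM Read Only")     # the group Frank actually landed in
    return users, frank


if __name__ == "__main__":
    users, frank = demo()
    for u in users.values():
        print(u.userid, "active" if u.active else f"inactive, purge after {u.purge_after}")
    print("Frank read End User:", can(frank, "End User", "read"),
          "| update End User:", can(frank, "End User", "update"))
```

Running it prints the two BAT users as inactive with a purge deadline 24 hours out, and shows Frank able to read the End User page but not update it, which is the missing save button in the walkthrough; adding him to Standard CCM Phone Administration is what would grant update on phones.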
And that's a good place to wrap up the topics of user management.
I split up the two nuggets into a part one and part two. But
definitely part two is where I leaned heavily, where the content
really is. We started off talking about BAT. We started there
simply because once I enabled LDAP, I lose the ability to add
a huge amount of users using that, because everything is now leaning
on active directory. So I talked about how to enable LDAP. I
looked at both LDAP synchronization and LDAP authentication,
enabling both of those independent features, and allowing all
of our users to now be managed using an outside database, which
truly unifies the user names and passwords between the data and
the voice network. Finally we looked at using those user accounts
for administration as well as granting end users access to their
pages using the user roles and privileges. I hope this has been
informative for you and I'd like to thank you for viewing.