D 14049.01
07.2007 182
TANDBERG VIDEO COMMUNICATION SERVER
ADMINISTRATOR GUIDE
Appendices
LDAP Conguration
Securing with TLS
The connection to the LDAP server can be encrypted by enabling Transport Level Security (TLS) on the connection. To do this you must create an X.509 certificate for the LDAP server to allow the VCS to verify the server’s identity. Once the certificate has been created you will need to install the following three files associated with the certificate onto the LDAP server:
• The certificate for the LDAP server.
• The private key for the LDAP server.
• The certificate of the Certificate Authority (CA) that was used to sign the LDAP server’s certificate.
All three files should be in PEM file format.
The LDAP server must be configured to use the certificate. To do this:
1. Edit /etc/openldap/slapd.conf and add the following three lines:
TLSCACertificateFile <path to CA certificate>
TLSCertificateFile <path to LDAP server certificate>
TLSCertificateKeyFile <path to LDAP private key>
The OpenLDAP daemon (slapd) must be restarted for the TLS settings to take effect.
To configure the VCS to use TLS on the connection to the LDAP server you must upload the CA’s certificate as a trusted CA certificate. This can be done on the VCS by navigating to: Maintenance > Security.
Adding H.350 Objects
Create the Organizational Hierarchy
1. Create an ldif file with the following contents:
# This example creates a single
# organizational unit to contain the H.350
# objects
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350
2. Add the ldif file to the server using the command:
slapadd -l <ldif_file>
This organizational unit will form the BaseDN to which the VCS will issue searches. In this example the BaseDN will be: ou=h350,dc=my-domain,dc=com.
It is good practice to keep the H.350 directory in its own organizational unit to separate out H.350 objects from other types of objects. This allows access controls to be set up which only allow the VCS read access to the BaseDN and therefore limit access to other sections of the directory.
Add the H.350 Objects
1. Create an ldif file with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
2. Add the ldif file to the server using the command:
slapadd -l <ldif_file>
This will add a single H.323 endpoint with an H.323 ID alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials of ID meetingroom1 and password mypassword, which are used during authentication.
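As an added pre-flight check (example code, not part of this guide or of OpenLDAP), the following Python lints an H.350 ldif file before it is handed to slapadd: it unfolds RFC 2849 continuation lines, skips comment lines, and verifies that each entry sits under the BaseDN the VCS searches, that its RDN is its commUniqueId, and that the object classes and attributes used in the MeetingRoom1 entry above are all present. The BaseDN, class and attribute names are the ones on this page; the sample ldif is constructed and folds the DN over two lines to exercise the unfolding.

```python
BASE_DN = "ou=h350,dc=my-domain,dc=com"          # the BaseDN the VCS searches
REQUIRED_CLASSES = {"commObject", "h323Identity", "h235Identity"}
REQUIRED_ATTRS = {"commUniqueId", "h323Identityh323-ID", "h323IdentitydialedDigits",
                  "h235IdentityEndpointID", "h235IdentityPassword"}

# Constructed sample: the guide's MeetingRoom1 entry, DN folded per RFC 2849.
SAMPLE_LDIF = """\
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,
 dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
"""

def parse_ldif(text):
    """Return entries as dicts of attribute -> list of values (no '::' base64)."""
    entries, current, logical = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # unfold a continuation line
            logical[-1] += raw[1:]
        elif not raw.startswith("#"):            # drop comment lines
            logical.append(raw)
    for line in logical + [""]:                  # a blank line ends an entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def check_entry(entry, base_dn=BASE_DN):
    """Return the problems found in one entry (empty list when it is clean)."""
    problems, dn = [], entry.get("dn", [""])[0]
    if not dn.lower().endswith("," + base_dn.lower()):
        problems.append(f"DN is outside the VCS BaseDN {base_dn}: {dn}")
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_attr != "commUniqueId" or entry.get("commUniqueId") != [rdn_val]:
        problems.append("RDN must be commUniqueId=<value> and match the attribute")
    for cls in sorted(REQUIRED_CLASSES - set(entry.get("objectClass", []))):
        problems.append(f"missing objectClass {cls}")
    for attr in sorted(REQUIRED_ATTRS - set(entry)):
        problems.append(f"missing attribute {attr}")
    return problems
```

Run `check_entry` over every entry returned by `parse_ldif` and only call `slapadd -l` when all problem lists are empty.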
OpenLDAP Prerequisites
These instructions assume that an OpenLDAP server has already been installed. For details on installing OpenLDAP see the documentation at http://www.openldap.org.
The following examples use a standard OpenLDAP installation on the Linux platform. For installations on other platforms the location of the OpenLDAP configuration files may be different. See the OpenLDAP installation documentation for details.
Installing the H.350 Schemas
1. Copy the H.350 schema files to the OpenLDAP schema directory:
/etc/openldap/schemas/commobject.ldif
/etc/openldap/schemas/h323identity.ldif
/etc/openldap/schemas/h235identity.ldif
/etc/openldap/schemas/sipidentity.ldif
2. Edit /etc/openldap/slapd.conf to add the new schemas. You will need to add the following lines:
include /etc/openldap/schemas/commobject.ldif
include /etc/openldap/schemas/h323identity.ldif
include /etc/openldap/schemas/h235identity.ldif
include /etc/openldap/schemas/sipidentity.ldif
The OpenLDAP daemon (slapd) must be restarted for the new schemas to take effect.