
LDAP Configuration
TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE
Microsoft Active Directory
Adding H.350 Objects
Create the Organizational Hierarchy
1. Open the Active Directory Users and Computers MMC.
2. Under your BaseDN, create an Organizational Unit called h350.
It is good practice to keep the H.350 directory in its own organizational unit, separating H.350 objects from other types of object. This allows access controls to be set up that grant the VCS read access only to its BaseDN (the h350 OU), and therefore limit its access to other sections of the directory. The reverse also matters: the H.235 and SIP passwords below are stored as readable attribute values, so whoever can read the h350 OU can read the endpoint credentials.
Add the H.350 Objects
1. Create an ldif file with the following contents:

#MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
# H.323 aliases: H.323 ID and E.164 number (dialed digits)
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
# H.235 credentials used to authenticate H.323 registrations
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
# SIP credentials and SIP URI (the URI must carry the sip: prefix)
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@X

Note: The SIP URI in the ldif file must be prefixed by sip:.
D14049.03
MAY 2008
2. Add the ldif file to the server using the ldifde command, where <ldap_base> is the base DN of your Active Directory server. The DC=X placeholder used in the ldif file must be replaced with <ldap_base> when the file is imported.
The example above adds a single endpoint with an H.323 ID alias of MeetingRoom1 (h323Identityh323-ID), an E.164 alias of 626262 and a SIP URI of MeetingRoom@X. The entry also carries H.235 and SIP credentials with ID meetingroom1 and password mypassword, which are used during authentication; the VCS must be able to read these password attributes to authenticate the endpoint, which is why read access to the OU should be restricted to the VCS.
H.323 registrations look up the H.323 and H.235 attributes; SIP registrations look up the SIP attributes. If your endpoint registers with only one protocol you do not need to include the elements relating to the other.
For information about what happens when an alias is not in the LDAP database, see the section Alias Origin Setting.
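The procedure above (OU, ldif import, read-only access for the VCS) as one PowerShell script. This is an added example, not a script from the TANDBERG guide. It assumes a domain-joined administrative host with the ActiveDirectory (RSAT) module, that the H.350 schema extensions (commObject, h323Identity, h235Identity, SIPIdentity) are already installed in the forest, and that DC=example,DC=com and svc-vcs are placeholders you replace with your own base DN and bind-account name.

```powershell
# Added example (not from the TANDBERG guide). Assumptions: ActiveDirectory module
# present, H.350 schema already installed, DC=example,DC=com and svc-vcs are
# placeholders for your own base DN and VCS bind account.
Import-Module ActiveDirectory

$baseDn   = 'DC=example,DC=com'        # assumption: your Active Directory base DN
$ouDn     = "OU=h350,$baseDn"
$ldifPath = Join-Path $env:TEMP 'h350.ldf'

# Step 1: a dedicated OU keeps H.350 objects apart from the rest of the directory.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'h350'" -SearchBase $baseDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'h350' -Path $baseDn
}

# Step 2: the guide's example entry. DC=X is left as written; ldifde rewrites it on import.
$ldif = @"
#MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@X
"@
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -c rewrites every "DC=X" to the real base DN,
# -k continues past "object already exists" errors so the script can be re-run.
ldifde -i -f $ldifPath -c 'DC=X' $baseDn -k
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# Step 3: confirm the entry exists. The password attributes come back as plain
# values: whoever can read this OU can read the endpoint credentials.
Get-ADObject -SearchBase $ouDn -LDAPFilter '(objectClass=commObject)' `
    -Properties commUniqueId, h323IdentitydialedDigits, SIPIdentitySIPURI, h235IdentityPassword |
    Select-Object commUniqueId, h323IdentitydialedDigits, SIPIdentitySIPURI, h235IdentityPassword

# Step 4: least privilege for the VCS bind account. The VCS only needs to read the
# h350 OU, so grant Generic Read (GR) on that OU and its children (/I:T) and nothing else.
$svc = 'svc-vcs'
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$svc'")) {
    New-ADUser -Name $svc -SamAccountName $svc -Enabled $true `
        -AccountPassword (Read-Host -Prompt "Password for $svc" -AsSecureString) `
        -PasswordNeverExpires $true -Description 'VCS LDAP read-only bind account'
}
$netbios = (Get-ADDomain).NetBIOSName
dsacls $ouDn /G "${netbios}\${svc}:GR" /I:T
```

Granting read to the bind account is the easy half. By default Authenticated Users can already read most attributes in a domain, so if the aim is to stop other principals reading h235IdentityPassword and SIPIdentityPassword, those (non-base-schema) attributes also need the confidential flag in the schema (searchFlags bit 0x80) or explicit deny entries on the OU; run dsacls on the OU afterwards to review the effective ACL.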
Securing with TLS
To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:
• Be located in the Local Computer's Personal certificate store. This can be seen using the Certificates MMC.
• Have its private key stored locally. When viewing the certificate you should see the message "You have a private key that corresponds to this certificate".
• Have a private key that does not have strong private key protection enabled. This is an attribute that can be set in the key request; a key with strong protection requires an interactive password prompt, which the LDAP service cannot answer.
• Include the Server Authentication object identifier (1.3.6.1.5.5.7.3.1) in the Enhanced Key Usage extension; again, this forms part of the key request.
• Be issued by a CA that both the domain controller and the client (the VCS) trust.
• Include the Active Directory fully qualified domain name of the domain controller in the common name of the subject field and/or as a DNS entry in the subject alternative name extension.
To configure the VCS to use TLS on the connection to the LDAP server you must upload the CA's certificate as a trusted CA certificate. This can be done on the VCS by navigating to:
• Maintenance > Security.
The VCS should then address the LDAP server by the fully qualified domain name that appears in the certificate, not by IP address, so that the name check on the certificate can succeed.
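A check that the domain controller actually satisfies the certificate requirements listed above, followed by an LDAPS bind that exercises the same validation a client performs. This is an added example, not from the TANDBERG guide; it assumes it is run in an elevated PowerShell session on the domain controller itself, and it does not check the "strong private key protection" item, which is a property of the key container rather than of the certificate.

```powershell
# Added example (not from the TANDBERG guide). Run elevated on the domain controller.
# Checks the certificate requirements for LDAPS, then binds over TLS on port 636
# with normal chain and name validation.
$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # AD FQDN of this DC
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and                                                  # private key held locally
    ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
    ((($c.DnsNameList | ForEach-Object { $_.Unicode }) -contains $dcFqdn) -or  # SAN dNSName or CN
     ($c.Subject -match "(^|,\s*)CN=$([regex]::Escape($dcFqdn))(,|$)")) -and
    $c.NotAfter -gt (Get-Date) -and
    $c.Verify()                                                            # chain builds to a trusted CA
}

if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My meets the LDAPS requirements for $dcFqdn"
} else {
    $usable | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-List
}

# LDAPS bind with default certificate validation. If the chain is untrusted or the
# name does not match, Bind() throws an LdapException, which is what the VCS would see.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    # RootDSE read proves the TLS session carries LDAP traffic end to end.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('defaultNamingContext'))
    $res = $conn.SendRequest($req)
    $ctx = $res.Entries[0].Attributes['defaultNamingContext'].GetValues([string])[0]
    "LDAPS bind to ${dcFqdn}:636 succeeded; defaultNamingContext = $ctx"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "LDAPS bind to ${dcFqdn}:636 failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

If the bind fails here, uploading the CA certificate to the VCS will not help: fix the certificate on the domain controller first (usually a missing Server Authentication EKU, a CN/SAN that does not match the AD FQDN, or a key that was not installed with the certificate), then repeat the check from a host that trusts only the CA you intend to upload to the VCS.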