71
D14049.03
MAY 2008
TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE
Registration Control
Authentication Databases
Authentication using an LDAP Server
If the VCS is using an LDAP server for authentication, the process is as follows:
1. The endpoint presents its user name and authentication credentials (these are generated using its password) to the VCS, and the alias(es) with which it wishes to register.
2. The VCS looks up the username in the LDAP database and obtains the authentication and alias information for that entry.
3. If the authentication credentials match those supplied by the endpoint, the registration will continue.
The VCS will then determine which alias(es) the endpoint will be allowed to attempt to register with, based on the alias origin setting. For H.323 endpoints, you can use this setting to override the aliases presented by the endpoint with those in the H.350 directory, or you can use them in addition to the endpoint's aliases. For SIP endpoints, you can use this setting to reject a registration if the endpoint's AOR does not match that in the LDAP database.
Alias Origin Setting
This setting determines the alias(es) with which the endpoint will attempt to register. The options are as follows:

LDAP
The alias(es) presented by the endpoint will be used as long as they are listed in the LDAP database for the endpoint's username.
• If an endpoint presents an alias that is listed in the LDAP database, it will be registered with that alias.
• If more than one alias is listed in the LDAP database for that username, the endpoint will be registered with only those aliases that it has presented.
• If an endpoint presents an alias that is not in the LDAP database, it will not be registered with that alias.
• If an endpoint presents more than one alias but none are listed in the LDAP database, it will not be allowed to register.
• If no aliases are presented by the endpoint, it will be registered with all the aliases listed in the LDAP database for its username. (This is to allow for MCUs which additively register aliases for conferences, for example the TANDBERG MPS (J4.0 and later) which registers ad-hoc conferences.) (This applies to H.323 only.)
• If no aliases are listed in the LDAP database for the endpoint's username, then the endpoint will be registered with all the aliases it presented.

Combined
The alias(es) presented by the endpoint will be used in addition to any that are listed in the LDAP database for the endpoint's username. In other words, this is the same as for LDAP, with one exception:
• If an endpoint presents an alias that is not in the LDAP database, it will be allowed to register with that alias.

Endpoint
The alias(es) presented by the endpoint will be used; any in the LDAP database will be ignored.
• If no aliases are presented by the endpoint, it will not be allowed to register.
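The alias origin rules above, worked through as an added example in Python (not code from the guide or from the VCS itself). It models the three steps of the LDAP authentication process against a constructed H.350-style directory and assumes plain shared secrets for the credential check; the "no aliases presented" rule is applied as the guide states it for H.323.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample directory: username -> shared secret and H.350 aliases.
DIRECTORY = {
    "room1": {"secret": "s3cret", "aliases": ["room1@example.com", "1001"]},
    "mps":   {"secret": "mps-pw", "aliases": ["4000", "4001", "4002"]},
    "guest": {"secret": "guest",  "aliases": []},   # entry with no aliases
}

MODES = ("LDAP", "Combined", "Endpoint")


@dataclass
class Decision:
    accepted: bool
    aliases: list = field(default_factory=list)
    reason: str = ""


def resolve_aliases(mode, presented, ldap_aliases):
    """Apply the alias origin setting; return the aliases to register, or None to refuse."""
    if mode not in MODES:
        raise ValueError(f"unknown alias origin mode {mode!r}")
    presented = list(dict.fromkeys(presented))      # dedupe, keep order
    if mode == "Endpoint":
        allowed = presented                          # directory aliases ignored
    elif not presented:
        # H.323 rule: an endpoint presenting nothing gets every directory alias
        # (this is what lets an MCU additively register conference aliases).
        allowed = list(ldap_aliases)
    elif mode == "Combined" or not ldap_aliases:
        # Combined: unlisted aliases are allowed. LDAP mode with an empty
        # directory entry: the endpoint keeps everything it presented.
        allowed = presented
    else:
        # LDAP mode: only presented aliases that the directory lists survive.
        allowed = [a for a in presented if a in ldap_aliases]
    return allowed or None                           # nothing left -> refuse


def decide_registration(mode, username, credential, presented, directory=DIRECTORY):
    """Steps 1-3 of the process: look up the user, check credentials, pick aliases."""
    entry = directory.get(username)
    if entry is None:
        return Decision(False, reason="unknown username")
    # Constant-time comparison of the password-derived credential.
    if not hmac.compare_digest(credential, entry["secret"]):
        return Decision(False, reason="credential mismatch")
    aliases = resolve_aliases(mode, presented, entry["aliases"])
    if aliases is None:
        return Decision(False, reason="no permitted aliases")
    return Decision(True, aliases, "registered")
```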
Configuring the LDAP Server Directory
The directory on the LDAP server should be configured to implement the ITU H.350 specification [2] to store credentials for devices with which the VCS communicates. The directory should also be configured with the aliases of endpoints that will register with the VCS.
For instructions on how to configure common LDAP servers, see the Appendix LDAP Configuration.
Securing the LDAP Connection with TLS
The traffic between the VCS and the LDAP server can be encrypted using Transport Layer Security (TLS).
To use TLS:
• LDAP encryption must be set to TLS
• the LDAP server must have a valid certificate installed, verifying its identity
• the VCS must trust the certificate installed on the LDAP server.
For information on how to configure the VCS to trust the certificate installed on the LDAP server, see Security.
Note: TLS can be difficult to configure, so we recommend that you confirm that your LDAP database is working correctly before you attempt to secure the connection with TLS. We also recommend that you use a third party LDAP browser to verify that your LDAP server is correctly configured to use TLS.