D14049.03
MAY 2008
TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Registration Control
Authentication Databases

Authentication using an LDAP Server

If the VCS is using an LDAP server for authentication, the process is as follows:
1. The endpoint presents its username and authentication credentials (generated using its password) to the VCS, together with the alias(es) with which it wishes to register.
2. The VCS looks up the username in the LDAP database and obtains the authentication and alias information for that entry.
3. If the authentication credentials match those supplied by the endpoint, the registration continues.
The VCS then determines which alias(es) the endpoint will be allowed to attempt to register with, based on the Alias Origin setting. For H.323 endpoints, you can use this setting to override the aliases presented by the endpoint with those in the H.350 directory, or to use the directory aliases in addition to the endpoint's aliases. For SIP endpoints, you can use this setting to reject a registration if the endpoint's AOR does not match that in the LDAP database.

Alias Origin Setting

This setting determines the alias(es) with which the endpoint will attempt to register. The options are as follows:

LDAP

The alias(es) presented by the endpoint will be used as long as they are listed in the LDAP database for the endpoint's username:
- If an endpoint presents an alias that is listed in the LDAP database, it will be registered with that alias.
- If more than one alias is listed in the LDAP database for that username, the endpoint will be registered with only those aliases that it has presented.
- If an endpoint presents an alias that is not in the LDAP database, it will not be registered with that alias.
- If an endpoint presents more than one alias but none are listed in the LDAP database, it will not be allowed to register.
- If no aliases are presented by the endpoint, it will be registered with all the aliases listed in the LDAP database for its username. This allows for MCUs which additively register aliases for conferences, for example the TANDBERG MPS (J4.0 and later), which registers ad-hoc conferences. (This applies to H.323 only.)
- If no aliases are listed in the LDAP database for the endpoint's username, then the endpoint will be registered with all the aliases it presented.

Combined

The alias(es) presented by the endpoint will be used in addition to any that are listed in the LDAP database for the endpoint's username. In other words, this is the same as for LDAP, with one exception:
- If an endpoint presents an alias that is not in the LDAP database, it will be allowed to register with that alias.

Endpoint

The alias(es) presented by the endpoint will be used; any in the LDAP database will be ignored.
- If no aliases are presented by the endpoint, it will not be allowed to register.
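The three Alias Origin rules above, implemented as an added Python example. This is not TANDBERG code and not the VCS's own implementation: a constructed in-memory dictionary stands in for the H.350 LDAP entries, and the credential check is a plain constant-time comparison rather than the H.235 mechanism the VCS uses. Two cases the page does not specify are treated here as a reject and marked as assumptions: a SIP registration that presents no alias, and an H.323 registration that presents no alias while the directory lists none.

```python
# Added example (not TANDBERG code): models the Alias Origin decision
# described above. DIRECTORY and the credential check are simplified
# stand-ins for the H.350 LDAP entry and H.235 credentials of a real VCS.
import hmac
from dataclasses import dataclass, field

# Constructed sample directory, keyed by username. "secret" stands in for
# the credential material an H.350 directory would hold for the device.
DIRECTORY = {
    "alice": {"secret": "alice-pass", "aliases": ["alice@example.com", "1001"]},
    "mcu":   {"secret": "mcu-pass",   "aliases": ["conf-1", "conf-2", "conf-3"]},
    "bob":   {"secret": "bob-pass",   "aliases": []},
}

MODES = ("ldap", "combined", "endpoint")


@dataclass
class Decision:
    accepted: bool
    aliases: list = field(default_factory=list)
    reason: str = ""


def authenticate(username, secret):
    """Steps 2 and 3: look up the user, then compare credentials in constant time.
    Returns the directory entry on success, None on any failure."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["secret"].encode(), secret.encode()):
        return None
    return entry


def choose_aliases(mode, protocol, presented, listed):
    """Apply the Alias Origin setting. Returns (aliases_to_register, reason);
    an empty alias list means the registration is rejected."""
    if mode not in MODES:
        raise ValueError(f"unknown alias origin mode: {mode!r}")
    presented = list(dict.fromkeys(presented))  # de-duplicate, keep order
    listed_set = set(listed)

    if mode == "endpoint":
        if not presented:
            return [], "endpoint mode: no aliases presented"
        return presented, "endpoint mode: directory aliases ignored"

    if not presented:
        # H.323 only: additive registration, e.g. an MCU registering conferences.
        if protocol == "h323" and listed:
            return list(listed), "no aliases presented: using all directory aliases"
        # Assumption: SIP with no AOR, or nothing in the directory, is rejected.
        return [], "no aliases presented and nothing usable in the directory"

    if not listed:
        # Directory lists no aliases for this user: accept everything presented.
        return presented, "directory lists no aliases: using presented aliases"

    if mode == "combined":
        # Same as ldap mode, except aliases absent from the directory are allowed.
        return presented, "combined mode: presented aliases accepted"

    # ldap mode: only the presented aliases that the directory also lists.
    allowed = [a for a in presented if a in listed_set]
    if not allowed:
        # For SIP this is the "AOR does not match the LDAP database" rejection.
        return [], "none of the presented aliases are listed in the directory"
    return allowed, "ldap mode: registered with the presented aliases that are listed"


def register(mode, protocol, username, secret, presented):
    """Full flow: authenticate, then decide which aliases may be registered."""
    entry = authenticate(username, secret)
    if entry is None:
        return Decision(False, [], "authentication failed")
    aliases, reason = choose_aliases(mode, protocol, presented, entry["aliases"])
    return Decision(bool(aliases), aliases, reason)


if __name__ == "__main__":
    for args in [
        ("ldap", "h323", "alice", "alice-pass", ["alice@example.com", "9999"]),
        ("ldap", "sip", "alice", "alice-pass", ["9999"]),
        ("ldap", "h323", "mcu", "mcu-pass", []),
        ("combined", "sip", "alice", "alice-pass", ["9999"]),
        ("endpoint", "h323", "alice", "alice-pass", []),
    ]:
        print(args[0], args[1], args[2], "->", register(*args))
```

The second case is the SIP behaviour the page calls out: in ldap mode an AOR that is not in the directory is rejected outright, whereas in combined mode the same registration is accepted. The third case is the MPS-style additive H.323 registration, where presenting no alias yields every alias the directory lists.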

Conguring the LDAP

Server Directory

The directory on the LDAP
server should be congured
to implement the ITU H.350
specication [2] to store
credentials for devices with
which the VCS communicates.
The directory should also be
congured with the aliases
of endpoints that will register
with the VCS.
For instructions on
how to congure
common LDAP
servers, see the Appendi x
LDAP Conguration.

Securing the LDAP Connection with TLS

The traffic between the VCS and the LDAP server can be encrypted using Transport Layer Security (TLS).
To use TLS:
- LDAP encryption must be set to TLS
- the LDAP server must have a valid certificate installed, verifying its identity
- the VCS must trust the certificate installed on the LDAP server
For information on how to configure the VCS to trust the certificate installed on the LDAP server, see Security.

Note: TLS can be difficult to configure, so we recommend that you confirm that your LDAP database is working correctly before you attempt to secure the connection with TLS. We also recommend that you use a third party LDAP browser to verify that your LDAP server is correctly configured to use TLS.