TANDBERG D14049.04 Network Card User Manual


 
211
D14049.04
JULY 2008
Grey Headline (continued)
TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Introduction Getting Started
Overview and
Status
System
Conguration
VCS
Conguration
Zones and
Neighbors
Call
Processing
Bandwidth
Control
Firewall
Traversal
Appendices
Applications Maintenance
LDAP Conguration
Securing with TLS
The connection to the LDAP server can be encrypted by enabling
Transport Level Security (TLS) on the connection. To do this you
must create an X.509 certicate for the LDAP server to allow
the VCS to verify the server’s identity. Once the certicate has
been created you will need to install the following three les
associated with the certicate onto the LDAP server:
The certicate for the LDAP server.
The private key for the LDAP server.
The certicate of the Certicate Authority (CA) that was used
to sign the LDAP server’s certicate.
All three les should be in PEM le format.
The LDAP server must be congured to use the certicate. To do
this:
Edit 1. /etc/openldap/slapd.conf and add the following
three lines:
TLSCACerticateFile <path to CA certicate>
TLSCerticateFile <path to LDAP server
certicate>
TLSCerticateKeyFile <path to LDAP private
key>
The OpenLDAP daemon (slapd) must be restarted for the TLS
settings to take effect.
To congure the VCS to use TLS on the connection to the LDAP
server you must upload the CA’s certicate as a trusted CA
certicate. This can be done on the VCS by navigating to:
Maintenance > Security.
Adding H.350 Objects
Create the Organizational Hierarchy
Create an 1. ldif le with the following contents:
# This example creates a single
# organizational unit to contain the H.350
# objects
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350
Add the ldif le to the server using the command: 2.
slapadd -l <ldif _ le>
This organizational unit will form the BaseDN to which the
VCS will issue searches. In this example the BaseDN will be:
ou=h350,dc=my-domain,dc=com.
It is good practice to keep the H.350 directory in its own
organizational unit to separate out H.350 objects from
other types of objects. This allows access controls to be
setup which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.
Add the H.350 Objects
Create an 1. ldif le with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-
domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@domain.com
Add the 2. ldif le to the server using the command:
slapadd -l <ldif _ le>
The example above will add a single endpoint with an H.323 ID
alias of MeetingRoom1, an E.164 alias of 626262 and a SIP URI
of MeetingRoom@domain.com. The entry also has H.235 and
SIP credentials of ID meetingroom1 and password mypassword
which are used during authentication.
H.323 registrations will look for the H.323 and H.235 attributes;
SIP will look for the SIP attributes. Therefore if your endpoint
is registering with just one protocol you do not need to include
elements relating to the other.
OpenLDAP
For information about what happens when an alias is not
in the LDAP database see the section
Alias Origin Setting.
!
The SIP URI in the ldif le must be prexed by sip:.