D14049.04
JULY 2008
TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Registration Control
Authentication Databases
Authentication using an LDAP Server
If the VCS is using an LDAP server for authentication, the process is as follows:
1. The endpoint presents its username and authentication credentials (these are generated using its password) to the VCS, together with the alias(es) with which it wishes to register.
2. The VCS looks up the username in the LDAP database and obtains the authentication and alias information for that entry.
3. If the authentication credentials match those supplied by the endpoint, the registration will continue.
The VCS will then determine which alias(es) the endpoint will be allowed to attempt to register with, based on the alias origin setting. For H.323 endpoints, you can use this setting to override the aliases presented by the endpoint with those in the H.350 directory, or you can use them in addition to the endpoint's aliases. For SIP endpoints, you can use this setting to reject a registration if the endpoint's AOR does not match that in the LDAP database.
Alias Origin Setting
This setting determines the alias(es) with which the endpoint will attempt to register. The options are as follows:
LDAP
The alias(es) presented by the endpoint will be used as long as they are listed in the LDAP database for the endpoint's username.
• If an endpoint presents an alias that is listed in the LDAP database, it will be registered with that alias.
• If more than one alias is listed in the LDAP database for that username, the endpoint will be registered with only those aliases that it has presented.
• If an endpoint presents an alias that is not in the LDAP database, it will not be registered with that alias.
• If an endpoint presents more than one alias but none are listed in the LDAP database, it will not be allowed to register.
• If no aliases are presented by the endpoint, it will be registered with all the aliases listed in the LDAP database for its username. (This is to allow for MCUs which additively register aliases for conferences, for example the TANDBERG MPS (J4.0 and later) which registers ad-hoc conferences.) (This applies to H.323 only.)
• If no aliases are listed in the LDAP database for the endpoint's username, then the endpoint will be registered with all the aliases it presented.
Combined
The alias(es) presented by the endpoint will be used in addition to any that are listed in the LDAP database for the endpoint's username. In other words, this is the same as for LDAP, with one exception:
• If an endpoint presents an alias that is not in the LDAP database, it will be allowed to register with that alias.
Endpoint
The alias(es) presented by the endpoint will be used; any in the LDAP database will be ignored.
• If no aliases are presented by the endpoint, it will not be allowed to register.
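The alias origin rules above form a small decision procedure. The following Python function is an added illustration of those rules (not VCS code); the "nothing presented" fallback is modelled for H.323 only, as the guide states, and the behaviour for an empty request with no H.323 fallback is an assumption marked in the comments.

```python
from enum import Enum
from typing import Iterable, List


class AliasOrigin(Enum):
    """The three values of the VCS alias origin setting."""
    LDAP = "ldap"
    COMBINED = "combined"
    ENDPOINT = "endpoint"


class RegistrationRejected(Exception):
    """Raised where the guide says the endpoint is not allowed to register."""


def resolve_aliases(presented: Iterable[str], ldap_aliases: Iterable[str],
                    origin: AliasOrigin, h323: bool = True) -> List[str]:
    """Return the aliases the endpoint may register with.

    presented    - aliases carried in the endpoint's registration request
    ldap_aliases - aliases stored in the H.350 entry for the username
    origin       - the alias origin setting (LDAP, Combined or Endpoint)
    h323         - True for H.323; the "nothing presented -> all LDAP
                   aliases" rule is documented for H.323 only
    """
    presented = list(dict.fromkeys(presented))  # de-duplicate, keep order
    ldap_set = set(ldap_aliases)

    if origin is AliasOrigin.ENDPOINT:
        # Directory aliases are ignored; an empty request is refused.
        if not presented:
            raise RegistrationRejected("Endpoint mode: no aliases presented")
        return presented

    if not presented:
        # LDAP/Combined: nothing presented -> every directory alias (H.323 only).
        # Assumption: SIP, or an empty directory entry, is rejected here.
        if h323 and ldap_set:
            return sorted(ldap_set)
        raise RegistrationRejected("no aliases presented")

    if not ldap_set or origin is AliasOrigin.COMBINED:
        # Empty directory entry: accept all presented aliases (both modes).
        # Combined additionally accepts presented aliases absent from LDAP.
        return presented

    # LDAP mode: keep only presented aliases the directory lists; none -> reject.
    allowed = [a for a in presented if a in ldap_set]
    if not allowed:
        raise RegistrationRejected("none of the presented aliases is in LDAP")
    return allowed
```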
Configuring the LDAP Server Directory
The directory on the LDAP server should be configured to implement the ITU H.350 specification [2] to store credentials for devices with which the VCS communicates. The directory should also be configured with the aliases of endpoints that will register with the VCS.
For instructions on how to configure common LDAP servers, see the Appendix LDAP Configuration.
Securing the LDAP Connection with TLS
The traffic between the VCS and the LDAP server can be encrypted using Transport Layer Security (TLS).
To use TLS:
• LDAP Encryption must be set to TLS.
• The LDAP server must have a valid certificate installed, verifying its identity.
• The VCS must trust the certificate installed on the LDAP server.
For information on how to configure the VCS to trust the certificate installed on the LDAP server, see the Security section.
TLS can be difficult to configure, so we recommend that you confirm that your LDAP database is working correctly before you attempt to secure the connection with TLS. We also recommend that you use a third party LDAP browser to verify that your LDAP server is correctly configured to use TLS.