Fuze Meeting LDAP Authentication

Overview
The Fuze Meeting LDAP Authentication Service runs on the customer's premises, where it has connectivity to the enterprise Active Directory (AD) infrastructure. It works by performing a simple bind with the customer's credentials and passes or fails the authentication attempt accordingly. When an enterprise customer is provisioned to use LDAP, authentication requests for that domain are routed to the Fuze Meeting LDAP Authentication Service, which is usually deployed behind the corporate firewall. The service can be configured to authenticate users from one or more AD domains, and it can be restricted to authenticate only users from certain AD groups.

Along with the Fuze Meeting LDAP Authentication Service we provide an administration tool, LDAP Authentication Manager (LAM), which helps with configuring the authentication service. Its only purpose is to generate the LDAP portion of the service's configuration file, which resides in the /opt/wmp/current/conf/ folder on the machine where the service is installed. Changes to ldapauthentication.ini in that folder require restarting the LdapAuthentication service.

The Fuze Meeting LDAP Authentication Service, the LAM administration tool and the advanced configuration settings are described below. Follow these steps to allow users from the corporate Active Directory (AD) to access the Fuze Meeting service:

1. Enable a domain for AD authentication.
2. Select groups of users to authenticate (optional step).
3. Make the configuration changes and restart the Fuze Meeting authentication service.

7/18/2011

FuzeBox, Inc.

LDAP Authentication Manager

The LDAP Authentication Manager (LAM) is used to configure the Fuze Meeting LDAP Authentication Service to authenticate with Active Directory user accounts. A user is considered successfully authenticated against the Active Directory server when the user:

- is found on the Active Directory server
- has provided the same password as the one stored in the Active Directory server
- is a member of at least one allowed authentication group, or everyone in the domain is allowed to be authenticated

It is good practice to create one or more groups in Active Directory and to make all users that have the right to log in to the Fuze Meeting service members of these groups. The authentication service can authenticate users against more than one Active Directory server. Three login name formats are supported:

- NetBIOS style: DOMAIN\user
- DNS style: user@domain.com
- SIP URI: user@lcs.domain.com


Step-by-step Configuration
1. Open LDAP Authentication Manager (LAM).

2. Add a domain to the Domains list by pressing the Add Domain button or from the context menu in the domains list window. A dialog box will open. Enter the domain, AD server port, domain admin account and password. Double-click an existing domain entry in order to edit it. To delete a domain entry, select it and press <Delete>.

3. Select a domain in the list and click <Connect>. LAM will connect to the selected domain and populate the domain tree in the bottom right window.


4. In the Selected Domain window, pick the groups that you want to authenticate by clicking their checkboxes. The selected groups will appear in the top right window, the Authenticated User Groups list.


To delete a group in the Authenticated User Groups window, select it and press <Delete>. To keep it in the list but disable authentication for it, uncheck the box in front of its name.

5. Press the <Apply Changes> button to save all modifications to the authentication.ini file.

When you have applied changes that require a restart of the Fuze Meeting Authentication service, you will see a message reminding you to do so. The <Reset Changes> button restores the settings to the state after the last <Apply Changes>.


Configuration Files
LDAP Authentication Manager uses two configuration files, LdapAuthAdmin.ini and authentication.ini. The first one is used to configure LAM itself; LAM reads it at start-up and treats it as a read-only file, so it is changed manually. The second one is the configuration file for the Fuze Meeting LDAP Authentication Service. It can be modified manually, but the recommended way is through the LAM tool. After modifications are applied by pressing <Apply Changes>, LAM saves them under the [LDAP] section of the authentication.ini file. LAM and the two configuration files are located in the LAM tool installation folder. Below you will find a short description of the configuration settings that the corporate administrator may touch.

LdapAuthAdmin.ini file:

FirstIniFile
    File name of the first target configuration file. This key is mandatory. The tool reads the database connection settings from this file and writes the [LDAP] section settings into it.

SelectContainers
    Controls selecting containers (not only groups) in the domain tree view window. Possible values: YES, NO. Default value: NO (should stay this way).


Authentication.ini file:

ServerY
    Domain name in DNS style of domain Y. Example: ServerA=FuzeBox.bg

PortY
    Port. Usually it is 389. Example: PortA=389

NameY
    Login account for domain Y. Example: NameA=administrator

PassY
    Account password in encrypted form. Example: PassA=TYGVOPAS

PathYX
    Distinguished name of a selected group. Example:
    PathA0=CN=test1,CN=Users,DC=FuzeBox,DC=bg
    PathA1=CN=test2,CN=Users,DC=FuzeBox,DC=bg

Example [LDAP] section of authentication.ini with two domains configured:

    [LDAP]
    AccA=
    NameA=administrator
    PassA=GHDEETMNB
    ServerA=domain1.com
    PortA=389
    PathA0=CN=test,CN=Users,DC=domain1,DC=com
    ProxyA0=LCS,msRTCSIP-PrimaryUserAddress
    ProxyA1=RM,msRTCSIP-PrimaryUserAddress
    AccB=
    NameB=admin
    PassB=POTVBNMTR
    ServerB=domain2.com
    PortB=389
    PathB0=CN=ldap0,CN=Users,DC=domain2,DC=com
    PathB1=CN=ldap1,CN=Users,DC=domain2,DC=com
    PathB2=CN=ldap2,OU=Office,DC=domain2,DC=com
    ProxyB0=LCS,msRTCSIP-PrimaryUserAddress
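As an added example that is not part of this manual or of the FuzeBox product, the following Python script parses the [LDAP] section into one record per domain letter Y, flags domains that have no PathYX group restriction (so everyone in the domain is allowed, as the authentication rules above state) or that are configured on plain LDAP port 389, and maps DNS-style and SIP URI logins to the configured domain. The sample section is constructed; the AccY and ProxyYX keys, which the manual does not describe, are ignored.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample modelled on the [LDAP] section shown in this manual.
SAMPLE_INI = """[LDAP]
NameA=administrator
PassA=GHDEETMNB
ServerA=domain1.com
PortA=389
PathA0=CN=test,CN=Users,DC=domain1,DC=com
ServerB=domain2.com
PortB=636
"""
KEY_RE = re.compile(r"^(Name|Pass|Server|Port|Path)([A-Z])(\d*)$")

def parse_ldap_section(text):
    """Group the flat NameY/PassY/ServerY/PortY/PathYX keys into one dict per domain letter Y."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the domain-letter suffix survives
    cp.read_string(text)
    domains = defaultdict(lambda: {"paths": []})
    for key, value in cp["LDAP"].items():
        m = KEY_RE.match(key)
        if not m:
            continue  # AccY and ProxyYX keys are not described in the manual; ignore them
        kind, letter, _ = m.groups()
        if kind == "Path":
            domains[letter]["paths"].append(value)
        else:
            domains[letter][kind.lower()] = value
    return dict(domains)

def audit(domains):
    """Findings an administrator should check before restarting the service."""
    findings = []
    for letter, d in sorted(domains.items()):
        if not d["paths"]:
            findings.append(f"{letter}: no Path{letter}X keys, so everyone in {d.get('server', '?')} is allowed")
        if d.get("port") == "389":
            findings.append(f"{letter}: port 389 is plain LDAP; confirm the simple bind is TLS protected")
    return findings

def resolve_domain(login, domains):
    """Map a DNS-style (user@domain.com) or SIP URI (user@lcs.domain.com) login to its domain letter; NetBIOS logins return None."""
    suffix = login.rsplit("@", 1)[1].lower() if "@" in login else ""
    for letter, d in sorted(domains.items()):
        server = d.get("server", "").lower()
        if suffix and (suffix == server or suffix.endswith("." + server)):
            return letter
    return None
```

NetBIOS-style logins (DOMAIN\user) cannot be mapped from the ini alone, because the file carries only the DNS domain name, so the resolver returns None for them.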
