Discovery 6: Create a Local User Account and Configure LDAP
Introduction
In this lab, you will explore how to create a local user account in Cisco UCM, create a custom credential policy, and
enable LDAP synchronization.
This lab will take approximately 40 minutes to complete.
Topology
Credentials
Usernames and Passwords
Device   IP address   Username        Password
HQ-UCM   10.1.5.5     administrator   C0ll@B
PC-1     10.1.5.200   Student         C0ll@B
Task 1: Create a Local User Account in Cisco UCM
Activity
Step 1
Open Chrome from the PC-1 desktop and navigate to https://10.1.5.5/ccmadmin, accepting any security warnings.
Step 2
Log in with the username Administrator and the password C0ll@B.
Step 3
Select User Management > End User.
Step 4
Click Add New and then use the following information to create a local user account:
User ID: jdoe
Password: C0ll@B
Self-Service User ID: 11001
PIN: 94253
Last name: Doe
First name: John
Display Name: John Doe
User Locale: English, United States
Step 5
The Self-Service User ID is used for self-provisioning phones. Leave all other values as default and click Save.
Step 6
Click Edit Credential next to the Password field.
Step 7
Notice that the Credential Information menu allows the administrator to lock the account, disallow the user from
changing their password, or force the user to change their password at next login. You will also notice that the
Authentication Rule currently has the Default Credential Policy assigned. Select Does Not Expire and click
Save.
Task 2: Create a Custom Credential Policy
If your organization chooses either to use local users or to synchronize users from LDAP without using LDAP
Authentication, then users will be able to set and change their own passwords. A credential policy enables you to
enforce rules on password creation, such as minimum password length and how often passwords must be changed.
Activity
Step 1
Select User Management > User Settings > Credential Policy.
Step 2
Notice the two default Credential Policies (Default Credential Policy and Enhanced Security Credential Policy).
Click the Default Credential Policy.
Step 3
Notice the default settings required for password creation in Cisco UCM. These settings can be changed directly
here, impacting all current and future user accounts, or a new policy can be created using this one as the starting
point. Click Copy.
Step 4
Enter the following information in your new policy, and then click Save.
Display Name: Custom Credential Policy
Failed Logon: 3
Minimum Credential Length: 5
Stored Number of Previous Credentials: 3
Check for Trivial Passwords: Selected
Leave all other values as default
Step 5
Select User Management > End User.
Step 6
Click Find, then click jdoe.
Step 7
Click Edit Credential next to the Password field.
Step 8
Select Custom Credential Policy from the Authentication Rule dropdown menu.
Step 9
Click Save.
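To make the four policy values from Step 4 concrete, here is an added example (my own model, not Cisco UCM code) of how such a policy behaves when it is applied to the jdoe account: it rejects a password that is too short, reused from the stored history, or trivial, and it locks the account after the configured number of failed logons. The trivial-password rules (user ID forwards or backwards, one repeated character, a straight run such as 12345) and the PBKDF2 iteration count are assumptions for the model, not Cisco's documented rule set.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CredentialPolicy:
    """The values entered for Custom Credential Policy in Step 4."""
    failed_logon: int = 3                           # lock the account after this many consecutive failures
    minimum_credential_length: int = 5
    stored_number_of_previous_credentials: int = 3  # recent credentials that may not be reused
    check_for_trivial_passwords: bool = True


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never keeps plaintext; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def is_trivial(candidate: str, user_id: str) -> bool:
    """Simplified stand-in for UCM's trivial-credential check (assumption, not Cisco's exact rules):
    rejects the user ID forwards or reversed, a single repeated character, and a straight
    ascending or descending run such as 12345 or edcba."""
    p, u = candidate.lower(), user_id.lower()
    if p in (u, u[::-1]):
        return True
    if len(set(p)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
    return steps in ({1}, {-1})


class EndUserCredential:
    """One end user's password, its reuse history and its lockout state under a policy."""

    def __init__(self, user_id: str, password: str, policy: CredentialPolicy) -> None:
        self.user_id = user_id
        self.policy = policy
        self.salt = os.urandom(16)
        self.history: list[bytes] = []   # most recent last; the current password is included
        self.failed_attempts = 0
        self.locked = False
        self._store(password)

    def _store(self, password: str) -> None:
        self.current = _digest(password, self.salt)
        self.history.append(self.current)
        self.history = self.history[-self.policy.stored_number_of_previous_credentials:]

    def violations(self, new_password: str) -> list[str]:
        """Reasons a proposed password fails the policy; an empty list means it is acceptable."""
        problems = []
        if len(new_password) < self.policy.minimum_credential_length:
            problems.append("shorter than minimum credential length")
        if _digest(new_password, self.salt) in self.history:
            problems.append("matches one of the stored previous credentials")
        if self.policy.check_for_trivial_passwords and is_trivial(new_password, self.user_id):
            problems.append("trivial password")
        return problems

    def change_password(self, new_password: str) -> list[str]:
        problems = self.violations(new_password)
        if not problems:
            self._store(new_password)
        return problems

    def authenticate(self, attempt: str) -> bool:
        """False once locked, even for the right password, until an administrator unlocks the account."""
        if self.locked:
            return False
        if hmac.compare_digest(_digest(attempt, self.salt), self.current):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.failed_logon:
            self.locked = True
        return False


if __name__ == "__main__":
    jdoe = EndUserCredential("jdoe", "C0ll@B", CredentialPolicy())
    for candidate in ("jdoe", "12345", "C0ll@B", "Spr1ng!7"):
        print(f"{candidate!r}: {jdoe.violations(candidate) or 'accepted'}")
```

Note that the history check compares digests rather than plaintext, so the model can enforce "Stored Number of Previous Credentials" without ever holding the old passwords; the lockout, once triggered, is only cleared by the administrator action shown in Task 1, Step 7.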
Task 3: Associate a Local User Account to an Access Control Group
If you do not associate a user to any access control groups, then that user will not have any access to services
running on Cisco Unified CM.
Activity
Step 1
Click Go next to Related Links: Back to User.
Step 2
Scroll down to the bottom of jdoe’s user account page to the Permission Information section. Notice there are no
groups or roles listed in the two lists. Click Add to Access Control Group.
Step 3
Click Find in the popup window, then select the check box next to the Standard CCM End Users group.
Step 4
Click Add Selected.
Step 5
Notice that the Standard CCM End Users entry is now listed in the group list. There is however still nothing listed
under the Roles list. Click Save.
Step 6
Scroll to the bottom of jdoe’s user account page, and now notice that the roles list contains Standard CCM End
Users and Standard CCMUSER Administration.
Task 4: Enable LDAP Synchronization
Activity
Step 1
Select System > LDAP > LDAP System.
Step 2
Check the Enable Synchronizing from LDAP Server check box. Leave the default settings for LDAP Server Type and
LDAP Attribute for User ID.
Step 3
Click Save.
Step 4
Select System > LDAP > LDAP Directory.
Step 5
Click Add New.
LDAP uses a tree-like format. Each entry is added underneath a 'branch' of an organization. At the top of the tree is
the organization, and underneath it a company may split the organization up in different ways. For example, your
LDAP tree may be broken down by department, by physical location, or by department and then physical location.
The more granular your LDAP tree, the easier it is to apply rights to small groups of users.
When you point Cisco Unified CM at an LDAP server, you point the 'Search Base' at any part of the tree; the
search will begin at that point and work downwards. For example, if you have a folder or branch called IT
and three folders or branches underneath it for three locations, you can point Cisco Unified CM at the folder or branch
called IT and all users in all three locations will be added. The LDAP server in the lab has all users in a single folder
for ease of use.
Navigation is entered into Cisco Unified CM in the format CN= (Common Name, which is essentially the top-level
folder for your search) and DC= (Domain Controller, which is essentially the name of the domain or tree you are
searching). So if I wanted to locate users in the Germany folder under the IT folder, which was under the HR folder
in the Cisco domain, I would type CN=Germany, CN=IT, CN=HR, DC=cisco, DC=com.
Step 6
Use the following information to complete the LDAP Directory page, and then click Save.
LDAP Configuration Name: HQ LDAP 1
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
Confirm Password: C0ll@B
LDAP User Search Base: CN=Users, DC=cll-collab, DC=internal
Perform a Re-sync Every: 6 Hours (6 hours is the most frequent you can set the Re-sync for)
Phone Number: ipPhone
Directory URI: mail
LDAP Server Information: 10.1.5.100
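The search-base explanation above and the Step 6 values, worked through as an added example (my own code, not Cisco's and not part of the lab): a small parser for the DN format typed into the form, a check that an entry lies at or below the search base (the "search starts at that point and works downwards" rule), and a sync routine that turns user objects into UCM-style end-user records using the attribute choices from Step 6 (ipPhone for Phone Number, mail for Directory URI). The directory contents are constructed sample data standing in for the server at 10.1.5.100 (only the jwhite user ID comes from the lab), and sAMAccountName as the default User ID attribute is an assumption about the lab's Active Directory defaults.

```python
RDN = tuple[str, str]


def parse_dn(dn: str) -> list[RDN]:
    """Split a distinguished name as typed into the UCM form, e.g.
    'CN=Users, DC=cll-collab, DC=internal' -> [('CN', 'Users'), ('DC', 'cll-collab'), ('DC', 'internal')].
    Attribute types are normalised to upper case; values keep their case."""
    rdns: list[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def is_under(entry_dn: str, search_base: str) -> bool:
    """True when the entry is at or below the search base: the base's RDNs must be the
    trailing RDNs of the entry. This is why a base of CN=IT picks up every location
    folder beneath IT. Values compare case-insensitively, as in Active Directory."""
    entry, base = parse_dn(entry_dn), parse_dn(search_base)
    if len(base) > len(entry):
        return False

    def fold(rdns: list[RDN]) -> list[RDN]:
        return [(attr, value.lower()) for attr, value in rdns]

    return fold(entry[-len(base):]) == fold(base)


# Constructed sample entries standing in for the lab directory at 10.1.5.100.
# Only the jwhite user ID comes from the lab; every other value here is made up.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane White, CN=Users, DC=cll-collab, DC=internal", "objectClass": ["user"],
     "sAMAccountName": "jwhite", "givenName": "Jane", "sn": "White", "displayName": "Jane White",
     "ipPhone": "5102", "mail": "jwhite@cll-collab.internal"},
    {"dn": "CN=Adam Smith, CN=Users, DC=cll-collab, DC=internal", "objectClass": ["user"],
     "sAMAccountName": "asmith", "givenName": "Adam", "sn": "Smith", "displayName": "Adam Smith",
     "ipPhone": "5103", "mail": "asmith@cll-collab.internal"},
    {"dn": "CN=Domain Users, CN=Users, DC=cll-collab, DC=internal", "objectClass": ["group"],
     "sAMAccountName": "Domain Users"},                       # a group: not an end user
    {"dn": "CN=svc-backup, OU=Service Accounts, DC=cll-collab, DC=internal", "objectClass": ["user"],
     "sAMAccountName": "svc-backup", "givenName": "Backup", "sn": "Service",
     "displayName": "Backup Service", "ipPhone": "", "mail": "svc-backup@cll-collab.internal"},
]


def sync_from_ldap(directory, search_base, *, user_id_attr="sAMAccountName",
                   phone_attr="ipPhone", uri_attr="mail"):
    """Build UCM-style end-user records for every user object under the search base,
    mapping the attributes chosen in Step 6. sAMAccountName as the default User ID
    attribute is an assumption about the lab's Active Directory defaults."""
    users = []
    for entry in directory:
        if "user" not in entry.get("objectClass", []):   # only user objects become end users
            continue
        if not is_under(entry["dn"], search_base):
            continue
        users.append({
            "user_id": entry[user_id_attr],
            "first_name": entry.get("givenName", ""),
            "last_name": entry.get("sn", ""),
            "display_name": entry.get("displayName", ""),
            "telephone_number": entry.get(phone_attr, ""),
            "directory_uri": entry.get(uri_attr, ""),
            "ldap_managed": True,   # identity fields become read-only in UCM after sync (Step 21)
        })
    return users


MIN_RESYNC_HOURS = 6   # Step 6: 6 hours is the most frequent re-sync UCM accepts


def validate_resync_interval(hours: int) -> int:
    if hours < MIN_RESYNC_HOURS:
        raise ValueError(f"re-sync interval must be at least {MIN_RESYNC_HOURS} hours")
    return hours


if __name__ == "__main__":
    base = "CN=Users, DC=cll-collab, DC=internal"
    for user in sync_from_ldap(SAMPLE_DIRECTORY, base):
        print(user["user_id"], user["display_name"], user["telephone_number"], user["directory_uri"])
    print(is_under("CN=Germany, CN=IT, CN=HR, DC=cisco, DC=com", "CN=IT, CN=HR, DC=cisco, DC=com"))
```

Running it shows why the service account in OU=Service Accounts is not imported even though it sits in the same domain: the search base CN=Users only covers entries whose DN ends in that container, so what you leave out of the base is as much a part of the configuration as what you put in.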
Step 7
Notice the two status messages: the first informs you that the Add was successful, and the second notifies you
that for synchronization to work, the Cisco DirSync service needs to be active.
Step 8
Select Cisco Unified Serviceability from the Navigation menu, then click Go.
Step 9
Select Tools > Service Activation.
Step 10
Select the Publisher server from the dropdown menu and click Go.
Step 11
Check the Cisco DirSync service under the Directory Services section.
Step 12
Click Save and confirm that the service has been activated.
Step 13
Select Cisco Unified CM Administration from the Navigation menu, then click Go.
Step 14
Select System > LDAP > LDAP Directory.
Step 15
Click Find, then click HQ LDAP 1.
Step 16
Click Perform Full Sync Now.
Step 17
Click OK on the notification popup. You will now notice that the Perform Full Sync Now button has changed to
Cancel Sync Process.
The Cancel Sync Process button will revert to Perform Full Sync Now once the process has completed.
Step 18
Select User Management > End User.
Step 19
Click Find and confirm that the user accounts have synced from Active Directory. If the user accounts are not
yet listed, wait a few minutes and click Find again. The synchronization process can take up to 5 minutes to
complete.
Step 20
Click the jwhite account.
Step 21
Notice how some fields, such as User ID, First name, Last name, and Display name, cannot be changed, as they
are now controlled in Active Directory.
Step 22
Enter 11002 in the Self-Service User ID field.
Step 23
Scroll down to the section titled Convert User Account. Notice that you can select the checkbox to convert this LDAP
user account into a local user account. This option can be used as a quick way to create the entire database of
user accounts: you could replicate all accounts from LDAP, then convert them all to local accounts to
manage them locally in Cisco UCM. In this lab, DO NOT select this checkbox. If you do make a mistake and
convert the user, delete the user and re-synchronize LDAP.
Step 24
Click Save.
Task 5: Enable LDAP Authentication
LDAP Authentication enables the passwords, and the password policies that govern them, inside the LDAP database to be
used for user access instead of having passwords stored in Cisco Unified CM. If an organization has a central
LDAP server managing credentials for multiple applications, then access to Cisco Unified CM will use the same
credentials. Any change to credentials takes effect immediately rather than waiting the minimum of 6 hours for
Cisco Unified CM to synchronize with the LDAP server.
Activity
Step 1
Select System > LDAP > LDAP Authentication.
Step 2
Check the Use LDAP Authentication for End Users check box.
Step 3
Use the following information to complete the LDAP Authentication page, and then click Save.
LDAP Manager Distinguished Name: Administrator@cll-collab.internal
LDAP Password: C0ll@B
Confirm Password: C0ll@B
LDAP User Search Base: CN=Users, DC=cll-collab, DC=internal
LDAP Server Information: 10.1.5.100
Step 4
Using a different web browser, such as Firefox, navigate to https://10.1.5.5/ccmuser, accepting any security
warnings. Note that we use a different browser so that both the user portal and the Cisco Unified CM administrator
pages stay logged in.
Step 5
Log in using the username jwhite and the password C0ll@B. Notice the message stating that you do not have the required
permissions to access this system.
Step 6
Go back to Cisco Unified CM and select User Management > End User.
Step 7
Click on jwhite.
Step 8
Scroll down to the bottom of jwhite’s user account page to the Permission Information section. Notice there are
no groups or roles listed in the two lists. Click Add to Access Control Group.
Step 9
Click Find in the popup window, then select the check box next to the Standard CCM End Users group.
Step 10
Click Add Selected.
Step 11
Return to Firefox and try to log in as jwhite again. Notice that this time it works, because jwhite now has a role
configured that includes access to the Self Care Portal. If prompted, enter 94253 as jwhite's PIN.