Retrieving Information from Active Directory
The Oracle Enterprise Communications Broker performs SIP Digest authentication against users attempting to register. It can use pre-configured information from Active Directory to perform this authentication. It retrieves the information it needs from Active Directory with standard LDAP operations, which offloads the processing from other resources to the Communications Broker.
The Communications Broker can obtain registration authentication information directly from Active Directory when you modify the Active Directory schema to include the Oracle-specific attributes and object classes that the Communications Broker needs to authenticate users.
LDAP and Authentication
Lightweight Directory Access Protocol (LDAP) is the protocol that the Communications Broker uses to query the enterprise's Active Directory to validate registration attempts in the enterprise network. Requests and responses are sent and received according to the Communications Broker's LDAP configuration. The Communications Broker's LDAP client queries an LDAP server, usually Active Directory, for the password information of a user attempting to register. This request and response process verifies that the user is permitted to reach the registration servers (authorization) and that the user is who they claim to be (authentication). Once both stages complete successfully, the Communications Broker registers the user.
The Communications Broker, using LDAP, performs the following on a registration attempt:
- Creates an LDAP search filter based on the dialed number and the configured LDAP attributes.
- Sends an LDAP search query to the configured LDAP server.
You configure the LDAP servers and filters on the Communications Broker.
The Communications Broker keeps a permanent LDAP session open to all configured call servers and sends an LDAP bind request on each established connection to those servers. The first call server is considered the primary LDAP server, and all others are secondary LDAP servers. If a query sent to the primary server fails, the Communications Broker sends the request to the next configured LDAP server, continuing until a request receives a response. If the Communications Broker receives no response, it replies to the registering endpoint with a (401? authentication failure?).
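The registration flow above (build a search filter from the number, query the servers in order with failover, verify the SIP Digest response against the stored hash) as an added worked example; this is not Oracle ECB code. The directory contents, the server list and the attribute names `telephoneNumber`, `sipDigestUser` and `sipDigestHash` are constructed for the example; the real attribute names come from the broker's SIP Authentication configuration.

```python
import hashlib
import hmac

def md5hex(s):
    # SIP Digest (RFC 3261 / RFC 2617) uses MD5 for HA1, HA2 and the response.
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); this is what a digest-hash attribute holds."""
    return md5hex(f"{user}:{realm}:{password}")

# Constructed directory: keyed by the LDAP filter a query would use, each entry
# holding the two attributes the broker reads (username and digest hash).
DIRECTORY = {
    "(telephoneNumber=5551234)": {"sipDigestUser": "alice",
                                  "sipDigestHash": ha1("alice", "example.com", "s3cret")},
}
# Primary server first, then secondaries; None stands for a server that never answers.
SERVERS = [None, DIRECTORY]

def ldap_filter(attr, value):
    """Equality filter with RFC 4515 escaping, so a value copied from the
    request cannot alter the filter's structure."""
    esc = "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)
    return f"({attr}={esc})"

def lookup(filt, servers=SERVERS):
    """Query servers in order, moving on when one gives no response.
    Returns (answered, entry); entry is None when the server answered with no match."""
    for server in servers:
        if server is None:
            continue                    # no response: try the next configured server
        return True, server.get(filt)
    return False, None

def digest_response(ha1_value, method, uri, nonce):
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{ha2}")

def authenticate(number, username, method, uri, nonce, response, servers=SERVERS):
    """Outcome of a REGISTER attempt: 'registered', 'unauthorized' (unknown number,
    username mismatch or wrong response) or 'no-response' (no server answered)."""
    answered, entry = lookup(ldap_filter("telephoneNumber", number), servers)
    if not answered:
        return "no-response"
    if entry is None or entry["sipDigestUser"] != username:
        return "unauthorized"
    expected = digest_response(entry["sipDigestHash"], method, uri, nonce)
    return "registered" if hmac.compare_digest(expected, response) else "unauthorized"
```

Because only HA1 is compared, the directory never has to release the clear-text password to the broker, which is the point of storing a digest hash attribute rather than the password itself.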
Configuring LDAP for Authentication
LDAP is the protocol that Active Directory uses for general interaction between an LDAP client and an LDAP server. You can configure the LDAP server(s) in your network, and set the filters and the local policy that the LDAP server uses when handling inbound Lync and PBX calls in the Enterprise core network.
You can use the following objects in the Web GUI to configure LDAP:
- LDAP Config—Configures the LDAP functionality on the Oracle Enterprise Communications Broker (i.e., name, state, LDAP servers, realm, authentication mode, username, password, LDAP search filters, timeout limits, request timeouts, TCP keepalive, LDAP security type, LDAP TLS profile, and LDAP transactions).
- SIP Authentication—Configures the Active Directory attribute names for the Oracle Enterprise Communications Broker's query-digest-username-attribute and digest-hash-attribute fields. These fields specify where the Oracle Enterprise Communications Broker verifies authentication attempts.
See the section on Active Directory and Oracle ECM Routing for important information about:
- LDAP messages
- LDAP failure events
- Communications Broker limitations using LDAP
That information applies equally to the authentication functionality explained here.