Cisco TelePresence Video Communication Server Expressway
Appendix 3: Example Active Directory Structure
The diagram below shows an example Active Directory tree structure for corporation.int:
Part of the VCS configuration required for connecting to an LDAP server includes the specification of a set of
distinguished names (DNs). DNs comprise the following elements:
■ cn – common name (leaves of the tree; usually, but see Note below)
■ ou – organizational unit (branches)
■ dc – domain content (top of tree)
These elements are listed in a single line as comma separated values. No space should be placed immediately before
or immediately after the comma, but spaces are valid within the common names, organizational unit names and
domain content names.
Using this example Active Directory structure you would define the VCS Bind DN as:
cn=vcs,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=int
To support region 1 staff, the Base DN for accounts would be:
ou=region1,ou=useraccounts,dc=corporation,dc=int
To support worldwide staff, the Base DN for accounts would be:
ou=useraccounts,dc=corporation,dc=int
The Base DN for groups would be:
ou=groups,dc=corporation,dc=int
Note:
■ Depending on how the database was initially set up, sometimes cn= is not reserved just for the ‘leaves’. For example, by default Microsoft AD databases have the Users in a ‘container’ (cn=), not an organizational unit (ou=). When configuring the VCS Bind DN and Base DN fields in VCS, it is important to use the same dc, ou, cn tags and use them in the same order as specified in the database.
■ The VCS Bind DN is the directory structure to and including the object that specifies the account (in AD terminology the Active Directory “user” object). The account name used to log in to the VCS and the account name used for SASL is the sAMAccountName; Security Access Manager Account Name (in AD the account’s user logon name).
■ The Base DN for accounts and Base DN for groups must be at or below the dc level (include all dc= values and maybe ou= values too). Having a base DN of dc=int is not supported.
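The DN rules above (comma-separated elements, no whitespace next to the separating commas, a Base DN that carries the full dc= suffix, and a Bind DN that sits under the accounts Base DN) can be checked before the values are typed into VCS. The following is an added example written for this appendix, not Cisco's own code; it uses the corporation.int DNs from the example tree and assumes backslash-escaped commas inside a value (RFC 4514 style) should not be treated as separators.

```python
import re

# DNs from the appendix's example tree (constructed test values).
BIND_DN = "cn=vcs,ou=systems,ou=region1,ou=useraccounts,dc=corporation,dc=int"
DOMAIN_DN = "dc=corporation,dc=int"


def parse_dn(dn):
    """Split a DN into (attr, value) pairs, leaf first, domain last.

    Raises ValueError for the formatting mistakes the guide warns about:
    whitespace immediately before or after a separating comma, or an
    element that is not attr=value.  A comma escaped with a backslash is
    kept as part of the value rather than treated as a separator.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        if part != part.strip():
            raise ValueError(f"space next to a comma in {part!r}")
        attr, sep, value = part.partition('=')
        if not sep or not attr or not value:
            raise ValueError(f"malformed element {part!r}")
        rdns.append((attr.lower(), value))   # tags compared case-insensitively
    return rdns


def domain_suffix(rdns):
    """Return the trailing dc= components (the domain part of the tree)."""
    dcs = []
    for attr, value in reversed(rdns):
        if attr != 'dc':
            break
        dcs.append((attr, value))
    return list(reversed(dcs))


def check_base_dn(base_dn, domain_dn=DOMAIN_DN):
    """True if base_dn is at or below the full domain level.

    A Base DN of dc=int alone, or any DN whose dc= tail is not exactly the
    domain's dc= components, is rejected, as the guide states.
    """
    return domain_suffix(parse_dn(base_dn)) == parse_dn(domain_dn)


def bind_dn_under_base(bind_dn, base_dn):
    """True if the Bind DN's account object lies under the accounts Base DN."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    return len(bind) > len(base) and bind[-len(base):] == base
```

check_base_dn rejects dc=int and bind_dn_under_base confirms that the vcs account is reachable from both the region 1 and the worldwide accounts Base DN, but not from the groups Base DN.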
Authenticating Cisco VCS Accounts Using LDAP Deployment Guide