EQUINOX + AADS + LDAP Issue

(OP)
Hello to all,

After setting up AVAYA AURA CORE R8.0.1 + Equinox CONFERENCING + AADS, we try to use automatic configuration using the URL of AADS.

When connecting the Equinox client for Windows, it successfully logged in with the phone service using Windows credentials, but on Equinox services and AMM it returns invalid username and password.

What suggestion do you propose to resolve this issue? Thank you.

RE: EQUINOX + AADS + LDAP Issue

There's a field for unified login that uses the same account for everything.

I'd reckon if you want your LDAP login to work, then your SMGR Identity must be your.name@email.com and you'd need to make sure your AMM LDAP config for 'username' matches the email attribute in AD.

Are you able to log in to everything individually and manually?

RE: EQUINOX + AADS + LDAP Issue

(OP)
Yes, I'm able to log in to everything manually and all services (Phone, EQUINOX MEETING, AMM) are working fine,

but the customer wants to implement Equinox clients automatically with their Windows credentials.

Where can I find the AMM LDAP config for matching the username?

RE: EQUINOX + AADS + LDAP Issue

Are you using a dedicated AMM OVA? I believe at 8.0.1 that AMM is baked into the Presence snap-in now.
I don't think it should change much as far as login.

If you do everything manually, is it your email/windows pw for AMM that works for you? Or is it like userPrincipalName? Like kyle555@tek-tips.com or TEK-TIPS\kyle555?
In the AMM LDAP setup you define what attributes match in AAM like "login name" to an LDAP attribute.

So, if you're using "unified login" with a single LDAP credential - like email address - you'd have to make sure that each service uses the same LDAP attribute.

Just a thought.
What's your AADS autoconfig file look like? ESMSSO enabled?

RE: EQUINOX + AADS + LDAP Issue

(OP)
For the deployment of the AMM service, yes, we are switching to PMM since the AMM OVA doesn't exist anymore.

Manually, I don't need to connect with email or Windows credentials, only with the extension number, for example 2050@domain.com (without any configuration of the LDAP integration), but when moving to unified login (using Windows credentials), the Equinox client can get phone service but there is a warning about Equinox services and Multimedia Messaging (invalid password or username).

So what I need to know is the best practice for the integration: are there some attributes in the LDAP config for each service (Multimedia Messaging and Equinox Meeting) that should be the same as the SMGR user name?

RE: EQUINOX + AADS + LDAP Issue

(OP)
## File Generation Notes
## Avaya Dynamic Configuration Service does not recognize User-Agent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

SET SIP_CONTROLLER_LIST "192.28.9.20:5061;transport=TLS,192.28.9.20:5060;transport=TCP,192.28.9.20:5060;transport=UDP,192.28.9.18:5061;transport=TLS,192.28.9.18:5060;transport=TCP,192.28.9.18:5060;transport=UDP"
SET SIPPROXYSRVR 192.28.9.20
SET SIPPORT 5061
SET SIPSECURE 1
SET SIPENABLED 1
SET SIPDOMAIN domain.com
SET SIPUSERNAME 3030
SET SIPHA1 67de9fdc71ad1bdbce4f49cbe7adb922
SET UNIFIED_PORTAL_SSO 1
SET ESMSSO 1
SET ESG_RESOURCE_URL https://avayawebgateway.domain.com:443/csa/resourc......
SET UNIFIEDPORTALENABLED 1
SET ACSSECURE 1
SET ESMSRVR 192.28.9.30
SET ACSSRVR avayaaads.domain.com
SET ESMPORT 443
SET ACSPORT 443
SET CONFERENCE_PORTAL_URI https://avayawebgateway.domain.com:443/portal
SET ESMENABLED 1
SET ESMSECURE 1
SET ACSENABLED 1
SET CONFERENCE_FQDN_SIP_DIAL_LIST avayawebgateway.domain.com
SET ACSSSO 1
SET LOCKED_PREFERENCES "SIP_CONTROLLER_LIST,SIPPROXYSRVR,SIPPORT,SIPSECURE,SIPENABLED,SIPDOMAIN,SIPUSERNAME,SIPHA1,UNIFIED_PORTAL_SSO,ESMSSO,ESG_RESOURCE_URL,UNIFIEDPORTALENABLED,ACSSECURE,ESMSRVR,ACSSRVR,ESMPORT,ACSPORT,CONFERENCE_PORTAL_URI,ESMENABLED,ESMSECURE,ACSENABLED,CONFERENCE_FQDN_SIP_DIAL_LIST,ACSSSO"
SET OBSCURE_PREFERENCES ""
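
A way to review a generated settings file like the one posted above before handing it to clients, as an added example that is not part of the thread or of any Avaya tool. The sample is constructed (documentation addresses, placeholder digest), and reading SIPHA1 as a SIP digest HA1 value is an assumption.

```python
import shlex

# Constructed sample in the "SET NAME value" format of the posted file;
# addresses are documentation ranges and the SIPHA1 value is a placeholder.
SAMPLE = """\
## File Generation Notes
SET SIP_CONTROLLER_LIST "192.0.2.20:5061;transport=TLS,192.0.2.20:5060;transport=TCP,192.0.2.20:5060;transport=UDP"
SET SIPHA1 00000000000000000000000000000000
SET ESMENABLED 1
SET ESMSSO 1
SET ESMSRVR 192.0.2.30
SET ACSENABLED 1
SET ACSSSO 1
SET LOCKED_PREFERENCES "SIPHA1,ESMSRVR,ESMSSO,ACSSSO,ACSPORT"
SET OBSCURE_PREFERENCES ""
"""

def parse_settings(text):
    """Return {name: value} from SET lines; blank and '#' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the double-quoted values
        if len(parts) >= 2 and parts[0] == "SET":
            settings[parts[1]] = parts[2] if len(parts) > 2 else ""
    return settings

def audit(settings):
    """Return review findings for a parsed settings file."""
    findings = []
    for entry in settings.get("SIP_CONTROLLER_LIST", "").split(","):
        host, _, params = entry.partition(";")
        transport = params.partition("=")[2].upper()
        if transport in ("TCP", "UDP"):  # listed next to TLS, but not encrypted
            findings.append(f"cleartext SIP transport {transport} offered at {host}")
    if "SIPHA1" in settings:  # assumption: a digest HA1, usable like a password
        findings.append("SIPHA1 present: handle this file as a credential")
    for svc in ("ESM", "ACS"):  # service prefixes seen in the posted file
        if settings.get(svc + "ENABLED") == "1" and not settings.get(svc + "SRVR"):
            findings.append(f"{svc} enabled but {svc}SRVR is not set")
    for name in settings.get("LOCKED_PREFERENCES", "").split(","):
        if name and name not in settings:
            findings.append(f"{name} is locked but never set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_settings(SAMPLE))))
```
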

RE: EQUINOX + AADS + LDAP Issue

I haven't done the AADS in PS yet. It would appear that there's a default of "SIP handle + comm profile password" for PS+AMM. PS always was that way.

I think the 'best practice' flies in the face of what us PBX guys do. You get a system to build, maybe with DIDs or an extension range and if you're SIP, they all need SMGR Logins, so you make 555-555-1234@customer.com.

It's a bit tougher to get to first.last@customer.com when you don't know which extensions are going to which people.

If you rejig your account to have XMPP handle for Presence and AMM = email address, I wonder if logging in to AADS with Unified Login with your email+Windows Credentials gets AADS to say "Hey PS and AMM, I authenticated MisterRobot@lab.com!" and then PS and AMM see they have a guy named MisterRobot@lab.com and let you in easily.

I'm guessing 'best practice' probably revolves around SMGR login, SM handle, PS handle all = email address. Maybe you can get away with adding a second XMPP handle atop 2050@domain.com with MisterRobot@domain.com.

RE: EQUINOX + AADS + LDAP Issue

* didn't see your file... reading it now

RE: EQUINOX + AADS + LDAP Issue

Now, are your settings in AADS 'global'? You can set them per LDAP group and per user agent - like, safari on ios gets the iPhone settings which can be specific and different.

https://downloads.avaya.com/css/P8/documents/10104...
ctrl+f ESMSRVR

ESMSRVR = the AMM server it should try to connect to. Maybe it's more a config and less an authentication problem?

RE: EQUINOX + AADS + LDAP Issue

(OP)
The settings are applicable for the LDAP group already.

RE: EQUINOX + AADS + LDAP Issue

If you switch over to manual config, is the AMM server populated? ESMSRVR should be a value provided by AADS.

You can go in the support part of the app and flush the settings to grab em again from AADS.

RE: EQUINOX + AADS + LDAP Issue

There are two distinct methodologies for Equinox client logins

1. Unified Login - allows customer to enter a single login/password value to attach to each service enabled for Unified Login
2. SSO - Kerberos ticketing. End user does not need to provide credentials for services. Requires SPN creation and import or Kerberos ticket into AADS.

Both of these have significant dependencies on exactly how each service is configured and of course the authentication domain used.

Many users do not have the same authentication value as e-mail value and e-mail value may not be configured in the authentication domain.
So did the System Manager/Presence/AMM get configured to use the userPrincipalName value from AD or mail?

I'm also assuming you are not using O365 EWS with MFA which will not work on the current release of Equinox.

While it is in the AADS documentation, you really need to have a strong background in Microsoft AD to catch all the nuances.
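
The dependency described in the post above, checked against directory data before Unified Login is rolled out; this is an added example, not code from the thread or from Avaya. The directory entries are constructed, and the service-to-attribute mapping and the case-insensitive comparison are assumptions to replace with the real configuration.

```python
from collections import defaultdict

# Constructed directory entries, not real accounts.
DIRECTORY = [
    {"sAMAccountName": "kyle555", "userPrincipalName": "kyle555@example.com",
     "mail": "Kyle555@example.com"},
    {"sAMAccountName": "mrobot", "userPrincipalName": "mrobot@corp.example.com",
     "mail": "mister.robot@example.com"},
    {"sAMAccountName": "u2050", "userPrincipalName": "u2050@example.com"},
]

# Hypothetical mapping: the LDAP attribute each service compares the login to.
SERVICE_ATTRIBUTE = {"SMGR": "mail", "Presence": "mail",
                     "AMM": "userPrincipalName"}

def login_values(entry, service_attribute):
    """Group services by the login value each one expects for this user."""
    by_value = defaultdict(list)
    for service, attribute in service_attribute.items():
        # Assumption: services compare logins case-insensitively.
        by_value[entry.get(attribute, "").lower()].append(service)
    return dict(by_value)

def unified_login_gaps(directory, service_attribute):
    """Users for whom no single typed login satisfies every service."""
    gaps = {}
    for entry in directory:
        by_value = login_values(entry, service_attribute)
        if len(by_value) > 1 or "" in by_value:  # differing or missing values
            gaps[entry["sAMAccountName"]] = by_value
    return gaps

def usable_attributes(directory, candidates):
    """Attributes populated for every user and unique across users."""
    usable = []
    for attribute in candidates:
        values = [e.get(attribute, "").lower() for e in directory]
        if all(values) and len(set(values)) == len(values):
            usable.append(attribute)
    return usable

if __name__ == "__main__":
    print(unified_login_gaps(DIRECTORY, SERVICE_ATTRIBUTE))
    print(usable_attributes(DIRECTORY, ["mail", "userPrincipalName"]))
```
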



RE: EQUINOX + AADS + LDAP Issue

(OP)
The issue was resolved by changing the authentication type on PMM (from AVAYA to Enterprise).

Now we have only one issue: the enterprise directory search on the Avaya Equinox client using Unified Login cannot retrieve any contacts. PMM and Equinox Conferencing are working fine with Unified Login; only the search for contacts is unavailable, I don't know why!!

RE: EQUINOX + AADS + LDAP Issue

If you're logged in to AADS, you search AADS. If you ALSO have enterprise directory configured, you'll search that too.

But, AADS will scour SMGR and the LDAP source and consolidate that. It's why your SMGR login names and email addresses and attribute mapping are so important - otherwise AADS won't tie together SMGR+LDAP contacts.

To search the enterprise directory from the Equinox client - to say, your Equinox client hits up an LDAP on 389, you need to configure a user to search the directory - and your syntax for that would be a distinguished name.

Like, CN=kyle555,dc=tek-tips,dc=com and with my LDAP password. Or, some anonymous DN if you allow anonymous binds.

But, why? AADS lets you configure multiple LDAPs, and formerly supported only one for authentication. So, you could have LDAP msAD.customer.com with base DN for authentication as CN=UsersOfEquinox,dc=Users,dc=Tek-tips,dc=com
and add a 2nd directory for searching of msAD.customer.com with base DN dc=users,dc=tek-tips,dc=com and AADS would be the entity that's doing the searching in LDAP.

Be careful - the matching rules are different client side vs AADS side.

So, Equinox matches things it searched from LDAP vs AADS differently than the stuff AADS searches from SMGR and LDAP. If you're not e164 across the board, you'll get weird and double results.

RE: EQUINOX + AADS + LDAP Issue

(OP)
Issue resolved: we created the group AADSUSers in LDAP and applied it to the users, and then set up the User role in the AADS LDAP config. Now the users are able to search for LDAP contacts successfully.


BEST REGARDS
