TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
D14049.04, JULY 2008
Page 211


LDAP Configuration

Securing with TLS

The connection to the LDAP server can be encrypted by enabling
Transport Layer Security (TLS) on the connection. To do this you
must create an X.509 certificate for the LDAP server to allow
the VCS to verify the server's identity. Once the certificate has
been created you will need to install the following three files
associated with the certificate onto the LDAP server:

- The certificate for the LDAP server.
- The private key for the LDAP server.
- The certificate of the Certificate Authority (CA) that was used
  to sign the LDAP server's certificate.

All three files should be in PEM file format.
The LDAP server must be configured to use the certificate. To do
this:

1. Edit /etc/openldap/slapd.conf and add the following three lines:

TLSCACertificateFile <CA certificate>
TLSCertificateFile <certificate>
TLSCertificateKeyFile <key>

The OpenLDAP daemon (slapd) must be restarted for the TLS
settings to take effect.

To configure the VCS to use TLS on the connection to the LDAP
server you must upload the CA's certificate as a trusted CA
certificate. This can be done on the VCS by navigating to:
Maintenance > Security.

Adding H.350 Objects

Create the Organizational Hierarchy

1. Create an ldif file with the following contents:

# This example creates a single
# organizational unit to contain the H.350
# objects
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350

2. Add the ldif file to the server using the command:

slapadd -l

This organizational unit will form the BaseDN to which the
VCS will issue searches. In this example the BaseDN will be:
ou=h350,dc=my-domain,dc=com.

It is good practice to keep the H.350 directory in its own
organizational unit to separate out H.350 objects from
other types of objects. This allows access controls to be
set up which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.

Add the H.350 Objects

1. Create an ldif file with the following contents:

# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:[email protected]

2. Add the ldif file to the server using the command:

slapadd -l

The example above will add a single endpoint with an H.323 ID
alias of MeetingRoom1, an E.164 alias of 626262 and a SIP URI
of [email protected]. The entry also has H.235 and SIP
credentials of ID meetingroom1 and password mypassword, which
are used during authentication.
H.323 registrations will look for the H.323 and H.235 attributes;
SIP will look for the SIP attributes. Therefore if your endpoint
is registering with just one protocol you do not need to include
elements relating to the other.

For information about what happens when an alias is not
in the LDAP database see the section Alias Origin Setting.

The SIP URI in the ldif file must be prefixed by sip:.