beautypg.com

Adding h.350 objects, Create the organizational hierarchy, Add the h.350 objects – TANDBERG Security Camera User Manual

Page 187: Securing with tls, Ldap configuration

background image

187

D14049.03
MAY 2008

Grey Headline (continued)

TANDBERG

VIDEO COMMUNICATIONS SERVER

ADMINISTRATOR GUIDE

Introduction

Getting Started

Overview and

Status

System

Configuration

VCS

Configuration

Zones and

Neighbors

Call

Processing

Bandwidth

Control

Firewall

Traversal

Maintenance

Appendices

LDAP Configuration

Microsoft Active Directory

Securing with TLS

To enable Active Directory to use TLS, you must request and
install a certificate on the Active Directory server. The certificate
must meet the following requirements:

Be located in the Local Computer’s Personal certificate store.

This can be seen using the

Certificates

MMC snap-in.

Have the private details on how to obtain a key associated

for use with it stored locally. When viewing the certificate you
should see a message saying “You have a private key that
corresponds to this certificate’’.
Have a private key that does not have strong private key

protection enabled. This is an attribute that can be added to
a key request.
The Enhanced Key Usage extension includes the Server

Authentication object identifier, again this forms part of the
key request.
Issued by a CA that both the domain controller and the client

trust.
Include the Active Directory fully qualified domain name of

the domain controller in the common name in the subject
field and/or the DNS entry in the subject alternative name
extension.

To configure the VCS to use TLS on the connection to the LDAP
server you must upload the CA’s certificate as a trusted CA
certificate. This can be done on the VCS by navigating to:

Maintenance > Security.

Adding H.350 Objects

Create the Organizational Hierarchy

Open up the Active Directory

1.

Users and Computers

MMC

snap-in.
Under your BaseDN right-click and select

2.

New Organizational

Unit.

Create an Organizational unit called

3.

h350

.

It is good practice to keep the H.350 directory in its own
organizational unit to separate out H.350 objects from
other types of objects. This allows access controls to be

setup which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.

Add the H.350 Objects

Create an

1.

ldif

file with the following contents:

# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@X

Add the ldif file to the server using the command:

2.

ldifde -i -c DC=X -f filename.ldf

where:

is the base DN of your Active Directory

Server.

The example above will add a single endpoint with an H.323
ID alias of

MeetingRoom1

,

an E.164 alias of

626262

and a

SIP URI of

MeetingRoom@X

The entry also has H.235 and SIP

credentials of ID

meetingroom1

and password

mypassword

which are used during authentication.
H.323 registrations will look for the H.323 and H.235 attributes;
SIP will look for the SIP attributes. Therefore if your endpoint
is registering with just one protocol you do not need to include
elements relating to the other.

!

The SIP URI in the

ldif

file must be prefixed by

sip:

.

For information about what happens when an alias is not
in the LDAP database see the section

Alias Origin Setting

.