Adding h.350 objects, Create the organizational hierarchy, Add the h.350 objects – TANDBERG Security Camera User Manual
Page 189: Securing with tls, Ldap configuration
189
D14049.03
MAY 2008
Grey Headline (continued)
TANDBERG
VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
LDAP Configuration
Securing with TLS
The connection to the LDAP server can be encrypted by enabling
Transport Level Security (TLS) on the connection. To do this you
must create an X.509 certificate for the LDAP server to allow
the VCS to verify the server’s identity. Once the certificate has
been created you will need to install the following three files
associated with the certificate onto the LDAP server:
The certificate for the LDAP server.
•
The private key for the LDAP server.
•
The certificate of the Certificate Authority (CA) that was used
•
to sign the LDAP server’s certificate.
All three files should be in PEM file format.
The LDAP server must be configured to use the certificate. To do
this:
Edit
1.
/etc/openldap/slapd.conf
and add the following
three lines:
TLSCACertificateFile certificate> key> The OpenLDAP daemon ( slapd ) must be restarted for the TLS settings to take effect. Maintenance > Security. • Adding H.350 Objects Create the Organizational Hierarchy Create an 1. ldif file with the following contents: # This example creates a single # organizational unit to contain the H.350 # objects Add the ldif file to the server using the command: 2. slapadd -l This organizational unit will form the BaseDN to which the ou=h350,dc=my-domain,dc=com . It is good practice to keep the H.350 directory in its own setup which only allow the VCS read access to the BaseDN and Add the H.350 Objects Create an 1. ldif file with the following contents: # MeetingRoom1 endpoint domain,dc=com Add the 2. ldif file to the server using the command: slapadd -l The example above will add a single endpoint with an H.323 ID MeetingRoom1 , an E.164 alias of 626262 and a SIP URI of . The entry also has H.235 and SIP credentials of ID meetingroom1 and password mypassword which are used during authentication. OpenLDAP For information about what happens when an alias is not . ! The SIP URI in the ldif file must be prefixed by sip: .
TLSCertificateFile
TLSCertificateKeyFile
To configure the VCS to use TLS on the connection to the LDAP
server you must upload the CA’s certificate as a trusted CA
certificate. This can be done on the VCS by navigating to:
dn: ou=h350,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: h350
VCS will issue searches. In this example the BaseDN will be:
organizational unit to separate out H.350 objects from
other types of objects. This allows access controls to be
therefore limit access to other sections of the directory.
dn: commUniqueId=comm1,ou=h350,dc=my-
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:[email protected]
alias of
H.323 registrations will look for the H.323 and H.235 attributes;
SIP will look for the SIP attributes. Therefore if your endpoint
is registering with just one protocol you do not need to include
elements relating to the other.
in the LDAP database see the section