[cisco-voip] LDAP Authentication when CUCM publisher is down.
Hi All,

CUCM 10.5

Just trying to get some confirmation. When LDAP Synchronization and authentication is enabled this is performed by the DirSync process that only runs on the CUCM Publisher. So if we lose the CUCM Publisher for whatever reason it would seem that the Authentication also fails due to the single point of failure of DirSync.

Should LDAP authentication still work if the CUCM Publisher is still down? So for LDAP users this would stop them signing in to Jabber clients and UCCX agents who are ldap’ed synced logging into the Finesse webpages.

Does anyone know if SSO is resilient on the CUCM publisher or would SSO still work in a Publisher outage?

Regards
Matthew Collins

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
This has been our experience as well. Glad you started this thread. It seems like a huge single point of failure to me for such an integral part of the process.

I suspect hunt group login would also be affected.

Sent from my iPhone

On Jul 6, 2015, at 5:02 AM, Matthew Collins mcoll...@block.co.uk wrote:
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
You are correct about LDAP Authentication, needs the publisher to be up. I think SAML SSO is just CUCM and CUIMP and it rides on top of LDAP synchronization but I could be wrong because I don't play with SAML SSO that often.

Thanks,
Ryan

Original Message
From: Matthew Collins mcoll...@block.co.uk
Sent: Monday, July 6, 2015 05:03 AM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] LDAP Authentication when CUCM publisher is down.
[cisco-voip] Hosted WebEx and ADFS
We have been running WebEx hosted in the cloud for years and doing SSO using ADFS. We are needing to front end our ADFS environment with a Proxy and when we enable the Proxy our WebEx environment no longer can authenticate our users.

Has anyone successfully configured your WebEx environment using a Proxy with ADFS and if so what changes or configuration did you have to make with the WebEx site to get it functioning properly?

Keith Dahl
Director Network Technologies
Colorado Community College System
1059 Alton Way – Bldg 758
Denver, CO 80230
(720) 858-2856
keith.d...@cccs.edu
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
My suspicion is it has to do with controlling the number of queries being issued and from where or perhaps and more specifically, tracking the failover itself. Once the failover occurred, the identity of the cucm-side ldap sync would change and AD servers might not handle that gracefully. I don't see why not but in a trusted-cert/LDAPS scenario it might have issues?

Still seems like there could be a stateful token or something that could be passed around to whatever the active ldap sync node happens to be.

Thanks,
Ryan

Original Message
From: Lelio Fulgenzi le...@uoguelph.ca
Sent: Monday, July 6, 2015 09:16 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
LDAP authentication is used by Tomcat and isn’t just restricted to the Publisher server - Subscriber nodes handle this as well. DirSync is specific to synchronization of LDAP attributes and only runs on the Pub, so synchronization would definitely be affected if the Publisher is offline. I suggest to check out the Tomcat Security logs off CUCM for more info on user authentication against LDAP and your source of failure.

So to answer your question, LDAP authentication should still work when the Publisher is offline. For the UCCX agent concern, authentication of agents occurs over AXL to CUCM, so if the AXL server is the Publisher, and that’s offline or experiencing issue w/ Tomcat during an authentication attempt by the UCCX agent, then I would imagine seeing a failure. AXL and Tomcat Security logs off the UCM side should shed some light on that problem.

As for SSO, I checked w/ my teammate and, in his experience, SSO can be handled by Subscriber nodes assuming the metadata was imported to those servers - authentication occurs against the IdP and not CUCM so this seems logical to me as well.

Hope this helps.

- Dan

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Monday, July 06, 2015 9:16 AM
To: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
So, would it make sense to run it on a sub as well since the DB replicates within the cluster? Just a thought.

I apologize for any typos!

Sent from my iPhone

On Jul 6, 2015, at 9:28 AM, Ryan Huff ryanh...@outlook.com wrote:
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
FYI - Just ran a quick test in a lab environment - LDAP user authentication against a Subscriber node while the Publisher’s network adapter is disconnected. Works as expected. Also running CUCM 10.5 but this (DirSync Synchronization vs. Tomcat Security authentication) also applies going back to 7.x as far as I recall.

Hope this helps

- Dan

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Daniel Pagan
Sent: Monday, July 06, 2015 9:45 AM
To: Lelio Fulgenzi; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
“LDAP authentication should still work when the Publisher is offline”

This is not my experience.

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Daniel Pagan
Sent: Monday, July 6, 2015 9:45 AM
To: Lelio Fulgenzi; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
[cisco-voip] Cisco 8841/51 not sending DTMF...
We have a site with new Cisco 8841 and 51 phones (CUCM 10.5.2), running 10.2.2.16, and they are not sending DTMF externally... or internally to voicemail.

An IP Communicator does send DTMF without issue.

Any known issues with these new phones?

Jonathan
Re: [cisco-voip] Cisco 8841/51 not sending DTMF...
Are you sip to cuc and the pstn? If so, what is your dtmf support in your trunks?

Thanks,
Ryan

Original Message
From: Jonathan Charles jonv...@gmail.com
Sent: Monday, July 6, 2015 04:11 PM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] Cisco 8841/51 not sending DTMF...
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
I'll be interested to hear your results if you try! I'm not sure that an ACL would do the trick though, probably would just show up in the traces as a time out. You'd probably have to stop the tomcat service on the pub (something to tell the cluster not to try and use the PUB as a bind source), which is pretty destructive on the pub in a working production environment (disclaimer: I do not advocate you do that).

Subject: Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
From: le...@uoguelph.ca
Date: Mon, 6 Jul 2015 10:12:53 -0400
To: ryanh...@outlook.com
CC: dpa...@fidelus.com; cisco-voip@puck.nether.net

On Jul 6, 2015, at 10:04 AM, Ryan Huff ryanh...@outlook.com wrote:

Hi Dan!

Thanks for the clarification/correction.

I just happen to have a few 3-node clusters hanging around and I just tried this 5 times in a mix of 9.1.1, 10.0 and 10.5 and here is what I found:

3 times LDAP auth was a seamless failover to the sub
2 times LDAP auth did not work on the sub until I bounced the tomcat service on the sub, then it worked fine.

I'm wondering if that, on the times it doesn't work in a failover (because I have experienced it a few times) a simple service bounce is all that is needed?

I suppose another cause of LDAP auth failover NOT working (but not always intuitive) would be cluster over wan (nodes in the cluster are not all on the same segment) and the sub node that LDAP auth is trying to bind from can't talk to the AD server.
Re: [cisco-voip] LDAP Authentication when CUCM publisher is down.
The worst case scenario, which we ran into, was a scenario where the pub is up and accepting auth requests but not able to process them. In our case the cluster was up for almost 300 days, and there were memory error alerts popping up. It would be nice for the system to understand this issue and go to the next node to try the auth process.

Interesting note about LDAPS. We are using that. Not sure if that poses additional issues.

Wish there was an easy way to test this out in production. Perhaps a quick ACL to block phone agent and desktop agent access to the pub and see what happens. And then another test where the ACL blocks access to the LDAP server temporarily.

Sent from my iPhone

On Jul 6, 2015, at 10:04 AM, Ryan Huff ryanh...@outlook.com wrote: