Retrieving Information from Active Directory

The Oracle Enterprise Communications Broker performs SIP Digest authentication against users attempting to register. It can use pre-configured information from Active Directory to perform such authentication. Access to Active Directory uses standard LDAP processes to retrieve the information needed and to offload the processing from other resources to the Oracle Enterprise Communications Broker.

The Oracle Enterprise Communications Broker can obtain registration authentication information directly from Active Directory when you modify the Active Directory schema to include the Oracle-specific attributes and object classes that the Oracle Enterprise Communications Broker needs to authenticate users.

The Oracle Enterprise Communications Broker operates by issuing LDAP requests to Active Directory for data from "password" attributes, matching the Request URI username against Active Directory's standard sAMAccountName. To support this, you create new attributes in Active Directory, one of which must be populated with the digest realm. A Dynamic Link Library (DLL) installed on Active Directory intercepts the password change hashes and writes them to another attribute. The DLL then creates a hash of the username, digest realm, and password hash, which is returned to the Oracle Enterprise Communications Broker within the LDAP response. The Oracle Enterprise Communications Broker extracts the password hash, compares it to the hash provided by way of SIP digest, and, when there is a match, authenticates and registers the user.

The attributes added to Active Directory are:

  • orclDigestRealmAttribute—Populated with digest realm.
  • orclDigestPwdAttribute—Populated with hash of Active Directory password during each password change.
  • orclAgentNameAttribute—Populated with user's agent for the purpose of routing. See Active Directory and Oracle ECB Routing in this document to understand how the Oracle Enterprise Communications Broker uses this attribute.
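The following example, added here and not part of the Oracle documentation, shows why storing a digest hash instead of the password is enough for the broker to verify a SIP REGISTER: the server side needs only the RFC 2617 HA1 value (MD5 of username:realm:password) plus the nonce it issued, never the cleartext password. The realm, username, password and nonce are constructed sample values; the exact way the oidpwdcn.dll combines username, realm and password hash is not reproduced here, and using the standard HA1 in its place is an assumption.

```python
import hashlib
import re
import secrets

# Constructed sample values (not taken from the Oracle documentation).
REALM = "example.com"        # would be read from orclDigestRealmAttribute
USERNAME = "alice"           # SIP user part, matched against sAMAccountName
PASSWORD = "correct horse"   # used only once, to derive the stored hash


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    This is the value a directory can hold in place of the password.
    Assumption: it stands in for the hash the page's DLL writes at
    password-change time; the DLL's exact input layout is not specified here.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username: str, realm: str, nonce: str, uri: str,
                        response: str) -> str:
    """Client side: the Authorization header sent with the REGISTER."""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_authorization(header: str) -> dict:
    """Parse the comma-separated key="value" pairs of a Digest header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header[len("Digest "):]))


def verify_register(header: str, stored_ha1: str, issued_nonce: str,
                    expected_realm: str) -> bool:
    """Server side: verify a REGISTER using only the stored HA1.

    The nonce must be the one this server issued in its challenge; a stale or
    foreign nonce is rejected before any hash comparison. The final comparison
    is constant-time so response bytes cannot be guessed position by position.
    """
    p = parse_authorization(header)
    if p.get("realm") != expected_realm or p.get("nonce") != issued_nonce:
        return False
    expected = digest_response(stored_ha1, "REGISTER", p.get("uri", ""), issued_nonce)
    return secrets.compare_digest(expected, p.get("response", ""))


def sample_exchange() -> tuple:
    """One good and one bad registration attempt against the stored hash."""
    stored_ha1 = digest_ha1(USERNAME, REALM, PASSWORD)   # what LDAP returns
    nonce = secrets.token_hex(16)                        # server challenge
    uri = f"sip:{REALM}"
    good = build_authorization(USERNAME, REALM, nonce, uri,
                               digest_response(stored_ha1, "REGISTER", uri, nonce))
    wrong_ha1 = digest_ha1(USERNAME, REALM, "wrong password")
    bad = build_authorization(USERNAME, REALM, nonce, uri,
                              digest_response(wrong_ha1, "REGISTER", uri, nonce))
    return (verify_register(good, stored_ha1, nonce, REALM),
            verify_register(bad, stored_ha1, nonce, REALM))


if __name__ == "__main__":
    print(sample_exchange())
```

The directory-side record never has to contain the password, but the HA1 is itself a credential: anyone who reads the attribute can produce valid responses for that realm, so the attribute's read permissions and the LDAP transport (the LDAP security type and TLS profile mentioned under LDAP Config) matter as much as the hashing.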

Oracle can provide the oidpwdcn.dll, scripts to create the needed attributes, scripts to populate the digest realm attribute, and a README.TXT with instructions on how to perform all procedures. Appendix C provides instructions on getting this methodology operational.

LDAP and Oracle ECB Authentication

Lightweight Directory Access Protocol (LDAP) is the protocol that the Oracle Enterprise Communications Broker uses to query the Enterprise's Active Directory and validate registration attempts in the Enterprise network. Requests and responses are sent and received based on the Oracle Enterprise Communications Broker's LDAP configuration. The Oracle Enterprise Communications Broker's LDAP client queries an LDAP server, usually Active Directory, for password information for a user attempting to register. This request and response process verifies that the user is permitted to register (authorization) and verifies that the user is who they say they are (authentication). Once both these stages complete successfully, the Oracle Enterprise Communications Broker registers the user.

The Oracle Enterprise Communications Broker, using LDAP, performs the following on a registration attempt:

  • Creates an LDAP search filter based on the dialed number and the configured LDAP attributes.
  • Sends an LDAP search query to the configured LDAP server.

You configure LDAP servers and filters on the Oracle Enterprise Communications Broker.

The Oracle Enterprise Communications Broker keeps a permanent LDAP session open to all configured call servers. It sends an LDAP bind request on every established connection to those servers. The first call server is considered the primary LDAP server, and all others are secondary LDAP servers. If a query request sent to the primary server fails, the Oracle Enterprise Communications Broker sends the request to the next configured LDAP server, continuing until a request receives a response. If the Oracle Enterprise Communications Broker receives no response, it replies to the registering endpoint with a (401? authentication failure?).

Configuring LDAP for Authentication

LDAP is the protocol that Active Directory uses for general interaction between an LDAP client and an LDAP server. You can configure the LDAP server(s) in your network, and set the filters and the local policy that the LDAP server uses when handling inbound Lync and PBX calls in the Enterprise core network.

You can use the following objects in the Web GUI to configure LDAP:

  • LDAP Config—Configures the LDAP functionality on the Oracle Enterprise Communications Broker (i.e., name, state, LDAP servers, realm, authentication mode, username, password, LDAP search filters, timeout limits, request timeouts, TCP keepalive, LDAP security type, LDAP TLS profile, and LDAP transactions).
  • SIP Authentication—Configures the Active Directory attribute names for the Oracle Enterprise Communications Broker's query-digest-username-attribute and digest-hash-attribute fields. These fields specify where the Oracle Enterprise Communications Broker verifies authentication attempts.

See the section on Active Directory and Oracle ECB Routing for important information about:

  • LDAP messages
  • LDAP failure events
  • Oracle ECB limitations using LDAP

That information applies equally to the authentication functionality explained here.