skirk1983
Beginner

No users in Directory groups in CUCM 11 and J4W 11.0.1

Hi all

 

We have just upgraded our UC platform to CUCM 11. I have therefore enabled Directory groups as described here: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_0_1/featureConfig/CUCM_BK_FE5123E0_00_cucm-feature-configuration-guide_1101/enterprise_groups.pdf

 

I can see the groups in CUCM 11, and I can add the groups in J4W 11 (see attached screenshot). But the groups are just empty with 0 members :(

The groups are Distribution lists, and not Security groups.

 

What am I missing?

 

Best regards


SKirk

12 REPLIES
Jaime Valencia
Hall of Fame Cisco Employee

That should be it. I did the same in my lab with CSR 11 and Jabber 11.0.1 and it worked just fine. I synced the users and groups from the same OU, and the groups contain users from that same OU; that might be something you have different.

HTH

java

if this helps, please rate

Hi Jaime

 

Well my users and groups are in two different OU's. Could it be that? However CSR 11 should support this.

I have added a new LDAP directory that points to the OU with groups, and selected it to sync Users and Groups.

 

Best regards

 

Skirk

Anyone?

Hm, it works. From two different OUs. I also have two different OUs, one with users and the other with groups.

After adding a second LDAP directory pointing to another OU, I performed a full resync and restarted my Jabber, and after that I could add and see my groups with contacts in them. I added one test group to the users OU - I can see it too. So it works.

Hi Victor

Hmm strange. I have added a second LDAP directory like you, and I can see the groups if I go to "User Management->User Settings->User Groups". So the groups are synced to the CUCM cluster. But our J4W 11.1.1 clients can't see the members of the groups :( I don't get it. 

If I go to File->New->Directory Group within the Jabber client, I can see the group, but it shows 0 members when added to the buddy list.

Any ideas?

I don't understand - can you see the groups while adding them to Jabber?

Are you sure that the groups are right and that they contain users? Can you make test groups and add users there?

It works now. I had to set sync to Users and Groups in both LDAP directories.

Skirk,

I have a few LDAP strings but all pointing to different user containers. Now I want to add this new one pointing to an AD security group (with different users than the other strings).

So I have 2 questions that maybe you can help me with:

1) This LDAP string should be configured for 'users and groups' right? And using an LDAP filter like this?

(&(objectCategory=group)(memberOf=CN=A,OU=B,DC=C,DC=com))

What do you refer to when you said you had to set 'Users and groups' in both LDAP directories? I can see the groups inside the OU I am pointing to but no users in there when I go to "User Management->User Settings->User Groups"

2) Will the users in this security group only allow me to see a contact list in Jabber, or can I also set permissions for these users (in the AD security group) as end users in CUCM?

I found this document that says that an AD security group does not work with my version, but a distribution group works... is this right? What version of CUCM were you using for this?

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_0_1/featureConfig/CUCM_BK_FE5123E0_00_cucm-feature-configuration-guide_1101/Enterprise_Groups.pdf#unique_934

Thank you in advance.

Hi,

I haven't defined any LDAP filter, as all of our users are located in one OU, and all our groups are located in another OU. That's why we have two LDAP directories, and remember to turn on Synchronize on Users and Groups on both LDAP directories. Otherwise, the groups can't see the members.

We are running CUCM version: 11.0.1.20000-2

As I remember, you can't use Security groups for this feature. Only Distribution lists are supported.

Hi,

 

Are you able to clarify the fix on this? My info -

- LDAP directory sync set to users and groups

- Groups are being synced and are visible in CUCM

- These are not security groups

- Jabber client can see groups however they contain 0 users

 

Some groups are showing valid users...

 

If you go to the UCM, to the user groups, you should be able to find the group there. You can click on it to see which end users are in the group.

 

This doesn't mean that anything is going to happen when you add the group to Jabber, with group support enabled, just because you can see things there.

 

Those contacts still need to be eligible to be on your Jabber contact list in the first place, meaning they have a JID and are enabled for the service, otherwise they don't "exist".

 

The group sync thing is a bit of a pain point as it sometimes isn't clear what happens. You have to tell the sync configuration to sync "users and groups", otherwise apparently the dirsync does not bother to collect the user group membership. You can then sync the groups from another OU if you want, and as long as you've synchronized the users then they will show up in there.

 

Similarly you can put the puzzle pieces together that the system isn't actually syncing members of the groups, just the group names, so if you have placed users into the groups that are not part of one or more user syncs for your system, they don't show up there either. So if you have User A and User B both members of "Help Desk" as a group, and User A also part of "Knowledge Workers", if you LDAP filter your user sync to memberOf "Knowledge Workers", User B isn't going to be seen in your group from the UCM's perspective.
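
The membership rules reported in the replies above, modelled as an added example (not part of any post and not Cisco code) that explains why each group member does or does not appear. The `Agreement` fields, DNs, and reason strings are constructed assumptions, and the rules encode what posters in this thread report rather than documented CUCM behaviour.

```python
from dataclasses import dataclass

@dataclass
class Agreement:            # one CUCM LDAP directory entry (field names are hypothetical)
    base: str               # search base DN
    users_and_groups: bool  # True = "Users and Groups", False = "Users Only"
    member_of: str = ""     # optional memberOf= group DN from a custom LDAP filter

def norm(dn):
    # Simplified DN normalisation; escaped commas are not handled.
    return ",".join(p.strip().lower() for p in dn.split(","))

def under(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def member_status(group_dn, groups, im_enabled, agreements):
    """Return {member_dn: reason} for one directory group."""
    if not any(a.users_and_groups and under(group_dn, a.base) for a in agreements):
        return {m: "group not synced" for m in groups[group_dn]}
    result = {}
    for user in groups[group_dn]:
        # Agreements whose base (and memberOf filter, if any) would pull this user in.
        covering = [a for a in agreements if under(user, a.base)
                    and (not a.member_of or user in groups.get(a.member_of, []))]
        if not covering:
            result[user] = "user not in any user sync"
        elif not any(a.users_and_groups for a in covering):
            result[user] = "user agreement is Users Only"
        elif not im_enabled.get(user, False):
            result[user] = "no JID / not IM-enabled"
        else:
            result[user] = "visible"
    return result

# Constructed sample directory: users and groups live in separate OUs.
U = "OU=Users,DC=example,DC=com"
G = "OU=Groups,DC=example,DC=com"
HELP, KW = f"CN=Help Desk,{G}", f"CN=Knowledge Workers,{G}"
A, B, C = (f"CN=User{x},{U}" for x in "ABC")
GROUPS = {HELP: [A, B, C], KW: [A, C]}
IM = {A: True, B: True, C: False}
FILTERED = [Agreement(U, True, member_of=KW), Agreement(G, True)]   # memberOf-filtered user sync
USERS_ONLY = [Agreement(U, False), Agreement(G, True)]              # original poster's first setup

if __name__ == "__main__":
    for name, cfg in (("filtered", FILTERED), ("users-only", USERS_ONLY)):
        print(name, member_status(HELP, GROUPS, IM, cfg))
```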

 

 

 

This setup seems counter productive if I understand all of the community comments.  If you have to create multiple entries - for groups and for users, I don't get the point of the groups add at all unless the OU has different users than the group provides.  It seems like the only point to sync a group is so you get only the users that you placed in that group AND if you then do a separate sync to the users OU, then don't you get whatever users are in that OU whether they are in the group you sync or not?  In my case, I have a users OU, but I have users in that OU from three regions.  In each cluster, I only want knowledge workers from that one region so we have groups built with that subset of users.  When I sync that group with the 'users and groups' radial, the group shows up under user groups, but none of the users are syncing or populating underneath it or in end users either.  We are using a distribution group versus security group as noted too.  TAC seems to be stumped by it as well.  Anyone here have more experience now with it or know someone who does?  Thanks in advance.
