SOLVED: LDAP Manager Account / Jabber

JoshBeckett
Level 1

Hello everyone, 

 

I have recently taken over everything at my company dealing with our phone systems as well as a few other Cisco things. I have walked into this mess that a previous employee managed and didn't leave any documentation on it after he left. 

 

Long story short, we had to disable the AD account we used for our LDAP Manager. A lot of mistakes were made with the initial setup and I have a lot of projects on my whiteboard. I do not understand how to change the LDAP Manager account. I believe changing the account to one we have more secured and locked down will resolve the issue. 

I have found online forums saying that the AD account only needs read-only attributes. The new account is in the same OU and CN as the previous account too. I even went as far as to give the new one EA rights for testing just to see if it was a permission issue, but it still tells me:

"Login Failure to Host ldap://xx.xxx.x.xx:xxxx, Please Re-Enter LDAP Manager Distinguished Name and Password" 

 

If anyone has any ideas on where I can find documentation on how to resolve the issue or provide assistance, I would be eternally grateful. 

 

Thanks!

1 Reply

Yes, the account you use in CUCM to communicate with your AD server must have, at a minimum, read-only access to the LDAP database. It might be worthwhile to do a test sync with an AD-full-admin account configured in CUCM to see if the problem is related to the permissions or to your LDAP configuration in CUCM.

Also, you can run a trace in RTMT on the DirSync service and watch the interaction between CUCM and AD to see if that provides clues to the problem.

Here is a link to the chapter in the 11.5 system admin guide dealing with LDAP integration. LDAP integration hasn't changed so if you are running a different version the information will still be applicable.

CUCM System Configuration Guide - Chapter: Import Users From LDAP Directory

 

Let us know what you find out.

 

Maren
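
The following is an added example, not part of the original thread or of Cisco's tooling: a small classifier for the diagnostic text Active Directory returns on a failed LDAP bind, which helps separate a DN/password/account-state problem from a permissions problem when reading a DirSync trace or packet capture. It assumes the trace carries AD's standard `AcceptSecurityContext error, data <code>` message; the sample lines, the `DSID-XXXXXXXX` and `vXXXX` placeholders, and the function names are constructed for illustration.

```python
import re

# AD reports bind failures as LDAP result code 49 with a hex "data" sub-code.
# Every cause here is a DN, password or account-state problem; directory read
# permissions are only evaluated after a successful bind.
AD_BIND_SUBCODES = {
    "525": "user not found (check the Distinguished Name)",
    "52e": "invalid credentials (wrong password or DN form)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def classify_bind_failure(line):
    """Return (subcode, cause) for an AD bind-failure message, else None."""
    m = DATA_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unrecognized sub-code")

def summarize(lines):
    """Count bind-failure causes across a trace excerpt."""
    counts = {}
    for line in lines:
        hit = classify_bind_failure(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts

# Constructed sample lines (not from a real system); DSID and version fields
# are placeholders and are ignored by the parser.
SAMPLE = [
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52e, vXXXX]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 533, vXXXX]",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52E, vXXXX]",
    "DirSync: connection to directory host established",
]

if __name__ == "__main__":
    for cause, n in summarize(SAMPLE).items():
        print(f"{n} x {cause}")
```

A sub-code of `52e` or `525` points at the Distinguished Name or password entered for the LDAP Manager account, while `533` or `775` points at the account's state in AD; raising the account's group membership changes none of these.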