04-17-2019 11:48 AM
Hello all, question on LDAP synchronization with Windows AD. If an AD account is disabled, is that account included during the sync process in CUC?
I was looking at this doc, https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/design/guide/b_11xcucdg/b_11xcucdg_chapter_01010.pdf, but couldn't find the answer to my question.
thank you
04-17-2019 11:50 AM - edited 04-17-2019 11:51 AM
If the account is disabled it will not sync. If the account is disabled after being synced it will be removed from Unity upon the next sync with AD.
04-18-2019 08:13 PM
Hi there
When the LDAP user account for a Unity Connection user is disabled or deleted, or if an LDAP directory configuration is deleted from the Unity Connection system, the following occurs:
1. Initially, when Unity Connection users try to sign in to a Unity Connection web application, LDAP authentication fails because Unity Connection is still trying to authenticate against the LDAP directory.
If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to sign in to Unity Connection web applications.
2. At the first scheduled synchronization, users are marked as “LDAP inactive” in Unity Connection.
Attempts to sign in to Unity Connection web applications continue to fail.
3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as “LDAP inactive,” all Unity Connection users whose accounts were associated with LDAP accounts are converted to Unity Connection standalone users.
For each Unity Connection user, the password for Unity Connection web applications and for IMAP email access to Unity Connection voice messages becomes the password that was stored in the Unity Connection database when the user account was created. (This is usually the password in the user template that was used to create the user.) Unity Connection users do not know this password, so an administrator must reset it.
The numeric password (PIN) for the telephone user interface and the voice user interface remains unchanged.
Note the following regarding Unity Connection users whose LDAP user accounts were disabled or deleted, or who were synchronized via an LDAP directory configuration that was deleted from Unity Connection:
Note LDAP phone numbers are converted to Unity Connection extensions only once, when you first synchronize Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection
Hope this Helps
Cheers
Rath!
***Please rate helpful posts***
04-23-2019 02:15 PM
04-27-2019 07:46 AM
04-29-2019 04:52 AM
@Dalton-Covene See @Maren Mahoney's reply in this thread.
04-24-2019 11:07 AM
As others have pointed out, by default users marked as Disabled in AD will not synchronize initially, and if they are set to Disabled after synchronization then CUCM/CUC will mark them for deletion and they will be purged after 24 hours. If you want to synchronize disabled users, or do not want disabled users to be "un-synchronized", you will need to use a custom LDAP filter.
The default LDAP filter is the following:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) is the part that checks to see if an account is disabled. And the "!" at the beginning of the argument says to not import if it is disabled.
Therefore, to have disabled accounts synchronize and/or to continue to be replicated after they are disabled the filter can be:
(&(objectclass=user)(!(objectclass=Computer)))
This will import users (all users - active and disabled), but not groups and not computers. The user account would have to be deleted altogether in order to have it stop being replicated to CUCM/CUC.
Maren
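To see what the two filters in Maren's post actually admit before changing the setting on a production CUCM/CUC, here is an added example (not Cisco code, not from any poster in this thread). It implements just the subset of RFC 4515 filter syntax those two filters use: `&`, `!`, plain equality, and the Microsoft bitwise-AND extensible match 1.2.840.113556.1.4.803, where `UserAccountControl:1.2.840.113556.1.4.803:=2` is true when bit 0x2 (ACCOUNTDISABLE) is set. It runs both filters over four constructed AD-style entries (an enabled user, a disabled user, a computer object and a group); the entries, DNs and attribute values are made up for the demonstration.

```python
"""Offline evaluation of the CUCM/CUC default LDAP filter vs the relaxed one.

Added example, not Cisco's code. Supports only the filter constructs used by
the two filters discussed above: &, |, !, attr=value, and the AD extensible
matching rules 1.2.840.113556.1.4.803 (bitwise AND) and .804 (bitwise OR).
"""
import re

DEFAULT_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                  "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
RELAXED_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
UF_ACCOUNTDISABLE = 0x2              # userAccountControl flag for "disabled"

# Constructed sample entries (hypothetical, not real directory data).
# Attribute names are lower-cased; values are lists, as objectClass is multi-valued.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "useraccountcontrol": ["512"]},        # NORMAL_ACCOUNT, enabled
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "useraccountcontrol": ["514"]},        # 512 | ACCOUNTDISABLE
    {"dn": "CN=WS01,OU=Computers,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "useraccountcontrol": ["4096"]},       # WORKSTATION_TRUST_ACCOUNT
    {"dn": "CN=Voicemail Users,OU=Groups,DC=example,DC=com",
     "objectclass": ["top", "group"]},      # no userAccountControl at all
]

_ITEM = re.compile(r"([A-Za-z0-9.;-]+)(?::([0-9.]+):)?=(.*)")


def parse_filter(text):
    """Recursive-descent parse of a filter string into a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        c = text[pos]
        if c in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            node = ("and" if c == "&" else "or", kids)
        elif c == "!":
            pos += 1
            node = ("not", parse())
        else:
            end = text.index(")", pos)
            m = _ITEM.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            attr, rule, value = m.groups()
            node = ("item", attr.lower(), rule, value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def evaluate(node, entry):
    """Apply a parsed filter to one entry using AD-like matching semantics."""
    kind = node[0]
    if kind == "and":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "or":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "not":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])          # absent attribute -> item is false
    if rule is None:                      # AD string equality is case-insensitive
        return any(v.lower() == value.lower() for v in values)
    mask = int(value)
    if rule == BIT_AND:                   # all bits of the mask must be set
        return any(int(v) & mask == mask for v in values)
    if rule == BIT_OR:                    # any bit of the mask set
        return any(int(v) & mask for v in values)
    raise ValueError(f"unsupported matching rule {rule}")


def sync_candidates(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs a CUCM/CUC LDAP sync using filter_text would pull in."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(tree, e)]


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set, i.e. what the default filter excludes."""
    return evaluate(parse_filter(f"(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})"), entry)


if __name__ == "__main__":
    for label, flt in (("default", DEFAULT_FILTER), ("relaxed", RELAXED_FILTER)):
        print(f"{label}: {sync_candidates(flt)}")
```

With the default filter only Alice is returned; with the relaxed filter Bob (disabled) is returned as well, while the computer object and the group are excluded by both. One caveat worth weighing before relaxing the filter: the telephone PIN is held in Unity Connection rather than validated against AD, so keeping a disabled AD account synchronized also keeps its mailbox reachable by phone until the account is deleted or the PIN is changed.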