babablacksheep
Beginner

Unity connection LDAP synchronization

Hello all,  question on LDAP synchronization with Windows AD.  If an AD account is disabled, is that account included during the sync process in CUC?

 

I was looking at this doc, https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/design/guide/b_11xcucdg/b_11xcucdg_chapter_01010.pdf, but couldn't find the answer to my question.

 

thank you

6 Replies
Scott Pedersen
Beginner

If the account is disabled it will not sync. If the account is disabled after being synced it will be removed from Unity upon the next sync with AD.

Ratheesh Kumar
Collaborator

Hi there

When the LDAP user account for a Unity Connection user is disabled or deleted, or if an LDAP directory configuration is deleted from the Unity Connection system, the following occurs:

1. Initially, when Unity Connection users try to sign in to a Unity Connection web application, LDAP authentication fails because Unity Connection is still trying to authenticate against the LDAP directory.

If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to sign in to Unity Connection web applications.

2. At the first scheduled synchronization, users are marked as “LDAP inactive” in Unity Connection.

Attempts to sign in to Unity Connection web applications continue to fail.

3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as “LDAP inactive,” all Unity Connection users whose accounts were associated with LDAP accounts are converted to Unity Connection standalone users.

For each Unity Connection user, the password for Unity Connection web applications and for IMAP email access to Unity Connection voice messages becomes the password that was stored in the Unity Connection database when the user account was created. (This is usually the password in the user template that was used to create the user.) Unity Connection users do not know this password, so an administrator must reset it.

The numeric password (PIN) for the telephone user interface and the voice user interface remains unchanged.

Note the following regarding Unity Connection users whose LDAP user accounts were disabled or deleted, or who were synchronized via an LDAP directory configuration that was deleted from Unity Connection:

  • The users can continue to sign in to Unity Connection by phone during the period in which Unity Connection is converting them from an LDAP-synchronized user to a standalone user.
  • Their messages are not deleted.
  • Callers can continue to leave messages for these Unity Connection users.
Note: LDAP phone numbers are converted to Unity Connection extensions only once, when you first synchronize Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Connection

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/design/guide/10xcucdgx/10xcucdg040.html

 

Hope this Helps

Cheers
Rath!
***Please rate helpful posts***

Adam Pawlowski
VIP Engager

It’s based on your filter.

Adam - That is incorrect. If a user is Disabled in Active Directory, they will not sync into the CUCM End User page, regardless of the LDAP filters.

@Dalton-Covene  See @Maren Mahoney 's reply in this thread. 

Maren Mahoney
Collaborator

As others have pointed out, by default users marked as Disabled in AD will not synchronize initially, and if they are set to Disabled after synchronization then CUCM/CUC will mark them for deletion and they will be purged after 24 hours. If you want to synchronize disabled users, or do not want disabled users to be "un-synchronized", you will need to use a custom LDAP filter.

The default LDAP filter is the following:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) is the part that checks to see if an account is disabled. And the "!" at the beginning of the argument says to not import if it is disabled.

Therefore, to have disabled accounts synchronize and/or to continue to be replicated after they are disabled the filter can be:

(&(objectclass=user)(!(objectclass=Computer)))

This will import users (all users - active and disabled), but not groups and not computers. The user account would have to be deleted altogether in order to have it stop being replicated to CUCM/CUC.

 

Maren
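To make the two filters above concrete, here is an added example (not from this thread, Cisco, or CUCM/CUC itself): a minimal evaluator that parses exactly these filter strings and applies them to a few constructed AD entries, so you can see which accounts the default filter drops (the bit-AND rule OID 1.2.840.113556.1.4.803 tests userAccountControl bit 0x2, ACCOUNTDISABLE) and which the custom filter keeps. It assumes only the operators these two filters use (&, !, equality and the bit-AND extensible match); the sample entries and the sync-comparison helper are constructed for illustration.

```python
"""Evaluate the default and custom CUCM/CUC LDAP sync filters against constructed AD entries."""

DEFAULT_FILTER = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
CUSTOM_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"
BIT_AND_RULE = ":1.2.840.113556.1.4.803:"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample directory (not real accounts). 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE.
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectClass": ["top", "person", "user"], "userAccountControl": 514},
    {"sAMAccountName": "PC01$", "objectClass": ["top", "person", "user", "computer"], "userAccountControl": 4096},
]

def _attr(entry, name):
    """LDAP attribute names are case-insensitive; always return a list of values."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []

def _parse(s, i):
    """Recursive-descent parse of one '(...)' filter item at s[i]; returns (node, index after it)."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&!":  # AND / NOT with nested items
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip closing ')'
    end = s.index(")", i)
    lhs, value = s[i:end].split("=", 1)
    if BIT_AND_RULE in lhs:  # e.g. UserAccountControl:1.2.840.113556.1.4.803:=2
        return ("bitand", lhs.split(":")[0], int(value)), end + 1
    return ("eq", lhs, value), end + 1

def _match(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "!":  # NOT takes exactly one child
        return not _match(node[1][0], entry)
    if kind == "bitand":  # true when every bit in the mask is set in the attribute value
        return any(int(v) & node[2] == node[2] for v in _attr(entry, node[1]))
    return any(str(v).lower() == node[2].lower() for v in _attr(entry, node[1]))

def synced_accounts(ldap_filter, entries=ENTRIES):
    """Accounts the directory sync would import under the given filter."""
    tree, _ = _parse(ldap_filter, 0)
    return [e["sAMAccountName"] for e in entries if _match(tree, e)]

def marked_ldap_inactive(previous_sync, ldap_filter, entries=ENTRIES):
    """Accounts imported earlier that no longer match: these are what CUC flags 'LDAP inactive'."""
    return sorted(set(previous_sync) - set(synced_accounts(ldap_filter, entries)))
```

Running `synced_accounts(DEFAULT_FILTER)` yields only alice, while `synced_accounts(CUSTOM_FILTER)` also keeps the disabled bob; in neither case is the computer object imported.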
