
Inactive LDAP Synchronized User


I have had to do this a few times recently, I put this together to remind me how to do it so I thought I would share.

Problem Description

A user attribute is changed in AD; for example, a user moves site and requires a new Directory Number. After the change is made, the UC administrator immediately runs LDAP synchronization. In some cases the delay caused by AD replication means the user is “not ready / provisioned” in AD, and CUCM marks the user as Inactive. When a user is marked inactive, CUCM does not immediately remove them from the database, so the account is essentially “suspended”.*

*Any accounts marked inactive will be permanently deleted when the garbage collection process runs (every morning at 03:15). This results in an Extension Mobility (EM) user potentially being without telephony services for 24 hours.

Solution

  • Convert the user from inactive to active using CLI “run sql…” command
  • Delete end user from CUCM
  • Synchronise LDAP on CUCM

 

Example

User 411001 moves from Liverpool to Manchester and is assigned 422002. The UC administrator makes the relevant change to the AD user and runs an LDAP synchronisation on CUCM. When the administrator tries to associate the User with a User Device Profile they notice the User Status is set to inactive.

Step 1: Log in to the CUCM publisher CLI.

Step 2: Confirm inactive status (status=2)

admin:run sql select userid, status from enduser where status = '2'

userid  status
======  ======
411001  2

 

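Step 3: Change status to active. The where clause below matches every user with status 2, not only 411001, so check the Step 2 output first to make sure no other inactive account is reactivated unintentionally.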

admin:run sql update enduser set status=1 where status = "2"

Rows: 1

 

Step 4: Confirm active status (status=1)

admin:run sql select userid,status from enduser where userid = '411001'

userid  status
======  ======
411001  1

 

Step 5: Log in to CUCM and go to User Management > End User

Step 6: Find the newly activated user, e.g. 411001, and convert it to a local user.

 

Step 7: Once converted to a local user you can delete the user.

Step 8: Run another LDAP synchronisation on CUCM.
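
An added example, not part of the original post: a Python helper that parses pasted Step 2 output and builds one userid-scoped update command per approved user, so that Step 3 reactivates only the intended accounts. The function names, the approved list and the userid character allow-list are assumptions, and the sample output is constructed.

```python
import re

# Constructed sample of Step 2 output, in the layout shown above
SAMPLE_OUTPUT = """\
userid  status
======  ======
411001  2
411007  2
jsmith  2
"""

# Assumed conservative allow-list for userids placed inside a quoted SQL literal
SAFE_USERID = re.compile(r"[A-Za-z0-9._@-]{1,128}")


def parse_inactive(cli_output):
    """Return the userids with status 2 from pasted 'run sql' output."""
    users = []
    for line in cli_output.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the ====== separator row
        if len(parts) != 2 or parts[0] == "userid" or set(parts[0]) == {"="}:
            continue
        userid, status = parts
        if status == "2":
            users.append(userid)
    return users


def build_updates(cli_output, approved):
    """Build one scoped update per approved userid that is currently inactive."""
    inactive = set(parse_inactive(cli_output))
    commands, skipped = [], []
    for userid in approved:
        # Refuse anything not listed as inactive or not safe to quote
        if userid not in inactive or not SAFE_USERID.fullmatch(userid):
            skipped.append(userid)
            continue
        commands.append(
            f"run sql update enduser set status=1 where userid = '{userid}'"
        )
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = build_updates(SAMPLE_OUTPUT, ["411001", "999999"])
    print("\n".join(cmds))
    print("skipped:", skipped)
```

Inactive users left out of the approved list keep status 2 and are removed by the garbage collection process as usual.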

 

Comments
iboboewfs
Beginner

Very helpful.

This works for me.

Dan SJK
Beginner

Thanks for the pointer. At the time we had several inactive users, so the update enduser command would have affected them all. As such, I used the following instead:

 

run sql update enduser set status=1 where userid = '4814'

 

which updated the specific user only.

aelankoud
Beginner

Thank you for this tutorial,

it's very helpful for me,

but I have one question: if I have multiple end users (for me, I have 280 end users synchronized from LDAP), how do I convert them to Local User simultaneously?

Thank you again.

akazempoor
Beginner

I did this and now when I do an LDAP sync the users I deleted don't show up.

Yes, because they need to be updated in AD to the correct LDAP filters that you have used in the LDAP custom filter. They did not match and that is what caused them to become inactive in the first place.

josefranco
Beginner

Thanks for this @kevbo.

Very useful.

mdyoung22
Beginner

Very useful article and thanks for the update Dan SJK!

H-Alashi
Cisco Employee

Hello Kevbo,

Many thanks for the great info.

I have a question:

How can I delete the users holding the status value = 2 (inactive user) with an SQL command?

I have over 30k users and the VM is turned off during the garbage collection process due to power restrictions.

I've tried with this command

admin:run sql delete from enduser where status= "2"
4303

I'm not sure how to correct it.

Also, this command retrieved the needed info in the test environment

admin:run sql select*, status from enduser where status = '2'

 

but I'm not aware how to use the delete command correctly.

Please assist.

Regards,

Haron

aneesap90
Beginner

Helpful. Thanks a lot
