
Unified Communications LDAP Custom Filters


I am currently working on separating our Contact Center users from our Corporate users via LDAP Custom Filters so that we can apply a specific Feature Group Template to our Contact Center users and a specific template to our Corporate users. I did not find much documentation from Cisco relating to LDAP Custom Filters, so I have done some searching and was able to piece together a filter that actually works when syncing a specific OU (Organizational Unit) in AD (Active Directory), for Contact Center users, and excluding that same OU when you sync all other OUs within that directory structure to get the remaining Corporate users. So here is a mock-up directory structure to give a little more context:

 

  • domain.abc
    • City of location <Miami>
      • Departments
        • Accounting
        • HR
        • IT
        • Executives
        • ContactCenter

The LDAP search base would be: OU=Miami,OU=Departments,DC=domain,DC=abc

We will set up 2 LDAP Directories to sync users from: LDAP_1 for all users except ContactCenter users and LDAP_2 for ContactCenter users only.

 

 

Now we want to apply Feature Group Template 1 to all users except ContactCenter users and Feature Group Template 2 to ContactCenter users. I was able to accomplish this by creating an LDAP Custom Filter. Here is the filter I used so that I could set up an LDAP Directory specific for the Contact Center users and a separate LDAP Directory for all remaining users:

 

LDAP_Filter
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=organizationalUnit)(!(ou:dn:=ContactCenter)))

 

Now that I have created my LDAP Custom Filter, I can apply it to the LDAP Directory LDAP_1 that will sync all users. With this filter applied it will not sync users in the ContactCenter OU. The second LDAP Directory setup would be for any users that are specifically set up in the ContactCenter OU. This way I can apply Feature Group Template 1 to LDAP Directory LDAP_1 for all users except ContactCenter users and Feature Group Template 2 to LDAP Directory LDAP_2 for ContactCenter users.

 

Comments
Advocate

Does this work for you? From previous experience CM can’t expand membership of an OU in an LDAP filter. You can work around this by expanding the membership from a group instead.

Roger,


I have come to find out that this is not working as I thought it was when I originally posted. I am currently looking into the group assignments to figure out how to do that. My initial thought would be to create 2 LDAP directories with the same search base and, in the second LDAP Directory configuration, filter on the <group_name_contactcenter> so that the Feature Group Template could be applied there for the ContactCenter users, and not apply a filter for the first LDAP directory configuration so all users would get the standard Feature Group Template applied.

Advocate

I don’t have access to the filter we ended up creating for a similar thing at the moment. Tomorrow when I’m at work (from home) I’ll post an update for this so that you can use that as a reference.

Advocate

Example of an LDAP filter we use to only bring in admin users on our SME.

 

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=CN=NVV.CallMgr_SuperUsers,OU=Groups,OU=NVV,OU=GLOBALAPP,OU=<Company name>,DC=tp1,DC=ad1,DC=<Domain>,DC=com))

 

 

 

Roger,

Listed below are the filters I have configured, modifying the one you provided to fit our environment, and 2 group filters I set up:

 

QA LDAP User Filter:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(memberof:1.2.840.113556.1.4.1941:=CN=QA_VOIP_CORP,OU=Security,OU=Groups,OU=<City>,DC=<domain>,DC=qa)(memberof:1.2.840.113556.1.4.1941:=CN=QA_VOIP_CONTACT_CENTER,OU=Security,OU=Groups,OU=<city>,DC=<domain>,DC=qa)))

 

QA Group Filter1:

(&(objectClass=group)(CN=QA_VOIP_CORP))

 

QA Group Filter2:

(&(objectClass=group)(CN=QA_VOIP_CONTACT_CENTER))

 

I have configured 2 LDAP agreements so that each one will sync users and groups and filter out all users except those associated with the groups provided above. After performing syncs on each agreement I am only seeing the users I want and was able to set up each agreement with a specified Feature Group Template. Considering the users were already in UCM after fixing the LDAP agreements and applying these settings after the fact, I will have to create a couple more test users to see if the Feature Group Templates get applied as I have set them up.

 

Thank you for the added support as this has been a struggle to get through until now!
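Added example, not part of any post in this thread: one way to assemble the group-based user filter shown in the reply above from a list of group DNs, escaping each DN per RFC 4515 and checking that the result is structurally balanced before it is pasted into a sync agreement. The function names are hypothetical, and any DNs passed in are the caller's own.

```python
# Added illustration; function names are hypothetical, not Cisco or AD tooling.
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(group_dns):
    """Enabled, non-computer users who are (nested) members of any given group."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    members = "".join(
        "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(dn)) for dn in group_dns
    )
    if len(group_dns) > 1:
        members = "(|%s)" % members   # OR the groups together, as in the QA filter
    # userAccountControl value 2 is the ACCOUNTDISABLE flag; the clause excludes it.
    return ("(&(objectclass=user)(!(objectclass=Computer))"
            "(!(UserAccountControl:%s:=2))%s)" % (BIT_AND, members))

def children(flt):
    """Split an (&...), (|...) or (!...) filter into its operator and top-level parts.

    Raises ValueError on unbalanced parentheses or stray text between parts,
    the usual result of hand-editing a long filter.
    """
    if not (flt.startswith("(") and flt.endswith(")")) or flt[1:2] not in ("&", "|", "!"):
        raise ValueError("not a composite filter")
    op, body, depth, start, parts = flt[1], flt[2:-1], 0, 0, []
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
            if depth == 0:
                parts.append(body[start:i + 1])
        elif depth == 0:
            raise ValueError("text outside parentheses")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return op, parts
```

Escaping matters when a group's CN contains parentheses or an asterisk: unescaped, those characters change the filter's structure instead of being matched literally.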

Advocate

Glad to hear that you got it to work. A suggestion for the next time you post on the community: instead of creating a document, you would likely get more attention and faster help if you post in the appropriate forum.