11-04-2009 04:20 AM - edited 03-18-2019 10:47 AM
Hi,
I'm trying to integrate CM 7 with AD. The problem I'm facing is that when I try to write the user search base string I run out of characters; 254 is the limit.
I need help to correctly write the string to match the (organizational units) OU's I want to synchronize.
Attached is a screen shot of the Active Directory structure and also a list of the OU's I want to synch.
11-04-2009 06:20 AM
LDAP doesn't work that way. You cannot specify multiple sibling elements in a single LDAP string. Also, UCM has a limit of five LDAP synchronizations so you will likely need to reorganize your AD structure to become more hierarchical. I doubt you want to synchronize EVERY user account into the corporate directory.
Example (entire domain):
DC=corkcoco,DC=localgov
Example:
OU=AreaOperationsSouth,DC=corkcoco,DC=localgov
Example:
OU=CentralOperationsSouth,DC=corkcoco,DC=localgov
Remember that UCM will synch every user object account with these OUs, including any child OUs as long as the minimum fields are populated.
You will have to develop a custom LDAP filter if you want to exclude accounts. In 7.x this is a little involved because it requires a direct SQL update (search the forum). You would need to identify a common field that you can filter by for every account.
11-04-2009 06:41 AM
Yup just ran into the Max 5 limit as I got your reply. I'll look into the direct SQL update.
11-04-2009 08:27 AM
Ok, so I restructured AD to work around the issue, but now I have run into a separate issue: all users are coming up as inactive. I have the UserID attribute on CM set to employeeNumber but it's called EmployeeID on AD; I think that might be the issue. Here's the error I get in the trace:
2009-11-04 15:52:56,819 ERROR [DirSync-DBInterface] common.DSDBInterface (DSDBInterface.java:276) - DSDBInterface.updateUserInfo LDAP data discarded: Missing LDAP attribute: Attribute Count=8 AgreementId=8426585a-7a9b-95c8-cfdd-41b4debad1de
middlename=exampled telephonenumber=8315 lastname=Lucey
firstname=example mailid=example@example.com title= uniqueidentifier=c2317194f399a94180fde1ff663e080a department=Finance
2009-11-04 15:52:56,824 INFO [Thread-8] common.DSNcsClient (DSNcsClient.java:50) - DSNcsClient.process Process CN on directorypluginconfig with action=u
2009-11-04 15:52:56,831 INFO [Thread-8] common.DSNcsClient (DSNcsClient.java:50) - DSNcsClient.process Process CN on directorypluginconfig with action=u
11-04-2009 03:19 PM
First, you are exposing personally identifiable information in your postings and this forum is public. You may want to replace the real-life user information with something else.
Second, I'm going to assume that you mean you have created the custom LDAP filter based on the employeeNumber. You cannot set the username in the LDAP System page to this attribute. If you are filtering by an attribute, it must actually exist within LDAP.
Third, the LDAP Bind Account you are using needs to be granted "Read All Attributes" rights on the LDAP objects.
11-05-2009 02:31 AM
Thanks for the replies.
The cisco account in AD has read access to all OUs. The user ID in Call Manager already is the same as the employee ID in AD. I'll look further and see what I can find.
Thanks
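To make the behaviour discussed in this thread concrete, here is an added example (not from the original posts or from Cisco) that models how a UCM-style sync selects accounts: a search base includes child OUs but never a sibling OU, the five-base and 254-character limits are checked, and an entry lacking the configured UserID attribute (employeeNumber vs. EmployeeID) is discarded. The OU names, account names and attribute values are constructed, and DN parsing is simplified (no escaped commas).

```python
MAX_BASES = 5        # UCM limit on LDAP synchronization agreements (from the thread)
MAX_BASE_LEN = 254   # length limit of the user search base field (from the thread)


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; attribute names lower-cased."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def in_search_base(entry_dn, base_dn):
    """True if entry_dn sits at or below base_dn (child OUs are included)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    tail = [(a, v.lower()) for a, v in entry[-len(base):]]
    return len(entry) >= len(base) and tail == [(a, v.lower()) for a, v in base]


def validate_bases(bases):
    """Return a list of problems with the configured search bases (empty if fine)."""
    problems = []
    if len(bases) > MAX_BASES:
        problems.append(f"{len(bases)} bases configured, limit is {MAX_BASES}")
    for b in bases:
        if len(b) > MAX_BASE_LEN:
            problems.append(f"base too long ({len(b)} > {MAX_BASE_LEN}): {b[:40]}...")
    return problems


def classify(entries, bases, userid_attr):
    """Map each entry DN to 'synced' or the reason it would be skipped or discarded."""
    result = {}
    for dn, attrs in entries.items():
        if not any(in_search_base(dn, b) for b in bases):
            result[dn] = "outside every search base"
        elif userid_attr.lower() not in {k.lower() for k in attrs}:
            result[dn] = f"discarded: missing LDAP attribute {userid_attr}"
        else:
            result[dn] = "synced"
    return result


BASES = ["OU=AreaOperationsSouth,DC=corkcoco,DC=localgov"]
ENTRIES = {  # constructed sample accounts, not real directory data
    "CN=Alice Example,OU=Finance,OU=AreaOperationsSouth,DC=corkcoco,DC=localgov":
        {"sAMAccountName": "aexample", "employeeID": "1001"},      # wrong attribute name
    "CN=Bob Example,OU=AreaOperationsSouth,DC=corkcoco,DC=localgov":
        {"sAMAccountName": "bexample", "employeeNumber": "1002"},
    "CN=Carol Example,OU=CentralOperationsSouth,DC=corkcoco,DC=localgov":
        {"sAMAccountName": "cexample", "employeeNumber": "1003"},  # sibling OU
}

if __name__ == "__main__":
    print(validate_bases(BASES), classify(ENTRIES, BASES, "employeeNumber"))
```

Carol's account shows why a second search base (or a restructured, more hierarchical OU tree) is needed for sibling OUs, and Alice's shows the attribute-name mismatch that produces the "Missing LDAP attribute" discard in the trace.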