01-27-2020 08:31 AM
Hi All
We need to change from LDAP to LDAPS on our CUCM.
I have changed the port to 3269; do I need to tick the use TLS button?
Also, I assume this won't remove any of my users whilst we do it? I was worried about all the phones logging out?
Cheers
01-27-2020 10:02 AM
If there are no changes to the user accounts (the UserIDs are the same), you should be OK. Check this link and follow the recommendation from @Jaime Valencia AKA the guru ;)
01-27-2020 01:42 PM
Correct, you need to change the port and tick TLS checkbox, assuming your LDAP servers and CUCM cluster both trust the same CA, i.e. Tomcat cert is signed by the same CA as LDAP server is using.
There will be no impact to users as you are still pointing to the same LDAP server using the same username mapping attribute.
01-28-2020 03:10 AM
Hi
I just checked our CUCM; there is a root CA already on there from our domain controller. The type is trust-certs and it says the purpose is CallManager-trust.
Would this be OK?
Cheers
01-28-2020 05:38 AM
It needs to be in the Tomcat-Trust, but more importantly the actual Tomcat cert needs to be signed by the common CA and not be self-signed. You can always test it by just updating the port, ticking the TLS checkbox and pressing Save, as that does not trigger any sync automatically, etc. If you get an error, it's descriptive enough to tell you it's cert related; if it saves without error, then it works.
01-28-2020 05:49 AM
Hi
Is it worth me trying as is?
I assume this will not cause any issues?
01-28-2020 06:22 AM
Correct. To be on the safe side, you can try it on the LDAP Authentication page first, as it uses the same connection.
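
The trust question raised in the replies above can be checked outside CUCM before the port is changed. This is an added example, not part of the original thread or any Cisco tooling: it builds a constructed lab CA, an LDAP server certificate and a self-signed certificate (all names hypothetical) and tests whether each one chains to the CA that would be uploaded as Tomcat-Trust.

```shell
#!/bin/sh
# Added example. All certificates are constructed lab data; names are hypothetical.

# chains_to_ca CA_PEM CERT_PEM
# Returns 0 only if CERT_PEM verifies against CA_PEM, which is the question
# the Tomcat-Trust store has to answer for the LDAPS connection.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_lab_pki DIR
# Writes ca.pem (root CA), ldap.pem (signed by that CA) and self.pem (self-signed).
make_lab_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.lab.example" \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/ldap.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/ldap.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=selfsigned.lab.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# report CA_PEM CERT_PEM: print a one-line verdict for the pair.
report() {
    if chains_to_ca "$1" "$2"; then
        echo "OK:   $2 chains to $1"
    else
        echo "FAIL: $2 does not chain to $1"
    fi
}

lab=$(mktemp -d)
make_lab_pki "$lab"
report "$lab/ca.pem" "$lab/ldap.pem"   # CA-signed server cert
report "$lab/ca.pem" "$lab/self.pem"   # self-signed cert, expected to fail
rm -rf "$lab"
```

Against a real directory, save the certificate the server presents with `openssl s_client -connect <ldap-host>:3269 -showcerts` and pass that file as the second argument, with the CA file you intend to upload as the first.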