
Changing LDAP in CUCM 7.x/8.x on active production cluster

All,

If an existing cluster is integrated with an existing LDAP directory and that directory becomes unavailable for a prolonged amount of time (time exceeding when the accounts are both deactivated and fully removed), what will ultimately happen to functions that CUCM provides that used that authentication/directory source to be enabled?

e.g. 100 users are logged in with Extension Mobility and do not logout under normal circumstances.

Cheers

2 REPLIES
Collaborator

Extension Mobility is authenticated by PIN rather than password so that will continue fine.

Access to things that use password authentication (if this is configured on CUCM) will fail - this would include ccmuser access, UCCX login etc.

The user accounts would stay - they would not be deleted.

If your LDAP failed I think you could disable LDAP authentication and just set local passwords on CUCM which should be an ok workaround - I have never done this but cannot see why it would be a problem.

Also with CUCM 9 you can convert LDAP synced users into local users.

Hall of Fame Cisco Employee

If it goes up to the point you ask:

(time exceeding when the accounts are both deactivated and fully removed)

I DO see a problem here.

The PIN is indeed local to CUCM, but that would only work for the time between when the user is deactivated and when the garbage disposal mechanism removes it from the DB. (SRND 9 explains this if anyone is interested.)

Once the user is gone, so is the PIN, so is any user/device/line/UDP/remote destination/etc association.

Only application users are local to CUCM and have no dependency on LDAP once it's configured; any end user who is synced via LDAP is either active / inactive and ultimately deleted.

AFAIK the only way to prevent this would be to disable the LDAP sync/auth altogether.

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk
