Create local accounts with LDAP integration on CUCM 8.6

Fikri FIRAT
Level 5
Level 5

Hi all,

We need to implement such a configuration that we can add 'End Users' on our LDAP-integrated CUCM 8.6 for the use of Jabber Clients. The created users should log in using CUPS. Is such a config possible? How would it affect IM?

Regards,

Fikri

1 Accepted Solution


17 Replies

Ayodeji Okanlawon
VIP Alumni
VIP Alumni

You can't do that on CUCM 8.6. Once you have LDAP integration, you can't add end users locally. I understand your frustrations on having to depend on the AD guys to add users for you etc., but that's the only way you can add users with LDAP configured.

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"


Hi Fikri,

In addition to what Mr. AOK has said, you can get this under CUCM 9.x.

regds,

aman

Hi,

Thanks for the quick responses. To clarify the question further, I would like to extend my description. We have two different domains and two different CUCM clusters. On cluster X, domain A users are logging in using LDAP; on cluster Y, the users are of domain B, but there was no IM&P usage, and the two domains are federated on CUPS. We need to deliver Jabber devices to the users of domain B, but cannot enable LDAP because of our Contact Center integration with cluster Y. Therefore, we thought adding local users to cluster X would enable the users to log in to their Jabber devices, along with voice and video capabilities. However, we are not sure whether or not IM will work on the Jabber device when they log in using their manually created end users on cluster X. Any comments?

Regards,

Fikri

You can't add users locally on cluster X, unless I don't understand what you are saying. Your description says users on cluster X are LDAP enabled. You want to add users in domain B to cluster X. Are you going to add them via AD/LDAP?

NB: Jabber will work with users local to CUCM using UDS (User Data Services). You will need to change the jabber-config file to point to UDS; the default is EDS (AD/LDAP).

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"


The users in domain B will be manually created on cluster X, not via LDAP/AD. The functionality that I'm not sure about is IM&P. Can the local users created on cluster X send/receive IM/P information to/from users coming from the LDAP sync?

How are you going to do that? Cluster X has LDAP integration enabled! You can't add users locally.

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"


I am assuming that we are using CUCM v9.X. Then we'd have both LDAP-enabled users and manually created users. Isn't that correct?

Your thread says CUCM 8.6. Yes, that's possible in CUCM 9.X. Like I said before, IM and presence will work regardless of AD/LDAP or lack of it.

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"


Thanks for your support; then what we need to do is upgrade to CUCM 9.X.

Hmm, I don't think it's that simple, and I am not sure it will work. You can only configure Jabber to use one directory type. If you configure Jabber to use EDS (AD/LDAP), it won't be able to search for users enabled locally. If you enable Jabber to use UDS (CUCM directory), then it won't be able to search for users using AD.

What I meant when I said Jabber will work is that it will work if everybody uses the same directory integration.

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"


Guys,

I would like to be more comfortable with LDAP on v9. I have some questions, if anybody would like to share his experience.

Thanks a lot!

Regarding that, I have 4 questions.

Let's say the customer is on version 9 with all local users.

1) If he wants to change that to LDAP, is there any possible impact the day you enable LDAP?

2) When LDAP is enabled, I think there is an option on users to convert a local user to LDAP progressively, user per user (if you want). Is that right?

3) I guess the user must match (first name, last name) with LDAP; if not, it will not be able to convert to an LDAP user. Is that right?

4) What happens if there is a mismatch between the extension of the user in Call Manager and the one in Active Directory?

Philippe,

1) If he wants to change that to LDAP, is there any possible impact the day you enable LDAP?

Assuming you perform a full sync (manually or on a schedule) then, yes, there is potential for impact. The DirSync process affects user objects immediately.

2) When LDAP is enabled, I think there is an option on users to convert a local user to LDAP progressively, user per user (if you want). Is that right?

That is not my understanding. There is a way to manually convert an LDAP integrated user to a local user account. However, there is no way to manually convert an individual local user account to an LDAP integrated account.

3) I guess the user must match (first name, last name) with LDAP; if not, it will not be able to convert to an LDAP user. Is that right?

Actually, the DirSync process is only looking at a single attribute when synchronizing user accounts. That is the attribute specified under System > LDAP > LDAP System. For Microsoft AD, the attributes that can be used are: samAccountName, UPN, mail, telephoneNumber, or employeeNumber. With regards to first name and last name, DirSync will prefer the attributes stored in LDAP. Of course, the attribute maps specified in UCM will be honored.

4) What happens if there is a mismatch between the extension of the user in Call Manager and the one in Active Directory?

I am not sure what you mean by "extension of the user in Call Manager". There are several attributes associated with an end user object that could be referenced/recognized as a phone number extension of the user itself. Each end user object has a "telephone number" field that may or may not have a value. This telephone number field is what is presented in the Corporate Directory and has nothing at all to do with the directory number assigned to a phone provisioned on the system.

End user objects also have an attribute called the "Primary Extension". To populate the Primary Extension, the end user must have a Device or Device profile associated with the end user object.

Phones also have extensions assigned, and you can associate an extension on a device line to an individual user.

With regards to LDAP synchronization, the telephone number attribute of the end user object will use the value associated with the attribute mapped under the System > LDAP > LDAP Directory synchronization agreements. The Primary Extension has nothing at all to do with LDAP integration and will not be individually affected by a sync. The same is true for end user associations to an individual phone line. Both of these latter associations are CUCM-specific.

HTH.

-Bill (http://ucguerrilla.com)

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

William Bell,

Thanks a lot.

From my understanding:

When we add LDAP,

local users that match (on the LDAP attribute under System > LDAP > LDAP System) will turn into LDAP users.

Users that don't match will stay local on CUCM.

Am I right? I just want to confirm.

Do you have any suggestion regarding potential bad impact or considerations when we activate LDAP, anything to do with Unity for example?

Thanks for your answer!

PS: by the way, really nice blog, I already saw it before. It's a good reference!

Philippe,

That is my understanding. If you have created a local user on CUCM that does NOT match any LDAP synchronized user object then the local user will be preserved as an active local user. This was not the case in pre-9.x versions. If, on the other hand, a matching user object exists in LDAP then the local user is converted to an LDAP user. I am assuming that your search base and LDAP filters allow the LDAP user object to be synchronized, of course.

What I like to do when enabling LDAP is the following:

1. I export All Users using BAT. I save that file "just in case". It has most everything you need to restore the user accounts (device associations, etc.).

2. I actually execute a SQL query on the enduser table to get the user information for pre-LDAP sync'd users.

3. I either use Apache Studio or a perl script I developed to do a test run of the LDAP synchronization (using the DirSync account, search base, and LDAP filter).

4. I compare #2 and #3 to see if there is anything missing/out of sorts.

5. I resolve any issues found in item #4

I usually do not have any issues with LDAP sync once I complete the above steps.

I don't see how LDAP sync on CUCM would affect Unity. Did you mean Unity Connection? Unity Connection uses the same exact mechanism as CUCM. In fact, Unity Connection has a "hidden" (not the right word, but close) table that is used to store users learned from LDAP. That is why you actually have to import the LDAP users after you do a sync. That "hidden" table isn't associated with any Unity Connection config object (such as a VM/UM user) in any way until you execute the import.

You can import from CUCM as well and, yes, the CUCM user account could have been created via LDAP sync on the CUCM side. However, there is no dynamic replication of that LDAP sync information between CUCM and Unity Connection. I honestly only use the CUCM sync when I have a Business Edition system, and I haven't worked with one of those in about 9 months or so.

Thanks for the comments on the blog and for reading. I need to get some free time to add a bunch of entries that I have been stockpiling.

HTH.

-Bill (http://ucguerrilla.com)

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
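A dry-run comparison in the spirit of steps 2 to 4 above, and of the single-attribute matching Bill describes in his earlier reply: it predicts which local users a first full DirSync would convert, which would stay local, and which first/last name and telephone values LDAP would overwrite. This is an added example, not Bill's script or any Cisco tool; the enduser export, the LDAP entries, the user-ID attribute and the field map are constructed assumptions.

```python
import csv
import io

# Constructed sample of the CUCM enduser export (steps 1-2 in the post): the pre-sync local users.
CUCM_ENDUSERS_CSV = """userid,firstname,lastname,telephonenumber
jdoe,John,Doe,2001
asmith,Anne,Smith,2002
ccagent1,Contact,Center,
"""
# Constructed result of the LDAP test run (step 3): entries the DirSync filter returned.
LDAP_ENTRIES = [
    {"sAMAccountName": "JDoe", "givenName": "Jonathan", "sn": "Doe", "telephoneNumber": "+1 555 2001"},
    {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones", "telephoneNumber": "+1 555 2003"},
]

# Assumed settings: the user-ID attribute chosen under System > LDAP > LDAP System and the
# CUCM-field -> LDAP-attribute map from the LDAP Directory synchronization agreement.
USERID_ATTR = "sAMAccountName"
FIELD_MAP = {"firstname": "givenName", "lastname": "sn", "telephonenumber": "telephoneNumber"}


def load_endusers(csv_text):
    """Parse the enduser export into a dict keyed by userid (lower-cased; assumed case-insensitive)."""
    return {row["userid"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def dirsync_dry_run(endusers, ldap_entries, userid_attr=USERID_ATTR, field_map=FIELD_MAP):
    """Predict the outcome of the first full sync (step 4: compare #2 with #3).

    Matching uses the single user-ID attribute only. On converted users the mapped
    fields take the LDAP values, so the report lists what would be overwritten.
    """
    ldap_by_id = {e[userid_attr].lower(): e for e in ldap_entries}
    converted = sorted(set(endusers) & set(ldap_by_id))
    overwritten = {}
    for uid in converted:
        diffs = {f: (endusers[uid].get(f, ""), ldap_by_id[uid].get(a, ""))
                 for f, a in field_map.items()
                 if endusers[uid].get(f, "") != ldap_by_id[uid].get(a, "")}
        if diffs:
            overwritten[uid] = diffs
    return {
        "converted": converted,
        "stay_local": sorted(set(endusers) - set(ldap_by_id)),  # kept active on 9.x only
        "new_from_ldap": sorted(set(ldap_by_id) - set(endusers)),
        "overwritten": overwritten,
    }


if __name__ == "__main__":
    for key, value in dirsync_dry_run(load_endusers(CUCM_ENDUSERS_CSV), LDAP_ENTRIES).items():
        print(f"{key}: {value}")
```

Anything listed under "stay_local" is what the Contact Center or other non-AD accounts would look like after the sync; anything under "overwritten" is what to reconcile in AD before enabling the agreement.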
