02-15-2010 04:25 PM - edited 03-15-2019 09:25 PM
Can someone please help? I am having difficulties populating my end user database in CUCM 7.1 with AD accounts that I want. Here is my dilemma.
I can configure my LDAP Directory settings within CUCM 7.1 with the follow ...
DC=COMPANY,DC=NAME,DC=INC
This works. My active end user list will be populated with all of the AD objects. However, this includes a lot of accounts I do not want to show up.
Now, from one of my domain controllers I can create a query that returns only users who have any value in their ipPhone account attribute. It looks like this...
(&(objectCategory=user)(ipPhone=*))
Is there any way to combine these search criteria in CUCM 7.1 so my end user list is populated from my company's AD with only the accounts I want?
02-15-2010 04:38 PM
Matt,
You have a couple of options. If your directory tree has adequate hierarchy you can do one of two things:
1. Use permissions to deny read access for the DirSync service account you have established. For example, if you had:
You could apply a permissions list where the DirSync account is blocked from reading Service Accounts.Users, East.Regional.Users, etc.
2. You can establish replication agreements from the CUCM to different OU contexts. Again, this assumes that you aren't using a flat tree. Also, you can only have a maximum of 5 replication agreements which hasn't been enough in my experience. That is why I use option 1 or the following.
If you have a relatively flat tree or see another reason why the method described in #1 or #2 doesn't work, you can update the LDAP filter that the CUCM uses when establishing a DirSync replication agreement. You can't modify this directly in CUCM 7.1 but you can use the SQL Query Toolkit that can be downloaded from your CUCM cluster node to update the database table that stores the LDAP filter.
It sounds like a hack, and it is. At least it started out that way. There are several folks doing this and I believe that Cisco is going to incorporate the ability to modify the LDAP filter in CUCM 8.x. I also heard that Cisco will carry forward any "hacked" LDAP filter entries when a customer upgrades from 6x/7x to 8x but don't quote me on that.
Anyway, I wrote a blog on how to do this as part of a series on the SQL Query Toolkit. Instead of repeating the content here, I will just provide the URL.
Hope this helps.
Regards,
Bill
Please remember to rate helpful responses and identify
02-15-2010 08:21 PM
Bill, I have read through your 3 part series. Good info! So, on the 3rd part. I have my updateldapfilter.xml file created. It looks like this...
Basically, if there is any value in the ipPhone attribute I want that user to populate my database.
Then you follow your example with a couple of notes that I don't follow.
You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"." Should my update set filter be "&amp;" instead of just "&"?
And then, I successfully ran the test.xml file. However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."
Further questions...
1) Is this filter applied to all LDAP directories I have created through the web console?
2) Is this filter something I have to run periodically, or will the filter be "on" at all times?
This is all very new to me so I hope my questions aren't too confusing. Thanks!!
02-15-2010 09:18 PM
Matt,
Glad to hear it helped. In response to your questions.
>Then you follow your example with a couple of notes that I don't follow.
>You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"." Should my update set filter be "&amp;" instead of just "&"?
Yes, you will want to use "&amp;" instead of "&".
>However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."
In the blog I was referring to the query in the "What is this table of which you speak?" section. Basically, we ran a query to identify the unique key that you could use to ensure you were applying your LDAP filter to the correct integration type (e.g. Microsoft AD).
>1) Is this filter applied to all LDAP directories I have created through the web console?
I don't follow. If you are asking whether the filter will apply to all LDAP synchronization agreements that you create then yes it will. The LDAP filter you applied will affect all LDAP sync agreements using Microsoft AD.
>2) Is this filter something I have to run periodically, or will the filter be "on" at all times?
Once you set the filter you shouldn't have to reset it though I have not tested every upgrade path variant.
>This is all very new to me so I hope my questions aren't too confusing. Thanks
Your questions are fine. Hopefully my answers weren't too confusing. Glad to hear that the post helped.
Regards,
Bill
02-15-2010 09:33 PM
Once I posted my questions and read through your 3 part series again it started clicking. I was able to answer my own questions. Thanks for the few clarifications. My CUCM database is now being populated with the data I want. Thank you very much! Once again, great blog.
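The ampersand question in the exchange above is an XML escaping issue: the LDAP filter's `&` has to be written as `&amp;` once the SQL statement sits inside an XML file. The following is an added example, not code from this thread or from the blog it mentions; `FILTER_TABLE`, `KEY_COLUMN`, `KEY_VALUE` and the `<update><sql>` envelope are placeholders, since the real table name and file layout are not given on this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Filter from the thread: user objects with any value in ipPhone.
LDAP_FILTER = "(&(objectCategory=user)(ipPhone=*))"


def build_update(ldap_filter):
    """SQL text with the filter as a quoted literal (single quotes doubled).

    FILTER_TABLE, KEY_COLUMN and KEY_VALUE are placeholders, not CUCM names.
    """
    literal = ldap_filter.replace("'", "''")
    return f"UPDATE FILTER_TABLE SET filter = '{literal}' WHERE KEY_COLUMN = KEY_VALUE"


def wrap(sql_text, escaped):
    """Place the SQL inside a constructed <update><sql> envelope."""
    body = escape(sql_text) if escaped else sql_text
    return f"<update><sql>{body}</sql></update>"


def wrap_with_library(sql_text):
    """Same envelope built by ElementTree, which escapes text automatically."""
    root = ET.Element("update")
    ET.SubElement(root, "sql").text = sql_text
    return ET.tostring(root, encoding="unicode")


def sql_seen_by_parser(document):
    """Return the SQL an XML parser extracts, or None if the file is not well-formed."""
    try:
        return ET.fromstring(document).findtext("sql")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    sql = build_update(LDAP_FILTER)
    print("raw '&'   ->", sql_seen_by_parser(wrap(sql, escaped=False)))
    print("'&amp;'   ->", sql_seen_by_parser(wrap(sql, escaped=True)))
    print("on disk   ->", wrap_with_library(sql))
```

The parser hands the receiving side a single `&` again, so the stored filter is the plain LDAP string; only the XML file on disk carries `&amp;`.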
04-13-2010 01:59 PM
William, hope all is well. Another DB question...possibly. Is there any way to modify my CUCM end user list (AD Integrated) so that instead of the Department ID (from the Organization tab) the Office field (from the General tab) in AD is what gets populated for my end users? Thanks,
04-13-2010 02:22 PM
Unfortunately, I don't believe this is possible. The department field in the End User table of the CUCM database is statically mapped to the AD attribute 'department'.
Regards,
Bill
04-13-2010 02:33 PM
Hi
I was wondering why you might want to use another field? Do you have a particular app that reads the CCM user DB that you would like to see the other information in?
Aaron
04-13-2010 02:45 PM
Aaron, I found out that the dept. ID has other business drivers in our company. Therefore, I am not allowed to modify that field and the values in there are not granular enough. However, our office field has the detailed information that I am looking for. My business driver is the Cisco Attendant Console application. From the department drop down menu within that application I wish my attendant console users could see that granularity. Right now it's more general and not as easy for them to direct calls. I was hoping there was some easy way to do this.
04-13-2010 02:48 PM
Aaron,
I am looking for a way to change the telephoneNumber field. The client has the full number in that field in AD, so when you do a search in the Corporate Directory it yields xxx-xxx-xxxx instead of their 3 digit extension. They want to keep the full 10 digit number for other applications pulling that information. But, from what I am reading, we cannot change the mapping of the Telephone Number field to pull an extension for the Corporate Directory to be able to be dialed when searched. Does that make sense?
Or, if there is a way that I can make Call Manager dial that extension from the Corporate Directory by dropping the first 7 digits, that would work too. Transformation patterns or something?
Thanks for any input.
-Roy
04-13-2010 03:08 PM
Roy,
Wow. Talk about variety ;-). In regards to telephoneNumber mapping, you have two options with AD:
1. Map the AD attribute 'telephoneNumber'
2. Map the AD attribute 'ipPhone'
I typically use the latter because the AD guys hardly ever touch this field. The only thing that needs to be worked out is:
a. A routine to export user data in the telephoneNumber field, "chop" the digits to what the user stations can dial, and re-import the updated attribute information. Any AD admin should be able to accomplish this small task.
b. Slightly more difficult is working this custom "chop" and rewrite to the ipPhone attribute into your standard operating procedures for provisioning users. Again, a routine (manual, automated, pseudo-automated) could be developed easily.
Another option would be to use a custom Corporate Directory application which will present numbers that can be dialed from stations to the IP phone as part of the XML interchange. Basically, the custom corp. directory reads the full 10 and "chops" the dn appropriately. This is slightly more challenging than using the ipPhone attribute, but still not all that bad. I am doing this now for a customer that has different abbreviated dialing strings per-building. Fun.
HTH.
Regards,
Bill
Please remember to rate helpful posts.
Please remember to rate helpful responses and identify
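One way the export, "chop" and re-import routine from the reply above could look, as an added example that is not from the thread: it reads exported `telephoneNumber` values, keeps the last three digits (the extension length Roy mentions), and emits LDIF modify records that set `ipPhone`. The DNs and numbers are constructed sample data, and the acceptance rule (10 digits, optional leading 1) is an assumption.

```python
import base64
import re

EXT_LEN = 3  # Roy's site dials 3-digit extensions

# Constructed sample export: (distinguishedName, telephoneNumber)
USERS = [
    ("CN=Alice Example,OU=Users,DC=example,DC=com", "303-555-0142"),
    ("CN=Zoë Müller,OU=Users,DC=example,DC=com", "+1 (303) 555-0177"),
    ("CN=Shared Fax,OU=Users,DC=example,DC=com", "555-0199"),  # too short
]


def extension(telephone_number, ext_len=EXT_LEN):
    """Last ext_len digits of a 10-digit number, or None if it is not one."""
    digits = re.sub(r"\D", "", telephone_number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    return digits[-ext_len:] if len(digits) == 10 else None


def ldif_attr(name, value):
    """One LDIF line; values that are not plain ASCII are base64 encoded."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_ldif(users):
    """Return (ldif_text, skipped_dns); telephoneNumber itself is never changed."""
    records, skipped = [], []
    for dn, tel in users:
        ext = extension(tel)
        if ext is None:
            skipped.append(dn)  # left for manual review instead of guessing
            continue
        records.append("\n".join([ldif_attr("dn", dn), "changetype: modify",
                                  "replace: ipPhone", ldif_attr("ipPhone", ext), "-", ""]))
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(USERS)
    print(ldif)
    print("skipped:", skipped)
```

Numbers that do not normalise to 10 digits are reported rather than truncated, so a short or malformed entry never ends up as a wrong extension in the directory.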
04-14-2010 06:16 AM
Thanks Bill for the answer...but can I clarify something?
If Call Manager will pull from the ipPhone field...how do I change that in Call Manager to pull from that field?
Thanks.
04-14-2010 06:20 AM
CUCM > System > LDAP > LDAP Directory. When you add a NEW entry, you have the opportunity to map "Phone Number" (or whatever attribute) to "ipPhone"
Michael
04-14-2010 06:25 AM
Roy,
You can define the attribute mappings in the configuration page for your directory sync setup. Go to System>LDAP>LDAP Directory. When you add a directory agreement you will see all of the attributes CUCM is interested in and how they are mapped at the bottom of the page. Go to the telephone number mapping and click the dropdown option to change the AD attribute mapping.
HTH.
Regards,
Bill
Please remember to rate helpful posts.
04-14-2010 06:48 AM
Thanks Bill. I guess since it is only on a new LDAP server where you can change it, I did not see that option.
Another quick question...if I setup a new LDAP server and want to delete the other one I have so that I can sync the correct fields I want, it warns me that all users will be deleted when I delete the old server. Will that affect anything as far as having those users associated with phones and voicemail during the change to the new server? Does that make sense? I don't want to affect service during business hours...I wouldn't think it would, but I want to cover my bases at this point before I make any changes.
Thanks...