02-15-2010 04:25 PM - edited 03-15-2019 09:25 PM
Can someone please help? I am having difficulties populating my end user database in CUCM 7.1 with AD accounts that I want. Here is my dilemma.
I can configure my LDAP Directory settings within CUCM 7.1 with the follow ...
DC=COMPANY,DC=NAME,DC=INC
This works. My active end user list will be populated with all of the AD objects. However, this includes a lot of accounts I do not want to show up.
Now, from one of my domain controllers I can create a query that returns only users who have any value in their ipPhone account attribute. It looks like this...
(&(objectCategory=user)(ipPhone=*))
Is there any way to combine these search criteria in CUCM 7.1 so my end user list is populated from my company's AD with only the accounts I want?
04-14-2010 06:52 AM
You have a 72-hour grace period to delete and re-create the LDAP entry without losing any user config on CUCM.
Michael
04-14-2010 06:56 AM
Thanks for the reply Michael.
I have more of a background in CME and now starting to do more full UC deployments so running into different scenarios in the real world that you would not run across in books.
I will create a new LDAP server and delete the old one and then perform a full sync.
Thanks for the direction guys!
04-14-2010 06:59 AM
Looks like Michael may have jumped in the thread and answered the question. The users are "flagged" for deletion but aren't deleted until the next clean up cycle. Michael says that is 72 hours. I always thought it was 24 but Michael is a huge fan of LDAP support questions so I am sure he is right. Anyway, you can safely delete the sync agreement and recreate it. Just don't let too much time lapse between the two actions ;-).
HTH.
Regards,
Bill
Please remember to rate helpful responses and identify
04-14-2010 07:05 AM
Bill was right about the 24-hour period. I was wrong.
+5
Michael
06-07-2010 03:03 PM
Actually it varies but the 24 hours number is significant. Here's how it works, there's a garbage collection process that runs nightly at 3AM on the Call Manager. This process will look at all the inactive accounts and will purge them from the system as long as they have been inactive for 24hrs. However assume you configure LDAP synchronization at 5PM and you perform a full sync at that time. All non-matching accounts will be marked inactive, however they will not be deleted during the next 3AM purge process since they would not have been inactive for 24 hours, at this time they are only inactive for 10 hours. Instead they will be purged the following day at 3AM because at that time these accounts will now have been inactive for more than 24 hours. In fact they are inactive for 34 hours. So it really depends on when the accounts are marked inactive as compared to the 3AM purge process.
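Added example, not part of the original thread: the purge timing described in the post above, as a small calculation. It assumes a daily 03:00 run and that an account inactive for exactly 24 hours is purged; the function names are illustrative. It also generalizes the 5PM case by scanning every minute of a day for the shortest and longest grace period.

```javascript
// Added example. Assumptions: the purge runs daily at 03:00 server time and
// removes accounts that have been inactive for at least 24 hours.
// Dates are built in UTC only to keep the arithmetic free of local-timezone
// effects; read them as the server's wall clock.
const HOUR_MS = 3600 * 1000;

// First purge run at which the account has been inactive long enough.
function purgeTime(markedInactive, purgeHour = 3, minInactiveHours = 24) {
  const earliest = markedInactive.getTime() + minInactiveHours * HOUR_MS;
  const run = new Date(earliest);
  run.setUTCHours(purgeHour, 0, 0, 0); // purge run on that calendar day
  if (run.getTime() < earliest) run.setUTCDate(run.getUTCDate() + 1);
  return run;
}

function hoursUntilPurge(markedInactive) {
  return (purgeTime(markedInactive).getTime() - markedInactive.getTime()) / HOUR_MS;
}

// Shortest and longest grace period over every minute of one day.
function graceRange() {
  let min = Infinity;
  let max = -Infinity;
  for (let m = 0; m < 24 * 60; m++) {
    const h = hoursUntilPurge(new Date(Date.UTC(2010, 5, 7, 0, m)));
    min = Math.min(min, h);
    max = Math.max(max, h);
  }
  return { min, max };
}
```

Under these assumptions the time available to recreate a sync agreement ranges from 24 hours (marked inactive at exactly 03:00) to just under 48 hours (marked one minute later).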
01-10-2011 06:24 AM
Bill,
I'm trying to do an LDAP search from our Corporate Directory (no sync with AD) and need to search the ipphone field and not the telephonenumber (until I figure how to transform over 40 North America E.164 numbers to internal extensions). I'm using the attached file successfully for the telephonenumber field but not sure what needs to be changed on the file to look for the ipphone field in AD.
Thanks
07-21-2011 06:54 AM
Chris,
I know this is way late but I honestly didn't see your response until now. I am guessing you figured it out but for future reference:
Look for this code section:
// Create the COM object and initial values
var s = new ActiveXObject("LDAPSEARCH.LDAPSearchList");
s.server = ldapserver;
s.searchbase = ldapsearchbase;
s.port = ldapport;
s.AuthName = ldapuserid;
s.AuthPasswd = ldappassword;
s.AddReturnAttr("givenName, sn", "Name", "%2, %1", 31);
s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);
and change
s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);
to:
s.AddReturnAttr("ipPhone", "Telephone", "%1", 31);
HTH.
Regards,
Bill
02-16-2010 09:52 AM
Do you have a suggestion on how to make a filter with an OR statement?
We want to search by state, using st=XX or ST=YY
Thanks
02-16-2010 10:21 AM
This should work...
(&(objectCategory=user)(|(st=TX)(st=CO)))
There is a "|" before the first "st" outside of the parenthesis which is the OR operator.
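Added example, not part of the original thread: a small evaluator for the LDAP filter syntax used in this thread, run against constructed directory entries to show which accounts a filter would select before it is used for a sync. It handles only a subset of RFC 4515 (`&`, `|`, `!`, equality and presence); `parseFilter`, `matches`, `syncedNames` and the sample entries are illustrative.

```javascript
// Added example: evaluates a subset of RFC 4515 (&, |, !, attr=value, attr=*).
function parseFilter(text) {
  let pos = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} near offset ${pos}`); };
  function filter() {
    if (text[pos++] !== "(") fail("expected '('");
    let node;
    const c = text[pos];
    if (c === "&" || c === "|") {
      pos++;
      const kids = [];
      while (text[pos] === "(") kids.push(filter());
      if (kids.length === 0) fail("operator needs an operand");
      node = { op: c, kids };
    } else if (c === "!") {
      pos++;
      node = { op: "!", kids: [filter()] };
    } else {
      const end = text.indexOf(")", pos);
      if (end < 0) fail("missing ')'");
      const m = /^([A-Za-z][\w;.-]*)=([^()]*)$/.exec(text.slice(pos, end));
      if (!m) fail("expected attr=value");
      node = { attr: m[1].toLowerCase(), value: m[2] }; // attribute names are case-insensitive
      pos = end;
    }
    if (text[pos++] !== ")") fail("expected ')'");
    return node;
  }
  const tree = filter();
  if (pos !== text.length) fail("trailing characters");
  return tree;
}

function matches(node, entry) {
  if (node.op === "&") return node.kids.every((k) => matches(k, entry));
  if (node.op === "|") return node.kids.some((k) => matches(k, entry));
  if (node.op === "!") return !matches(node.kids[0], entry);
  const values = [].concat(entry[node.attr] ?? []);
  if (node.value === "*") return values.length > 0; // presence test
  return values.some((v) => v.toLowerCase() === node.value.toLowerCase());
}
// Constructed sample entries; objectCategory is simplified to a plain string.
const DIRECTORY = [
  { cn: "Alice Example", objectcategory: "user", ipphone: "4101", st: "TX" },
  { cn: "Bob Example", objectcategory: "user", st: "CO" },
  { cn: "svc-backup", objectcategory: "user", st: "NY" },
  { cn: "LOBBY-PC", objectcategory: "computer", ipphone: "4199", st: "TX" },
];
const syncedNames = (f) => DIRECTORY.filter((e) => matches(parseFilter(f), e)).map((e) => e.cn);
```

A strict parser like this one rejects a filter whose operands are wrapped in an extra pair of parentheses, so it doubles as a syntax check.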
07-21-2011 05:58 AM
Hi,
I am facing a problem with LDAP integration with CUCM. After integration I was able to find the user details in CUCM until a few days ago, but all of a sudden, when the AD admin adds any user in AD, I am not able to view those users' details in CUCM. At the same time, if I make any modifications to existing user profiles, those changes are reflected well in CUCM. Can you please help us with this? Please send your reply to madhusudhanam@hcl.com
Regards,
M.Madhusudhana Rao
07-21-2011 07:02 AM
M.,
Based on the fact changes made in AD on existing users is replicated to CUCM, I think it is safe to say that the sync agreement is healthy. The things I would look at would be:
- OU structure: Are the new users created in an OU that is part of your user search base path?
- Permissions: Has anything happened to the permission settings for the service account? What happens when you create a user in the same OU as user objects that are working? Can you look at the permissions on the user object and verify the DirSync account has appropriate permissions?
- If the LDAP query is custom (i.e. something other than default) then do the new user objects have the appropriate attributes set?
HTH.
Regards,
Bill
07-21-2011 07:13 AM
Hi,
Thanks for your response. As I communicated earlier, both users (new user and old user) are under one OU only, but I am not able to find the new user in CUCM.
Regards,
M.Madhusudhana Rao
02-15-2010 04:38 PM
On 7.x, if you want to do that, you need to use the AXL toolkit, which falls into developer support.
Or you can wait for 8.x, which should have the GUI to allow you configure the filter.
Thanks!
Michael
10-20-2010 04:17 PM
Seeking confirmation on this query.
We are synching CUCM with MS AD. I would like the directory to only contain users that have an IP phone entry in the MS directory. Is this correct?
If I run this and totally hose my directory... how do I rollback/remove this update/change?
04-24-2012 01:27 AM
Hello everyone!
The SRND contains the following information:
Such attributes as User ID, First Name, Middle Name, Last Name, Manager ID, Department, Phone Number, Mail ID are imported from the LDAP directory into corresponding Unified CM user fields, and it describes the mapping between those fields. Some Unified CM user fields might be mapped from one of several LDAP attributes.
There is a list of additional attributes that are imported by the Dirsynch process and copied into the Unified CM database but are not displayed in the administrator user configuration web pages: objectGUID, OCSPrimaryUserAddress, Title, Home Phone Number, Mobile Phone Number, Mobile Phone Number.
I have a task to provide a corporate directory solution that must be able to list the Phone Number and Mobile Phone Number for each contact.
How can the additional attributes that are imported from AD and copied into the Unified CM database, but are not displayed in the administrator user configuration web pages, be used?
thanks!
Andrii