
CUCM 7.1 LDAP Integration with Microsoft AD

Can someone please help? I am having difficulties populating my end user database in CUCM 7.1 with AD accounts that I want. Here is my dilemma.

I can configure my LDAP Directory settings within CUCM 7.1 with the following Required Field...


This works. My active end user list will be populated with all of the AD objects. However, this includes a lot of accounts I do not want to show up.

Now, from one of my domain controllers I can create a query that returns only users who have any value in their ipPhone account attribute. It looks like this...


Is there any way to combine these search criteria in CUCM 7.1 so my end user list is populated from my company's AD with only the accounts I want?


You have a 72-hour grace period to delete and re-create the LDAP entry without losing any user config on CUCM.


Thanks for the reply Michael.

I have more of a background in CME and am now starting to do more full UC deployments, so I am running into different scenarios in the real world that you would not run across in books.

I will create a new LDAP server and delete the old one and then perform a full sync.

Thanks for the direction guys!

Looks like Michael may have jumped in the thread and answered the question. The users are "flagged" for deletion but aren't deleted until the next clean up cycle. Michael says that is 72 hours. I always thought it was 24 but Michael is a huge fan of LDAP support questions so I am sure he is right. Anyway, you can safely delete the sync agreement and recreate it. Just don't let too much time lapse between the two actions ;-).




HTH -Bill (b) (t) @ucguerrilla

Please remember to rate helpful responses and identify

Bill was right about the 24-hour period. I was wrong.



Actually it varies, but the 24 hours number is significant. Here's how it works: there's a garbage collection process that runs nightly at 3AM on the Call Manager. This process will look at all the inactive accounts and will purge them from the system as long as they have been inactive for 24hrs. However, assume you configure LDAP synchronization at 5PM and you perform a full sync at that time. All non-matching accounts will be marked inactive; however, they will not be deleted during the next 3AM purge process since they would not have been inactive for 24 hours. At this time they are only inactive for 10 hours. Instead they will be purged the following day at 3AM, because at that time these accounts will now have been inactive for more than 24 hours. In fact they are inactive for 34 hours. So it really depends on when the accounts are marked inactive as compared to the 3AM purge process.
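The purge timing described in the post above, as an added example that is not part of the original thread: it computes which nightly run removes an account and how long a deleted sync agreement can wait before it is re-created and synced. The function names, the sample dates and the treatment of exactly 24 hours as sufficient are assumptions.

```javascript
// Added example, not from the thread: model of the purge timing described above.
// Times are UTC Date values standing in for the server's local clock.
const HOUR = 60 * 60 * 1000;
const PURGE_HOUR = 3;        // nightly garbage collection at 3AM (from the post)
const MIN_INACTIVE_H = 24;   // inactivity required before purge (from the post)

// First nightly run at which an account marked inactive at `marked` is purged.
// Assumption: exactly 24 hours of inactivity already qualifies.
function purgeRun(marked) {
  let run = Date.UTC(marked.getUTCFullYear(), marked.getUTCMonth(),
                     marked.getUTCDate(), PURGE_HOUR);
  while (run - marked.getTime() < MIN_INACTIVE_H * HOUR) run += 24 * HOUR;
  return new Date(run);
}

// Hours an account stays recoverable after being marked inactive.
function graceHours(marked) {
  return (purgeRun(marked).getTime() - marked.getTime()) / HOUR;
}

// True if a re-created agreement's full sync at `resync` happens before the
// accounts marked inactive at `marked` are purged.
function resyncInTime(marked, resync) {
  return resync.getTime() < purgeRun(marked).getTime();
}

// Constructed sample times.
const at5pm = new Date(Date.UTC(2010, 0, 4, 17));   // the 5PM case from the post
const at2am = new Date(Date.UTC(2010, 0, 4, 2));    // one hour before a purge run
console.log(graceHours(at5pm), graceHours(at2am));
```

Under this model the window is never shorter than 24 hours and always shorter than 48, depending on how close to 3AM the accounts were marked inactive.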


I'm trying to do an LDAP search from our Corporate Directory (no sync with AD) and need to search the ipphone field and not the telephonenumber (until I figure how to transform over 40 North America E.164 numbers to internal extensions). I'm using the attached file successfully for the telephonenumber field but not sure what needs to be changed on the file to look for the ipphone field in AD.



I know this is way late but I honestly didn't see your response until now. I am guessing you figured it out but for future reference:

Look for this code section:

    // Create the COM object and initial values
    var s = new ActiveXObject("LDAPSEARCH.LDAPSearchList");
    s.server = ldapserver;
    s.searchbase = ldapsearchbase;
    s.port = ldapport;
    s.AuthName = ldapuserid;
    s.AuthPasswd = ldappassword;
    s.AddReturnAttr("givenName, sn", "Name", "%2, %1", 31);
    s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);

and change

    s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);

to

    s.AddReturnAttr("ipPhone", "Telephone", "%1", 31);




HTH -Bill (b) (t) @ucguerrilla


Do you have a suggestion on how to make a filter with an OR statement?

We want to search by state, using st=XX or ST=YY


This should work...


There is a "|" before the first "st" outside of the parenthesis which is the OR operator.
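The OR placement described in the reply above (the `|` comes before the first `st` term), as an added example that is not part of the original thread: it builds a filter for users that have an `ipPhone` value and live in one of several states, escapes each value per RFC 4515 so that a supplied state cannot alter the filter structure, and checks the result against constructed entries. The function names, the sample states and the small evaluator are assumptions for illustration; nothing here talks to CUCM or AD.

```javascript
// Added example, not from the thread. Filter syntax follows RFC 4515.
// Escape the characters that are special inside a filter value.
function escapeValue(v) {
  return String(v).replace(/[\\*()\0]/g,
    c => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}
const present = attr => `(${attr}=*)`;            // attribute has any value
const equals = (attr, v) => `(${attr}=${escapeValue(v)})`;
const or = (...parts) => `(|${parts.join("")})`;  // operator precedes its terms
const and = (...parts) => `(&${parts.join("")})`;

// Users with an ipPhone value whose state is one of `states`.
function phoneUsersInStates(states) {
  return and(present("ipPhone"), or(...states.map(s => equals("st", s))));
}

// Minimal evaluator for the subset used above (&, |, presence, equality).
function matches(filter, entry) {
  const attrs = {};
  for (const [k, v] of Object.entries(entry)) attrs[k.toLowerCase()] = String(v);
  let i = 0;
  function node() {
    i++;                                          // skip "("
    const op = filter[i];
    let result;
    if (op === "&" || op === "|") {
      i++;
      const kids = [];
      while (filter[i] === "(") kids.push(node());
      result = op === "&" ? kids.every(Boolean) : kids.some(Boolean);
    } else {
      const end = filter.indexOf(")", i);
      const eq = filter.indexOf("=", i);
      const have = attrs[filter.slice(i, eq).toLowerCase()];
      const raw = filter.slice(eq + 1, end);
      const want = raw.replace(/\\([0-9a-f]{2})/gi,
        (_, h) => String.fromCharCode(parseInt(h, 16)));
      result = raw === "*" ? have !== undefined && have !== ""
        : have !== undefined && have.toLowerCase() === want.toLowerCase();
      i = end;
    }
    i++;                                          // skip ")"
    return result;
  }
  return node();
}
// Constructed sample: two states and one directory entry.
const filter = phoneUsersInStates(["TX", "CA"]);
console.log(filter, matches(filter, { ipPhone: "4001", st: "tx" }));
```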


I am facing a problem with LDAP integration with CUCM. After integration I was able to find the user details in CUCM until a few days back, but all of a sudden, when the AD admin adds any user in AD, I am not able to view those users' details in CUCM. At the same time, if I make any modifications to existing user profiles, those changes are reflected well in CUCM. Can you please help us with this? Please provide your reply to


M.Madhusudhana Rao


Based on the fact that changes made in AD on existing users are replicated to CUCM, I think it is safe to say that the sync agreement is healthy. The things I would look at would be:

- OU structure: Are the new users created in an OU that is part of your user search base path?

- Permissions: Has anything happened to the permission settings for the service account? What happens when you create a user in the same OU as user objects that are working? Can you look at the permissions on the user object and verify the DirSync account has appropriate permissions?

- If the LDAP query is custom (i.e. something other than default) then do the new user objects have the appropriate attributes set?




HTH -Bill (b) (t) @ucguerrilla



Thanks for your response. As I communicated earlier, both the users (new user and old user) are under one OU only, but I am not able to find the new user in CUCM.


M.Madhusudhana Rao



On 7.x, if you want to do that, you need to use the AXL toolkit, which falls into developer support.

Or you can wait for 8.x, which should have the GUI to allow you to configure the filter.




Seeking confirmation on this query.

We are synching CUCM with MS AD.  I would like the directory to only contain users that have an IP phone entry in the MS directory.  Is this correct?


If I run this and totally hose my directory... how do I rollback/remove this update/change?


Hello everyone!

In the SRND there's the following information:

Such attributes as User ID, First Name, Middle Name, Last Name, Manager ID, Department, Phone Number, Mail ID are imported from the LDAP directory into corresponding Unified CM user fields, and it describes the mapping between those fields. Some Unified CM user fields might be mapped from one of several LDAP attributes.

There is a list of additional attributes that are imported by the DirSync process and copied into the Unified CM database but are not displayed in the administrator user configuration web pages: objectGUID, OCSPrimaryUserAddress, Title, Home Phone Number, Mobile Phone Number, Mobile Phone Number.

I have a task to provide a corporate directory solution which must be able to list Phone Number and Mobile Phone Number for each contact.

How can the additional attributes which are imported from AD and copied into the Unified CM database, but are not displayed in the administrator user configuration web pages, be used?


