CUCM 9.1 - Convert LOCAL user to LDAP

Chris Schuerger
Level 1

Here is my situation - Brand new 9.1.x cluster.  LDAP was not ready, so local users were configured so that I could import the phones.  In previous versions of CUCM, once LDAP integration was enabled, the existing local users would be replaced by the LDAP imported users.  SOME of my users have now been added to LDAP on the AD server, but it doesn't look like those accounts in CUCM have converted themselves to LDAP.  I know you can switch back the other way (LDAP account switched to Local Account), but once ALL of my users have been added to LDAP, will they change in CUCM to LDAP users?  If so, what is the process?

There were between 4-6 users in LDAP when I integrated, before I made any local accounts.  Those users synced and show as LDAP users in CUCM.  The rest of the users (about 85 others) were created manually.  I see that at least 1 of my manually created users has been added to the LDAP server, though I still see him as a CUCM local user...will I need to export these users, allow them to sync from LDAP, then update them from my export?  If so, that's a real bummer.


Jaime Valencia
Cisco Employee

I did this in my lab for testing purposes, created a local user and it was working fine, added him to LDAP using same userID, went to LDAP page and performed a full sync and he was converted to an LDAP user.

HTH

java

if this helps, please rate

www.cisco.com/go/pdihelpdesk

Hi,

I have an LDAP which is not accurate (phone number), so I converted the users from LDAP to local, and changed the phone number of all the users I had to change.

But when the CUCM auto-synced with the LDAP, it changed back all the changes I had made.

Because it's a central LDAP (with different countries) I cannot disable the LDAP sync.

How can I have local users with the same userID as the LDAP users but the sync doesn't change the local user?

thanks

You cannot, if the userID matches an LDAP user, it will convert into an LDAP user, no way around that.

Not sure if permissions on LDAP can be granular to a user level; if they are, simply configure your bind user to not have permissions over those users.

Otherwise, you'll need to have them with a different userID, or correct your LDAP info

HTH

java

if this helps, please rate

Jaime,

A customer tonight had certs expire which caused LDAP not to work on port 3269. I converted his account to local which got him into Finesse.

I changed the LDAP ports to 3268 so LDAP is working again. He wants his local account back to an LDAP account. I did a full sync like you said above but his local account is staying local and not converting back to LDAP.

I tried changing the local userID and then doing a full LDAP sync but that still didn't bring his AD account into CUCM.  I'm trying to avoid deleting the local account and then rebuilding everything.  Any ideas as to why the local account with same userID as LDAP account is not getting converted to an LDAP account?

Thx

J

Disregard.  The local account converted back to LDAP after garbage clean up overnight.

Thx all,

John

If permissions are not granular to the user object level, is it feasible to place the users you do not want synchronized, into a group called CiscoLocal and use an LDAP query filter similar to this to exclude them?:


(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=CN=CiscoLocal,OU=NY,OU=NY Exchange,DC=Corp,DC=MyDomain,DC=com)))

Hi Jaime, just asking, I have the same issue: the local user ID (CUCM directory) is the same as LDAP. If I sync with LDAP as you say, it will convert the users to LDAP. The users I have have some configuration like SNR and other access; will it be integrated or must I enter the SNR, for example, again?

Regards,

Nothing will change in the config, the user will just now show as active LDAP user.

HTH

java

if this helps, please rate