09-19-2013 10:48 AM - edited 03-16-2019 07:27 PM
Here is my situation - Brand new 9.1.x cluster. LDAP was not ready, so local users were configured so that I could import the phones. In previous versions of CUCM, once LDAP integration was enabled, the existing local users would be replaced by the LDAP imported users. SOME of my users have now been added to LDAP on the AD server, but it doesn't look like those accounts in CUCM have converted themselves to LDAP. I know you can switch back the other way (LDAP account switched to Local Account), but once ALL of my users have been added to LDAP, will they change in CUCM to LDAP users? If so, what is the process?
There were between 4-6 users in LDAP when I integrated, before I made any local accounts. Those users synced and show as LDAP users in CUCM. The rest of the users (about 85 others) were created manually. I see that at least 1 of my manually created users has been added to the LDAP server, though I still see him as a CUCM local user...will I need to export these users, allow them to sync from LDAP, then update them from my export? If so, that's a real bummer.
09-19-2013 01:46 PM
I did this in my lab for testing purposes, created a local user and it was working fine, added him to LDAP using same userID, went to LDAP page and performed a full sync and he was converted to an LDAP user.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk
10-22-2015 08:53 AM
Hi,
I have an LDAP which is not accurate (phone number), so I converted the users from LDAP to local, and changed the phone number of all the users I had to change.
But when the CUCM auto-synced with the LDAP, it changed back all the changes I had made.
Because it's a central LDAP (with different countries) I cannot disable the LDAP sync.
How can I have local users with the same userID as the LDAP users but the sync doesn't change the local user?
thanks
10-22-2015 08:55 AM
You cannot, if the userID matches an LDAP user, it will convert into an LDAP user, no way around that.
Not sure if permissions on LDAP can be granular to a user level; if they are, simply configure your bind user to not have permissions over those users.
Otherwise, you'll need to have them with a different userID, or correct your LDAP info.
01-07-2017 09:30 PM
Jaime,
A customer tonight had certs expire which caused LDAP not to work on port 3269. I converted his account to local which got him into Finesse.
I changed the LDAP ports to 3268 so LDAP is working again. He wants his local account back to an LDAP account. I did a full sync like you said above but his local account is staying local and not converting back to LDAP.
I tried changing the local userID and then doing a full LDAP sync but that still didn't bring his AD account into CUCM. I'm trying to avoid deleting the local account and then rebuilding everything. Any ideas as to why the local account with same userID as LDAP account is not getting converted to an LDAP account?
Thx
J
01-08-2017 04:06 PM
Disregard. The local account converted back to LDAP after garbage clean up overnight.
Thx all,
John
01-29-2018 04:29 PM
If permissions are not granular to the user object level, is it feasible to place the users you do not want synchronized, into a group called CiscoLocal and use an LDAP query filter similar to this to exclude them?:
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=CN=CiscoLocal,OU=NY,OU=NY Exchange,DC=Corp,DC=MyDomain,DC=com)))
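The exclusion filter from the post above, written in strict RFC 4515 form (each negation parenthesised, outer group closed) and evaluated offline against constructed entries to show which accounts it would select. This is an added example, not part of the original thread; the user IDs and attribute values are made up, and the small parser covers only the constructs this filter uses.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: bitwise AND
GROUP = "CN=CiscoLocal,OU=NY,OU=NY Exchange,DC=Corp,DC=MyDomain,DC=com"  # DN from the post
FILTER = f"(&(objectClass=user)(!(userAccountControl:{BIT_AND}:=2))(!(memberOf={GROUP})))"
ITEM = re.compile(rf"([\w-]+)(?::({re.escape(BIT_AND)}):)?=([^()]*)")
ENTRIES = {  # constructed sample entries; attribute names lower-cased
    "asmith": {"objectclass": ["user"], "useraccountcontrol": ["512"]},
    "bjones": {"objectclass": ["user"], "useraccountcontrol": ["514"]},  # disabled (bit 2 set)
    "clee": {"objectclass": ["user"], "useraccountcontrol": ["512"], "memberof": [GROUP]},
}

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' needs parenthesised sub-filter(s) at offset {i}")
        node = (op, kids)
    else:
        m = ITEM.match(f, i)  # attr=value or attr:<bitwise-AND OID>:=value
        if not m:
            raise ValueError(f"bad item at offset {i}")
        node, i = ("item", m.groups()), m.end()
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    kind, arg = node
    if kind != "item":
        hits = [matches(k, entry) for k in arg]
        return {"&": all(hits), "|": any(hits), "!": not hits[0]}[kind]
    attr, rule, want = arg
    values = entry.get(attr.lower(), [])
    if rule == BIT_AND:  # true when every bit of `want` is set in the stored value
        return any((int(v) & int(want)) == int(want) for v in values)
    return any(v.lower() == want.lower() for v in values)

def matching_users(filter_text=FILTER, entries=ENTRIES):
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(u for u, e in entries.items() if matches(tree, e))
```

On Active Directory, `memberOf` lists direct group membership only, so a user who belongs to CiscoLocal through a nested group would still match this filter.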
07-12-2017 09:49 AM
Hi Jaime, just asking, I have the same issue: the local user ID (CUCM directory) is the same as LDAP. If I sync with LDAP as you say, it will convert the users to LDAP. The users I have have some configuration like SNR and other access; will it be integrated, or must I enter the SNR, for example, again?
Regards,
07-12-2017 09:54 AM
Nothing will change in the config, the user will just now show as active LDAP user.