CUCM Custom LDAP Filters

ahochau_2
Level 1

Greetings,

Let me start by saying, I am not a programmer.  I have read RFC 4515, which makes my head spin (I'm sure it makes sense to some people), and spent the better part of a day scouring websites and forums, and I am still failing to get the results I need. I have tried ADExplorer and Softerra's LDAP browser to test my filters. Thus far I can successfully add all users in AD, or none of the users in AD.

Users are spread throughout AD.  All users can be found in OUs labeled "Users" or some form of "Temporary Users".  I would like to filter and only have active users that are found in an OU that matches the naming.  It appears that the Cisco default filter of (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) is replaced when a custom filter is applied; it is not "anded".

If I add (|(ou=Temp*)(ou=users)) to the string, from what I understand it should say "if ou= anything beginning with 'Temp' or 'Users' in the dn," and I should have met the goal.  However, my attempts have been less than successful. When I try the following:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))(|(ou=Temp*)(ou=users)))

IMHO this should be saying find any object that is a user, not a computer and not inactive and has Temp or Users in the fully distinguished name.  But it returns 0 matches for users.  I know the answer is right in front of me and I just can't see it.  Any help would be appreciated.

The next step would be to add contacts to the list as well, which would allow us to get rid of the AD accounts for things like "Kitchen".  In my feeble mind that means adding (objectclass=contact) to the filter, but maybe I am less than accurate in that assumption.

Any help in achieving the goal would be appreciated. 

Thanks,

Mark

Accepted Solution

First, you can use CN in place of OU to denote the canonical name of the OU and it works the same.  Also, your query would have imported all users (depending on what part of the LDAP tree you started) and included users from the temp and users OU's as well.  I was scratching my head actually at why that query was written that way.  Also note that CUCM will not import contacts.  Only AD Users and inetOrgPerson objects who have a last name field that is not empty will be imported into CUCM.

Second, I agree with your frustration.  I've had numerous customers complain about the lack of features and flexibility in LDAP integration.  It generally happens with non-trivial LDAP structures that grew organically to be complicated or were created that way on purpose.

My general rule-of-thumb is to try and find a common denominator for the users you care about importing into CUCM.

Solutions that have worked in the past are:

  • Import based on group membership (a security group for example)
  • Import based on telephone or ipPhone field not being empty/null
  • Import based on location in LDAP tree (CN=,DC=domainname,DC=com)
  • Combination of the above

The group membership method is easiest to use but doesn't scale very well.

This example imports users who are members of the security group CiscoPhoneUsers:

    (&(memberOf=CN=CiscoPhoneUsers,CN=Users,DC=domainname,DC=com))

Here is one I wrote for a multi-cluster installation.  It imports all users as long as they are NOT a member of the named groups:

    (&
      (!
        (|
          (memberOf=CN=TestAccounts,CN=Groups,DC=domainname,DC=com)
          (memberOf=CN=TerminatedEmployees,CN=Groups,DC=domainname,DC=com)
          (memberOf=CN=ExtensionMobility-AP,CN=Groups,DC=domainname,DC=com)
          (memberOf=CN=ExtensionMobility-EU,CN=Groups,DC=domainname,DC=com)
        )
      )
    )

-Steven

Please help us make the communities better. Rate helpful posts!


ahochau_2
Level 1

Sorry, got an extra ) in there.  The filter I am attempting to apply should read:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ou=Temp*)(ou=users)))

Mark,

The way LDAP query arguments are written is not obvious to non-programmers.  All of us are taught to use the format formally called infix notation.

     I.E. 5 x 5 = 25.

LDAP uses prefix notation, also called polish notation, which puts the operators first and then the values.

     I.E. x 5 5 = 25.  

In your case you need to put an additional OR statement (your operator) first and then append the values (|((ou=Temp*)(ou=users))) at the end. That way you are saying, in infix notation here, you want the default CUCM users or where users are in the temp OU or where users are in the users OU.

-Steven


If I understand correctly, you're saying the filter should then look like:

(|(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ou=Temp*)(ou=users))

Wouldn't that translate to people speak as:

User Accounts, not computer accounts that are not inactive OR Organizational Unit begins with "Temp" OR Organizational Unit is Users.

You want to OR the temp and users ou's right?

Probably something like this though I cannot be certain without looking at your LDAP structure:

(|(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))(|(ou=Temp*)(ou=users)))

In infix the above should read like:

(objectclass=user) AND (!(objectclass=Computer)) AND (!(UserAccountControl:1.2.840.113556.1.4.803:=2))

OR

(ou=Temp*)

OR

(ou=users)

-Steven


Thanks Steven.

If I put the | at the beginning I get users from all OUs.  I found an article at http://www.petri.co.il/forums/showthread.php?t=8964 that states the OU is not an attribute, it is an object.  As such, I cannot filter on OU and am back to the original problem of only having 5 search bases available to me. 

I have added the "telephoneNumber=*" to my search to allow me to find only the users that have the Telephone Number populated.  This helps with admin users that do not have a phone number specified.  I think the ultimate solution will be to create a new domain group called "Phone Directory Users" and add all users that need to appear in the directory to that group. I can then filter on "memberOf=".   I don't like it, but such is life.

I also found, through another article in the Cisco forums, that if you want to add contacts, you need to change the UserID field to something other than "samAccountName" as contacts do not have that attribute.  This eliminates the "single sign-on" for users.  I don't like that either.

I think the best solution is to do something with an LDAP server between CUCM and AD, and if I were deploying in my own environment I would.  I would think the ability to add users from AD as well as create users in the LDAP server would be optimal, but since I set it up then hand over the keys, that is not a good solution for customers.  The perfect solution would be if the directory in CUCM were like the directory in Connections where you can have users that are synced as well as users created only on the server.   But I will keep dreaming.

Thanks for your help.
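As an added example (not code from the thread, from Cisco, or from any LDAP library), a small Python evaluator for the RFC 4515 subset these filters use, run against constructed AD-style entries; the names, DNs, group and attribute values are made up. It reproduces what the thread reports: the default filter keeps enabled, non-computer users; appending (|(ou=Temp*)(ou=users)) matches nothing because user objects carry no ou attribute; and a memberOf or telephoneNumber=* clause narrows the set to the accounts that should reach CUCM.

```python
from fnmatch import fnmatchcase
BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule used in the default filter

def parse(s, i=0):
    """Parse the RFC 4515 subset seen in the thread: prefix operators & | !, equality,
    prefix wildcard, presence (=*) and attr:OID:=value matches. Returns (node, end)."""
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":            # operator first, operands follow: prefix notation
        op, kids, i = s[i + 1], [], i + 2
        while i < len(s) and s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")": raise ValueError(f"unbalanced filter at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    parts = attr.split(":")          # ['attr', 'OID', ''] for an extensible match
    return ("item", parts[0].lower(), parts[1] if len(parts) > 1 else None, value), end + 1

def evaluate(node, entry):
    """entry maps lower-case attribute names to value lists. A missing attribute never
    matches: a user's OU is only part of its DN, not an 'ou' attribute, so (ou=Temp*) fails."""
    if node[0] == "&": return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|": return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!": return not evaluate(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:              # true when every bit of value is set (2 = ACCOUNTDISABLE)
        return any(int(v) & int(value) == int(value) for v in values)
    if value == "*":                 # presence filter, e.g. (telephoneNumber=*)
        return bool(values)
    return any(fnmatchcase(v.lower(), value.lower()) for v in values)

def matching_users(filter_str, entries):
    """Names of the entries the filter would let CUCM import; ValueError if malformed."""
    ast, end = parse(filter_str)
    if end != len(filter_str):       # rejects the stray ')' from the first post
        raise ValueError("trailing text after filter: " + filter_str[end:])
    return sorted(n for n, e in entries.items() if evaluate(ast, e))

DEFAULT = ("(&(objectclass=user)(!(objectclass=Computer))"
           "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {  # constructed sample objects; each DN's OU is noted in the comment only
    "alice": {"objectclass": USER, "useraccountcontrol": ["512"], "telephonenumber": ["5551001"],
              "memberof": ["CN=PhoneDirectoryUsers,CN=Users,DC=example,DC=com"]},  # OU=Users
    "bob": {"objectclass": USER, "useraccountcontrol": ["514"]},        # OU=Temporary Users, disabled
    "svc-backup": {"objectclass": USER, "useraccountcontrol": ["512"]},  # OU=Users, no phone number
    "pc01": {"objectclass": USER + ["computer"], "useraccountcontrol": ["4096"]},  # a computer account
}
```

Run matching_users with the default filter, the thread's (ou=...) variants, and a memberOf or telephoneNumber=* filter to see which constructed accounts each one admits.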
