CUCM LDAP Filter on Group

I have a working LDAP Filter on the IP Phone field in the AD User

 

(&(objectCategory=person)(objectClass=user)(ipPhone=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
 

 

 

 

 

However, I am having trouble creating a working LDAP filter on a custom group in AD. I have tried several

(&(objectCategory=person)(objectClass=user)(memberOf=VoIPGroup))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

 

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (memberOf=CN=VoIPGroup,OU=SecondOU,OU=FirstOU,DC=DomainName,DC=com))

 

 

Does anyone have any advice?

Accepted Solutions
Highlighted

Got it working!!

This filter grabs all users within the group I specified below: A_VOIP-SoftPhone

Just FYI, if someone is reading this, I'm using DC=ad but some of you may use DC=com

An easy way of finding your path: go to your Active Directory Users and Groups, find your group, right-click, Properties, Attribute Editor, then find your distinguished name and that will be what you can use. You can then test this by adding a new "Saved Query": define the query, custom query, Advanced, then enter your LDAP query and save. It should then show you the list of members in the group.

(&(objectclass=user)(objectcategory=person)(memberOf=CN=A_VOIP-SoftPhone,OU=Groups,DC=XXXX,DC=ad))

15 REPLIES
Highlighted
VIP Advisor

This is an example of a filter that we use to filter on membership in a group.

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=CN=NVV.CallMgr_SuperUsers,OU=Groups,OU=NVV,OU=GLOBALAPP,OU=Company,DC=tp1,DC=ad1,DC=company,DC=com))

 

Please rate all useful posts
Highlighted

Thank you for the information. I am trying to apply this LDAP filter to Cisco Directory Connector and I keep getting an error during a dry sync. I can't seem to add a filter based on your above advice.

Unhandled exception has occurred in your application.

Index was out of range. Must be non-negative and less than the size of the collection

 

Highlighted

What version of the Directory Connector do you use? Until recently we used group membership as a filter criterion in DC, and that worked.

Please rate all useful posts
Highlighted

3.5.1001.64523

 

I can go ahead and update it.

Highlighted

@Roger Kallberg I appreciate your assistance. I upgraded to 3.7.1001.64569

Ironically, when I run the working sync I still get the warning message I described above. However, it does match many of the objects when I click continue. So the dry sync works.

But when I perform a dry sync on the User LDAP Filter on my Security Group, it doesn't match anything. Many of the users added to the system are in this group, so there should be many matches.

Highlighted

Would you mind taking a screenshot of the tab in the configuration for DC and posting it here?

Please rate all useful posts
Highlighted

For reference these are the settings that we have.

[Screenshot: Snag_202f9ad.png]

I blurred out any company specifics.

We are on this version currently, but have been on prior releases also when using member of group as a filter criteria.
[Screenshot: Snag_2059c0e.png]

Please rate all useful posts
Highlighted

Here are my screenshots

[Screenshots: Capture2.JPG, Capture.JPG]

Highlighted

In the search path you have DC=ad and in the filter you have DE=ad. Likely one of them is incorrect; check this and test again.

You also should check that the search base is set to a point in your directory so that it sees all users that you want to bring into Control Hub.

Please rate all useful posts
Highlighted

[Screenshot: Capture.JPG]

Sorry about the typo, I got dumped out and retyped it quickly to post it here. But this is the sync that I ran

 

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=CN=A_VOIP-SoftPhone,OU=Groups,,DC=XXXX,DC=ad))

 

Search base: OU=Groups,DC=XXXX,DC=ad

[Screenshot: 3.jpg]

 

Highlighted

Just to make sure, does the search base DN “OU=Groups,DC=XXXX,DC=ad” contain the users that you want to bring into Control Hub based on the filter?

[Screenshot: 29B643A2-A325-4ED0-8A1E-FEB846D213D2.jpeg]

Please rate all useful posts
Highlighted

Thank you for being patient and helping me with this.

 

The XXXX.ad domain > Groups has a group named A_VOIP_SoftPhone which has the members I want to sync. Many of these members were manually added via CSV (including myself) so should show matches during the dry run sync. Just checked the Group members and they are all there.

 

 

Highlighted


I do get that the group is there and that the users are members of the group, but what I am asking is whether that OU also actually contains the user objects as such. If not, you would need to alter the search base to a point that is higher up in the directory tree. This setting points to where the search will start; it searches for users from this point and downwards in the directory tree.

Please rate all useful posts
Highlighted

That makes sense. My apologies, I am very good with the UCM side but not so much the AD hierarchy. I will get the right path and let you know how it goes.
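The problems that came up in this thread (an unbalanced filter, a memberOf value that is not a full distinguished name, a mistyped or doubled RDN, and a search base that does not contain the user objects) can be checked offline before a dry sync. This is an added example, not code from the posters or from Cisco; the restriction to CN/OU/DC RDN types and the sample user DN are assumptions.

```python
import re

RDN_KEYS = {"CN", "OU", "DC"}  # assumption: only these RDN types occur in the tree

def split_dn(dn):
    """Split a distinguished name into RDNs on unescaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def dn_problems(dn):
    """List the reasons a string cannot be used as a full DN in memberOf."""
    problems, rdns = [], split_dn(dn)
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if not rdn:
            problems.append("empty RDN (doubled comma)")
        elif not sep or not value:
            problems.append(f"'{rdn}' is not attr=value")
        elif key.upper() not in RDN_KEYS:
            problems.append(f"unexpected RDN type '{key}'")
    if not any(r.upper().startswith("DC=") for r in rdns):
        problems.append("no DC= component, not a full DN")
    return problems

def lint_filter(flt):
    """Check parenthesis balance and every memberOf value in an LDAP filter."""
    problems, depth = [], 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and flt[i + 1:].strip()):
                problems.append(f"filter closes early at offset {i}")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    # memberOf with or without a matching-rule OID such as 1.2.840.113556.1.4.1941
    for m in re.finditer(r"\(memberof(?::[\d.]+:)?=([^()]*)\)", flt, re.I):
        problems += [f"memberOf: {p}" for p in dn_problems(m.group(1))]
    return problems

def under_base(object_dn, base_dn):
    """True when object_dn sits at or below base_dn (case-insensitive)."""
    obj = [r.lower() for r in split_dn(object_dn)]
    base = [r.lower() for r in split_dn(base_dn)]
    return len(obj) >= len(base) and obj[len(obj) - len(base):] == base

# Constructed sample: a user object that lives outside the OU=Groups search base.
USER_DN = "CN=Jane Doe,OU=Staff,DC=XXXX,DC=ad"
```

`lint_filter` returns an empty list for the accepted filter, and `under_base(USER_DN, "OU=Groups,DC=XXXX,DC=ad")` is false, which is the situation where the group is found but no users match.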
