05-02-2018 09:05 AM - edited 03-17-2019 12:44 PM
Hello Experts,
I have created a test OU with a few users to sync with CUCM. Here's the hierarchy of the OUs:
VT500
Users
QW
IT
CUCM (User1, User2, User3, User4 and User5)
Let's say the domain name is XYZ.com
What would be the LDAP User Search Base in the CUCM configuration page if I want to sync only those users under "CUCM" OU?
Thanks,
MK
05-02-2018 10:55 AM
You can use LDP to get that information:
https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
05-02-2018 12:26 PM
Thanks Jaime,
I don't have access to the LDAP server. Would it be possible for you to share the information with me?
Regards,
MK
05-02-2018 01:05 PM - edited 05-02-2018 01:10 PM
This is what I believe would sync the test users in the CUCM OU, but I cannot test as this is a production environment and I don't have access to the LDAP server:
I need an expert confirmation before performing the test as I don't want to sync users from other OUs.
ou=vt500;ou=Users;ou=QW;ou=IT;ou=CUCM;dc=XYZ;dc=com
Thanks,
MK
05-02-2018 01:15 PM
Should be:
OU=CUCM, OU=IT, OU=QW, OU=Users, OU=VT500, DC=XYZ, DC=com
You can confirm by running the following command on a domain controller:
dsquery user -name <name>*
Brandon
05-02-2018 01:26 PM
Thank you Brandon,
As I mentioned, I don't have access to the LDAP and domain controller. I have to send the command to one of the Windows admins.
The output of this command should show the users under the CUCM OU, which are User1, User2, User3, User4?
Thanks,
MK
05-02-2018 01:30 PM
You can use the command to search for a specific user and it will return the user search base such as:
dsquery user -name "John Doe"
Command will return:
"CN=John Doe,OU=<OU>,DC=domain,DC=com"
05-02-2018 08:15 PM
Thank you Brandon & Jaime,
I appreciate your help.
MK
05-08-2018 08:59 AM
Hi Guys,
I have one more question:
We have about 5000 Extension Mobility and 1000 other users in our CUCM database. From what I understand, after CUCM and LDAP sync, those users will be considered as local users and won't be deleted. Am I mistaken? Do those users require special considerations?
We are using CUCM version 10.5.
Thanks,
MK
05-08-2018 10:47 AM - edited 05-08-2018 10:49 AM
EM doesn't care if the users are local or LDAP; it uses the PIN, which is local to CUCM.
If you have only local users, and you enable LDAP and the userID from a local user matches an LDAP user, it will become an LDAP active user and will be updated with the LDAP info, but retain all the same CUCM config.
If there is no match in LDAP, it will remain a local user.
05-08-2018 08:48 PM
Thanks Jaime,
Does the LDAP Manager Distinguished Name in the LDAP Directory configuration page need to be a domain admin? Would a service account work as well?
Would you please point me to a good LDAP and CUCM Integration troubleshooting document?
It looks like I have configured everything but it is not working.
Thanks,
MK
05-16-2018 12:17 PM
Hi there
Could you try using LDAP Manager DN as 2LPCUCLdP@domain.com?
Mark's great post
http://www.markholloway.com/blog/?p=1189
Step 1 – In CUCM Serviceability > Tools > Service Activation the Cisco DirSync box must be checked and the service Activated.
Step 2 – Go to Cisco Unified CM Administration > System > LDAP > LDAP System to identify what type of LDAP system to synchronize with and how to reference the users. Enable Synchronizing from LDAP Server must be checked. The attribute sAMAccountName refers to the logon name for the domain.
Step 3 – Click on System > LDAP > LDAP Directory and click Add New.
In this example the Active Directory domain in my lab is ccie.local and the IP address of the Domain controller is 142.100.64.18. The LDAP Manager Distinguished Name in this case is the default Windows system administrator account for my domain (administrator), but best practice in a production deployment would be to use an isolated user account different from the default administrator account so it is set up specifically for CUCM and Active Directory integration. The LDAP User Search Base uses two attributes to make up a dn (distinguished name). This includes the cn (common name) and the dc (domain component). The rules of LDAP define that the most significant part of the distinguished name is furthest to the right. In this case it is dc=local. The last thing to note for this step is that synchronization occurs once per day at 6:00 AM. The smallest window of time to synchronize is six hours.
Step 4 – Click on System > LDAP > LDAP Authentication. This will authenticate CUCM End Users using Active Directory instead of the embedded CUCM directory.
At this point CUCM should be ready to synchronize with Active Directory. Before doing this, note that any End Users on the CUCM cluster that do not exist in Active Directory will be set to Inactive. For example, I had user HQ4 created prior to configuring LDAP. After configuring LDAP the user appears as Inactive under the End User listing. I went to my Windows 2008 Server and added user HQ4 to the domain ccie.local and the user is now active.
Click on System > LDAP > LDAP Directory then click Perform Full Sync Now
I have a total of six users in my Active Directory. Prior to performing the synchronization step in CUCM I had one End User called HQ4 that was managed locally using CUCM’s embedded LDAP directory. I proceeded to create users HQ1, HQ2, HQ3, HQ4, SITEB1, and SITEB2 in Active Directory without having them present in CUCM (except for HQ4).
After performing the synchronization the users which were created in Active Directory are now appearing in the CUCM End User list and LDAP Sync status is showing Active.
Take note that when clicking on an End User the display of information is different compared to using the embedded database.
The following is a screenshot of the Active Directory Server Users.
Hope this helps!
Cheers
Rath!
***Please rate helpful posts***
05-16-2018 01:13 PM
Hi Cisco Rath,
I am actually using 2LPCUCLdP@domain.com. I just removed the domain name for security purposes.
Do you see anything wrong with LDAP User Search Base value that I have in my configuration?
Please note that we are using telephoneNumber as LDAP Attribute for User ID in the LDAP System.
Thanks
05-16-2018 02:02 PM - edited 05-16-2018 02:04 PM
Hi there
You can use telephoneNumber as LDAP Attribute for User ID. That's not an issue.
Could you modify the search base to OU=CUCM,OU=TI,OU=LQ,OU=Utilisateurs,DC=le500,DC=loto-qubec,DC=com
Use a comma (,) instead of a semicolon (;) between the components.
Also add the IP address in LDAP Information if you are using Hostname.
Hope this helps!
Cheers
Rath!
***Please rate helpful posts***
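The two corrections given in this thread (write the target OU first and the domain components last, and join the components with commas rather than semicolons) can be checked mechanically. The following Python is an added example, not code from any poster or from Cisco: it builds the search base from the OU hierarchy in the question, reports the problems in a candidate string, and tests whether a user DN in the form dsquery prints it falls under that base. The OU names and the domain XYZ.com come from the question; the user DNs and the check messages are constructed here.

```python
"""Build and sanity-check an LDAP User Search Base for CUCM DirSync.

Added example for this thread, not code from the forum posts or from Cisco.
The hierarchy VT500 > Users > QW > IT > CUCM and the domain XYZ.com are the
poster's; every DN below is constructed for the demonstration.
"""
import re

# Constructed input: the OU hierarchy listed top-down, as the poster wrote it.
OU_PATH = ["VT500", "Users", "QW", "IT", "CUCM"]
DOMAIN = "XYZ.com"

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value):
    """Escape a value so it can be embedded in a DN without changing its structure."""
    escaped = _SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_search_base(ou_path, domain):
    """Least significant RDN first: the target OU, its parents, then the DC labels."""
    ous = ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    dcs = ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(ous + dcs)


def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def check_search_base(candidate, ou_path=None, domain=None):
    """Return a list of problems with a candidate search base (empty list means OK)."""
    problems = []
    if ";" in candidate and "," not in candidate:
        problems.append("RDNs are joined with ';' but the separator must be ','")
        candidate = candidate.replace(";", ",")  # keep checking the intended DN
    pairs = split_dn(candidate)
    attrs = [a for a, _ in pairs]
    if "DC" not in attrs:
        problems.append("no DC components: the domain is missing")
    elif "OU" in attrs and attrs.index("DC") < attrs.index("OU"):
        problems.append("a DC appears before an OU: the DN is written most significant first")
    ous_top_down = [v for a, v in reversed(pairs) if a == "OU"]
    if ou_path is not None and [o.lower() for o in ous_top_down] != [o.lower() for o in ou_path]:
        problems.append("OU order is wrong: expected %s top-down, got %s" % (ou_path, ous_top_down))
    dcs = ".".join(v for a, v in pairs if a == "DC")
    if domain is not None and dcs.lower() != domain.lower():
        problems.append("DC components spell %r, expected %r" % (dcs, domain))
    return problems


def is_under(entry_dn, search_base):
    """True if entry_dn sits at any depth below search_base (AD compares case-insensitively)."""
    entry = [(a, v.lower()) for a, v in split_dn(entry_dn)]
    base = [(a, v.lower()) for a, v in split_dn(search_base)]
    return len(entry) > len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    base = build_search_base(OU_PATH, DOMAIN)
    print("search base:", base)
    for cand in ("ou=vt500;ou=Users;ou=QW;ou=IT;ou=CUCM;dc=XYZ;dc=com", base):
        print(cand, "->", check_search_base(cand, OU_PATH, DOMAIN) or "OK")
    # Constructed DN in the shape dsquery prints it.
    print(is_under("CN=John Doe,OU=CUCM,OU=IT,OU=QW,OU=Users,OU=VT500,DC=XYZ,DC=com", base))
```

is_under is a suffix match, so a user in a sub-OU of CUCM also counts as "under" the base; whether CUCM actually picks such users up depends on its search scope, which this snippet does not model.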