LDAP Filters include inactive accounts

r.errington · ‎12-13-2012

I have reviewed the other discussions and I still don't get it. I am running CUCM 8.5 and want to integrate with LDAP. I will have the ipPhone field filled in on all the accounts I want to sync. I also need to include inactive accounts (meeting rooms etc). If I just use a custom filter (ipPhone=*) will that include inactive accounts. I have seen the discussion on 2169692 and I noticed that if I used

(&(ipPhone=*)(UserAccountControl:1.2.840.113556.1.4.803:=2)) it would only import the inactive users

Chris Deren · ‎12-13-2012

Correct, not having the useraccountcontrol should bring in inactive accounts.

HTH,

Chris

r.errington · ‎12-13-2012

hey Chris,

Cisco TAC says this will not work. The default filter wipes out the disabled accounts

Aaron Harrison · ‎12-13-2012

Hi

When you add a custom filter, it overrides the default. So the default one with the UserAccountControl attribute can be replaced with your (ipphone=*) one and all the accounts will import if they have ipphone set to anything.

Just as a side note, it does create a bit of a chicken and egg scenario if you filter based on ipPhone - basically if you do that you must assign a phone and DN (typically in CUCM), then set the DN in the ipPhone field in AD, go back to CUCM and force an LDAP sync before you can complete the configuration by linking the phone to the user (as the user doesn't exist in CUCM until you have populated the ipPhone field). It just disrupts your workflow a little...

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!