Re: LDAP sync issue between AD server and CUCM

iptsupport · ‎06-12-2023

Hello ,

I have user that responsible the sync between CUCM and

AD and all time is locked out.

when user locked out I can't sync in CUCM .

How I can check why the user locked out ?

my CUCM version is 12.5 .

Jonathan Schulenberg · ‎06-12-2023

That’s mostly a question for whatever LDAP product you’re using, not Cisco, but ensure the password is correct on LDAP Sync and Auth - CUCM and CUC.

iptsupport · ‎06-12-2023

The password is ok .

because I unlooked user in AD and the sync is working but sometimes is locked again.

How can export log to check why user locked ?

Jonathan Schulenberg · ‎06-12-2023

The LDAP server logs are beyond the scope of this forum. And clearly the password isn’t OK in at least one place. Hopefully the logs will tell you the source IPv4 address of the offending client to narrow the scope.

Jabber Basic Directory Integration is another location that the LDAP bind password may be used - although that really shouldn’t be the same account that DirSync is using for exactly this reason.

Roger Kallberg · ‎06-12-2023

That’s a question that is probably best if you ask the AD admin folks. They can see in their logs what is causing the account to be locked.

If not already done, a word of advice is to make sure that the account is not used for anything else than AD sync in CM. You wouldn’t believe how many times I’ve troubleshooted cases where this happened and the solution ended up being to create a new account that was solely used for CM AD sync.

Nithin Eluvathingal · ‎06-12-2023

As other members mentioned,this is something you must check with the AD admin. Pulling AD logs will help you in RCA. Probably the same user might be used in another application which has wrong password set and it keeps trying to authenticate.