05-28-2012 02:03 PM - edited 03-16-2019 11:22 AM
Hi guys
I have a big problem at my customer.
The customer associates users (from LDAP) with the owner ID field on the phone devices.
Well, sometimes (every week), employees, how can I say, take a "job-license" (sickness, accident at work and other causes), and the employee has his user ID (in LDAP) disabled and CallManager disassociates the owner ID of the phone.
When the employee comes back to work, I need to make the association again, but I think it is 40 people per week, and I need to query the CallManager, see the disassociation and associate again....
Has somebody had a similar scenario? Do you have any suggestions?
Best Regards
Peterson
05-28-2012 02:09 PM
I am a little unclear what you are requesting. Can you reframe your question?
Sent from Cisco Technical Support Android App
05-28-2012 02:17 PM
Hi Nik
It is very confusing..... I don't know how I can explain this case in English... it is not a common situation
UCM 7.x with LDAPsync
userA, userB, userC, userD, userN
IPPhone A ownerId = userA
IPPhone B ownerId = userB
IPPhone C ownerId = userC
Well, user A (John Smith) is very sick and needs to be at home for 3 months. So HR disables the account in Active Directory, then CallManager disassociates IPPhone A and User A, so
IPPhone A =
Now... 3 months later, John Smith returns to the job and HR re-enables his account in Active Directory, then I need to manually re-associate IPPhone A and User A, so
IPPhone A = userA (again)
Now imagine 40 users per week, checking user active/inactive, associating/disassociating.... it is not a good process... So my question... what can I do to improve these tasks?
Best Regards
Peterson
05-28-2012 02:12 PM
If the user is disabled in ldap and then the sync from cucm with ldap runs then that user is marked for deletion and the garbage service kicks in at 3 am every morning and it shall delete the inactive user.
Hope this helps else let me know if you had something else in your mind
Sent from Cisco Technical Support Android App
05-28-2012 02:28 PM
Hi
The default LDAP filter on CUCM is this:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause basically checks if the account is disabled, and does not import it if it is disabled.
So - if you want disabled accounts to not be removed from CUCM, you can set a custom ldap filter like so:
(&(objectclass=user)(!(objectclass=Computer)))
User accounts would then only be removed from CUCM when the account is actually deleted from CUCM.
Regards
Aaron
05-29-2012 06:57 AM
Hi Aaron, my friend.
Well.... I thought about manipulating the LDAP filter, changing the default. But UCM 7.1 doesn't have an LDAP Filter, or do I have another way to change the default LDAP filters?
Best Regards
Peterson
05-29-2012 07:19 AM
Hi
Some reading for you: http://www.netcraftsmen.net/component/content/article/70-unified-communications/742-axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html
Regards
Aaron
05-29-2012 07:55 AM
Thank you Aaron.
05-29-2012 10:40 AM
Hi Aaron
I followed your suggestion.
I have read the blog, good material.
So I ran the xml file:
And ran the axltoolkit successfully and now:
admin:run sql select ldap.name, ldf.tkldapserver as type, ldf.filter from ldapfilter as ldf inner join typeldapserver as ldap on ldf.tkldapserver = ldap.enum
name                                        type filter
=========================================== ==== ================================================================================
Microsoft Active Directory                  1    (&(objectclass=user)(!(objectclass=Computer))
Netscape or Sun ONE LDAP Server             2    (objectclass=inetOrgPerson)
Microsoft Active Directory Application Mode 4    (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))
OpenLDAP                                    3    (objectclass=inetOrgPerson)
admin:
I restarted Cisco Tomcat and DirSync but the disabled account is not shown yet
Regards
Peterson
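An added example (not from the thread or from Cisco): a small Python evaluator for the filter subset used above, showing which constructed sample entries the default and custom filters select, and that the Active Directory row as printed in the SQL output does not parse because its parentheses are unbalanced. The entries, the function names and the 512/514/4096 sample values are assumptions for illustration; this is not CUCM's DirSync logic.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule from the thread
ITEM = re.compile(r"([\w-]+)(?::([\d.]+):)?=([^()]*)")  # attr[:rule:]=value
DEFAULT = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
CUSTOM = "(&(objectclass=user)(!(objectclass=Computer)))"
STORED = "(&(objectclass=user)(!(objectclass=Computer))"  # row 1 of the SQL output, as printed
# Constructed entries: 512 = normal account, 514 = 512 + 2 (disabled bit set).
ENTRIES = {
    "userA": {"objectclass": ["person", "user"], "useraccountcontrol": ["512"]},
    "userB": {"objectclass": ["person", "user"], "useraccountcontrol": ["514"]},
    "PC01$": {"objectclass": ["user", "computer"], "useraccountcontrol": ["4096"]},
}

def parse_node(f, i):  # parse one "(...)" at offset i -> (tree, next offset)
    if f[i:i+1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i+1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i+1] == "(":
            kid, i = parse_node(f, i)
            kids.append(kid)
        tree = (op, kids)
    else:
        m = ITEM.match(f, i)
        if not m or m.group(2) not in (None, BIT_AND):
            raise ValueError(f"unsupported filter item at offset {i}")
        tree, i = (m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if f[i:i+1] != ")" or tree[1] == []:
        raise ValueError(f"missing ')' or operand at offset {i}")
    return tree, i + 1

def matches(tree, entry):
    if tree[0] in ("&", "|"):
        return (all if tree[0] == "&" else any)(matches(k, entry) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    attr, rule, want = tree
    have = entry.get(attr, [])
    if rule == BIT_AND:  # true when every bit of `want` is set in the stored value
        return any((int(v) & int(want)) == int(want) for v in have)
    return any(v.lower() == want.lower() for v in have)

def synced(filter_text):
    tree, end = parse_node(filter_text, 0)  # raises ValueError if malformed
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [name for name, e in ENTRIES.items() if matches(tree, e)]
```

`synced(DEFAULT)` and `synced(CUSTOM)` return the selected entry names; `synced(STORED)` raises `ValueError`.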
05-29-2012 11:08 AM
Peterson,
I think what Aaron suggested is this..
1. Create an LDAP filter with your LDAP system in CUCM.
2. Use that filter to import users from AD
3. Once the users have been imported and active, and are then deleted in AD because they are away for a few months, CUCM will not delete them.
4. Once they are back from their long holiday and you perform an LDAP sync, the users will be active again and their associations will be intact.
So this will work when you do a new LDAP sync with this filter. The existing users have already been marked to be deleted when disabled because they were imported using the default cucm filter.
NB: This will not import disabled users in AD. This is to help you in the future to prevent cucm from deleting users that have been marked inactive because their accounts were disabled in AD.
So you will need to delete your existing LDAP configuration and create a new one using this filter.
Hope this is clearer.. pls rate all useful posts