cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1528
Views
2
Helpful
7
Replies

updateUser - usage of convertUserAccount?

stephan.steiner
Spotlight
Spotlight

Hi

How is the convertUserAccount tag to be used in an updateUserCommand? It is an XFkType - so what's the value to be used and what does the tag do in the first place? The name makes it sound like it could be used to activate/deactivate ldap integration - but that can be achieved via other means, plus I'd expect to see some boolean value, not an XFkType.

Thanks

Stephan

7 Replies 7

npetrele
Cisco Employee
Cisco Employee

You use the convertUserAccount tag to convert an LDAP synchronized user to a local user.  I don't have an LDAP server to confirm this with, but I assume the value choices would be "t" and "f", or "true" and "false". 

The field does appear to want a uuid/LDAP name, i.e. it is a foreign key, not a boolean.

I would also go along with the supposition that the field is used to indicate that during the next LDAP sync operation (i.e. daily) the user should be converted - either from a local user to an LDAP user (by providing the uuid/name of the LDAP provider), or from an LDAP user to a local user (by nulling the existing LDAP field and leaving convertUserAccount null), or maybe converting from one LDAP provider to another.

Again, I'm spitballing here because I don't have an LDAP server to try it with, but it seems to me that this tag is the equivalent of the check box for "Convert LDAP Synchronized User to Local User" when using the administration web GUI. That's why I assume it's a string for a boolean value.

Do a search for "Convert User" on this page to see what I'm talking about:

Cisco Unified Communications Manager Administration Guide, Release 10.0(1) - End User Setup [Cisco Unified Communicatio…

If it took the guid/name of an ldap server, then it would be quite redundant, given that we have another means to convert the user: Convert LDAP User to local user (I've not tested the reverse way.. but I know adding a user so that it will get synced works (Let's improve LDAP Sync - a feature request)

So I've been doing some testing

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5"><soapenv:Header/><soapenv:Body><ns:updateUser sequence="0"> <userid>service_hotline</userid><ldapDirectoryName>myDirectory</ldapDirectoryName><userIdentity>service_hotline@nxodev.intra</userIdentity><convertUserAccount>t</convertUserAccount></ns:updateUser></soapenv:Body></soapenv:Envelope>

Gets me

<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>User was not associated with this LDAP configuration name.</faultstring><detail><axlError><axlcode>5003</axlcode><axlmessage>User was not associated with this LDAP configuration name.</axlmessage><request>updateUser</request></axlError></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>

I've tried leaving out ldapDirectoryName, and userIdentity, but it doesn't matter. Now, if I provide an empty userIdentity and ldapDirectoryName (as outlined here: https://communities.cisco.com/thread/49116), that converts the user to a local user. But.. then the <convertUserAccount> tag is pointless. I also tried leaving out just the userIdentity, or provide an empty userIdentity, it's always the same story. Used 'true' instead of 't', same story.

So..back to my original question.. what is the convertUserAccount tag good for and how do you use it?

I played with it and figured out how to use it. 

If you do a getUser on an LDAP synced user, you'll see this tag (assuming the ldap is ADFS):

               <ldapDirectoryName uuid="{some-long-id}">ADFS</ldapDirectoryName>

Convert the user to a local user this way:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">

   <soapenv:Header/>

   <soapenv:Body>

      <ns:updateUser sequence="?">

         <userid>username</userid>

         <convertUserAccount uuid="{some-long-id-copied-from-above}">ADFS</convertUserAccount>

      </ns:updateUser>

   </soapenv:Body>

</soapenv:Envelope>

Nathan Gageby
Level 4
Level 4

I was able to find this in a google search after several failed attempts.  I wanted to provide a littel bump and update the answer with more details and an example.   I hope this helps someone out there trying to learn. 

 

The issue as I see it is we want to delete a user account.  We are not able to do that because it is LDAP integrated.  We need to convert to a local user and then we can remove the account.  If this is to be done to one user no problem but what about all users or some other large group.  

 

We need to do a few things to get the user data and then set the switch to convert to local.  I am not going to cover deleting here since that could provide some risky code examples that I do not want to be responsible for and it is easy enough in the web interface. 

 

To begin I am using Python with Zeep.  Special thanks to afterthenumber.com for that tip.

 

After the typical zeep setup which is detailed here. https://github.com/CiscoDevNet/axl-python-zeep-samples

 

We need to use the following listUser,getUser, and updateUser.  I pulled these from this documentation. https://developer.cisco.com/docs/axl-schema-reference/

 

First we need a list of users. 

users = axl.listUser(searchCriteria = {'lastName':'%'},returnedTags={'firstName':'',
    'lastName':'','primaryExtension':'','userid':'','uuid':''})

This will get all users and the details for all items listed in the returnedTags section.

We then need to get the darn ldap uuid that caused me so much trouble. This sample assumes you have already iterated over the users so you can extract the userid.  That will be the case for the other code snippets that follow.  The structure of the loop is up to you so you can accomplish the desired result. 

get = axl.getUser(uuid=user.uuid,returnedTags={'ldapDirectoryName':''})
uuid = get['return']['user'].ldapDirectoryName

Now that we have the ldap content we can update the user allowing them to convert to a local account.

resp=axl.updateUser(userid=user.userid,convertUserAccount=uuid)

That will do it.  No we have a local user and can use any source to change as many users as we want.  I know there is extra data in here but that will allow you to use this for many other user update functions.  

 

Hope this helps and have a great day!

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: