Active Directory Plugin on CM4.0.2a Problem.

dschlenzig
Level 1

Hi, I have installed the AD plugin using the DCD ADMIN account and assigned rights accordingly to the root user OU, which has numerous other OUs for each site and a Cisco OU. This all seems fine; however, I am unable to change the password for the CCMAdministrator, CCMSysUser and IPMASysUser using CCMPWDChanger. I get an error message saying "User ID CCMAdministrator is not valid". However, if I change the User Search Base to CN=Users instead of OU=Company_name it works. But then I can't browse the users? What am I missing?

Also, is there a way of using the IP Phone entry in the telephone tab as the extension number instead of the telephone number on the General Properties of AD Users/Computers?

Thanks in advance, Daniel


dschlenzig
Level 1

Managed to find the answer to the first part of the question myself, "The User Creation Base must be contained within the User Search Base because Cisco CallManager has to be able to search for the system account users before authenticating them."

Which makes me wonder why they separated this in the first place as the user creation and search base was the same by default in version 3.

However I'm still looking for an answer to the second question on IP Phone extension in AD so if anyone knows I'd appreciate it.

Thanks, Daniel

"Managed to find the answer to the first part of the question myself, "The User Creation Base must be contained within the User Search Base because Cisco CallManager has to be able to search for the system account users before authenticating them."

Which makes me wonder why they separated this in the first place as the user creation and search base was the same by default in version 3."

Lots of folks want to integrate into the domain root. Think "dc=foo, dc=com" rather than "ou=PeopleGoHere, dc=foo, dc=com". The reason is that people generally create a bunch of OUs hanging off the root and want them all searched, so you have to start at the root. You generally don't want to add users to the root though, so you specify some OU/container within your hierarchy to keep them.

"However I'm still looking for an answer to the second question on IP Phone extension in AD so if anyone knows I'd appreciate it."

We've had the request before. There's no good way to do it. Would be nice if Cisco would make it a tunable.

You can make up a custom XML page for the phone that pulls the 'ipPhone' attribute instead of 'telephoneNumber'. We've done this. The problem is that the existing IP phone XML directory calls on a binary ActiveX control you can't easily modify to pull the telephone number out of a different LDAP attribute. Same for the CCMAdmin pages. You would also have to do manual fixes for the Attendant Console directory. I'm not sure if you could convince IPMA to look at a different attribute for telephone number (you can for the Department attribute).

Specific to the IPMA piece, I had a customer request we use a different field for the Directory Number (ipPhone field in Active Directory), and we found it was trivial to modify IPMA for this purpose:

Simply modify ldapconfig.ini and change TELEPHONE_NUMBER=telephoneNumber to TELEPHONE_NUMBER=ipPhone

I'm unsure if this is still accurate today (11/11/2004) as I originally composed the email containing this information in January, 2004 -- but I have no reason to think it would have changed.

-jd
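
The containment rule quoted in the thread (the User Creation Base has to sit inside the User Search Base) can be checked by comparing the two DNs RDN by RDN rather than as strings, since escaped commas and case differences defeat a plain suffix match. This is an added example, not part of the original posts and not Cisco code; the function names are hypothetical, and the sample DNs combine the thread's CN=Users and OU=Company_name with the reply's dc=foo, dc=com as constructed values.

```python
import re

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    # RFC 4514 escapes: backslash + hex pair, or backslash + one character.
    # Assumption: hex pairs encode ASCII bytes only.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def normalize_dn(dn):
    """Return the DN as a list of RDNs (leaf first), each a frozenset of (type, value)."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = set()
        for ava in split_unescaped(rdn, "+"):
            attr, _, val = ava.partition("=")
            val = re.sub(r"(?<!\\)\s+$", "", val.lstrip())  # drop unescaped padding
            avas.add((attr.strip().lower(), unescape(val).lower()))
        rdns.append(frozenset(avas))
    return rdns

def is_within(candidate_dn, base_dn):
    """True when candidate_dn equals base_dn or lies anywhere beneath it."""
    cand, base = normalize_dn(candidate_dn), normalize_dn(base_dn)
    return len(cand) >= len(base) and cand[len(cand) - len(base):] == base

if __name__ == "__main__":
    # Constructed sample DNs: creation base vs. two candidate search bases.
    print(is_within("CN=Users,DC=foo,DC=com", "OU=Company_name,DC=foo,DC=com"))
    print(is_within("CN=Users,DC=foo,DC=com", "dc=foo, dc=com"))
```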