Hi Aaron!

Thanks for answering! We are already using a non-SSL connection to our AD on port 389. I don't think that response times are an issue here, because there's not much outside of the original search base DN.

Hi

I say 'non-SSL' as that allows you to troubleshoot delays with LDAP. It's OK to use SSL generally.

Use of 3269 avoids some lookups with 389, it's a common fix so that would be a good starting point to test.

And, of course... this is guesswork based on experience. If you want to know why it doesn't work, you look at the logs. Logs on the client, and CTIManager logs on CUCM.

Aaron

Hi Aaron!

a) I tried to change search base DN from OU=User,OU=company_DE,DC=company,DC=de to OU=company_DE,DC=company,DC=de which results in a still working CTI with Cisco Jabber. When shortening DN to DC=company,DC=de it stops working. 

b) I'm attaching SDL log and some output from PRT. 172.25.10.139 is the IP of the PC running Cisco Jabber. Hope this helps and someone can find something... 

(I've already opened a SR with our Gold Partner so that a TAC case can be opened this way...)

Hi

In your log I see an attempt to connect to 389:

01397644.043 |21:37:11.341 |AppInfo  |Authenticating with SSL not enabled (ldap://ldap.aida.de:389) 

Followed by lots of rebinds every few seconds:

01397644.074 |21:37:11.647 |AppInfo  |cisco_ldap_rebind:enter
01397644.075 |21:37:11.647 |AppInfo  |cisco_ldap_rebind:calling simple bind.
01397644.076 |21:37:11.988 |AppInfo  |cisco_ldap_rebind:enter
01397644.077 |21:37:11.988 |AppInfo  |cisco_ldap_rebind:calling simple bind.

Then it stops

01397692.000 |21:37:21.095 |SdlSig   |CtiHandlerShutdownRequest              |shutting_down                  |CTIHandler(2,200,22,1147)        |CTIHandler(2,200,22,1147)        |2,200,13,1150.5^*^*                      |[R:H-H:0,N:0,L:1,V:0,Z:0,D:0] mShutdownReason=2 mSequenceNumber=0 UserPkid=
01397692.001 |21:37:21.095 |AppInfo  |CQBEBuilder::BuildQbeMessage(): objectID=132
01397692.002 |21:37:21.095 |AppInfo  |CTIHandler::OutputQbeMessage: TcpHand=[2:200:13:1150] QbePref={0x0xf1383e9c,0x1c} pQbeMsg=0x0xf1383ea4 qbeMsgSize=0x1c tmpLen=0x24 msgSize_=0x24
01397692.003 |21:37:21.095 |AppInfo  |[CTI-APP] [CTIHandler::OutputCtiMessage      ]     CTI   ProviderClosedEvent    (  reason=2)
01397692.004 |21:37:21.095 |AppInfo  |[CTI-INFO] [CTIHandler::QBE_ProviderCleanup]     sent ProviderSubscriptionUnRegNotify for user juergensmann.ingo
01397693.000 |21:37:21.095 |SdlSig   |CtiUnsubscribeRegUnRegNotificationInd  |ready                          |CTIDeviceRegManager(2,200,24,1)  |CTIHandler(2,200,22,1147)        |2,200,13,1150.5^*^*                      |[R:N-H:0,N:1,L:1,V:0,Z:0,D:0]  CTIHandlerPid=(2,200,22,1147) LoginUserId=juergensmann.ingo

Have you tried my suggestion of using 3269 yet?

Yes, today I've tested port 3269 as well. It could only connect with SSL checked on, but CTI didn't work as well.

Then I tried to connect to port 3268, without SSL, and CTI is working. According to our Windows sysadmins it shouldn't be possible to authenticate against a GC, but logging into Jabber as well as CUCM does still work.

The servers are still the same, but use a different port. Personally I see no reason why it shouldn't work with port 389 as well, giving a timeout instead. We have now a TAC SR open and I'll report back any findings from the TAC to here.

Hi

Sounds like your AD folks need to go back to Microsoft school ;-)

Indeed, it was 3268 I meant to say but it has been some time since I've thought about this.

At any rate, it CAN work over 389, using 3268 just proves that the delay originates with your AD.

The difference between 389 and 3268 at a basic level is that the GC/3268 service contains a subset of AD attributes for EVERY object in the forest.

A normal DC contains EVERY attribute for every object in the domain.

Using 3268 means that for basic stuff the GC doesn't have to refer you to other DCs or domains.

The best way to troubleshoot this (and this is what Cisco will eventually ask, unless they just fob you off back to your MS guys with a 'it's AD timing out' conclusion) is to do a packet capture on your CUCMs for all DNS and LDAP (389/3268) traffic. 

That will show you CUCM resolving DCs, connecting to them, and you will see (in plain text) the referrals and so on. You'll probably see things like DNS responses timing out, or connection attempts to DCs that have long been removed but not properly cleaned up. Feel free to post or PM me the trace if you need help diagnosing it.

Regards

Aaron

Please rate helpful posts, and mark questions 'answered' when appropriate to highlight useful content.

Hi Aaron!

Also the change looked promising yesterday, this morning all users were unable to login. So I reversed the change back to its original setup.

We are investigating this now with a Cisco TAC engineer and I expect to have a Webex today on this topic... I'll keep you updated...

Ok, we had a Webex with the Cisco TAC engineer on Friday and he found out that the LDAP server is giving a login error when using the shorter LDAP auth search base DN. 

Why this is happening, is a different story, because when using a LDAP browser it is working. Maybe the LDAP user we are using in CUCM do not enough priviledges to access this higher level in LDAP subtree. We have to investigate this with our Windows admins next week. 

Other reasons that came to mind are: 

• CUCM LDAP auth search base needs to start with OU=...,
• CUCM LDAP auth search base cannot be shorter than the LDAP directory search base
• in both cases: CUCM does something different (comared to LDAP browser) in setting up the LDAP connection.

In any case: there's no quick fix or workaround - other than moving the subtree for our new office (and independent company) within our existing and working subtree. That's nothing completely and awfully bad, but it's somewhat contradicting the design goal to separate both companies as much as possible in our LDAP/Active Directory. I think we have to live with that, because the decision that needs to be taken (moving company inside others companys LDAP subtree (clean design) vs. working setup) will persist. 

Here is what the TAC engineer found out: 
---------------------------------------------------------------------------

The first difference in LoginCheckRequest in CTI are lines

03514824.073 |14:29:30.121 |AppInfo  |LDAP Search for User base: 'OU=User,OU=company_DE,DC=company,DC=de'
03531822.073 |14:36:43.462 |AppInfo  |LDAP Search for User base: 'DC=company,DC=de'

Then in working scenario there is
03514824.074 |14:29:30.124 |AppInfo  |LDAP Search complete. Code: 0
And after that there is process of getting control over Phone

Which is missing in nonworking. We are receiving different message from LDAP in nonworking

As response for
LDAP     229         searchRequest(3) "OU=User,OU=company_DE,DC=company,DC=de" wholeSubtree

Based on this that is LDAP, it is responding in different way.

Hi IngoJuergensmann,

Any update. I have the same issue here.

No, no news yet. We have still the SR with TAC open, but there's no process here and I'm quite busy with a large project to keep this going together with our Gold Partner. 

We had to move the user group inside the AD anyway because there were other problems with this user group being outside of the existing company structure in the AD. These problems resulted in not being able to logon to the Wifi network and such. 

For me it was a certificate issue. The self-signed certificate with root wasn't good enough it seems for CUCM so we bought a SSL certificate for the machine providing AD and it worked right away... What a huge waste of time but everything is working beautifully now.

Any updates? Same issue here