LDAP Sync Query

bholashrestha
Level 1

We have CUCM 9.1.2 in production synced with Microsoft AD. For testing purposes we want to sync the same CUCM server in production with a different Microsoft AD which is in our lab environment (we don't have CUCM in the lab environment).

I already have a directory importing users from Production AD

Directory1 ->> OU=Users,DC=ProdDomain,DC=com

I want to have another LDAP directory entry with different search base as follows.

Directory2->> Ou=TestUsers,DC=TestDomain,DC=com

These two domains do not talk to each other, so there is no trust.

Is it possible to do this without causing any issues with the users already synced from ProdDomain.com? I will be doing some testing with Directory2.

Any advice/assistance would be greatly appreciated.

6 Replies

Yes, it's possible and there should not be any issue, as in version 9.x we can configure up to 5 LDAP directories/user search bases.

The synchronization is performed by a process called Cisco DirSync, which is enabled through the Serviceability web page. When enabled, it allows one to five synchronization agreements to be configured in the system. An agreement specifies a search base that is a position in the LDAP tree where Unified CM will begin its search for user accounts to import. Unified CM can import only users that exist in the domain specified by the search base for a particular synchronization agreement.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/9x/uc9x/directry.html#wp1069361

Jaime Valencia
Cisco Employee

Are they part of the same forest?

HTH

java

if this helps, please rate

Thanks Jaime.

No, they are not. It's completely separate.

The only supported method to do an integration in a multi-forest environment is this:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-80/111979-ucm-multi-forest-00.html

The link venperum posted also explains this, and you can find the same link within it.

I really cannot tell you if it will work, I've never tried it, but you're going to lose support by doing that, at least for all the time you want to have this configured.

As the SRND explains, you can have two discontinuous namespaces, but they need to be part of the same forest.

It will be up to you if you want to risk it, or spin up a CUCM for the lab.

HTH

java

if this helps, please rate

Thanks Jaime,

Sorry for not acknowledging promptly. Yes, it seems like it is a bit risky and complex. The whole purpose of this exercise is that I want to ensure something. To give you a bit of background...

We have a CUCM cluster running version 9.1.2 with users imported from LDAP sync. Currently one of the LDAP attributes synced is Telephone Number. We want to change the attribute to ipPhone instead. As you know, in CUCM version 9.x you cannot change/update those attributes; instead you have to create a new LDAP directory (or copy the existing one and make the necessary changes).

My question is: once we create a new LDAP directory entry and sync it with AD, what is going to happen to the phones and/or user device profiles and roles assigned to the existing users? Would they simply vanish or would they stay as they are? My concern is that because this is a completely new directory entry (new name), it might import all the users fresh from AD without any associated device and role assignment (that the users previously had).

This is the reason I wanted to test syncing with a different AD in the first place. I hope I have explained it properly. If it's not clear, please let me know.

Thank you very much.

Unless the userID you have in CUCM is a perfect match for whatever field you chose to sync from LDAP, they will be marked as inactive users, and then deleted, and you'll get new users, with the new userID.

The only way to keep the users is to disable the LDAP sync, turn all users into local users, and then change the userIDs to match the new value, then create the new LDAP sync.

HTH

java

if this helps, please rate
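
A dry run of the userID match described in the last reply, as an added example that is not part of the original thread or Cisco tooling: it compares the userIDs currently in CUCM with the values a new agreement would import and lists which users have no exact match. The function name, the sample records and the choice of `sAMAccountName` as the userID attribute are assumptions; the case-insensitive comparison is only a diagnostic for near misses, not a statement of how CUCM matches.

```python
# Added example: dry run of the userID match before creating a new agreement.
# All names and sample records below are constructed for illustration.

def classify_sync(cucm_user_ids, ldap_entries, userid_attr):
    """Compare current CUCM userIDs with the values a new LDAP agreement
    would import, using exact string equality (the "perfect match" rule)."""
    ldap_ids = {e[userid_attr] for e in ldap_entries if e.get(userid_attr)}
    cucm_ids = set(cucm_user_ids)

    # Normalised index, used only to explain mismatches, never to match.
    folded = {}
    for value in ldap_ids:
        folded.setdefault(value.strip().casefold(), []).append(value)

    at_risk = sorted(cucm_ids - ldap_ids)
    near_miss = {}
    for uid in at_risk:
        key = uid.strip().casefold()
        if key in folded:
            near_miss[uid] = sorted(folded[key])

    return {
        "kept": sorted(cucm_ids & ldap_ids),   # same userID on both sides
        "at_risk": at_risk,                    # no exact match in LDAP
        "new": sorted(ldap_ids - cucm_ids),    # would arrive as new users
        "near_miss": near_miss,                # differ only by case/spaces
    }

# Constructed sample: userIDs currently in CUCM.
SAMPLE_CUCM = ["jsmith", "ALee", "mbrown"]

# Constructed sample: entries under the new search base.
SAMPLE_LDAP = [
    {"dn": "CN=J Smith,OU=TestUsers,DC=TestDomain,DC=com",
     "sAMAccountName": "jsmith", "ipPhone": "1001"},
    {"dn": "CN=A Lee,OU=TestUsers,DC=TestDomain,DC=com",
     "sAMAccountName": "alee", "ipPhone": "1002"},
    {"dn": "CN=M Brown,OU=TestUsers,DC=TestDomain,DC=com",
     "sAMAccountName": "mike.brown", "ipPhone": "1003"},
    {"dn": "CN=N User,OU=TestUsers,DC=TestDomain,DC=com",
     "sAMAccountName": "nuser", "ipPhone": "1004"},
]

if __name__ == "__main__":
    report = classify_sync(SAMPLE_CUCM, SAMPLE_LDAP, "sAMAccountName")
    for bucket, members in report.items():
        print(f"{bucket}: {members}")
```

Users in `at_risk` are the ones the reply says would be marked inactive and then deleted; `near_miss` shows which of them differ from an LDAP value only by case or surrounding whitespace.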