05-24-2020 05:23 PM
Hello team,
Do you have a procedure to add advanced users as network admins with specific accounts from AD? We are actually using one local admin account, which is not best practice. The aim is to enable them to log in with their advanced account, using their AD advanced login and password.
Regards
05-24-2020 06:31 PM
You can bulk apply permissions in the LDAP sync page, but those would apply to any new user that is synced with it. If you want special permissions for certain users in the OU/CN, that's not possible via that method. You would need to sync them, and then manually add the required permissions.
05-25-2020 08:55 PM
Hello Jaime Valencia,
These accounts are in a different OU on LDAP and the actual synchronization doesn't import them.
Should I create or add another LDAP directory pointing to this specific OU and then add roles? Actually an LDAP directory exists and imports end users to CUCM.
System>LDAP>LDAP Directory and add new
Thanks in advance
05-26-2020 06:36 AM
Yes, create a new sync and adjust permissions as necessary
05-26-2020 08:27 PM
Ok, thank you Jaime. Is there another way to do that?
Thanks in advance
05-26-2020 10:34 PM
You could change the search path on the original directory synchronisation that you already have to include objects from a higher point in your directory so that it would include both what you sync now and where you have the administrator accounts.
05-27-2020 11:38 PM
I don't want to change the search path on the original directory synchronisation.
I've created a group on LDAP and created a new search path on CUCM pointing to that group, but it's not working. I've pointed this to the OU which has all the network admin accounts and it's now working, then added the roles. I'm trying to find a way to point to a group or DL so that I just have to add members to that group. Do you think it's possible?
Regards
05-28-2020 12:56 AM
Yes it's possible but you'd need to create a custom LDAP filter to use with the directory sync.
LDAP filters in CM are a bit quirky to understand if you have never worked with them before. I'd recommend that you read up on the topic and install an LDAP browser client on your PC so that you can test it out before you put it in use in CM. Worth knowing is that, from what I've been able to find out, you can't use DLs as part of a filter, but you can use groups. This is an example of a filter string that we use, memberof=CN=<group name>,OU=<OU name>,OU=<OU name>,DC=<AD domain>,DC=<domain>,DC=<domain>,DC=<domain>, with any identifying information replaced. You'd likely need to adapt this to your needs and add more criteria to the filter string.
05-28-2020 01:10 AM
Even if it is not shown in the LDAP directory synchronization configuration, CM always uses an LDAP filter.
Standard default LDAP filter for users
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
At a minimum, if applicable for you that is, you should have this as part of the custom filter that you create.
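The filter advice in the two replies above, as an added example that is not part of the original thread or Cisco's own code: it combines the default user filter with a memberOf clause and checks offline which accounts would match. The group DN, account names and directory entries are constructed sample data, and the function names are hypothetical.

```python
# Added example: the group DN and directory entries below are constructed.
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the default filter

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def admin_sync_filter(group_dn):
    """Default user filter clauses plus a memberOf clause, in one AND."""
    return ("(&(objectclass=user)(!(objectclass=Computer))"
            "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
            "(memberOf=" + escape_filter_value(group_dn) + "))")

def would_sync(entry, group_dn):
    """Apply the same four clauses to a dict-shaped entry, offline."""
    classes = {c.lower() for c in entry["objectClass"]}
    groups = {g.lower() for g in entry.get("memberOf", [])}
    return ("user" in classes
            and "computer" not in classes
            and not entry["userAccountControl"] & ACCOUNTDISABLE
            and group_dn.lower() in groups)

# Constructed group names; the parentheses exercise the filter escaping.
GROUP = "CN=CUCM Admins (Tier 2),OU=Groups,DC=example,DC=test"
NESTED = "CN=Voice Team,OU=Groups,DC=example,DC=test"  # itself a member of GROUP

USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    # enabled admin, direct member of the group
    "alice": {"objectClass": USER, "userAccountControl": 512, "memberOf": [GROUP]},
    # disabled admin account (512 + ACCOUNTDISABLE): must not be synced
    "bob": {"objectClass": USER, "userAccountControl": 514, "memberOf": [GROUP]},
    # member only through a nested group: AD's memberOf lists direct groups only
    "carol": {"objectClass": USER, "userAccountControl": 512, "memberOf": [NESTED]},
    # computer objects also carry objectClass=user
    "PC01$": {"objectClass": USER + ["computer"], "userAccountControl": 4096,
              "memberOf": [GROUP]},
    # ordinary end user outside the admin group
    "dave": {"objectClass": USER, "userAccountControl": 512, "memberOf": []},
}

def synced_accounts():
    """Names of the constructed entries that the combined filter selects."""
    return sorted(n for n, e in ENTRIES.items() if would_sync(e, GROUP))

if __name__ == "__main__":
    print(admin_sync_filter(GROUP))
    print(synced_accounts())
```

The printed filter string is what you would paste into an LDAP browser to compare against the real directory before using it for the sync that grants admin roles.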