Changing LDAP System from AD to ADAM in CUCM 7.1.5

rickgwynne
Level 1

Hello Guys,

First time poster here, so be gentle...

We have a query regarding LDAP Synchronisation in CUCM 7.1.5.

A brief background :

Our CUCM environment has expanded since we first put it in a couple of years ago. We originally had, and continue to have, a single LDAP System configured on CUCM for only one of our AD forests. 

We have a multi-forest AD environment, with us rolling out more and more CUCM enabled sites from our differing AD forests.

1 x CUCM 7.1.5 Pub (+ 2 x Subs)

1 x Presence

1 x MP

1 x UCCX

1 x Unity Connection

3 x Unity

We are building an AD LDS (ADAM) server to enable our multi-forest integration and LDAP synchronisation from CUCM. This is built based on this Cisco doco:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b2b103.shtml

Our question :

Changing the CUCM LDAP System (and thus also changing the LDAP Directory and Authentication)

From: "Microsoft Active Directory"

To: "Microsoft Active Directory Application Mode" (ADAM)

AND: after running the first CUCM sync with the new ADAM server.

What impact will this have on the existing user accounts in CUCM (in terms of their Associated Devices and their Permissions Groups and Roles)?

Will they be overwritten, leaving the above fields blank and us having to manually add all that back in for our existing user base?

Or (which we feel is most likely) will duplicate accounts be created in CUCM?

The reason we feel there will be duplicates is the nature of multi-forest deployments and the issue of having the same usernames in two or more forests. All authentication requests must be performed using the User Principal Name (UPN), such as jdoe@company1.com, rather than the standard way of just using the userid: jdoe

Sorry for the long winded query.

Appreciate any thoughts/opinions on this.

Cheers,

Rick.

1 Reply

William Bell
VIP Alumni

Rick,

I haven't done this myself, so keep that in mind. As you say, be gentle.

Putting ADAM aside for the moment, in an LDAP sync configuration, when you establish a sync agreement CUCM does the following:

1. All user objects in the CUCM db are marked inactive

2. CUCM begins syncing with LDAP

3. For each user object learned from LDAP: the LDAP attribute chosen to map to the user ID in CUCM is compared to existing CUCM user objects.

- If a match is found, the account is activated

- Attributes for first name, last name, telephoneNumber, etc. are then overwritten with the LDAP values (based on attribute mappings)

4. After the sync completes, any CUCM user object that did not have an LDAP object with the same user ID is still marked inactive. These objects will be purged during the next clean-up interval

To give an example, I had a project where the customer was doing an upgrade from 4.1 to 7.1(3). As part of the upgrade, user objects were moved over to CUCM 7.1(3). Then we enabled LDAP sync. User objects were not deleted, nor were there duplicates. Configurations such as device associations were unaffected. The only thing we needed to do was check the CUCM user DB against LDAP user objects (running scripts against both) to find any mismatches between sAMAccountName and the CUCM user ID.

Assuming the sync process and behavior for activating/deactivating accounts is the same with an ADAM integration, then I wouldn't expect you to have an issue.

HTH.


Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

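As an added example (not code from the original thread, from Cisco, or from either poster), here is a small Python model of the four sync steps Bill lists, run against constructed sample data for two forests that both contain a "jdoe". It shows the two outcomes Rick asks about: with the user ID mapped to sAMAccountName the existing CUCM accounts are matched and reactivated, keep their device associations and groups (which are not LDAP-mapped attributes), and the second forest's jdoe is flagged as a collision; with the user ID mapped to userPrincipalName, as a multi-forest setup requires, none of the existing user IDs match, so they are left inactive for purging and fresh accounts are created with no devices or groups. The attribute map, the CucmUser dataclass, the sample users and the LDAP entries are assumptions for illustration only; this models the behaviour described in the reply rather than CUCM's own implementation.

```python
"""Model of the LDAP sync reconciliation described in the reply above, applied
to constructed sample data. Not CUCM's own code; an illustration only."""
from dataclasses import dataclass

# Assumed attribute mapping: LDAP attribute -> CUCM end-user field.
ATTRIBUTE_MAP = {
    "givenName": "first_name",
    "sn": "last_name",
    "telephoneNumber": "telephone",
}


@dataclass
class CucmUser:
    user_id: str
    first_name: str = ""
    last_name: str = ""
    telephone: str = ""
    devices: tuple = ()   # associated devices: not an LDAP-mapped attribute
    groups: tuple = ()    # access control groups/roles: not LDAP-mapped either
    active: bool = True


def sample_cucm_users():
    """Constructed CUCM end-user table as it stood before the new sync."""
    return [
        CucmUser("jdoe", "Jon", "Doe", "5001", ("SEP001122334455",), ("Standard CCM End Users",)),
        CucmUser("asmith", "Ann", "Smith", "5002", ("SEP00AABBCCDDEE",), ("Standard CTI Enabled",)),
        CucmUser("oldguy", "Old", "Guy", "5003", ("SEP00FFEEDDCCBB",), ()),
    ]


# Constructed LDAP entries from two forests; "jdoe" exists in both.
SAMPLE_LDAP = [
    {"dn": "CN=jdoe,OU=Users,DC=company1,DC=com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@company1.com", "givenName": "John", "sn": "Doe",
     "telephoneNumber": "5001"},
    {"dn": "CN=asmith,OU=Users,DC=company1,DC=com", "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@company1.com", "givenName": "Ann", "sn": "Smith",
     "telephoneNumber": "5002"},
    {"dn": "CN=jdoe,OU=Users,DC=company2,DC=com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@company2.com", "givenName": "Jane", "sn": "Doe",
     "telephoneNumber": "6001"},
]


def simulate_sync(cucm_users, ldap_entries, user_id_attr):
    """Apply the four steps from the reply and report what would happen.

    user_id_attr is the LDAP attribute mapped to the CUCM user ID
    (e.g. "sAMAccountName" or "userPrincipalName").
    """
    users = {u.user_id.lower(): u for u in cucm_users}
    for u in users.values():
        u.active = False                       # step 1: everything inactive
    activated, created, collisions, seen = [], [], [], {}
    for entry in ldap_entries:                 # step 2: walk the LDAP result set
        uid = entry.get(user_id_attr)
        if not uid:
            continue                           # no mapped user ID: nothing to sync
        key = uid.lower()
        if key in seen:
            # Two LDAP objects map to the same CUCM user ID (multi-forest clash):
            # the second would silently overwrite the first, so flag it instead.
            collisions.append((uid, seen[key], entry["dn"]))
            continue
        seen[key] = entry["dn"]
        user = users.get(key)                  # step 3: compare the mapped user ID
        if user is None:
            user = CucmUser(user_id=uid)       # unknown ID: new user, no devices/groups
            users[key] = user
            created.append(key)
        else:
            activated.append(key)
        user.active = True
        for ldap_attr, field_name in ATTRIBUTE_MAP.items():
            if ldap_attr in entry:             # mapped attributes are overwritten
                setattr(user, field_name, entry[ldap_attr])
    inactive = sorted(k for k, u in users.items() if not u.active)  # step 4: purge candidates
    return {
        "users": users,
        "activated": sorted(activated),
        "created": sorted(created),
        "inactive": inactive,
        "collisions": collisions,
    }


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        r = simulate_sync(sample_cucm_users(), SAMPLE_LDAP, attr)
        print(f"user ID mapped to {attr}:")
        print("  reactivated:", r["activated"])
        print("  created    :", r["created"])
        print("  purge later:", r["inactive"])
        for uid, first, second in r["collisions"]:
            print(f"  collision  : {uid!r} in {first} and {second}")
```

Running it as a dry run before the real sync is the "scripts against both" check Bill describes: the "purge later" list is exactly the set of CUCM user IDs with no matching LDAP value, and anything in it will lose its device associations and group memberships once the clean-up interval fires.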