Based on your reply then the issue is either that the user's password is different in AD than in CUCM, the LDAP authentication configuration is incorrect, or the communication between CUCM and the LDAP authentication server is impaired.
1. You can test the first theory by having the user authenticate to the LDAP authentication server directly. Either via Windows logon, Exchange logon, or even mapping a network drive to the server. Your objecitive is to prove (or disprove) that the credentials are the same in AD and CUCM.
2. You can test the other two theories by staging a logon example and capturing the network messages exchanged between your CUCM publisher and the LDAP authentication server.
a. For testing set the LDAP channel to the authentication server to not use encryption.
b. Next, use a method similar to what is provided in the following URL to setup a network capture. You may want to add a filter on the LDAP server IP address to minimize noise in the capture file.
http://www.netcraftsmen.net/resources/blogs/networktraces-cisco-uc.html
Example with a filter:
admin:utils network capture file mycap count 100000 size all host all 10.3.2.21
Where 10.3.2.21 is changed to the IP address of your LDAP authentication server.
c. Next, attempt a logon to your CUCM publisher by going to the CCMUser page (https://publisherIPAddress/ccmuser)
d. After the logon fails, go to the console of the CUCM publisher (the one you opened in step 2b) and cancel the trace (Ctrl+C). Then retrieve the trace file as described in the above URL.
You can then review the trace file for errors or post it here for a community review. You may also be able to gleen some information from your application/system event logs on the publisher around the time of the test.
HTH.
Regards,
Bill
