06-20-2012 12:16 AM - edited 03-19-2019 05:07 AM
Looking at an existing deployment which is using LDAP directories to sync with AD; the structure of this is not scalable with CUCM's limit of only 5 LDAP directories. Structure is below, not the best thought-out design I reckon.
The CUCM currently has 5 directories setup to search the Users OU in each city OU like this
ou=Users,ou=London,dc=Europe,dc=Domainroot,dc=net
ou=Users,ou=Paris,dc=Europe,dc=Domainroot,dc=net
ou=Users,ou=Berlin,dc=Europe,dc=Domainroot,dc=net
ou=Users,ou=Moscow,dc=Globe,dc=Domainroot,dc=net
ou=Users,ou=New York,dc=Globe,dc=Domainroot,dc=net
When the customer adds in new OUs such as Rome or Beijing then the CUCM is not getting info on the users in these, and cannot add new directory for them on CUCM as it is maxed at its limit of 5 already.
Looking at doing some sort of custom filter on this which will enable Rome and Beijing users to be included and provide for future growth. Can I delete the LDAP directory entries above, then add in ones just for the child domain like this...
dc=Europe,dc=Domainroot,dc=net
dc=Globe,dc=Domainroot,dc=net
....and then create some LDAP Custom Filter that will search each of the OUs such as London/Users, Paris/Users etc
Hope this makes sense and if anyone more familiar with AD and LDAP Custom filter capability on CUCM 8 can tell me if it is or isn't possible I'd be grateful
p.s. heard that the max LDAP directory count of 5 is being increased in CUCM 8.6 but can't find a value on what it is being increased to, if anyone knows the answer then please let me know
06-20-2012 04:06 AM
Based on the hierarchy you list above you can just create a new agreement based at DC=Globe,DC=Domainroot,DC=net. Custom filters are easier than they appear at first glance; just identify what attributes you want the account to have for it to be included. Here is the system default that gets used when you don't specify one:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
This default filter selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled.
If we use that as our starting point we just have to decide what additional criteria are appropriate. The most likely is to check that the object has a value in telephoneNumber (or ipPhone). You could use this if telephoneNumber was the extra criteria:
(&(telephoneNumber=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Additional details are available here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
Also the AD Explorer tool has a search function which shows you the LDAP filter for the search you just ran. You can use it to explore other options.
Please rate helpful responses.
06-20-2012 04:56 AM
Thanks for the response Jonathan
We've already decided to try a directory of DC=Globe,DC=Domainroot,DC=net and then put in a filter of
(&(ipPhone=*)(!UserAccountControl:1.2.840.113556.1.4.803:=2))
which will be tested later out of hours, nice to know we're on the right track.
Appreciate the extra links to Microsoft info and that tool, will prove useful for the future.
Cheers
EDIT - the filter I wrote above is wrong, missing brackets; also added in a negate computer accounts query to it as per Jonathan's advice. End result of filter should be
(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
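An added example, not part of the original thread: a small offline checker that parses the filters quoted above and evaluates them against constructed sample entries, so a filter can be sanity-checked before it goes into a sync agreement. The helper names (`parse`, `matches`, `synced`) and the sample accounts are hypothetical, and only the filter syntax used in this thread is supported.

```python
import re
# Added illustration; parse/matches/synced are hypothetical helper names.
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
ITEM = re.compile(r"([\w-]+)(?::(%s):)?=([^()]*)\)" % re.escape(BIT_AND))

def parse(text, i=0, top=True):
    """Parse a filter (RFC 4515 subset) into nested tuples; ValueError if malformed."""
    if text[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i:i + 1] in ("&", "|", "!"):
        op, kids, i = text[i], [], i + 1
        while text[i:i + 1] == "(":
            kid, i = parse(text, i, top=False)
            kids.append(kid)
        if text[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        node, i = (op, kids), i + 1
    else:
        m = ITEM.match(text, i)
        if not m:
            raise ValueError(f"bad item at offset {i}")
        node, i = (m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if top and i != len(text):
        raise ValueError(f"trailing text at offset {i}")
    return node if top else (node, i)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attr -> list of str)."""
    if len(node) == 2:  # (operator, children)
        hits = [matches(k, entry) for k in node[1]]
        return {"&": all, "|": any, "!": lambda h: not h[0]}[node[0]](hits)
    attr, rule, want = node
    vals = entry.get(attr, [])
    if rule:  # bitwise AND: every bit set in `want` must be set in the value
        return any((int(v) & int(want)) == int(want) for v in vals)
    return bool(vals) if want == "*" else want.lower() in [v.lower() for v in vals]

# Constructed sample entries; userAccountControl 514 = 512 + disabled bit (2).
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "alice": {"objectclass": USER, "useraccountcontrol": ["512"], "ipphone": ["1001"]},
    "bob": {"objectclass": USER, "useraccountcontrol": ["514"], "ipphone": ["1002"]},
    "carol": {"objectclass": USER, "useraccountcontrol": ["512"]},
    "WS01$": {"objectclass": USER + ["computer"], "useraccountcontrol": ["4096"]},
}

def synced(filter_text):
    tree = parse(filter_text)
    return [name for name, e in ENTRIES.items() if matches(tree, e)]
```

With these entries the default filter selects alice and carol, the ipPhone filter selects only alice, and the first version of the filter (before the EDIT) is rejected by `parse` because the `!` is not followed by a bracketed item.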