
CUCM and Unity LDAP Migration

j-garmatter
Level 1

What does the process look like to change "LDAP Server Type" from OpenLDAP to Microsoft Active Directory in CUCM and Unity?


The System > LDAP > LDAP System Configuration page states "Please Delete All LDAP Directories Before Making Changes on This Page" and "Please Disable LDAP Authentication Before Making Changes on This Page".

If I delete the LDAP directories, won't my users be removed as well?


Is there any way to retain users and their associated devices while changing the LDAP server type?

7 Replies

I don’t think that you would be able to retain the users and the device associations, as the underlying ID for the users is different between the two LDAP system types. However, the users would not disappear immediately; they would be present until the garbage collector process runs, which happens once per night at a predefined time.

What you could do is to export, with bulk administration, all of your current users and then re-import them to create local users, with the device assignment. Then, when you sync with AD, these users would be automatically changed to AD synchronised users as the user account names match.

Thanks for the reply Roger,


You mentioned that the underlying ID is different between the LDAP system types. Is that always the case?

For instance, I have uid set as the "LDAP Attribute for User ID" on OpenLDAP and plan to use sAMAccountName for MS AD. The value of uid is the same as the value of sAMAccountName in my directories. Would that make the user IDs the same from CUCM's point of view?

For AD, if I'm not wrong, it uses the AD ObjectGUID for the CM UniqueIdentifier; this is what is in reality used as the ID for the user object with AD, not the User ID as you would think. For OpenLDAP it uses another field in CM; here it is User ID, if I'm not wrong. This can, as you write, be set to use uid, or one of a list of others. So, as the underlying object used is different between the two LDAP systems in CM, it would not see them as the same user even if the User ID is the same.

Certainly each end user object has a unique pkid in the enduser table. Where I was going with this is to create a BAT export prior to changing the LDAP source. The output of that user export could be bludgeoned into a user update BAT file that would be keyed off user ID. Not the easiest thing in the world, but it would also not be anywhere near the most difficult kind of data conversion.

Totally agree with you on this @Elliot Dierksen. My intent with my prior response was to shine some light on the fact that there are differences between what LDAP system you use and how the synchronised data is stored in CM.

Some of that depends on if you are integrating using the same key. sAMAccountName is what I see most often with MS AD. The accounts will get marked as deleted in the garbage collection process in CUCM as @Roger Kallberg mentions. In Unity they will be converted to local accounts. There may be better ways to do this, but this is the query I use to find accounts that had been AD integrated but the AD account is now gone.

run cuc dbquery unitydirdb select alias, dtmfaccessid, ldaptype, ldapccmuserid from vw_user where ldaptype = '0' AND LDAPCCMUserId IS NOT NULL

If you did a bulk update to make them all local accounts prior to deleting the LDAP info, that should save them. If the account key is the same, you could do another bulk update afterwards to tie them to the new LDAP directory.


For CUCM I would suggest doing a BAT export of your users prior to making any changes. Once you get them active with the new LDAP directory, you'll have to hack on the export files to use them as user update files to restore the original values.


Use all this at your own risk!!!!! I have not tried this out, so be REALLY CAREFUL!
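As an added example (not code from any of the replies in this thread), here is a small script for the "hack on the export files" step described above: it takes the pre-migration BAT end-user export and the export taken after the new AD sync, and builds an update file keyed on User ID that carries the old device associations back, while listing users the AD sync did not create. The column headers (USER ID, PRIMARY EXTENSION, CONTROLLED DEVICE 1/2) and the sample rows are assumptions constructed for this example, so check them against the headers in your own export before using it.

```python
import csv
import io

# Assumed BAT export column names; verify against your own export file.
USER_KEY = "USER ID"
# Columns to carry over from the old export into the update file (assumed names).
CARRY_COLUMNS = ["PRIMARY EXTENSION", "CONTROLLED DEVICE 1", "CONTROLLED DEVICE 2"]

def build_update_rows(old_export_csv, new_export_csv):
    """Return (update_rows, missing_users).
    update_rows: one dict per user present in BOTH exports, with USER ID plus the
                 carried device columns taken from the old (pre-migration) export.
    missing_users: User IDs present before migration but not created by the new
                   LDAP sync; these need manual follow-up before any update import."""
    old = {r[USER_KEY]: r for r in csv.DictReader(io.StringIO(old_export_csv))}
    new_ids = {r[USER_KEY] for r in csv.DictReader(io.StringIO(new_export_csv))}
    update_rows, missing = [], []
    for uid, row in old.items():
        if uid not in new_ids:
            missing.append(uid)
            continue
        out = {USER_KEY: uid}
        out.update({c: row.get(c, "") for c in CARRY_COLUMNS})
        update_rows.append(out)
    return update_rows, missing

def to_csv(rows):
    """Serialise the update rows as a CSV with only the key and carried columns."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=[USER_KEY] + CARRY_COLUMNS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample data for the example, not a real export.
OLD_EXPORT = """USER ID,FIRST NAME,LAST NAME,PRIMARY EXTENSION,CONTROLLED DEVICE 1,CONTROLLED DEVICE 2
jsmith,John,Smith,1001,SEP001122334455,
adoe,Alice,Doe,1002,SEP00AABBCCDDEE,CSFADOE
bold,Bob,Old,1003,SEP00FFEEDDCCBB,
"""
NEW_EXPORT = """USER ID,FIRST NAME,LAST NAME,PRIMARY EXTENSION,CONTROLLED DEVICE 1,CONTROLLED DEVICE 2
jsmith,John,Smith,,,
adoe,Alice,Doe,,,
"""

if __name__ == "__main__":
    rows, missing = build_update_rows(OLD_EXPORT, NEW_EXPORT)
    print(to_csv(rows))
    print("not found after AD sync:", missing)
```

Matching is exact on User ID, so if uid and sAMAccountName differ in case between the two directories, normalise both exports first or the users will be reported as missing.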

j-garmatter
Level 1

Thanks everyone,


I'll have to test this process of "export -> convert to local -> modify export -> import as update" on the current system with a handful of users. I haven't any experience with the bulk administration side of things yet. I'll keep you posted on the results.
