CUCM Error Message Failed to connect to ldap://x.x.x.1

Chris Austin (Level 1)

CUCM 14 with LDAP integration for user import/authentication.

Changed password now getting below error.

Error Message Failed to connect to ldap://x.x.x.1:389, check the server IP address or the network connection

Error Message Failed to connect to ldap://x.x.x.2:389, check the server IP address or the network connection

When I logged in to change the password I did not see any errors nor did I have reports of end users unable to log in.  Password change didn't take due to error message.

We have 2 directories, we'll call them D1 and D2.  D1 pulls from x.x.x.3 / x.x.x.4 / x.x.x.1.  D2 pulls from x.x.x.1 / x.x.x.2.  LDAP Authentication is configured with x.x.x.3 / x.x.x.4 / x.x.x.1.

No configuration has changed and this has been working for a few years.

To confirm network connectivity I can ping x.x.x.1 and x.x.x.2 from CUCM.  I only get the error message for these 2 IPs.  I feel confident that CUCM is reaching all IPs because if I try to use the old password I get an error with all 4 stating the username and password are incorrect.  For D1 we removed x.x.x.1 and the password update took.  For LDAP Authentication we removed x.x.x.1 and the password update took as well.  So now I just have D2 that will not update the password or sync.  I worked with the server team and they confirmed that no changes were made except the password.

Server team ran Test-NetConnection hostname-1 -Port 389 using PowerShell on one of their servers and got a successful response showing port 389 is open and should be working.

ComputerName           : hostname001
RemoteAddress          : x.x.x.1
RemotePort             : 389
InterfaceAlias         : OB-VM-NIC
SourceAddress          : x.x.x.204
PingSucceeded          : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : True

We are all stumped as to what could cause this to stop working.  I'm aware of one change to the network that involved ISE but ISE is not applied to server ports so I believe this could not impact it and is a waste of time to chase.  The server team states that there have been no changes to servers or AD policies.  It seems that everything is unchanged except the password.  Does anyone have any suggestions as where to look?

5 Replies

Check if the Distinguished Name user and password work.

Maybe the password used on the LDAP directory has expired.

ISE has no role in this.

Jonathan Schulenberg (Hall of Fame)

I have read your post twice and am still confused on what is/isn't working; I'm struggling to follow the relationship between these two directories and the masked IPs. Any chance that you accidentally transposed them?

Anyway, the bigger question here is: what do you mean by two directories? CUCM supports a single directory source. Assuming this is Active Directory, that means a single Forest. If you want multiple Domains or Trees of that Forest, then you have to use User Principal Name and point at a Global Catalog server. If your LDAP Filter contains non-indexed attributes, you should seriously consider adding them to the index to minimize the load on your Domain Controllers. Multi-forest requires middleware such as AD Lightweight Directory Services.

So, what do you mean by “D1” and “D2”?

There are 2 LDAP directories configured.  D1 pulls users from cus.cuscorp.com and D2 pulls from cuscorp.com.  Per the System Configuration Guide for Cisco Unified Communications Manager, Release 11.5(1):

Scheduled Updates—You can configure Unified Communications Manager to synchronize with multiple LDAP directories at scheduled intervals to ensure that the database is updated regularly and user data is up-to-date.

Did I misunderstand that statement?  My user data updates/syncs every night with both.  I can see users from both.  But that is not the issue.  The issue is that the password had to be updated.  After updating the password and clicking save, it would update with IPs .3 and .4 but returned the error for .1 and .2.

In my opinion that's poorly worded. Multiple AD Domains within the same AD Forest are supported. The SRND Directory Integration and Identity Management chapter is the best resource for what is/isn't allowed here.

I was asking mostly because of Nithin's suggestion to use the proper Distinguished Name since that's what you're supposed to be using, not just a username. The DN would only work within a single Forest though.

Anyway, assuming it's not the non-secure bind deprecation that Roger is referring to, I'd try a generic LDAP client (e.g. Softerra LDAP Browser - not an endorsement, use at your own risk) from your PC and see if you can successfully bind with the exact same details that DirSync is using. If you can't it's not a CUCM problem. If you can I'd then run a PCAP from the publisher, since this is in the clear, and look at it in Wireshark.

Apart from the suggestions you’ve got from others you should know that Microsoft has announced deprecation of unsecured LDAP. Based on this it’s highly advisable to switch to use secure LDAP. How to set this up is well documented. Just search for CM secure LDAP.

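Jonathan's suggestion (bind with exactly the DN and password DirSync uses, from a generic LDAP client) and Roger's point about unsigned LDAP can both be checked with one small probe that speaks the wire protocol directly. The block below is an added example written for this page; it is not code from the thread, from Cisco, or from Microsoft. It frames an LDAPv3 simple BindRequest in BER per RFC 4511, sends it over TCP 389, and decodes the BindResponse, so a TCP-level failure ("Failed to connect") is reported separately from a bind the DC rejected, and a rejected bind shows the server's resultCode: 49 invalidCredentials for a wrong, expired or locked password versus 8 strongerAuthRequired when the DC no longer accepts an unsigned simple bind on 389. The DC hostnames, service-account DN and password in the usage line are placeholders, and the sample responses used for offline checks are constructed, not captured. Run it from a host on the same network path as the CUCM publisher; a Test-NetConnection from a server on the DCs' own subnet, as in the output earlier in the thread, says nothing about the path CUCM takes.

```python
"""Raw LDAPv3 simple-bind probe (RFC 4511 BER framing, standard library only).

Added example for this thread, not Cisco or Microsoft code. Separates "TCP to
:389 failed" from "TCP fine, bind rejected" and reports the server's resultCode.
"""
import socket

# LDAP resultCode values from RFC 4511 Appendix A that matter for a DirSync bind.
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired",     # DC requires a signed or TLS-protected bind
    13: "confidentialityRequired",
    32: "noSuchObject",
    49: "invalidCredentials",      # wrong DN/password; AD also uses it for expired/locked
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x60, _ber_int(3)
                + _tlv(0x04, bind_dn.encode("utf-8"))      # name: the bind DN
                + _tlv(0x80, password.encode("utf-8")))    # authentication: simple [0]
    return _tlv(0x30, _ber_int(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next position); IndexError/ValueError on truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, bindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x02 or op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"stage": "bind", "message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "result_name": RESULT_CODES.get(rc, "other"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def sample_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed BindResponse bytes for offline checks (not captured from a real DC)."""
    op = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _ber_int(message_id) + op)


def probe_bind(host: str, port: int, bind_dn: str, password: str, timeout: float = 5.0) -> dict:
    """Open TCP, send one simple bind, return the parsed response or the TCP-level failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, bind_dn, password))
            data = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    return {"stage": "bind", "error": "connection closed before a BindResponse"}
                data += chunk
                try:
                    return parse_bind_response(data)
                except (ValueError, IndexError):
                    continue                      # response not complete yet
    except OSError as exc:                        # refused, timed out, unreachable, DNS failure
        return {"stage": "tcp", "error": str(exc)}


def verdict(result: dict) -> str:
    """Plain-language reading of a probe result for the three cases the thread conflates."""
    if result["stage"] == "tcp":
        return "tcp: " + result["error"]
    if "error" in result:
        return "bind: " + result["error"]
    rc = result["result_code"]
    if rc == 0:
        return "bind ok"
    if rc == 49:
        return "bind rejected: invalidCredentials (check DN, password, expiry, lockout)"
    if rc in (8, 13):
        return f"bind rejected: {RESULT_CODES[rc]} (unsigned simple bind refused; use LDAPS or StartTLS)"
    return f"bind rejected: code {rc} {RESULT_CODES.get(rc, '')} {result['diagnostic']!r}"


if __name__ == "__main__":
    import sys
    # Placeholder DN/password and hosts; substitute the exact DirSync account and each DC.
    dn, pw = "CN=svc-cucm-dirsync,OU=Service Accounts,DC=example,DC=com", "changeme"
    for host in sys.argv[1:] or ["dc1.example.invalid"]:
        print(host, verdict(probe_bind(host, 389, dn, pw)))
```

Probing each DC that DirSync lists, with the DN rather than a bare username, shows in one run which servers answer at all and which answer with 49 or 8; a capture on the publisher while it saves the directory configuration should show the same BindRequest/BindResponse pair in the clear on 389.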