Re: CUCM LDAP Change

bradshjo903 · ‎04-11-2019

Our company has recently been implementing Cisco Jabber, but recently have ran into an issue due to our unique setup.

Our company has 2 domains that are 2-way trusted. We have found out that we need to create an AD LDS instance to support authentication within CUCM for our 2 domains. In our current setup, Domain 1 uses the sAMAccountName as the LDAP Attribute for User ID, using the Microsoft Active Directory as the LDAP Server Type.

We know we need to setup the AD LDS instance, but we can't use the sAMAccountName as the LDAP Attribute for User ID, because between the 2 domains, there is multiple instances where the sAMAccountName is the same on both domains, thus not making it unique. What is unique is the email attribute field we could use. The big question is though, what would happen to all the current user accounts within CUCM if we changed the LDAP Attribute for User ID field from sAMAccountName to the email attribute. Trying to put together the picture how much work this would be, what could possibly break, etc.

In Domain 1, users have Cisco phones, voicemail, and Cisco Jabber as the tools they have. Our current version of CUCM is 11.5.1.12900-21. Let me know if any other information is needed to help with this issue.

Jaime Valencia · ‎04-11-2019

You would need to remove the LDAP sync, turn all your users into local users, then manually change the userID to the value you would use for the LDS integration, and finally enable the LDS integration so the userID matches the value in LDS, and they become LDAP active users.

For AD deployments, the ObjectGUID is used internally in Unified CM as the key attribute of a user. The attribute in AD that corresponds to the Unified CM User ID may be changed in AD. For example, if sAMAccountname is being used, a user may change their sAMAccountname in AD, and the corresponding user record in Unified CM would be updated.

With all other LDAP platforms, the attribute that is mapped to User ID is the key for that account in Unified CM. Changing that attribute in LDAP will result in a new user being created in Unified CM, and the original user will be marked inactive.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab11/collab11/directry.html

HTH

java

if this helps, please rate

Maren Mahoney · ‎04-12-2019

You will want to use either UserPrincipalName or email as a unique attribute for the UserID. Here is a reason to go with UPN:

Since you are LDAP integrated on only one domain at the moment: if you change the UserID attribute mapping to UPN and re-sync, CUCM is smart enough to figure out which user is which and will change the current users to the new UPN UserID attribute. I've done this remapping from sAMAccountName to UPN in my lab using this method and know it works. (Note: You'll need to delete the LDAP Directory, change the mapping, recreate and LDAP Directory and re-sync.)

I haven't remapped from sAMAccountName to mail myself, so I don't know if the same would apply there.

After that you would need to re-delete the LDAP Directory, change the synchronization type to AD LDS, and then re-create the LDAP Directory for this first domain and re-sync and make sure it works. Then add the second domain's agreement.

Be safe and peform a backup. And try the procedure out in a lab first if you can. It's a big change.

Maren

bradshjo903 · ‎04-17-2019