CUCM - LDAP integration

Hello All, 

We are trying to integrate an LDAP server (msft Active Directory) unsuccessfully so far. 

I cannot see LDAP requests in CUCM; however, connectivity between CUCM and LDAP is in place, since I have checked that there is a ping response from CUCM. 

On the CUCM side, there is not much to configure. I'm afraid that, on the LDAP server side, I'm missing something. 

Have you faced a similar issue?

Thanks, 

Juan 

7 Replies

You did not say if you were doing LDAP or LDAPS, so I'll assume LDAP. What is required is pretty well described in this link.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_5_1/sysConfig/CUCM_BK_SE5DAF88_00_cucm-system-configuration-guide-1151/CUCM_BK_SE5DAF88_00_cucm-system-configuration-guide-1151_chapter_0100101.html 

The most common issue I have seen in LDAP integrations is that the service account needs to be able to read all attributes of user objects and have a password that does not expire.

Ping might be enabled; however, the ports used for LDAP/LDAPS might be blocked. When checking connectivity, it is always recommended to test the port the service uses instead of just pinging.

As @Elliot Dierksen mentioned, the service account is often the cause of LDAP integration failures.

In addition to double-checking the service account and its permissions (it has to have full read access to accounts) as mentioned by @Elliot Dierksen, the other mistake most folks make is the construction of their User Search Base. Your MS people can help you with the syntax for that.

Maren

Brad Magnani
Cisco Employee

@Juan Delgado Gutierrez wrote:

I cannot see LDAP requests in CUCM; however, connectivity between CUCM and LDAP is in place, since I have checked that there is a ping response from CUCM. 

What exactly do you mean by you don't see LDAP requests in CUCM? We need some more context about what you're trying to do and what you're seeing. 

Quick tip: when you configure the Directory and Authentication pages, when you click "Save", CUCM connects to the IP/FQDN/port # of whatever LDAP servers you have configured to test the socket. If you go to those pages and simply click "Save", and you don't receive a connectivity failure banner at the top of the page, then your connectivity is good. 

@Brad Magnani - I was originally going to say something similar about CUCM (and CUC) reaching out with the credentials to the User Search Base when "Save" is clicked. But my experience is that depending on the exact version of CUCM sometimes it did and sometimes it didn't. (The last time it didn't was one of the v10 revs, to be fair.)

More recently, the credentials are checked for connectivity to the LDAP database itself but the User Search Base is not verified at "Save". I've experienced this with v12.5. I haven't checked v14 or v15 yet.

Maren

I quickly checked on a 14.x lab and after the LDAP bindResponse comes back successfully it does send a searchRequest for the baseObject which matches what's configured in the LDAP User Search Base field. I configured a search base that doesn't exist out in LDAP and did the test again, and it fails since that is also being validated in addition to the TCP socket. This behavior should be consistent on 15.x as well. 

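An added example, not from this thread or from Cisco: a stdlib-only Python script that repeats the three checks in the order Brad describes, and that the earlier advice about ports makes explicit, against plain LDAP on 389: open the TCP socket on the LDAP port rather than pinging, simple-bind as the service account, then send a base-scope searchRequest for the User Search Base and read the resultCode. Host, bind DN, password and search base are assumed inputs; the BER encoding is hand-rolled from RFC 4511 so no LDAP library is needed, and LDAPS (TLS on 636) is not covered.

```python
import socket
def ber(tag, payload):
    # One BER TLV; short length form below 128 bytes, long forms 0x81/0x82 above.
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def bind_request(msg_id, bind_dn, password):
    # LDAPv3 simple BindRequest [APPLICATION 0]; the password is [0] OCTET STRING.
    op = ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def base_search_request(msg_id, base_dn):
    # SearchRequest [APPLICATION 3]: baseObject scope, never deref, no limits, typesOnly FALSE, filter (objectClass=*), attrs "1.1" (none)
    op = (ber(0x04, base_dn.encode()) + ber(0x0A, b"\x00") * 2 + ber(0x02, b"\x00") * 2
          + ber(0x01, b"\x00") + ber(0x87, b"objectClass") + ber(0x30, ber(0x04, b"1.1")))
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, op))

def tlv(buf, off=0):
    # Decode one BER TLV at buf[off:] -> (tag, value, offset just past it).
    k = buf[off + 1] & 0x7F if buf[off + 1] >= 0x80 else 0
    n = int.from_bytes(buf[off + 2:off + 2 + k], "big") if k else buf[off + 1]
    return buf[off], buf[off + 2 + k:off + 2 + k + n], off + 2 + k + n

def parse_response(message):
    _, body, _ = tlv(message)
    op_tag, op, _ = tlv(body, tlv(body)[2])          # skip the messageID
    return op_tag, tlv(op)[1][0]                     # resultCode of BindResponse (0x61) / SearchResultDone (0x65)

def recv_message(f):
    head = f.read(2)                                 # tag byte plus first length byte
    if head[1] >= 0x80:
        head += f.read(head[1] & 0x7F)               # long-form length octets
    return head + f.read(head[1] if head[1] < 0x80 else int.from_bytes(head[2:], "big"))

def check_ldap(host, bind_dn, password, search_base, port=389, timeout=5):
    # Same order CUCM validates on Save: TCP socket, bind, base search on the User Search Base.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "socket"                   # ping may succeed while 389/636 is blocked
    with sock, sock.makefile("rb") as f:
        sock.sendall(bind_request(1, bind_dn, password))
        if parse_response(recv_message(f)) != (0x61, 0):
            return "bind"                 # e.g. 49 = invalidCredentials
        sock.sendall(base_search_request(2, search_base))
        tag, code = 0x64, 0
        while tag == 0x64:                # skip SearchResultEntry, wait for SearchResultDone
            tag, code = parse_response(recv_message(f))
        return "ok" if code == 0 else "search_base"   # 32 = noSuchObject
```

A search base that does not exist comes back as resultCode 32 (noSuchObject) in the SearchResultDone, which is the failure Brad's lab test reproduces; a wrong service-account password stops one step earlier at the bind.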

collinks2
Level 5
Is it that when you perform a full sync, you don't get to view users in CUCM? If yes, how did you create your OU? You can create a user, for example cucmldap, and let the OU be managed by cucmldap. Also ensure that cucmldap is a member of Administrators, Domain Admins, Enterprise Admins and Schema Admins.