07-09-2013 11:51 AM - edited 03-19-2019 06:58 AM
Hello all,
I was hoping to get some ideas on the best way to do this. We are looking to deploy CUPS and, in doing so, migrate all of our existing local database users over to LDAP-enabled users with their current hard phones, as well as batch in their new soft/Jabber phones. I have seen it is easy to go the other way, but we would really love to leverage the LDAP credentials as part of the rollout. Has anyone done this or have any good ideas on how to best facilitate the task? Perhaps with the BAT utility?
Many thanks in advance!
07-09-2013 11:58 AM
The best bet would be to update all your UserIDs to match your sAMAccountName in AD. Then set up your LDAP agreement, and all those users who match will sync up to AD without losing any associations.
Thanks,
Ryan
07-09-2013 12:00 PM
Just to confirm I understand... If I take a userID that is currently a local DB account, change it to match their sAMAccountName, and force an LDAP sync, the LDAP credentials will take over and all associations will remain?
07-09-2013 12:04 PM
That is correct. Make sure it is case sensitive.
On the flip side, if you have a UserID that matches a sAMAccountName and you force it to be a local account, the next sync cycle will push it back to AD integrated. No way to change that behavior.
Thanks,
Ryan
07-09-2013 12:33 PM
It does not seem to be working that way for me... I forgot to mention we do have a filter in place for just ipPhone.
07-09-2013 12:56 PM
As a follow-up, here is what I did:
1. Converted a test user's LDAP account back to an active local.
2. I then deleted this new active local account.
3. I then modified the old active local account userID to case-sensitive match the sAMAccountName of the test user.
4. I forced an LDAP sync.
5. The active local user remained active local and did not become an LDAP-enabled account.

Second Test
1. I converted my LDAP-enabled account to a local active account.
2. I then forced an LDAP sync.
3. My account stayed an active local account and did not re-convert to an LDAP account.
07-09-2013 12:59 PM
You need to match whatever you're using as the userID in CUCM against the LDAP values.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_6_1/ccmcfg/b02ldsys.html
As long as you match it, the info from CUCM will be updated and the users will remain.
Then you can configure the LDAP authentication.
If you have a filter, it only affects which users will be synced, not the sync process or how they're matched.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk
07-09-2013 01:08 PM
I completely follow what you both are saying. I am just not sure why it isn't working that way in our environment. This is what we have set for what to sync, and my current local database account userID matches by case my sAMAccountName.
07-09-2013 02:02 PM
Ha, went back to the "is it plugged in" question and found out the sync wasn't working at all anymore (another hand in the pot fat-fingered a custom mapping). Once it was removed, it works as described above. Thank you gents so much!
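
As an added example (not from any poster in this thread or from Cisco): a pre-sync check for the case-sensitive userID to sAMAccountName match described in the replies above. The CSV column names and sample rows are constructed for illustration, and the AD list is assumed to contain only the accounts that fall inside the sync agreement's filter.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for this example,
# not taken from a real CUCM or AD export.
CUCM_EXPORT = """userid,status
jsmith,local
MJones,local
akhan,local
svc-paging,local
"""
AD_EXPORT = """sAMAccountName
jsmith
mjones
AKhan
bwayne
"""

def read_column(text, column):
    """Return the non-empty, whitespace-trimmed values of one CSV column."""
    values = []
    for row in csv.DictReader(io.StringIO(text)):
        value = (row.get(column) or "").strip()
        if value:
            values.append(value)
    return values

def plan_migration(cucm_ids, sam_names):
    """Sort local userIDs by how they compare to AD sAMAccountName values."""
    exact = set(sam_names)
    by_folded = {name.casefold(): name for name in sam_names}
    plan = {"exact": [], "rename": {}, "no_ad_match": []}
    for uid in cucm_ids:
        if uid in exact:
            plan["exact"].append(uid)        # already matches byte for byte
        elif uid.casefold() in by_folded:
            # Differs by case only: rename the local userID before syncing.
            plan["rename"][uid] = by_folded[uid.casefold()]
        else:
            plan["no_ad_match"].append(uid)  # no AD account to match against
    return plan

def build_plan():
    """Run the comparison over the constructed exports above."""
    return plan_migration(read_column(CUCM_EXPORT, "userid"),
                          read_column(AD_EXPORT, "sAMAccountName"))

if __name__ == "__main__":
    for bucket, users in build_plan().items():
        print(bucket, users)
```

Accounts in the `rename` bucket are the ones that look matched at a glance but differ in case; `no_ad_match` typically surfaces service or shared accounts that have no AD account to match.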