05-16-2018 12:05 PM - edited 03-19-2019 01:21 PM
Hello All,
CUCM: 10.5(2)
We have never used the LDAP Sync/Authentication feature at all with CUCM. We currently have over 200+ end users configured in CUCM locally.
So today, I am testing the LDAP sync features by syncing users from a new OU I created in AD with a couple of fake/test users. When I ran the Perform Full Sync option from CUCM's LDAP settings page, the test users I created in AD were brought over to CUCM successfully.
Then, I tried to use one of the sync'ed LDAP users to log in to Cisco Jabber, but was getting an "Invalid Username or Password" error...
After getting this error a bunch of times, I read that in order to use the AD User's password that is set in AD, you also need to enable "LDAP Authentication". In that page it says that enabling LDAP Auth will put the AD server in control of all end users' passwords.
Does this apply to only "Active LDAP Synchronized User", or does it apply to both the LDAP Sync'ed User as well as the "Enabled Local User", which were created locally in CUCM?
Thanks in Advance,
Matt
05-16-2018 03:27 PM - edited 05-16-2018 03:27 PM
It used to be true that you could have LDAP Auth with locally created users. But that was when LDAP was an all-or-nothing configuration in CUCM 8.6 and earlier. Nowadays, only LDAP synch'ed users are LDAP auth'ed.
From the v10 SRND (and also in v11 SRND):
LDAP authentication
This process enables the IMS library to authenticate user credentials of LDAP synchronized End Users against a corporate LDAP directory using the LDAP standard Simple_Bind operation. When this feature is enabled, End User passwords of LDAP synchronized End Users are authenticated against the corporate directory, while Application User passwords and passwords of local End Users are still authenticated locally against the Unified CM database. Cisco Extension Mobility PINs are also still authenticated locally.
HTH
Maren
05-17-2018 08:36 AM
05-17-2018 10:49 AM
When you do an initial sync of LDAP to CUCM, it will try to match up existing userIDs with newly LDAP replicated UserIDs (and the Last Name field must be the same as well in both systems).
Once LDAP users are sync'ed, it is possible to "change" the userID mapping from one field to another by:
CUCM is smart enough to recognize the existing users as the same as the newly-resynched users, and simply change their userIDs over to the new one.
This means that you will need to either manually change the userIDs in CUCM to the sAMAccountName prior to syncing, or populate the telephoneNumber field in Active Directory with their extensions and do an initial sync on that, then go through the above procedure to change over to sAMAccountName.
I highly encourage you to try this out in a lab before you do it, though, to be on the safe side!
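A pre-sync check based on the matching rule described in the reply above (same userID and same Last Name), added here as an example and not part of the original thread or any Cisco tooling: it compares a list of local CUCM end users with the AD entries in the OU to be synced and reports which accounts would move under AD password control. The CSV layouts, the sample rows, and the case-insensitive comparison are assumptions.

```python
import csv
import io

# Constructed sample data: local CUCM end users and AD entries in the synced OU.
CUCM_LOCAL = """userid,lastname
jsmith,Smith
mlee,Lee
4102,Garcia
svc_paging,Paging
"""
AD_OU = """sAMAccountName,sn
jsmith,Smith
mlee,Li
agarcia,Garcia
"""

def load(text, id_col, name_col):
    """Map lower-cased user ID -> last name from CSV text (hypothetical export layout)."""
    return {r[id_col].strip().lower(): r[name_col].strip()
            for r in csv.DictReader(io.StringIO(text))}

def plan_sync(cucm_csv, ad_csv):
    """Classify accounts by where their password would be checked after the sync."""
    local = load(cucm_csv, "userid", "lastname")
    ad = load(ad_csv, "sAMAccountName", "sn")
    plan = {"converted_to_ldap": [], "lastname_mismatch": [],
            "stays_local": [], "new_ldap_user": []}
    for uid, last in sorted(local.items()):
        if uid not in ad:
            plan["stays_local"].append(uid)        # still checked against the CUCM database
        elif ad[uid].lower() == last.lower():      # assumption: comparison ignores case
            plan["converted_to_ldap"].append(uid)  # password would be checked against AD
        else:
            plan["lastname_mismatch"].append(uid)  # same userID, different last name: review by hand
    plan["new_ldap_user"] = sorted(u for u in ad if u not in local)
    return plan

if __name__ == "__main__":
    for bucket, users in plan_sync(CUCM_LOCAL, AD_OU).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Accounts in `lastname_mismatch` are the ones to resolve in a lab before the first production sync.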
05-17-2018 11:27 AM
05-17-2018 01:09 PM
You are correct. Only users in the OUs indicated in the LDAP sync are affected by any LDAP actions. So, I suppose if you are using that for "lab" work, you should be OK if that's what you are asking.