LDAP Authentication with Local CUCM End Users

Matthew Martin
Level 5

Hello All,

CUCM: 10.5(2)

We have never used the LDAP Sync/Authentication feature at all with CUCM. We currently have over 200+ end users configured in CUCM locally.

So today, I am testing the LDAP sync features by syncing users from a new OU I created in AD with a couple of fake/test users. When I ran the Perform Full Sync option from CUCM's LDAP settings page, the test users I created in AD were brought over to CUCM successfully.

Then, I tried to use one of the synced LDAP users to log in to Cisco Jabber, but was getting an Invalid Username or Password error...

After getting this error a bunch of times, I read that in order to use the AD user's password that is set in AD, you also need to enable "LDAP Authentication". On that page it says that enabling LDAP Auth will put the AD server in control of all end users' passwords.

Does this apply only to "Active LDAP Synchronized User", or does it apply to both the LDAP synced user as well as the "Enabled Local User", which were created locally in CUCM?

Thanks in Advance,

Matt

Accepted Solution

It used to be true that you could have LDAP Auth with locally created users. But that was when LDAP was an all-or-nothing configuration in CUCM 8.6 and earlier. Nowadays, only LDAP synced users are LDAP authenticated.

From the v10 SRND (and also in v11 SRND):

LDAP authentication
This process enables the IMS library to authenticate user credentials of LDAP synchronized End Users against a corporate LDAP directory using the LDAP standard Simple_Bind operation. When this feature is enabled, End User passwords of LDAP synchronized End Users are authenticated against the corporate directory, while Application User passwords and passwords of local End Users are still authenticated locally against the Unified CM database. Cisco Extension Mobility PINs are also still authenticated locally.

HTH

Maren


Hey Maren, thanks for the explanation, much appreciated!

I enabled the LDAP Auth and it seems to be working correctly. Thank you!

I have one other question related to LDAP, but let me know if I should put this in a new Post.

Currently, we have all of our CUCM users as local users, where they use their extension as their User-ID. I was wondering if there are any documented processes out there for converting local users to LDAP users, which would change their User-ID to their sAMAccountName (i.e. their username without the "@domain.com")?

Thanks Again,
Matt

When you do an initial sync of LDAP to CUCM, it will try to match up existing userIDs with newly LDAP replicated UserIDs (and the Last Name field must be the same as well in both systems).

Once LDAP users are synced, it is possible to "change" the userID mapping from one field to another by:

  1. Deleting the existing LDAP Authentication
  2. Deleting the existing LDAP Directory (You will get a warning about users being deleted. This is true if you leave the users un-synced for more than 24 hours after deleting the LDAP Directory)
  3. Changing the userID mapping parameter in LDAP System
  4. Re-creating the LDAP Directory exactly and syncing.
  5. Re-creating the LDAP Authentication.

CUCM is smart enough to recognize the existing users as the same as the newly re-synced users, and simply change their userIDs over to the new one.

This means that you will either need to manually change the userIDs in CUCM to the sAMAccountName prior to syncing, or populate the telephoneNumber field in Active Directory with their extensions, do an initial sync on that, and then go through the above procedure to change over to sAMAccountName.

I highly encourage you to try this out in a lab before you do it, though, to be on the safe side!
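Before running either conversion path, it helps to know which local end users would actually be merged. The following is an added example, not CUCM's code or anything from the replies above: it models the matching rule Maren describes (CUCM userID equal to the attribute chosen as the LDAP userID mapping, plus an identical last name) against an AD export, so you can run it on a CUCM user list and AD dump and see who would match, who would be left as a local user, and where a last-name mismatch would block the merge. Case-insensitive comparison and the constructed sample users are assumptions made here for illustration.

```python
"""Pre-sync matching check for the local-to-LDAP user conversion.

Constructed example (not CUCM's own logic): it applies the rule from the reply,
userID must equal the mapped LDAP attribute AND last name must match, to show
which local end users would be merged with a synced LDAP user.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LocalUser:        # a locally created CUCM end user
    userid: str
    last_name: str


@dataclass(frozen=True)
class AdUser:           # one row of an Active Directory export
    sAMAccountName: str
    sn: str             # AD surname attribute
    telephoneNumber: str


@dataclass
class MatchResult:
    matched: dict = field(default_factory=dict)           # cucm userid -> sAMAccountName
    unmatched_local: list = field(default_factory=list)   # would stay local after sync
    lastname_conflicts: list = field(default_factory=list)  # userID found, last name differs


def match_users(local, ad, mapping_attr):
    """Join CUCM local users against AD on the attribute used as LDAP userID mapping.

    Assumption: comparison is case-insensitive; users with an empty mapped
    attribute in AD can never match (e.g. no telephoneNumber set).
    """
    by_attr = {}
    for u in ad:
        key = getattr(u, mapping_attr)
        if key:
            by_attr[key.lower()] = u
    result = MatchResult()
    for lu in local:
        cand = by_attr.get(lu.userid.lower())
        if cand is None:
            result.unmatched_local.append(lu.userid)
        elif cand.sn.lower() != lu.last_name.lower():
            result.lastname_conflicts.append(lu.userid)
        else:
            result.matched[lu.userid] = cand.sAMAccountName
    return result


# Constructed sample data: extension-style userIDs in CUCM, plus one already on sAMAccountName.
LOCAL = [LocalUser("1001", "Smith"), LocalUser("1002", "Jones"),
         LocalUser("1003", "Lee"), LocalUser("jdoe", "Doe")]
AD = [AdUser("asmith", "Smith", "1001"), AdUser("bjones", "Jones", "1002"),
      AdUser("clee", "Li", "1003"), AdUser("jdoe", "Doe", "")]
```

Running `match_users(LOCAL, AD, "telephoneNumber")` shows the first sync path merging 1001 and 1002, flagging 1003 for a last-name mismatch and leaving jdoe local; `match_users(LOCAL, AD, "sAMAccountName")` shows the opposite, which is why the reply suggests the two-step approach.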

Thanks Maren, I'll give it a try.

For testing, I just created a couple of test users in AD in a specific OU. Then I set that OU as the Search Space in the LDAP Directory configuration. So, I assume it would only modify users who are matched up in the OU I created in AD, which would be my test users.

Am I thinking correctly that using that OU in the search space would only affect those couple of test users I created?

Thanks Again,
Matt

You are correct. Only users in the OUs indicated in the LDAP sync are affected by any LDAP actions. So, I suppose if you are using that for "lab" work, you should be OK if that's what you are asking.