LDAP Integration or Not?

CHRIS KALETH
Level 5

What are the pros/cons of integrating the Cisco UC Manager 7.x/8.x with Microsoft LDAP? As a side note we are doing an AD migration from 2003 to 2008.

How will extension mobility users be authenticated?  Does the EM user name need to be the AD username?  What about the EM authentication?  Does it use AD or EM?

Currently, we have Cisco user names as first.lastname but I want to change the user name to their extension (much easier to type when logging into EM).

Additionally, we will be using Microsoft OCS with the CUCIMOC plug-in.  Not sure if this plays into the question.


Looking forward to responses!


dakeller
Cisco Employee

In CUCM 5.x and later, Cisco changed its LDAP integration from a schema extension model to a directory synch/authentication model. So from the LDAP standpoint, all CUCM needs is a directory manager account to synchronize users. Since EM users use PIN numbers to authenticate, and LDAP does not contain a PIN field in the schema, EM authentications are handled locally on the CUCM. CUCM does not require EM users to be defined in LDAP (they could be an application user defined in CUCM), but EM users being an LDAP synched user is normal.

The last question about the current userids and the desire to change the userid to extensions...that might require a bit of clarification before answering. CUCM does allow you to specify the 'telephonenumber' as the userid to import into CUCM. So that is what your users will need to use when logging in using EM...which is what you want. But if the same user wanted to log into the CUCM User pages to administer their phone devices and services, then they would need to use the same extension number (and not their first.lastname id). This might be confusing for your users.

I don't believe that OCS will cause any issues for you in this scenario.

Thanks,

Dan Keller

IPCBU TME

Live2 Bicycle
Level 3

I am in the process of integrating UCM 7.1 with MS AD myself. What I have discovered so far as pros are:

* When a user leaves and my AD disables the account I now can see that.

* Better integration with CUPS

* I am not creating multiple accounts anymore (Meetingplace, UCM, CUPS, Unity)

My migration was a little nerve-racking because we have over 2000 extension mobility users. What I did to mitigate a lot of changes was to export every end user currently in UCM and import them into their own OU in MS AD.

When I get ready to flip the switch, "supposably" then end users in UCM will not be overwritten or changed in any way because they are in MS AD. This will allow a graceful migration to associate real domain users with their phones.

Extension mobility authentication settings are still stored in a UCM table. They are not controlled by MS AD.

In UCM we have everyone's login as their 7 digit extension. In MS AD it is firstinitial.lastname.

After I flipped the AD Integration, ext mobility logins will switch to the MS AD login but it will still pull the pin from the table in UCM.

CUCIMOC integration will be more seamless if you are AD integrated just like my CUPS will be. You won't have to change field mappings.

I hope this helps. I have opened a couple of TAC cases as well as had my Cisco account voice SE researching this with me.

HTH

Del