LDAP sync issue between AD server and CUCM

Santhosh738
Level 1

Hello guys,

We are getting the below error when we try to perform an LDAP Directory full sync in CUCM over an LDAPS connection between the AD server and CUCM, using the secure LDAP port numbers 636 and 3269. So newly created AD users are not reflecting in CUCM.

[Screenshot: Capture1.PNG]

We have noticed that all the CUCM certificates (Tomcat, CallManager, IPsec, CAPF and TVS) were in expired status, and all are system-generated self-signed certificates.

We have successfully regenerated and validated the expired certificates, but we are still getting the same error while performing a full sync of the LDAP directory.

Previously, the secure LDAP connection was working fine for this setup.

Some trust certificates are already there for Tomcat, CallManager and the other certificates.

Kindly suggest any specific trust certificates that need to be installed, or anything else that needs to be checked further.

Thanks in advance.

4 Replies

b.winter
VIP

Is the CA certificate which signed the LDAP server certificate in the Tomcat trust store?
Is the LDAP server certificate or the CA certificate maybe expired?
Is the IP address included in the LDAP server certificate?
What if you work with a hostname in the LDAP config in CUCM?
Have you taken a packet capture and checked the TCP / TLS communication?

Which certificate did you mean by LDAP server certificate in CUCM? Is it Tomcat?

LDAP server certificate --> the certificate of the LDAP server.
Is it a self-signed or a CA-signed certificate?
If self-signed: get the LDAP server certificate, upload it into the CUCM tomcat-trust and restart the Tomcat service.
If CA-signed: get the CA certificate, upload it into the CUCM tomcat-trust and restart the Tomcat service.

CUCM needs to trust the LDAP server certificate, or the CA certificate which signed the LDAP server certificate.

That's basic certificate / PKI knowledge, and if you don't have it, you should learn about it. Otherwise you will always struggle when talking about certificates.
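The checks b.winter lists in both replies (is the DC's certificate expired, does its SAN contain the name or IP configured in CUCM, and does it chain to something CUCM holds in tomcat-trust) can all be run from any Linux or macOS box with openssl before anything is uploaded to CUCM. The script below is an added example for this thread, not code from b.winter or from Cisco; dc01.example.com, 10.0.0.5 and ca.pem are placeholders. It only inspects what the DC presents on 636 or 3269 and tells you which file would have to go into tomcat-trust; it does not touch CUCM.

```shell
#!/bin/sh
# Added example (not from the thread): LDAPS certificate checks for a CUCM <-> AD sync problem.
# Placeholders (assumptions): dc01.example.com, 10.0.0.5, ./ca.pem
#   sh ldaps_check.sh dc01.example.com 636 [ca.pem]
# Port 636 = LDAPS on a single DC, 3269 = Global Catalog over TLS.

# Pull every certificate the DC presents in its TLS handshake into one PEM file.
fetch_chain() {
    host="$1"; port="$2"; out="$3"
    # -servername sends SNI; -showcerts dumps the whole presented chain, not just the leaf
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]
}

# Keep only the first certificate (the server / leaf certificate) of a chain file.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}' "$1"
}

# 0 if the certificate has not passed its notAfter date (the "expired" case in the thread).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# One SAN entry per line, e.g. "DNS:dc01.example.com" and "IP Address:10.0.0.5".
cert_san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print }'
}

# 0 if $2 (hostname or IP address) is listed in the SAN. The LDAP Server Information
# entry in CUCM must match one of these exactly; that is the hostname-vs-IP question above.
cert_has_san() {
    cert_san_names "$1" | grep -qx -e "DNS:$2" -e "IP Address:$2"
}

# 0 if the cert in $1 chains to the anchor in $2 (optionally via intermediates in $3).
# $2 is exactly what belongs in tomcat-trust: the CA certificate, or the server
# certificate itself when it is self-signed.
cert_trusted_by() {
    openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" >/dev/null 2>&1
}

main() {
    host="$1"; port="$2"; anchor="${3:-}"
    chain=$(mktemp); leaf=$(mktemp)
    trap 'rm -f "$chain" "$leaf"' EXIT
    if ! fetch_chain "$host" "$port" "$chain"; then
        echo "no certificate received from $host:$port - TCP/TLS problem, take a packet capture"
        exit 2
    fi
    leaf_cert "$chain" > "$leaf"
    openssl x509 -in "$leaf" -noout -subject -issuer -enddate
    if cert_not_expired "$leaf"; then echo "expiry: ok"; else echo "expiry: EXPIRED"; fi
    if cert_has_san "$leaf" "$host"; then
        echo "SAN contains $host: ok"
    else
        echo "SAN does not contain $host; names present: $(cert_san_names "$leaf" | tr '\n' ' ')"
    fi
    if [ -n "$anchor" ]; then
        if cert_trusted_by "$leaf" "$anchor" "$chain"; then
            echo "chains to $anchor: ok - this is the file to upload to tomcat-trust"
        else
            echo "does NOT chain to $anchor - wrong or expired CA certificate"
        fi
    fi
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it once against 636 and once against 3269, since the Global Catalog listener can present a different certificate. If `fetch_chain` returns nothing at all, the problem is below TLS (firewall, wrong port, DC not listening), which is where the packet capture b.winter asks for comes in; if the chain check fails only against the CA file you have, the CA certificate in tomcat-trust is the wrong one or has itself expired.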

Thanks for your information.