Thanks Jaime. It’s more than just the pin, but the pin sync is what got me thinking about this. Why should I sync users via ldap and pins via axl, especially considering that cucm is ldap-integrated also? It seems to make more sense to just import users from cucm (via ldap) to begin with.

...but what to do with the users already imported from ldap? How to seamlessly ‘convert’ those ldap users to cucm users in bulk? Or should I leave the existing users as is? Or am I over-thinking it altogether and just keep importing from ldap?

What Jaime is saying is that AXL is required only for the PIN sync itself. CUCM and CUC can both be LDAP integrated. As long as the CUCM userID and the CUC alias are the same, the PIN should sync:

From the CUC Administration Guide:

PIN Synchronization between Unity Connection and Cisco Unified CM

Before using PIN Synchronization feature, make sure that:

• The alias of the user on Cisco Unity Connection must be same as the user ID on the Cisco Unified CM or the users should be integrated with Cisco Unified CM through AXL server or LDAP.
• Authentication Rules on Cisco Unity Connection must be same as the Credential Policies on Cisco Unified CM to reduce possible error conditions.

Maren

You're overthinking this. did you read in any doc that PIN sync would only work if your users were brought from CUCM via AXL?

I show how to do it here, both servers using LDAP

https://youtu.be/p6m4gPv0ikE

I was trying to be succinct, but I guess I wasn't very clear. Sorry about that.

I understand completely how the pin sync works. Today, I have ldap integration configured on both cucm and cxn with no axl servers defined within cxn. In my mind, it seems unnecessary to integrate both systems with ldap, and also if I'm going to configure the cucm integration...I might as well just use that for user imports as well. I see zero gain for using axl for pin sync and direct ldap integration for user imports -- why not simplify things and use axl for all of it (entirely and completely understanding that I don't 'have to'). That's what I intended this post to be about...not the pin sync requirements.

So guys, I appreciate the thoughts, but if anyone can speak to converting/migrating ldap-imported users to cucm/axl users, I'd appreciate it.

Ah, roger that.

One benefit of LDAP integration for CUCM and CUC separately is LDAP Authentication. Since CUCM v9, only LDAP synchronized are LDAP authenticated in CUCM. The same is true for CUC.

You can convert an LDAP users to a local user with a checkbox on the User Basics page. I don't know if doing that, and then doing an AXL sync (with UserID/Alias match, Primary Extension/Extension match) would 'pick up' the user via AXL. I'd say try it once and see if it works. If not, the next LDAP sync should re-pick-up the user.

That said, I haven't tried the un-associate-re-associate an LDAP user in Unity Connection for a couple of versions, so test first with a dummy user.

Maren

Wait... So in CUCM/CXN 11.5, if LDAP sync is configured on both, how would LDAP authentication be different than if it was LDAP <-> CUCM <AXL> CXN?

No idea how I missed that. That's pretty significant. Guess I'll be just adding the axl pin sync. Darn it.

+5 to both of you. Thanks!