Beginner

Changing sAMAccountName to employeeNumber

Hi All,

We have AD server integrated with CUCM.

Previously we were using Employee Name [e.g. aniket.raut] to log in to Jabber, and now we have changed it to Employee ID [e.g. 841796] on the AD server for all users.

At the CUCM end we performed a "Full Sync" under the LDAP Directory configuration on the CUCM admin page. Synchronization shows successful, but users are not able to log in to Jabber using Employee ID [i.e. 841796].

I found that the LDAP attribute for User ID is set to sAMAccountName in the LDAP System configuration. Do I need to change it to employeeNumber?

While doing so, it asked me to delete all LDAP directories and disable LDAP authentication.

If I do so, will I lose all the end users present under User Management? If yes, how can I get back all users from the LDAP server?

Please help to get this resolved. Also let me know in case I am missing anything to change.

5 REPLIES
Hall of Fame Cisco Employee

You use neither Employee Name nor Employee ID to log in; what you did does nothing related to the login. For the login, you use the UserID.

Yes, you need to change it, and in order to change it you need to delete the sync agreements and authentication.

After you reconfigure the UserID to point to any other field, once you re-enable LDAP sync/auth all of those users will be marked as inactive, as what CUCM has for UserID (sAMAccountName) will not match the new UserID (employeeNumber); thus they will all be deleted by the garbage collector.

At the same time, you'll get NEW users using the employeeNumber for UserID, which you would need to re-enable for all features, assign endpoints, lines, etc.

The only way to avoid that is to disable LDAP, turn ALL the users into local users, and reconfigure the UserID to match their employeeNumber BEFORE re-enabling LDAP and creating the new agreements.

HTH

java

if this helps, please rate

I am guessing this has changed, as we have migrated from sAMAccountName to mail for user ID and just deleted the directory, turned off auth, updated the LDAP attribute, re-added the directory, and enabled auth, and after the sync all users retained all their assignments and access on our side on 11.5.

VIP Collaborator

I just did this in my lab and it worked without any problems.

When I removed the LDAP Directory the users became "Inactive LDAP Synchronized User", so I did not have to convert them to local users before deleting the LDAP Directory.

I deleted the LDAP Directory and Authentication, changed the attribute under LDAP System from sAMAccountName to employeeNumber, recreated the LDAP Directory and resynched. CUCM figured out which account was which and mapped everything perfectly. No loss of information or settings.

Once the change was made I was able to log in to Jabber with my new UserID which was now the employeeNumber.


I will say that, as you probably know, you will need to complete this changeover in a timely fashion, as "Inactive LDAP Synchronized User" accounts will purge after 24 hours (unless that has changed). So make sure that after you make the change you look for anyone who is still showing as "Inactive" and fix their account.
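A pre-cutover check worth running before deleting the sync agreement, added here as an example and not code from anyone in this thread: it takes an export of the AD users in the sync base (constructed sample values below, real AD attribute names) and flags every account whose employeeNumber is empty, duplicated, or already taken by a local CUCM user, since those are exactly the accounts that cannot become a unique CUCM UserID and would be left "Inactive" after the resync. The local user ID set and the export format are assumptions.

```python
from collections import defaultdict

# Constructed sample of an AD export for the sync base (values are made up).
AD_USERS = [
    {"sAMAccountName": "aniket.raut",  "employeeNumber": "841796"},
    {"sAMAccountName": "j.doe",        "employeeNumber": "841797"},
    {"sAMAccountName": "t.contractor", "employeeNumber": "841797"},  # duplicate
    {"sAMAccountName": "svc.backup",   "employeeNumber": ""},        # empty
    {"sAMAccountName": "m.lee",        "employeeNumber": "841798"},  # local clash
]

# Assumed: UserIDs of accounts that are local (non-LDAP) in CUCM today.
LOCAL_CUCM_USER_IDS = {"admin", "841798"}


def check_userid_cutover(users, local_user_ids=(), old_attr="sAMAccountName",
                         new_attr="employeeNumber"):
    """Validate that every LDAP user can be re-identified by new_attr.

    Returns (mapping, problems): mapping is old UserID -> new UserID for the
    accounts that will sync cleanly; problems lists the accounts that will not,
    so they can be fixed in AD before the directory is deleted and recreated.
    """
    owners = defaultdict(list)  # new value -> [old UserIDs carrying it]
    for u in users:
        owners[(u.get(new_attr) or "").strip()].append(u.get(old_attr))

    mapping, problems = {}, []
    for u in users:
        old, new = u.get(old_attr), (u.get(new_attr) or "").strip()
        if not new:
            problems.append({"user": old, "issue": f"{new_attr} is empty"})
        elif len(owners[new]) > 1:
            others = ", ".join(o for o in owners[new] if o != old)
            problems.append({"user": old,
                             "issue": f"{new_attr} {new} also used by {others}"})
        elif new in local_user_ids:
            problems.append({"user": old,
                             "issue": f"{new} collides with a local CUCM user"})
        else:
            mapping[old] = new
    return mapping, problems


if __name__ == "__main__":
    ok, bad = check_userid_cutover(AD_USERS, LOCAL_CUCM_USER_IDS)
    print("safe to cut over:", ok)
    for p in bad:
        print("FIX BEFORE CUTOVER:", p["user"], "->", p["issue"])
```

Run it against a real export of the sync base before the maintenance window; anything it lists is an account you would otherwise be hunting for in the "Inactive" list inside the 24-hour purge window.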


Hello team,

I will have the same exercise next month, where I will need to change the AD account attribute (sAMAccountName to email); the domain will stay the same.

I have other platforms which can be impacted:

Unity Connection: Unity Connection is reading from LDAP, so the same exercise as for UCM.

IMP: does the user contact list need to be updated?

Contact Center: is there any impact?