Impossible to create LDAP SYNC user on CUCM with Prime Collab Provisioning

Clement BONNAL
Level 1

Hello,

Previously, I used Prime Provisioning to create and provision services for static users, and it worked.

For the same customer, CUCM and Unity users are now imported from LDAP.
I added the changes in the Provisioning processors (LDAP Auth + Sync).

At this time, it's impossible to create new users on CUCM from Provisioning!

Here is my procedure:

- I do an LDAP sync on Prime to detect my new AD user.
- I select it and provision services to push to CUCM.
- Orders are stuck in the "being provisioned" state...

On the CUCM, the user doesn't appear at all.

Is something wrong with my method?

Do I need to do an LDAP sync on the CUCM to import users, then a user sync on the processor in Prime, then edit the user?

Thanks

Accepted Solutions

Anthony Gerbic
Cisco Employee

Clement,

I suspect you have LDAP sync turned on in CUCM. If CUCM is set to sync and does not already have the userID in its database, it will reject a user add.

This is a recognized problem with having both products set to sync. There are some solutions:

  1. Always sync CUCM before you sync Prime Collaboration Provisioning (PCP). This way the new user will already be in CUCM, which will then accept a provisioning order from PCP. The frequency of LDAP sync on CUCM will determine how often PCP can push new users to CUCM.
  2. If PCP tries to provision a user but it is rejected by CUCM, provisioning will attempt to send it for 24 hours. There is an assumption that CUCM will sync daily, so at some point CUCM will get the userID, and then when PCP tries to provision, it will be accepted.
  3. Use the latest CUCM 10.5(x) with a patch that provides the Authenticate Only setting. You will have to check with TAC or CUCM Marketing/TMEs for more information. In this case, CUCM will authenticate admins and Jabber clients against AD, but will take users from PCP immediately. The CUCM eng/marketing team has recommended we move away from syncing CUCM when PCP is doing the syncing from AD. CUCM does not need to sync when PCP is present. This eliminates the race condition between which app synced first.

Regards

Hi,

Thank you for this answer.
So I decided to contact TAC to get the better solution.

I suppose this is the reason why, when you create an LDAP directory on CUCM 10.5, you get an informational message that says the DirSync service may be disabled if CUCM is used in combination with Prime.

Clement

Hi Clement,

Can you share the findings of TAC?

[+5] to Tony.

Regards,

aman

Hi Aman,

I didn't contact the TAC, as I use the 1st solution proposed by Anthony.

If the customer needs to provision a user immediately, I advise him to do a manual sync in CUCM, then a manual sync in Unity, then a manual sync in PCP, then provision services.

Otherwise, he provisions users only in PCP, as I set the lowest time (6 hours) for the LDAP sync on both Unity and CUCM.

Some other bugs in PCP during provisioning (checkboxes not checked on the line call forwards, problems integrating/associating user/line for presence in Jabber, etc.) make me wait for 10.6.

I do not understand why the product works this way, since a 10.x deployment of CUCM is allowed to have both local end users and LDAP-synchronized users. The problem here is that you cannot even create a static user for a lobby phone in PCP and add it to CUCM.

Lobby phones are going to be a part of the 'pseudo' user role unless they have a specific user tied to that phone. Pseudo users are not synchronized with CUCM.