Integrating LDAP with existing local users in CUCM and Unity

Ken S
Level 1

I am curious about integrating Active Directory with CUCM (12.5) and Unity.  Currently Unity mailboxes are populated with AD usernames as the aliases.  Most CUCM usernames are AD usernames.  If I were to integrate AD with CUCM, what would happen to the users that already have an AD username?  

 

Do I have to integrate CUCM and Unity at the same time?

If I were to integrate Unity, what would happen to the mailboxes that already have an AD as the alias?  Greetings, options, etc?  

Would Call Handlers be effected by the AD integration?  

 

I appreciate any advice given.  

4 Accepted Solutions


Shaking my head. I was assuming that you could run the LDAP sync without saving the directory. Once I saved the filter with the directory and ran the sync, I still got an error in the syslog, but the user populated.


23 Replies

You can integrate CUCM with AD, and for CUC you can pull users from CUCM. The other way is you can integrate both with AD.

 

Go through the document below:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/administration/guide/b_cucsag/b_cucsag_chapter_01001.html

 

Call handlers should not be affected.

Thank you @Nithin Eluvathingal for the quick response. I have looked at this article, https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_5_1SU1/systemonfig/cucm_b_system-configuration-guide-1251su1/cucm_b_system-configuration-guide-1251su1_restructured_chapter_0100001.html, to integrate AD with CUCM, but my questions didn't seem to be clearly answered.

 

I will read through this document, but do you recommend integrating with CUC then pull in CUCM?  Is that possible?  

I would recommend integrating CUCM with AD and pulling users from CUCM. Using the common PIN option, both CUCM and Unity users can have the same PIN.

 

Go through the link below for How to Enable Common PIN for CUCM and UCXN:

 

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiQmuyTj63tAhXQWhUIHdGPCRwQFjAAegQIBBAC&url=https%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Fsupport%2Fdocs%2Funified-communications%2Funified-communications-manager-callmanager%2F20...

Jaime Valencia
Cisco Employee

If the userID value in CUCM matches the userID value you chose for the directory integration, those users will turn into LDAP active users and will be updated with the information from LDAP.

If they don't match, they remain as local users.

There is no requirement to integrate both CUC and CUCM to LDAP, but it's the most common practice, as otherwise users might end up with different passwords in each system; with both integrated, it's a better experience as it's the same user/pwd for everything.

Call handlers have nothing to do with the LDAP integration, they don't pull any kind of info from LDAP.

HTH

java

if this helps, please rate

Thank you @Jaime Valencia .  

Are there any disadvantages of integrating with CUCM and pulling them to CUC?

 

What would happen to the mailboxes that already have an AD as the alias in CUC?  Greetings, options, etc?

 

I just thought of another situation. If a department has a generic account tied to an extension in CUC, what would happen if I integrate an AD account to CUC with the same extension/telephone number?

 

I'll tell you about my experience if that helps . We don't use unified messaging/single inbox/video servers.

 

If you integrate Unity Connection with the UCM, I believe when the user's account is removed from the UCM - say when they fall out of your AD sync - Unity Connection will cull the user's account. If you sync from LDAP, when the account falls out of sync, it becomes non integrated, but nothing happens to the account. It breaks password authentication, and you have to go and fix it later if they come back, or delete it if you don't want it.

 

When I migrated to AD sync, it works differently in CUC than CUCM. You have to "integrate" the account in Unity Connection for it to sync if it already exists. It doesn't pull in and store the users the same way. If that's true, then you enable LDAP Directory in CUC and nothing happens with existing accounts. If you integrate the account with the directory, it greys out some of the user data fields, and changes authentication. That's about it for the basics. It doesn't change greetings, options, or other user settings.

 

The telephone number from AD in the telephoneNumber fields also doesn't do anything, it is a display attribute that is largely irrelevant to CUC. It shows up when you import a user to prefill the box, but you can override it.

 

If you're using provisioning tools or workflows, and your AD data, particularly email and telephoneNumber, contains a mix of real and made up or incorrect data, then you will probably have a bad time. But CUC inherently doesn't do anything to accounts that appear in the directory, UCM imports them and builds them or absorbs them into an existing account. UCM purges it when it goes away, CUC just disintegrates it.

Thank you @Adam Pawlowski .  When you say, 


@Adam Pawlowski wrote:

 

When I migrated to AD sync, it works differently in CUC than CUCM. You have to "integrate" the account in Unity Connection for it to sync if it already exists. It doesn't pull in and store the users the same way. If that's true, then you enable LDAP Directory in CUC and nothing happens with existing accounts. If you integrate the account with the directory, it greys out some of the user data fields, and changes authentication. That's about it for the basics. It doesn't change greetings, options, or other user settings.

 


when I integrate an AD account in Unity Connection and changes authentication do you mean PIN, password, or both?  You say it doesn't change greetings, but will it wipe out the mailbox if voicemails are stored?  

 

If the telephone number in AD doesn't have anything to do with in Unity Connection, how would the AD accounts associate with their extensions?  IP Phone field?  

I've answered twice and my reply has disappeared both times , hopefully you've seen the email reply.

 

 

I have @Adam Pawlowski .  Thank you!

Maybe you could share the answer for the benefit of the community?

Adam Pawlowski
VIP Alumni

When you integrate it:

 

[image: ucxn_integrated.png]

 

This does not impact your settings like greetings, messages, personal contacts etc. They remain in place. The password is locked, as are a number of user attributes which are synchronized. PIN is not impacted and doesn't sync from the directory.

 

There's a note in the help documentation:

 

 " If you have already created Unity Connection users from LDAP data, this resynchronization imports updated LDAP data for the existing Unity Connection users. However, if new users have been added to the LDAP directory, this resynchronization does not create new Unity Connection users. You must manually create new Unity Connection users using either the Import Users tool or the Bulk Administration Tool. "

 

There's no automatic import.

 

The telephoneNumber in AD by default does nothing really except show up in the Corporate Phone Number field, which does ... something I've never figured out, and it shows up pre-populated when you import a user. It is a freely changeable field, however. You can override what was there if it is incorrect.

 

You can choose to have the account User ID based on the telephoneNumber field if you wanted, instead of sAMAccountName. I'm not sure that's a good idea, but, in that case that would need to be the unique value to identify the account in the tree. I would not recommend selecting this option unless you knew this data was maintained correctly to support it.

 

Nothing is automatic inherently in Unity Connection with the account other than what it changes for the account resync, which does not include display name. In these products, the account sync is generally just tied to a status flag or value that says the account is "synchronized" and to where, for the purposes of authentication. It doesn't do anything else with user data.

 

 

e: this interface said it didn't like my blob and mangled my post
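A pre-integration check that follows from Jaime's point (existing CUCM users convert to LDAP-active users only when their User ID matches the value of the attribute chosen as the LDAP User ID, otherwise they stay local) and from Adam's caveat about picking telephoneNumber as that attribute (it then has to be unique and populated for every account). This is an added example in Python, not Cisco tooling and not code posted in this thread. Both user lists are constructed sample data, and whether CUCM treats IDs that differ only in letter case as a match is an assumption left unverified here, so such pairs are only flagged for review.

```python
"""Pre-integration audit for a CUCM LDAP directory: predicts which existing
End Users will convert to LDAP-synchronized users and which will remain local.
Added example; not Cisco tooling and not code from this thread. The CUCM
user list and the AD entries below are constructed sample data."""

from collections import Counter

# Constructed: User IDs of existing local End Users in CUCM.
CUCM_LOCAL_USERS = ["ksmith", "jdoe", "Reception", "svc-paging", "JValencia"]

# Constructed: what an AD search might return. Attribute names are real AD
# attributes; the values are made up. Note the duplicate telephoneNumber and
# the empty one, which matter if telephoneNumber is chosen as the User ID.
AD_ENTRIES = [
    {"sAMAccountName": "ksmith", "mail": "ksmith@example.com", "telephoneNumber": "1001"},
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "telephoneNumber": "1002"},
    {"sAMAccountName": "jvalencia", "mail": "jvalencia@example.com", "telephoneNumber": ""},
    {"sAMAccountName": "newhire", "mail": "newhire@example.com", "telephoneNumber": "1003"},
    {"sAMAccountName": "svc-fax", "mail": "", "telephoneNumber": "1001"},
]


def audit(local_users, ad_entries, userid_attr="sAMAccountName"):
    """Classify local users against the AD attribute chosen as LDAP User ID.

    Returns a dict with:
      convert            local IDs that exactly match an AD value (become LDAP active)
      case_mismatch      (local ID, AD value) pairs that match only when case is ignored;
                         whether CUCM counts these as a match is an ASSUMPTION to verify,
                         so they are flagged for review rather than listed as converting
      stay_local         local IDs with no counterpart in AD (remain local users)
      new_from_ldap      AD values with no existing local user (CUCM sync creates them;
                         per the thread, CUC does not auto-create)
      unusable_ldap_ids  AD values that are empty or not unique and so cannot serve
                         as a User ID; anything here means the attribute is a poor choice
    """
    ad_ids = [str(entry.get(userid_attr, "")).strip() for entry in ad_entries]
    counts = Counter(ad_ids)
    unusable = sorted({value for value in ad_ids if value == "" or counts[value] > 1})
    usable = set(ad_ids) - set(unusable)
    folded = {value.lower(): value for value in usable}

    result = {"convert": [], "case_mismatch": [], "stay_local": [],
              "new_from_ldap": [], "unusable_ldap_ids": unusable}
    claimed = set()
    for uid in local_users:
        if uid in usable:
            result["convert"].append(uid)
            claimed.add(uid)
        elif uid.lower() in folded:
            result["case_mismatch"].append((uid, folded[uid.lower()]))
            claimed.add(folded[uid.lower()])
        else:
            result["stay_local"].append(uid)
    result["new_from_ldap"] = sorted(value for value in usable if value not in claimed)
    return result


if __name__ == "__main__":
    for attr in ("sAMAccountName", "telephoneNumber"):
        print(f"--- LDAP Attribute for User ID = {attr}")
        for key, value in audit(CUCM_LOCAL_USERS, AD_ENTRIES, attr).items():
            print(f"{key:18} {value}")
```

Run it once per candidate attribute before enabling the directory. The generic department accounts Ken asks about (here "Reception" and "svc-paging") land in `stay_local`, which is the outcome Jaime describes for non-matching IDs; switching the attribute to telephoneNumber in the sample data produces an empty and a duplicated value in `unusable_ldap_ids`, which is exactly the data-quality problem Adam warns about.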

Ken S
Level 1

I am trying to Sync with LDAP with custom filters, but getting "LDAPSync process completed on particular sync agreement with errors".  I tried multiple custom filters, (sAMAccountName=vusertest), (ipPhone=xxxx) even reused a filter that my colleague created.  

 

Is there something that I am missing?  

Can you explain what you want out of the filter and I might be able to give you some advice.

I want to sync one user for now to make it an AD user.  I tried different filters using account name, IP phone field, etc, but came back with an error and user was not added as an AD user.
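Ken's custom filters above are each a single equality item, so a quick way to rule out filter syntax and matching as the cause, before digging into the sync agreement itself, is to evaluate the candidate filter offline against a few sample entries. The following is an added example in Python, not Cisco code and not something posted in this thread. It implements a subset of RFC 4515 (equality, presence with `attr=*`, `*` substring wildcards, and the `&`, `|`, `!` operators; escape sequences and extensible matching are left out) and runs it over constructed entries; the attribute names are real AD attributes, the values are made up. A filter that passes here only shows that it parses and selects the intended entry; as Ken's accepted solution notes, the syslog error persisted even once the user populated, so a clean filter does not by itself explain that message.

```python
"""Offline evaluator for LDAP search filters (RFC 4515 subset) against sample
directory entries. Added example, not Cisco code and not from this thread. It
checks that a custom sync filter parses and selects the intended user before
the sync agreement is saved. Supported: equality, presence (attr=*), '*'
substring wildcards and the &, |, ! operators; escapes and extensible matching
are out of scope."""

# Constructed sample entries standing in for AD search results; attribute names
# are real AD attributes, every value is made up.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "vusertest", "ipPhone": "1001", "objectClass": ["user", "person"]},
    {"sAMAccountName": "jdoe", "ipPhone": "1002", "objectClass": ["user", "person"],
     "mail": "jdoe@example.com"},
    {"sAMAccountName": "svc-backup", "objectClass": ["user"], "userAccountControl": "514"},
]


class FilterError(ValueError):
    """Raised for filter text that does not parse."""


def parse_filter(text):
    """Parse filter text into a nested tuple AST, e.g. ('&', [('=', 'a', '1'), ...])."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise FilterError("unexpected end of filter")
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if not children:
                raise FilterError(f"'{op}' needs at least one operand")
            node = (op, children)
        elif text[pos] == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.find(")", pos)
            if end == -1:
                raise FilterError("unterminated filter item")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise FilterError(f"expected attr=value in '{text[pos:end]}'")
            node, pos = ("=", attr.strip(), value), end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise FilterError(f"unexpected text at offset {pos}")
    return node


def _substring_match(value, pattern):
    """Match value against a pattern whose '*' characters are wildcards (both lowercase)."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return value == pattern
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = value.find(part, pos)
        if idx == -1:
            return False
        pos = idx + len(part)
    return pos <= len(value) - len(parts[-1])


def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    values = values if isinstance(values, list) else [values]
    if pattern == "*":  # presence filter: true when the attribute has any value
        return bool(values)
    return any(_substring_match(str(v).lower(), pattern.lower()) for v in values)


def check_filter(text, entries=SAMPLE_ENTRIES):
    """Report whether the filter parses and which entries (by sAMAccountName) it selects."""
    try:
        ast = parse_filter(text)
    except FilterError as err:
        return {"valid": False, "error": str(err), "matches": []}
    return {"valid": True, "error": None,
            "matches": [e["sAMAccountName"] for e in entries if matches(ast, e)]}
```

Calling `check_filter("(sAMAccountName=vusertest)")` on the sample data selects only that test user, `check_filter("(ipPhone=*)")` selects every entry that has the attribute set, and an unbalanced filter such as `(sAMAccountName=vusertest` comes back with `valid` false and the parser's reason, which is the kind of mistake that is easy to make when retyping a colleague's filter.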