Solved: Presence LDAP Lookup Question - Disabled Accts

ecornwell · ‎09-08-2011

Hello,

We've started to notice a slight problem with our Presence (CUPS) 8.5 install. When people are doing directory searches, names are coming up for disabled users. We have a OU setup in AD for specific accounts that we have to keep that have been disabled. The OU is at the same level as the rest of our AD structure. Because of that, I don't see how we can exlude it from the base search. Is there any other way to have these accounts excluded from searches?

Thank you!

Christos Georgiadis · ‎09-13-2011

Seems like this one used to work on CUPC 7.x but not on 8.x anymore.

I made a mistake. I observe the same behaviour as you in the lab

I will try and do some tests and if anything useful I will repost

Regards,

Christos

EDIT: Ok I was wrong again It does seem to work. It is just that I made a mistake in the syntaxt. I should have added another parenthesis and an '&' in the filter

;&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

So it should be

dc=domain, dc=com;&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Can you give it a try ?

You need to save the config and relogin to CUPC for this to take affect

View solution in original post

Christos Georgiadis · ‎09-08-2011

Hi,

Can you try putting the following

cn=users,dc=domain,dc=com;(!userAccountControl:1.2.840.113556.1.4.803:=2)

in the following location

Presence admin pages ---> Applications ---> Cisco Unified Personal Communicator ---> LDAP Profile

That should do the trick I think.

HTH,

Christos

ecornwell · ‎09-08-2011

Thanks for the response!

Should that take effect immediatly? I put it in but it didn't seem to help.

Edit: After a sign-out and back in, the results did change. I wasn't able to do any searching with the string in there.

Christos Georgiadis · ‎09-08-2011

Hi,

Yes you need to sign out first in order to take effect.

The cn=users,dc=domain,dc=com should be left as you had it originally. I just put it in the above command as an example. You just need to add the second part

;(!userAccountControl:1.2.840.113556.1.4.803:=2)

In my lab it seems to work

Regards,
Christos

ecornwell · ‎09-12-2011

I added everything after (and including) the semi-colon. I tried it again just to make sure. I wasn't able to lookup anyone in the directory that wasn't already on my contact list. We start our search at the root and are doing a recursive search if that helps. It loooked like:

dc=Value1,dc=Value2;(!userAccountControl:1.2.840.113556.1.4.803:=2)

Thoughts?

Christos Georgiadis · ‎09-13-2011

Seems like this one used to work on CUPC 7.x but not on 8.x anymore.

I made a mistake. I observe the same behaviour as you in the lab

I will try and do some tests and if anything useful I will repost

Regards,

Christos

EDIT: Ok I was wrong again It does seem to work. It is just that I made a mistake in the syntaxt. I should have added another parenthesis and an '&' in the filter

;&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

So it should be

dc=domain, dc=com;&(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Can you give it a try ?

You need to save the config and relogin to CUPC for this to take affect

ecornwell · ‎09-23-2011

That worked great!

Sorry it took me so long to respond. I saw the message on my BB and didn't see the edit. I was working on it again this morning and found something else that worked. Since all of the accounts were in a single OU, I was able to deny the user we use to look up the accounts the ability to view the OU. It had the same result. I removed that change and used yours, thank you very much for the help! I've marked it correct and gave you 5 stars!!!