We have a customer that wants to synchronize CCM with A/D through LDAP but needs to import users within specific OUs in the top-level domain. CCM v5 restricts LDAP directory integrations to a maximum of 5. Is there a way to bypass this restriction and add more? We have tried adding an LDAP manager that has read rights to the specific OUs, but CCM failed to add the users in that OU. We have used an LDAP browser and verified that the specific LDAP manager was able to read the users in the specific OUs. Should we add a user that has read rights or even Domain Admin and then restrict that user from the OUs we do not want to import?
What is the recommended way to do this?
To import the data into the Unified CM database, the system performs a bind to the LDAP directory using the account specified in the configuration as the LDAP Manager Distinguished Name, and reading of the database is done with this account. The account must be available in the LDAP directory for Unified CM to log in, and Cisco recommends that you create a specific account with permissions to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account may reside anywhere within that domain. In the example in Figure 17-7, CCMDirMgr is the account used for the synchronization.
It is possible to control the import of accounts through use of permissions of the LDAP Manager Distinguished Name account. In this example, if that account is restricted to have read access to ou=Eng but not to ou=Mktg, then only the accounts located under Eng will be imported.
See Figure 17-7.
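As an added example (not from the original post or from Cisco's documentation), here is how the permission-based filtering described above could be set up on the AD side with the built-in dsacls tool, so that the LDAP Manager DN account can read ou=Eng but cannot enumerate ou=Mktg. The domain name, the OU names and the account name are assumptions; CCMDirMgr is just the account name used in Figure 17-7.

```powershell
# Added example, not part of the original post. All names below are assumed.
$Domain   = "DC=example,DC=com"          # assumed domain
$SyncAcct = "EXAMPLE\CCMDirMgr"           # assumed sync account (the LDAP Manager DN account)
$ImportOU = "OU=Eng,$Domain"              # OU whose users should be imported
$HideOU   = "OU=Mktg,$Domain"             # OU whose users should NOT be imported

# Grant Generic Read (GR) on the OU to import, inherited to the OU and all
# child objects (/I:T), so every user object under it is readable.
dsacls $ImportOU /I:T /G "${SyncAcct}:GR"

# Deny List Contents (LC) on the OU to hide. Without LC on the container, a
# subtree search bound as this account does not return the objects under it,
# so the sync skips them. The deny is placed on the OU itself (no inheritance
# flag) because that is the permission an LDAP subtree search checks.
dsacls $HideOU /D "${SyncAcct}:LC"

# Show the resulting ACEs for the sync account on both OUs.
dsacls $ImportOU | Select-String -SimpleMatch $SyncAcct
dsacls $HideOU   | Select-String -SimpleMatch $SyncAcct
```

Denying List Contents on the container is used instead of denying read on each user object because AD evaluates explicit ACEs before inherited ones: user objects carry explicit Allow entries from the schema's default security descriptor (for example for Authenticated Users), and those would override an inherited Deny on the OU. After changing the ACL, bind as the sync account with an LDAP browser or ldapsearch against the search base configured in the sync agreement and confirm that only the Eng users are returned before running the synchronization.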