CCM v5 - Ldap integration

Answered Question
Sep 30th, 2007

Hi,


We have a customer that wants to synchronize CCM with A/D through LDAP but needs to import users within specific OUs within the top-level domain. CCM v5 restricts LDAP directory integrations to a maximum of 5. Is there a way to bypass this restriction and add more? We have tried adding an LDAP manager that has read rights to the specific OUs, but CCM failed to add the users in those OUs. We have used an LDAP browser and verified that the specific LDAP manager was able to read the users in the specific OUs. Should we add a user that has read rights, or even Domain Admin, and then restrict that user from the OUs we do not want to import?

What is the recommended way to do this?


George Georgiou

eNet Solutions

[email protected]

Correct Answer
gogasca Sun, 09/30/2007 - 17:14

Hi George,


To import the data into the Unified CM database, the system performs a bind to the LDAP directory using the account specified in the configuration as the LDAP Manager Distinguished Name, and reading of the database is done with this account. The account must be available in the LDAP directory for Unified CM to log in, and Cisco recommends that you create a specific account with permissions to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account may reside anywhere within that domain. In the example in Figure 17-7, CCMDirMgr is the account used for the synchronization.


It is possible to control the import of accounts through use of permissions of the LDAP Manager Distinguished Name account. In this example, if that account is restricted to have read access to ou=Eng but not to ou=Mktg, then only the accounts located under Eng will be imported.


See Figure 17-7:


http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063748a.html#wp1055587


g-georgiou Thu, 10/04/2007 - 01:19

Hi,


I managed to solve my problem. I configured a domain admin account which had read rights to specific OUs within the child domain. For some reason it took 6-7 days for the garbage collector to delete the inactive users.


Thanks for your help.

mymite060708 Fri, 10/24/2008 - 08:01

I need to add more than 5 LDAP directories. Can you explain more about how you bypassed this?


Thanks


Pete

g-georgiou Fri, 10/24/2008 - 08:49

Hi Pete,


Are you referring to 5 different domains on separate LDAP hosts or to 5 different child OUs? If the latter, then you need to create a user (the LDAP manager in UCM) with RO access to the specific OUs and delegate control in the A/D. Then in UCM you will need to add the top-level OU. The LDAP agent will query the OU tree and import the users in the OUs where the LDAP manager has read access. Users in the other OUs will not be imported, since the account does not have access to them.


Hope I have been helpful. Please rate if yes.


./G
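The accepted answer and George's follow-up both rest on one mechanism: DirSync binds as the LDAP Manager Distinguished Name, runs a subtree search from the user search base, and imports whatever that bind can read. The script below is an added example (not code from this thread, from Cisco, or from the Unified CM product) that runs the same search with OpenLDAP's ldapsearch bound as the manager account and counts the returned users per parent container, so you can confirm which OUs the account can actually see before pointing UCM at the domain root. The hostname, domain, account DN, password file path and the embedded LDIF sample are all hypothetical or constructed; only the parsing half runs against the sample.

```shell
#!/bin/sh
# Added example: check what a CUCM LDAP Manager DN can read before syncing.
# Hypothetical environment: DC dc1.example.com, domain DC=example,DC=com,
# manager account CN=CCMDirMgr,OU=Service Accounts,DC=example,DC=com with its
# password in ~/.ccmdirmgr.pw. Requires OpenLDAP ldapsearch for dump_users.

# Same shape of query DirSync issues: simple bind as the manager DN, subtree
# search from the user search base for user objects. AD returns at most 1000
# entries per page, so request paged results (-E pr=...) to walk the whole tree.
dump_users() {
  ldapsearch -LLL -x -H "ldaps://dc1.example.com" \
    -D "CN=CCMDirMgr,OU=Service Accounts,DC=example,DC=com" \
    -y "$HOME/.ccmdirmgr.pw" \
    -b "DC=example,DC=com" -s sub -E pr=1000/noprompt \
    "(&(objectCategory=person)(objectClass=user))" dn sAMAccountName
}

# Read LDIF on stdin and print "<count> <parent container DN>" per container.
# Entries the bind account cannot read never appear at all, which is exactly
# the set UCM would silently skip. Handles LDIF line folding (continuation
# lines start with a space) and escaped commas inside the RDN (CN=Lee\, Bob).
# Base64-encoded DNs (dn::) are not decoded and are skipped.
users_by_ou() {
  awk '
    function note_entry(   dn, i, c) {
      if (buf ~ /^dn: /) {
        dn = substr(buf, 5)
        i = 1
        while (i <= length(dn)) {          # find the first unescaped comma
          c = substr(dn, i, 1)
          if (c == "\\") { i += 2; continue }
          if (c == ",") break
          i++
        }
        count[substr(dn, i + 1)]++         # everything after the RDN is the parent
      }
      buf = ""
    }
    /^ /  { buf = buf substr($0, 2); next }  # unfold a continuation line
    { note_entry(); buf = $0 }
    END   { note_entry(); for (p in count) printf "%d %s\n", count[p], p }
  ' | sort -k2
}

# Constructed sample of what the manager account gets back when it can read
# OU=Eng (and its child OU=Voice) but has been denied read on OU=Mktg: no
# Mktg entries are returned. One long DN is folded the way ldapsearch does it.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=Alice Ng,OU=Eng,DC=example,DC=com
sAMAccountName: ang

dn: CN=Lee\, Bob,OU=Eng,DC=example,DC=com
sAMAccountName: blee

dn: CN=Carol Diaz,OU=Voice,OU=Eng,DC=example,DC=com
sAMAccountName: cdiaz

dn: CN=Dan Okafor-Williamson,OU=Voice,OU=Eng,DC=e
 xample,DC=com
sAMAccountName: dokafor
EOF
)

# Summarise the constructed sample; expected output:
#   2 OU=Eng,DC=example,DC=com
#   2 OU=Voice,OU=Eng,DC=example,DC=com
summarise_sample() {
  printf '%s\n' "$SAMPLE_LDIF" | users_by_ou
}

summarise_sample
# Against the real directory: dump_users | users_by_ou
```

Two caveats when relying on ACLs this way. In a default AD domain, Authenticated Users can already read user objects across the domain, so merely granting the manager account Read on ou=Eng does not hide ou=Mktg from it; the OUs you want excluded need an explicit Deny for that account (or inheritance broken there), and a run of the dump above is the quickest way to confirm the account sees only what you intend. Second, once an OU disappears from the account's view, UCM does not delete those users immediately: they go inactive and are removed later by garbage collection, which is the delay George observed.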
