Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
5
Helpful
4
Replies

CCM v5 - Ldap integration

Go to solution
g-georgiou
Level 1
Level 1

‎09-30-2007 12:38 AM - edited ‎03-14-2019 11:48 PM

Hi,

We have a customer that wants to synchronize CCM with A/D through LDAP but needs to import users within specific OUs within in the top level domain. CCM v5 restricts LDAP directory integrations up to maximum 5. Is there a way to bypass this restriction and add more? We have tried adding an LDAP manager that has read rights to the specific OUs but CCM failed to add the users in that OU. We have used and Ldap browser and verified that the specific Ldap manager was able to read the users in the specific OUs. Should we add a user that has read read rights or even Domain Admin and the restrict that user from the OUs we do not want to import?

What is the recommended way to do this?

George Georgiou

eNet Solutions

g.georgiou@enet.com.cy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gogasca
Level 10
Level 10

‎09-30-2007 05:14 PM

Hi George,

To import the data into the Unified CM database, the system performs a bind to the LDAP directory using the account specified in the configuration as the LDAP Manager Distinguished Name, and reading of the database is done with this account. The account must be available in the LDAP directory for Unified CM to log in, and Cisco recommends that you create a specific account with permissions to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account may reside anywhere within that domain. In the example in Figure 17-7, CCMDirMgr is the account used for the synchronization.

It is possible to control the import of accounts through use of permissions of the LDAP Manager Distinguished Name account. In this example, if that account is restricted to have read access to ou=Eng but not to ou=Mktg, then only the accounts located under Eng will be imported.

Check Table Figure 17-7

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063748a.html#wp1055587

View solution in original post

4 Replies 4

Go to solution
gogasca
Level 10
Level 10

‎09-30-2007 05:14 PM

Hi George,

To import the data into the Unified CM database, the system performs a bind to the LDAP directory using the account specified in the configuration as the LDAP Manager Distinguished Name, and reading of the database is done with this account. The account must be available in the LDAP directory for Unified CM to log in, and Cisco recommends that you create a specific account with permissions to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account may reside anywhere within that domain. In the example in Figure 17-7, CCMDirMgr is the account used for the synchronization.

It is possible to control the import of accounts through use of permissions of the LDAP Manager Distinguished Name account. In this example, if that account is restricted to have read access to ou=Eng but not to ou=Mktg, then only the accounts located under Eng will be imported.

Check Table Figure 17-7

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063748a.html#wp1055587

Go to solution
g-georgiou
Level 1
Level 1
In response to gogasca

‎10-04-2007 01:19 AM

Hi,

I managed to solve my problem. Configured a domain admin account which had read rights to specific OUs with in the child domain. For some reason it took 6-7 days for the garbage collector to delete the inactive users.

Thanks for your help.

0 Helpful

Go to solution
mymite060708
Level 1
Level 1
In response to g-georgiou

‎10-24-2008 08:01 AM

I need to add more than 5 LDAP directories, Can you explain more how you bypass this?

Thanks

Pete

0 Helpful

Go to solution
g-georgiou
Level 1
Level 1
In response to mymite060708

‎10-24-2008 08:49 AM

Hi Pete,

You are referring to 5 different domains on separate LDAP hosts or to 5 different child OUs? If the latter then you need to create a user (Ldap manager in UCM) with RO access to the specific OUs and delegate control in the A/D. Now in UCM you will need to add the top-level OU. The Ldap agent will query the OU tree and import the users in the OUs where the Ldap manager has read access. For the other OUs users will not be imported since the user will not have access to.

Hope i have been helpful. Please rate if yes

./G

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents