CUCM 6.1 LDAP Integration with W2K3 AD

Unanswered Question
Sep 18th, 2008

RE: CUCM 6.1.2.1110-3. 1 x Pub / 2 x Sub.

We are in the process of installing a new CUCM cluster and are looking to integrate with MS W2K3 AD for user authentication; however, the issue we have encountered is regarding permissions:

The AD domain contains 10k user accounts with 900 OUs. We wish to, initially, populate the CUCM with users from 10 of these OUs (approx. 500 users). When a user is created in AD they automatically have read access to the full directory, so our LDAP DN user, defined in the authentication agreement on CUCM, will therefore have read access to the whole AD. Since we want to populate users from 10 OUs (and more in the future) we cannot set explicit authentication agreements for each OU. Also, if we were to use permissions to filter users to be imported into CUCM, our AD admin would have to set explicit denies on each of the 890 OUs. Is there an alternative way of filtering to import just the users we need?

Justin Brenton Thu, 09/18/2008 - 16:10

Hi btmulgrew,


Integration will be complicated with this amount of OUs as you will need to carefully organize your OUs so that the proper user accounts will come across.


Group Policies may also be an issue with integration and permissions within CUCM, especially with password restrictions, so you will need to determine if this is feasible.

Please review the below document as it will help you with this task.


From the below doc:


Figure 18-7 User Search Bases


To import the data into the Unified CM database, the system performs a bind to the LDAP directory using the account specified in the configuration as the LDAP Manager Distinguished Name, and reading of the database is done with this account. The account must be available in the LDAP directory for Unified CM to log in, and Cisco recommends that you create a specific account with permissions to allow it to read all user objects within the sub-tree that was specified by the user search base. The sync agreement specifies the full Distinguished Name of that account so that the account may reside anywhere within that domain. In the example in Figure 18-7, CCMDirMgr is the account used for the synchronization.


It is possible to control the import of accounts through use of permissions of the LDAP Manager Distinguished Name account. In this example, if that account is restricted to have read access to ou=Eng but not to ou=Mktg, then only the accounts located under Eng will be imported.


Synchronization agreements have the ability to specify multiple directory servers to provide redundancy. You can specify an ordered list of up to three directory servers in the configuration that will be used when attempting to synchronize. The servers are tried in order until the list is exhausted. If none of the directory servers responds, then the synchronization fails, but it will be attempted again according to the configured synchronization schedule.


http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/6x/directry.html#wp1045022



Hope this helps. Please rate if so.


Regards,


Justin
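As an added illustration (not from this thread or from Cisco), the Python below models the search-base rule the quoted SRND text describes: a sync agreement only picks up a user object whose DN sits under one of the configured user search bases, so choosing the right bases is the filtering mechanism before any ACL denies come into play. DN handling is simplified (case-insensitive RDN comparison, backslash-escaped commas honoured, no multi-valued RDNs) and the user entries are constructed samples.

```python
import re
from typing import List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.

    Splits only on commas that are not backslash-escaped (RFC 4514),
    lower-cases both sides and trims whitespace, which is enough for
    the subtree test below. Multi-valued RDNs ('+') are not handled.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_under_base(dn: str, base: str) -> bool:
    """True if dn is the base entry itself or lies anywhere beneath it.

    Comparing whole RDNs (not string suffixes) means ou=Engineering is
    correctly NOT treated as being under ou=Eng.
    """
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def plan_import(user_dns: List[str], search_bases: List[str]):
    """Return (imported, skipped): which users a sync with these bases would reach."""
    imported = [u for u in user_dns if any(dn_under_base(u, b) for b in search_bases)]
    skipped = [u for u in user_dns if u not in imported]
    return imported, skipped

# Constructed sample directory (not real accounts).
SAMPLE_USERS = [
    "cn=alice,ou=Eng,dc=example,dc=com",
    "cn=bob,ou=Dev,ou=Eng,dc=example,dc=com",        # nested OU, still under Eng
    "CN=erin, OU=ENG, DC=example, DC=com",             # case/spacing differences
    "cn=carol,ou=Mktg,dc=example,dc=com",              # not in a configured base
    "cn=Smith\\, John,ou=Sales,dc=example,dc=com",     # escaped comma in the RDN
    "cn=dave,ou=Engineering,dc=example,dc=com",        # similar name, different OU
]
SEARCH_BASES = ["ou=Eng,dc=example,dc=com", "ou=Sales,dc=example,dc=com"]

if __name__ == "__main__":
    imported, skipped = plan_import(SAMPLE_USERS, SEARCH_BASES)
    print("imported:", *imported, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
```

Each additional OU the thread wants to bring in later simply becomes another search base; the LDAP Manager account still needs read rights on those subtrees, but nothing outside them has to be explicitly denied for the import to stay limited.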
