LDAP synchronization

Tommer Catlin Mon, 03/30/2009 - 07:39

You should be able to add more OU's to the LDAP sync. The authentication, you will probably have to use the root of the forest then.

The other way, re-arrange your OUs under one container, I know, not always possible, but might be the only way.

Jaime Valencia Mon, 03/30/2009 - 08:18

Exactly how many OUs are you defining???

you can only have 5 OUs to sync
if this helps, please rate

craig.pollitt Fri, 11/05/2010 - 10:10

I have a slightly different situation I'm looking for an answer to-

We currently have UCM 7.1.5 pointed to our SunOne LDAP server for Directory and Authentication.  Since then, I've been asked whether I can point to our AD server instead- the main reason is to allow those users only configured in AD (generic shared accounts created by different OU admins) the ability to use CUPS/CUPC.  Right now, the LDAP UCM is pointing to is the master ds.  AD also points to it to get its list of users.

I'm not sure the exact behavior will be in UCM when-

1) I attempt to add the AD server to the list--can multiple directory servers be configured?  Since my account is listed in both locations, how does UCM handle this?

2) How will the current end user db be impacted or affected by adding the AD server?  Will existing information contained in the end user db be erased/overwritten/merged/duplicated?

3) Depending on the first two answers- what would I expect to happen if I then go back and remove the existing LDAP server from the list?

Knowing the 5-OU limit highlighted in this thread (thanks!), there are other obstacles that we will have to work with, but I need to know UCM's expected behavior before even going down that road.

I'm probably not explaining the situation clearly enough, so please let me know if I need to clarify this further.


Craig L. Pollitt

Jaime Valencia Fri, 11/05/2010 - 12:22

If I understand this right you want to use both SunOne and AD???

If so, the answer is that you cannot.

Only one kind of LDAP integration is supported at any given time.

If you want to change, what you need to do, is delete the whole LDAP config and recreate for AD.

Existing users that match the userID property from DB and AD will be just updated, any other users will be removed.

There is already a fixed amount of time for the users to be deleted, so you'd need to go back before that if you don't want to lose them.

Details here:

LDAP Directory Integration

If this helps, please rate

craig.pollitt Fri, 11/05/2010 - 13:24

I'm really trying to find out the expected behavior in UCM if I go from LDAP -> AD.  I have a lot of users that have different properties already configured (Device Association, Primary Phone, End User Group, etc) and didn't know how UCM would respond if I changed directories...and really didn't want it wiping my existing settings.  I didn't know if I could have a "soft move" where I added AD to the mix and then remove LDAP, but it sounds like I would have to remove LDAP first and then add AD, right?

So, if I understand you correctly- by doing the hard cutover, my End Users that are currently configured on UCM will retain their settings when I go to add AD and it performs a full sync?  Since the users are contained in both locations, all settings should be retained when the sync is completed.  Does it matter if we are currently pointing to uid and AD will use sAMAccountName?  Will it still match the users or will it create a new set using different unique ids in the UCM db?

Thanks for the link, good information.  I just want to be absolutely sure what to expect if (and when) I go to apply this change.


Tommer Catlin Fri, 11/05/2010 - 13:38

Ok, so here is the deal.  Since you have two different sources, you have only one real option here:

Use a third party sync tool to pull from Sun and AD into one LDAP directory.  This new directory is what CUCM should pull from.  For CUCM, as long as you do not change their LDAP username, CUCM will keep all of your existing associations.   I'd recommend though you plan on exporting them out in case you need to re-associate them later.

craig.pollitt Fri, 11/05/2010 - 13:58

That's what I was overlooking...if I do an export End User- as long as the uid/sAM is the same, when I go to sync to AD instead of LDAP if something isn't applied correctly I can Update the End Users from the BAT to apply all of my existing settings...correct?


Tommer Catlin Fri, 11/05/2010 - 14:17

I believe, even if you break LDAP or AD sync in CUCM, you have 48 hours until it removes everyone. IF you resync to a different source and the UIDs/SAMs match, then CUCM will simply leave them there.

I have done this with CUCM user IDs. If the user ID is the same in LDAP, CUCM leaves it alone. But if there is a mismatch or a match not found, it will delete them in 48 hours.


William Bell Fri, 11/05/2010 - 15:01

Actually, I think that the clean up process runs at 03:15 hours every day. During the clean up process, any account that has been inactive for 24 hours is removed. So, if an account was marked inactive at 01:00 hours then it would NOT be removed at 03:15 since it has only been inactive for 2 hours and 15 minutes.  The next day (26 hours and 15 minutes later) it would be removed.
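The retention behaviour the replies above describe (end users matched to directory entries on the configured user-ID attribute, unmatched users marked inactive, a nightly cleanup at 03:15 removing anything inactive for 24 hours) is easy to reason about with a small model. The following Python is an added illustration written for this thread, not Cisco code or documentation: the reconciliation logic, the `uid`/`sAMAccountName` attribute names as match keys, the 03:15 cleanup time and the 24-hour threshold are all taken from the posts above, and the directory entries and end-user settings are constructed sample data.

```python
"""Model of the LDAP-sync retention rule described in this thread (assumed
behaviour, not a reference implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class EndUser:
    userid: str
    settings: dict                     # device associations, primary phone, etc.
    inactive_since: Optional[datetime] = None


def sync(end_users, directory_entries, id_attribute, now):
    """Reconcile existing end users with a directory dump.

    directory_entries: list of dicts of LDAP attributes (constructed sample data).
    id_attribute: attribute used as the CUCM user ID ('uid' or 'sAMAccountName').
    Matched users keep their settings; new directory users are created empty;
    users missing from the directory are marked inactive at `now`.
    """
    by_id = {u.userid: u for u in end_users}
    seen = set()
    for entry in directory_entries:
        uid = entry.get(id_attribute)
        if uid is None:
            continue                   # entry lacks the configured ID attribute
        seen.add(uid)
        if uid in by_id:
            by_id[uid].inactive_since = None   # match found: settings retained
        else:
            by_id[uid] = EndUser(userid=uid, settings={})
    for uid, user in by_id.items():
        if uid not in seen and user.inactive_since is None:
            user.inactive_since = now
    return list(by_id.values())


def cleanup(end_users, run_time, retention=timedelta(hours=24)):
    """Nightly cleanup: drop users inactive for at least `retention`."""
    return [u for u in end_users
            if u.inactive_since is None or run_time - u.inactive_since < retention]


def next_cleanup_run(after, hour=3, minute=15):
    """First 03:15 strictly after the given timestamp (assumed schedule)."""
    candidate = after.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if candidate <= after:
        candidate += timedelta(days=1)
    return candidate


def user_ids(end_users):
    return {u.userid for u in end_users}


if __name__ == "__main__":
    # Constructed example: cutover from uid-keyed SunOne to sAMAccountName-keyed AD.
    users = [EndUser("cpollitt", {"primary_phone": "1001"}),
             EndUser("jdoe", {"primary_phone": "1002"})]
    ad_dump = [{"sAMAccountName": "cpollitt"}, {"sAMAccountName": "svc-shared"}]
    t0 = datetime(2010, 11, 6, 1, 0)          # jdoe goes inactive at 01:00
    after = sync(users, ad_dump, "sAMAccountName", t0)
    run1 = next_cleanup_run(t0)               # 03:15 same day: only 2h15 inactive
    after = cleanup(after, run1)
    run2 = next_cleanup_run(run1)             # 03:15 next day: 26h15 inactive
    after = cleanup(after, run2)
    print(sorted(user_ids(after)))
```

The point the model makes concrete is the one raised in the thread: retention depends entirely on the user ID matching after the source changes. A user whose ID in the old source was `uid` but who appears under a different `sAMAccountName` in AD is not matched, gets a fresh empty record, and the old record with its settings is marked inactive and removed at the second nightly run.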