LDAP only import AD users whose IP Phone attribute is not empty

Unanswered Question
May 21st, 2009

In Cisco SRND, the only way to import users with Cisco phones is to put them into different OUs. However, in our case, it is not possible, since we have multiple business units, and each business unit has its own USERS OU. Plus, it is hard to maintain accurately who has a Cisco phone and who does not.

Is there a way to only sync import users whose IP Phone attribute in AD is not empty, or by Group Membership, or any other suggestions?

elavoie Tue, 05/26/2009 - 11:46

Hi Daniel, you must use an LDAP filter to import only users that have something in the ipPhone field. With the help of the AXL Toolkit you will be able to modify the default filter with this :

If you need more help, let me know... We use this for each of our customers.

pwenger Mon, 07/06/2009 - 04:45


I would like to apply a filter like this. Can you please give me a hint how to do this?

Kind regards


elavoie Mon, 07/06/2009 - 05:24

You must install AXL SQL Toolkit on your PC. It's a plugin under Application/Plugins in CUCM Admin Page.

Then rename the sample.xml file to sample.org and copy the attached sample.xml file to the axl directory.

Finally run this from your PC:

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=ccmdministrator -password=123456 -host=x.x.x.x

You need to put your username, password and host according to your setup.

You can edit sample.xml to reflect the filter you want to use. In my example we grab all valid users with something in the ipPhone field from AD.

Before modifying filter you can view the current filter using this in your query

pwenger Mon, 07/06/2009 - 06:30


I downloaded the axlsqltoolkit.zip file, but I can't find a .exe file to install on my client.



pwenger Mon, 07/06/2009 - 06:53

Just did it once again, downloaded the file, extracted it to local drive, but there is no .exe file to install. I'm running CUCM 7.1(2)



elavoie Mon, 07/06/2009 - 07:03

Sorry, you don't need to install. Just run:

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=ccmdministrator -password=123456 -host=x.x.x.x

in DOS Prompt under c:\axl

pwenger Thu, 07/09/2009 - 00:37


Okay, I understand so far. When I run the command under C:\axl I receive this:

Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)


What am I missing?



elavoie Thu, 07/09/2009 - 03:39

You probably have more than one java.exe on your PC. Search for java.exe and run the command in the java folder. Try different java.exe until it works.

mattepps645 Thu, 10/22/2009 - 05:15


I have a project now whereby the Customer wants us to filter the LDAP synchronisation to only pull in users with the IpPhone Field set in their AD.

I have followed the procedures here from my PC and with a CUCM 6.1(2) on VMWare. Admittedly I have no AD but was just trying the process to see what happened.

Anyway, it appears to have worked - i.e. no error messages were given and obviously nothing has happened with CUCM.

So this leads to a question. Now I have confidence on how to run this process, how do I actually carry it out in a Live Network? What I will be deploying is:

1. CUCM 7.1(2)

2. Microsoft AD

3. LDAP Synchronisation probably using a Sync agreement that starts at the root of the customer's AD (they aren't a large customer)

So the question is, when and how do I apply the filter ? There is no setting in CUCM Admin to reference a filter so is it a case of doing a full synchronisation then running the filter script from an Admin PC to actually strip out any users without an IP Phone field entry ?

If this filter has to be applied after synchronisation then does it have to be run every day if LDAP synchronisation is configured to run every night ?

Many thanks,


mattepps645 Thu, 10/22/2009 - 10:51

OK Thanks Eric.

I'm still a little confused though as earlier in the thread you mentioned the following:

"you must use an LDAP filter to import only users that have something in the ipPhone field. With the help of the AXL Toolkit you will be able to modify the default filter with this :"

So how is this pushed to CUCM and what does this do that is different from:-

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=ccmdministrator -password=123456 -host=x.x.x.x

in DOS Prompt under c:\axl

This appears to be two separate scripts so I am wondering what the order of work is once I have configured the LDAP Synchronisation in CUCM Admin ?

Many thanks,


elavoie Fri, 10/23/2009 - 04:06

Hi Matt, java -cp.... is the command to issue from your PC to push the script into the CCM and

is what you need to put into sample.xml file. You will find this file where you will extract the AXLToolkit Tools.

mattepps645 Fri, 10/23/2009 - 08:53


Excellent, I get it now!!

Just one last question if I may.

Do I carry out this process before or after I configure and run LDAP synchronisation on CUCM ? I understand that the filter remains on CUCM but am wondering if you can apply it before initial synchronisation.

Best wishes,


elavoie Fri, 10/23/2009 - 09:08

Hi Matt

You can run it before or after. If you apply it before, you'll only see users who match the filter in the End User page. If you apply it after, you'll see all of the AD users in the End User page. The usernames that match the filter will be marked as Active and the others as Inactive. The Inactive end users will disappear from the End User page over the next day.

You can also call Bell Team to help you ! ;-)



abid.ahmed Mon, 02/22/2010 - 07:20

Hi All,

I followed the same instructions as in the blog for the LDAP filter. After I ran this statement I am still having a problem: I can see the user in the corporate directory which does not have an IP Phone. I restarted the DirSync service. Please help me out.

