AD Integration CM7 User Search Base

Unanswered Question
Nov 4th, 2009


I'm trying to integrate CM 7 with AD. The problem I'm facing is that when I try to write the user search base string I run out of characters; 254 is the limit.

I need help to correctly write the string to match the organizational units (OUs) I want to synchronize.

Attached is a screen shot of the Active Directory structure and also a list of the OU's I want to synch.

Jonathan Schulenberg Wed, 11/04/2009 - 06:20

LDAP doesn't work that way. You cannot specify multiple sibling elements in a single LDAP string. Also, UCM has a limit of five LDAP synchronizations so you will likely need to reorganize your AD structure to become more hierarchical. I doubt you want to synchronize EVERY user account into the corporate directory.

Example (entire domain):

Remember that UCM will synch every user object account with these OUs, including any child OUs as long as the minimum fields are populated.

You will have to develop a custom LDAP filter if you want to exclude accounts. In 7.x this is a little involved because it requires a direct SQL update (search the forum). You would need to identify a common field that you can filter by for every account.

eoinwhite Wed, 11/04/2009 - 06:41

Yup just ran into the Max 5 limit as I got your reply. I'll look into the direct SQL update.

eoinwhite Wed, 11/04/2009 - 08:27

Ok, so I restructured AD to work around the issue, but now I have run into a separate issue: all users are coming up as inactive. I have the UserID attribute on CM set to employeeNumber, but it's called EmployeeID on AD; I think that might be the issue. Here's the error I get in the trace:

2009-11-04 15:52:56,819 ERROR [DirSync-DBInterface] common.DSDBInterface ( - DSDBInterface.updateUserInfo LDAP data discarded: Missing LDAP attribute: Attribute Count=8 AgreementId=8426585a-7a9b-95c8-cfdd-41b4debad1de

middlename=exampled telephonenumber=8315 lastname=Lucey

firstname=example mailid=[email protected] title=  uniqueidentifier=c2317194f399a94180fde1ff663e080a department=Finance

2009-11-04 15:52:56,824 INFO  [Thread-8] common.DSNcsClient ( - DSNcsClient.process Process CN on directorypluginconfig with action=u

2009-11-04 15:52:56,831 INFO  [Thread-8] common.DSNcsClient ( - DSNcsClient.process Process CN on directorypluginconfig with action=u


Jonathan Schulenberg Wed, 11/04/2009 - 15:19

First, you are exposing personally identifiable information in your postings and this forum is public. You may want to replace the real-life user information with something else.

Second, I'm going to assume that you mean you have created the custom LDAP filter based on the employeeNumber. You cannot set the username in the LDAP System page to this attribute. If you are filtering by an attribute, it must actually exist within LDAP.

Third, the LDAP Bind Account you are using needs to be granted "Read All Attributes" rights on the LDAP objects.
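As an added diagnostic for the "LDAP data discarded: Missing LDAP attribute" trace quoted above (example code written for this thread, not from Cisco or from any poster): it parses the DirSync ERROR line and its attribute dump and reports which expected attribute is absent, so an admin can confirm that the User ID mapping (not an empty optional field such as title) is what DirSync is rejecting. The expected attribute set is an assumption drawn from the quoted trace (the eight names shown plus userid); the sample trace is constructed with placeholder names.

```python
import re

# Assumed attribute set: the eight names in the quoted trace plus 'userid',
# the attribute filled from the "LDAP Attribute for User ID" mapping.
EXPECTED_ATTRIBUTES = frozenset({
    "userid", "firstname", "middlename", "lastname", "mailid",
    "telephonenumber", "title", "department", "uniqueidentifier",
})

# Constructed sample trace modelled on the thread's quote, names replaced.
SAMPLE_TRACE = """\
2009-11-04 15:52:56,819 ERROR [DirSync-DBInterface] common.DSDBInterface ( - DSDBInterface.updateUserInfo LDAP data discarded: Missing LDAP attribute: Attribute Count=8 AgreementId=8426585a-7a9b-95c8-cfdd-41b4debad1de
middlename=x telephonenumber=8315 lastname=Doe
firstname=Jane mailid=jane@example.com title=  uniqueidentifier=c2317194f399a94180fde1ff663e080a department=Finance
2009-11-04 15:52:56,824 INFO  [Thread-8] common.DSNcsClient ( - DSNcsClient.process Process CN on directorypluginconfig with action=u
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
DISCARD = re.compile(r"LDAP data discarded: Missing LDAP attribute:.*?AgreementId=(\S+)")
KEY_VALUE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "title="


def parse_discarded_records(trace):
    """One dict per discarded user: {'agreement_id', 'attributes'}.
    The attribute dump sits on continuation lines after the ERROR line,
    up to the next timestamped log line."""
    records, current = [], None
    for line in trace.splitlines():
        if TIMESTAMP.match(line):
            m = DISCARD.search(line)
            current = {"agreement_id": m.group(1), "attributes": {}} if m else None
            if current is not None:
                records.append(current)
        elif current is not None and line.strip():
            current["attributes"].update(KEY_VALUE.findall(line))
    return records


def missing_attributes(record, expected=EXPECTED_ATTRIBUTES):
    """Expected names entirely absent from the dump (present-but-empty
    values such as 'title=' are not what DirSync rejects)."""
    return sorted(expected - record["attributes"].keys())


if __name__ == "__main__":
    for rec in parse_discarded_records(SAMPLE_TRACE):
        print(rec["agreement_id"], "missing:", missing_attributes(rec))
```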

eoinwhite Thu, 11/05/2009 - 02:31

Thanks for the replies.

The Cisco account in AD has read access to all OUs. The user ID in Call Manager is already the same as the employee ID in AD. I'll look further and see what I can find.

