CUCM 7.1 LDAP Integration with Microsoft AD

Feb 15th, 2010

Can someone please help? I am having difficulties populating my end user database in CUCM 7.1 with AD accounts that I want. Here is my dilemma.

I can configure my LDAP Directory settings within CUCM 7.1 with the following LDAP User Search Base...


DC=COMPANY,DC=NAME,DC=INC

This works. My active end user list will be populated with all of the AD objects. However, this includes a lot of accounts I do not want to show up.

Now, from one of my domain controllers I can create a query that returns only users who have any value in their ipPhone account attribute. It looks like this...

(&(objectCategory=user)(ipPhone=*))

Is there any way to combine these search criteria in CUCM 7.1 so my end user list is populated from my company's AD with only the accounts I want?

William Bell Mon, 02/15/2010 - 16:38


Matt,

You have a couple of options.  If your directory tree has adequate hierarchy you can do one of two things:

1. Use permissions to deny read access for the DirSync service account you have established.  For example, if you had:

  • RootDSN
    • Users
      • Service Accounts
      • HQ
      • Regional
        • East
        • West
        • South
        • North

You could apply a permissions list where the DirSync account is blocked from reading Service Accounts.Users, East.Regional.Users, etc.

2. You can establish replication agreements from the CUCM to different OU contexts.  Again, this assumes that you aren't using a flat tree.  Also, you can only have a maximum of 5 replication agreements which hasn't been enough in my experience.  That is why I use option 1 or the following.

If you have a relatively flat tree or see another reason why the method described in #1 or #2 doesn't work, you can update the LDAP filter that the CUCM uses when establishing a DirSync replication agreement.  You can't modify this directly in CUCM 7.1 but you can use the SQL Query Toolkit that can be downloaded from your CUCM cluster node to update the database table that stores the LDAP filter.

It sounds like a hack, and it is.  At least it started out that way.  There are several folks doing this and I believe that Cisco is going to incorporate the ability to modify the LDAP filter in CUCM 8.x. I also heard that Cisco will carry forward any "hacked" LDAP filter entries when a customer upgrades from 6x/7x to 8x but don't quote me on that.

Anyway, I wrote a blog on how to do this as part of a series on the SQL Query Toolkit.  Instead of repeating the content here, I will just provide the URL.

http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

Hope this helps.

Regards,
Bill

gear53x11 Mon, 02/15/2010 - 20:21

Bill, I have read through your 3 part series. Good info! So, on the 3rd part. I have my updateldapfilter.xml file created. It looks like this...

<?xml version="1.0" encoding="UTF-8"?>

       where tkldapserver=1"/>
     

Basically, if there is any value in the ipPhone attribute I want that user to populate my database.

Then you follow your example with a couple of notes that I dont follow.

You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"."  Should my update set filter be "&amp;" instead of just "&"?

And then, I successfully ran the test.xml file. However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."

Further questions...

1) Is this filter applied to all LDAP directories I have created through the web console?

2) Is this filter something I have to run periodically, or will the filter be "on" at all times?

This is all very new to me so I hope my questions aren't too confusing. Thanks!!

William Bell Mon, 02/15/2010 - 21:18

Matt,

Glad to hear it helped.  In response to your questions.

> Then you follow your example with a couple of notes that I don't follow.

> You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"."  Should my update set filter be "&amp;" instead of just "&"?

Yes, you will want to use "&amp;" instead of "&".


> However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."

In the blog I was referring to the query in the "What is this table of which you speak?" section.  Basically, we ran a query to identify the unique key that you could use to ensure you were applying your LDAP filter to the correct integration type (e.g. Microsoft AD).

> 1) Is this filter applied to all LDAP directories I have created through the web console?

I don't follow.  If you are asking whether the filter will apply to all LDAP synchronization agreements that you create then yes it will.  The LDAP filter you applied will affect all LDAP sync agreement using Microsoft AD.


> 2) Is this filter something I have to run periodically, or will the filter be "on" at all times?

Once you set the filter you shouldn't have to reset it though I have not tested every upgrade path variant.

> This is all very new to me so I hope my questions aren't too confusing.  Thanks

Your questions are fine.  Hopefully my answers weren't too confusing.  Glad to hear that the post helped.

Regards,
Bill

gear53x11 Mon, 02/15/2010 - 21:33

Once I posted my questions and read through your 3 part series again it started clicking. I was able to answer my own questions. Thanks for the few clarifications. My CUCM database is now being populated with the data I want. Thank you very much! Once again, great blog.

gear53x11 Tue, 04/13/2010 - 13:59

William, hope all is well. Another DB question...possibly. Is there any way to modify my CUCM end user list (AD Integrated) so that instead of the Department ID (from the Organization tab) the Office field (from the General tab) in AD is what gets populated for my end users? Thanks,

William Bell Tue, 04/13/2010 - 14:22

Unfortunately, I don't believe this is possible. The department field in the End User table of the CUCM database is statically mapped to the AD attribute 'department'.

Regards,

Bill

Aaron Harrison Tue, 04/13/2010 - 14:33

Hi

I was wondering why you might want to use another field? Do you have a particular app that reads the CCM user DB that you would like to see the other information in?

Aaron

gear53x11 Tue, 04/13/2010 - 14:45

Aaron, I found out that the dept. ID has other business drivers in our company. Therefore, I am not allowed to modify that field and the values in there are not granular enough. However, our office field has the detailed information that I am looking for. My business driver is the Cisco Attendant Console application. From the department drop down menu within that application I wish my attendant console users could see that granularity. Right now it's more general and not as easy for them to direct calls. I was hoping there was some easy way to do this.

Roy Cichon Tue, 04/13/2010 - 14:48

Aaron,

I am looking for a way to change the telephoneNumber field.  The client has the full number in that field in AD, so when you do a search in the Corporate Directory it yields xxx-xxx-xxxx instead of their 3 digit extension.  They want to keep the full 10 digit number for other applications pulling that information.  But, from what I am reading, we cannot change the mapping of the Telephone Number field to pull an extension for the Corporate Directory to be able to be dialed when searched.  Does that make sense?

Or, if there is a way that I can make Call Manager dial that extension from the Corporate Directory by dropping the first 7 digits, that would work too.  Transformation patterns or something?

Thanks for an input.

-Roy

William Bell Tue, 04/13/2010 - 15:08

Roy,

Wow. Talk about variety ;-). In regards to telephoneNumber mapping, you have two options with AD:

1. Map the AD attribute 'telephoneNumber'

2. Map the AD attribute 'ipPhone'

I typically use the latter because the AD guys hardly ever touch this field. The only thing that needs to be worked out is:

a. A routine to export user data in the telephoneNumber field, "chop" the digits to what the user stations can dial, and re-import the updated attribute information. Any AD admin should be able to accomplish this small task.

b. Slightly more difficult is working this custom "chop" and rewrite to the ipPhone attribute into your standard operating procedures for provisioning users. Again, a routine (manual, automated, pseudo-automated) could be developed easily.

Another option would be to use a custom Corporate Directory application which will present numbers that can be dialed from stations to the IP phone as part of the XML interchange. Basically, the custom corp. directory reads the full 10 and "chops" the dn appropriately. This is slightly more challenging than using the ipPhone attribute, but still not all that bad. I am doing this now for a customer that has different abbreviated dialing strings per-building. Fun.

HTH.

Regards,

Bill

Please remember to rate helpful posts.

Roy Cichon Wed, 04/14/2010 - 06:16

Thanks Bill for the answer...but can I clarify something?

If Call Manager will pull from the ipPhone field...how do I change that in Call Manager to pull from that field?

Thanks.

htluo Wed, 04/14/2010 - 06:20

CUCM > System > LDAP > LDAP Directory.  When you add a NEW entry, you have the opportunity to map "Phone Number" (or whatever attribute) to "ipPhone"

Michael

http://htluo.blogspot.com

William Bell Wed, 04/14/2010 - 06:25

Roy,

You can define the attribute mappings in the configuration page for your directory sync setup. Go to System>LDAP>LDAP Directory. When you add a directory agreement you will see all of the attributes CUCM is interested in and how they are mapped at the bottom of the page. Go to the telephone number mapping and click the dropdown option to change the AD attribute mapping.

HTH.

Regards,

Bill

Please remember to rate helpful posts.

Roy Cichon Wed, 04/14/2010 - 06:48

Thanks Bill.  I guess since it is only on a new LDAP server where you can change it, I did not see that option.

Another quick question...if I setup a new LDAP server and want to delete the other one I have so that I can sync the correct fields I want, it warns me that all users will be deleted when I delete the old server.  Will that affect anything as far as having those users associated with phones and voicemail during the change to the new server?  Does that make sense?  I don't want to affect service during business hours...I wouldn't think it would, but I want to cover my bases at this point before I make any changes.

Thanks...

Roy Cichon Wed, 04/14/2010 - 06:56

Thanks for the reply Michael.

I have more of a background in CME and now starting to do more full UC deployments so running into different scenarios in the real world that you would not run across in books. 

I will create a new LDAP server and delete the old one and then perform a full sync.

Thanks for the direction guys!

William Bell Wed, 04/14/2010 - 06:59

Looks like Michael may have jumped in the thread and answered the question. The users are "flagged" for deletion but aren't deleted until the next clean up cycle. Michael says that is 72 hours. I always thought it was 24 but Michael is a huge fan of LDAP support questions so I am sure he is right. Anyway, you can safely delete the sync agreement and recreate it. Just don't let too much time lapse between the two actions ;-).

HTH.

Regards,

Bill

htluo Wed, 04/14/2010 - 07:05

Bill was right about 24 hours period.  I was wrong. 

+5

Michael

WSonnylal Mon, 06/07/2010 - 15:03

Actually it varies but the 24 hours number is significant.  Here's how it works, there's a garbage collection process that runs nightly at 3AM on the Call Manager.  This process will look at all the inactive accounts and will purge them from the system as long as they have been inactive for 24hrs.  However assume you configure LDAP synchronization at 5PM and you perform a full sync at that time.  All non-matching accounts will be marked inactive, however they will not be deleted during the next 3AM purge process since they would not have been inactive for 24 hours, at this time they are only inactive for 10 hours.  Instead they will be purged the following day at 3AM because at that time these accounts will now have been inactive for more than 24 hours.  In fact they are inactive for 34 hours.  So it really depends on when the accounts are marked inactive as compared to the 3AM purge process.
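The timing rule above, as an added example (not code from the thread or from Cisco): it models the nightly 3 AM cleanup with the 24-hour minimum and returns when an account flagged inactive by a sync is actually purged, reproducing the 10-hour versus 34-hour case described.

```python
# Added example (not from the thread or Cisco): models the nightly 3 AM
# cleanup described above to predict when an account flagged inactive by a
# sync is actually purged, and how long it has been inactive by then.
from datetime import datetime, time, timedelta

PURGE_TIME = time(3, 0)              # garbage collection runs every night at 3 AM
MIN_INACTIVE = timedelta(hours=24)   # a run only purges accounts inactive >= 24 h

def next_run_after(moment):
    """First 3 AM run strictly after `moment`."""
    run = datetime.combine(moment.date(), PURGE_TIME)
    return run + timedelta(days=1) if run <= moment else run

def purge_time(marked_inactive):
    """The run that will actually remove an account flagged at `marked_inactive`."""
    run = next_run_after(marked_inactive)
    while run - marked_inactive < MIN_INACTIVE:   # too fresh: skipped, try next night
        run += timedelta(days=1)
    return run

def hours_inactive_at_purge(marked_inactive):
    """Elapsed inactivity when the purge happens, in hours."""
    return (purge_time(marked_inactive) - marked_inactive) / timedelta(hours=1)

def purge_report(marked_inactive_iso):
    """Convenience wrapper taking an ISO 8601 timestamp, returning (purge time, hours)."""
    flagged = datetime.fromisoformat(marked_inactive_iso)
    return purge_time(flagged).isoformat(sep=" "), hours_inactive_at_purge(flagged)

if __name__ == "__main__":
    # Sync at 5 PM: the 3 AM run the same night skips it (10 h), the next one purges (34 h).
    print(purge_report("2010-04-14 17:00"))
```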

CHRIS KALETH Mon, 01/10/2011 - 06:24

Bill,

I'm trying to do a LDAP search from our Corporate Directory (no sync with AD) and need to search the ipphone field and not the telephonenumber (until I figure how to transform over 40 North America E.164 numbers to internal extensions).  I'm using the attached file successfully for the telephonenumber field but not sure what needs to be changed on the file to look for the ipphone field in AD.

Thanks

William Bell Thu, 07/21/2011 - 06:54

Chris,

I know this is way late but I honestly didn't see your response until now. I am guessing you figured it out but for future reference:

Look for this code section:

    // Create the COM object and initial values
    var s = new ActiveXObject("LDAPSEARCH.LDAPSearchList");
    s.server = ldapserver;
    s.searchbase = ldapsearchbase;
    s.port = ldapport;
    s.AuthName = ldapuserid;
    s.AuthPasswd = ldappassword;
    s.AddReturnAttr("givenName, sn", "Name", "%2, %1", 31);
    s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);

and change

    s.AddReturnAttr("telephoneNumber", "Telephone", "%1", 31);

to:

    s.AddReturnAttr("ipPhone", "Telephone", "%1", 31);

HTH.

Regards,

Bill

Jeff Garner Tue, 02/16/2010 - 09:52

Do you have a suggestion on how to make a filter with an OR statement?

We want to search by state,  using st=XX or ST=YY

Thanks

gear53x11 Tue, 02/16/2010 - 10:21

This should work...

(&(objectCategory=user)(|(st=TX)(st=CO)))

There is a "|" before the first "st" outside of the parenthesis which is the OR operator.
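An added example (not code from the thread or from Cisco) that evaluates the filters discussed in this thread, the ipPhone presence filter from the original question and the OR-by-state filter above, against constructed sample AD objects, and shows the `&amp;` escaping Bill's reply calls for when the filter is placed inside an XML attribute of an AXL SQL toolkit query. The parser also rejects a filter with stray parentheses rather than silently matching nothing.

```python
# Added example (not from the thread or Cisco): evaluates the AD filters discussed
# here and escapes one for an AXL SQL toolkit XML attribute. USERS is constructed data.
from xml.sax.saxutils import escape

def parse_filter(text):
    """Parse (&(objectCategory=user)(ipPhone=*)) style filters into a tree."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos:pos + 1] in ("&", "|"):          # AND / OR over nested items
            op, kids = text[pos], []
            pos += 1
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, kids)
        end = text.find(")", pos)                     # simple item: (attr=value)
        attr, sep, value = text[pos:end].partition("=")
        if end < 0 or not sep or not attr.replace("-", "").isalnum():
            raise ValueError("bad filter item at %d" % pos)
        pos = end + 1
        return ("=", attr, value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters at %d" % pos)
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter; attribute names are case-insensitive as in AD."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    actual = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), "")
    if actual == "":                  # missing or empty attribute never matches
        return False
    return value == "*" or actual.lower() == value.lower()   # (attr=*) = presence

def select_users(filter_text, entries):
    """Account names DirSync would import under the given filter."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]

def as_axl_attribute(filter_text):
    """Escape for an XML attribute value: a bare '&' is not well-formed XML."""
    return escape(filter_text, {'"': "&quot;"})

USERS = [  # constructed sample AD objects
    {"sAMAccountName": "jdoe", "objectCategory": "user", "ipPhone": "2101", "st": "TX"},
    {"sAMAccountName": "svc-backup", "objectCategory": "user", "st": "TX"},
    {"sAMAccountName": "asmith", "objectCategory": "user", "ipPhone": "2102", "st": "CO"},
    {"sAMAccountName": "bjones", "objectCategory": "user", "ipPhone": "", "st": "WA"},
    {"sAMAccountName": "printer01", "objectCategory": "computer", "ipPhone": "2200", "st": "TX"},
]
```

Running `select_users("(&(objectCategory=user)(ipPhone=*))", USERS)` keeps only the two users with a non-empty ipPhone, and `as_axl_attribute` on that filter yields `(&amp;(objectCategory=user)(ipPhone=*))`, the form that belongs inside the query attribute.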

madhusudhanam Thu, 07/21/2011 - 05:58

Hi,

I am facing a problem with LDAP integration with CUCM. After integration I was able to find the user details in CUCM until a few days ago, but all of a sudden, when the AD admin adds any user in AD, I am not able to view those user details in CUCM. At the same time, if I make any modifications to existing user profiles, those changes reflect well in CUCM. Can you please help us on this? Please provide your reply to madhusudhanam@hcl.com

Regards,

M.Madhusudhana Rao

William Bell Thu, 07/21/2011 - 07:02

M.,

Based on the fact changes made in AD on existing users is replicated to CUCM, I think it is safe to say that the sync agreement is healthy. The things I would look at would be:

- OU structure: Are the new users created in an OU that is part of your user search base path?

- Permissions: Has anything happened to the permission settings for the service account. What happens when you create a user in the same OU as user objects that are working? Can you look at the permissions on the user object and verify DirSync account has appropriate permissions.

- If the LDAP query is custom (i.e. something other than default) then do the new user objects have the appropriate attributes set?

HTH.

Regards,

Bill

madhusudhanam Thu, 07/21/2011 - 07:13

Hi,

Thanks for your response. As I communicated earlier, both users (the new user and the old user) are under one OU only, but I am not able to find the new user in CUCM.

Regards,

M.Madhusudhana Rao


htluo Mon, 02/15/2010 - 16:38

On 7.x, if you want to do that, you need to use the AXL toolkit, which falls into developer support.

Or you can wait for 8.x, which should have the GUI to allow you configure the filter.

Thanks!

Michael

http://htluo.blogspot.com

kristyorr Wed, 10/20/2010 - 16:17

Seeking confirmation on this query.

We are synching CUCM with MS AD.  I would like the directory to only contain users that have an IP phone entry in the MS directory.  Is this correct?

<?xml version="1.0" encoding="UTF-8"?>

       where tkldapserver=1"/>
     

ldapfilter as ldf inner join typeldapserver as ldap on ldf.tkldapserver =

ldap.enum"/>

If I run this and totally hose my directory... how do i rollback/remove this update/change?

mynewlogin Tue, 04/24/2012 - 01:27

Hello everyone!

In the SRND there is the following information:

Such attributes as User ID, First Name, Middle Name, Last Name, Manager ID, Department, Phone Number, Mail ID are imported from the LDAP directory into corresponding Unified CM user fields, and it describes the mapping between those fields. Some Unified CM user fields might be mapped from one of several LDAP attributes.

There is a list of additional attributes that are imported by the DirSync process and copied into the Unified CM database but are not displayed in the administrator user configuration web pages: objectGUID, OCSPrimaryUserAddress, Title, Home Phone Number, Mobile Phone Number, Mobile Phone Number.

I have a task to provide a solution for a corporate directory which must have the possibility to list Phone Number and Mobile Phone Number for each contact.

How can the additional attributes which are imported from AD and copied into the Unified CM database but are not displayed in the administrator user configuration web pages be used?

thanks!

Andrii

Aaron Harrison Tue, 04/24/2012 - 01:53

Hi

Those fields all exist in the 'enduser' table in the CCM DB.

If you are writing a custom directory (which you must do if you want to modify the standard directory, and don't wish to purchase a directory app off-the-shelf) then you have two options:

- Base it on the CCM DB - in this case you'll access the 'mobile' column as you would access the 'firstname' or any other column

- Base it on LDAP directly - in this case you can access any AD attributes you like

Personally I would integrate to LDAP directly - it's not difficult, and LDAP is designed for this kind of function so it generally outperforms reads of the CCM DB, which you would want to cache/store in your app for good performance. It would also allow you to access any other information in AD (further numbers, personal information, pictures if you have them).

Aaron Harrison

Principal Engineer at Logicalis UK

Please rate helpful posts...

Posted February 15, 2010 at 4:25 PM