CUCM 7.1 LDAP Integration with Microsoft AD

gear53x11
Level 1

Can someone please help? I am having difficulties populating my end user database in CUCM 7.1 with AD accounts that I want. Here is my dilemma.

I can configure my LDAP Directory settings within CUCM 7.1 with the following Required Field...

DC=COMPANY,DC=NAME,DC=INC

This works. My active end user list will be populated with all of the AD objects. However, this includes a lot of accounts I do not want to show up.

Now, from one of my domain controllers I can create a query that returns only users who have any value in their ipPhone account attribute. It looks like this...

(&(objectCategory=user)(ipPhone=*))

Is there any way to combine these search criteria in CUCM 7.1 so my end user list is populated from my company's AD with only the accounts I want?
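To see concretely what the base DN and the filter from the question each contribute, here is an added example (not CUCM code, not something from the thread): a small RFC 4515 filter parser and evaluator run against a constructed set of AD-like entries. The DNs, account names and extensions are invented. Real AD stores objectCategory as a schema DN and expands the short form `user` in filters; the toy evaluator stores the short form directly. Extensible-match items (`attr:OID:=value`) are not handled.

```python
"""Toy RFC 4515 LDAP filter parser and evaluator (added example, not CUCM code)."""
import re
from typing import Any, Dict, List, Tuple

# Constructed AD-like entries; DNs and values are invented for the example.
# Real AD stores objectCategory as a schema DN; the short form is used here.
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {"dn": "CN=Matt,OU=HQ,OU=Users,DC=COMPANY,DC=NAME,DC=INC",
     "objectCategory": "user", "sAMAccountName": "matt", "ipPhone": "2001"},
    {"dn": "CN=svc-dirsync,OU=Service Accounts,OU=Users,DC=COMPANY,DC=NAME,DC=INC",
     "objectCategory": "user", "sAMAccountName": "svc-dirsync"},  # no ipPhone
    {"dn": "CN=Jane,OU=East,OU=Regional,OU=Users,DC=COMPANY,DC=NAME,DC=INC",
     "objectCategory": "user", "sAMAccountName": "jane", "ipPhone": "3105"},
    {"dn": "CN=CONF-PHONE-1,OU=Computers,DC=COMPANY,DC=NAME,DC=INC",
     "objectCategory": "computer", "sAMAccountName": "CONF-PHONE-1$", "ipPhone": "9000"},
]

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)", re.S)


def parse_filter(text: str) -> Tuple:
    """Parse a filter into ('&', [..]) / ('|', [..]) / ('!', child) / ('item', attr, op, value)."""
    pos = 0

    def peek() -> str:
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        return text[pos]

    def expect(ch: str) -> None:
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node() -> Tuple:
        nonlocal pos
        expect("(")
        op = peek()
        if op in "&|":
            pos += 1
            children = []
            while peek() == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.find(")", pos)  # an unescaped ')' cannot occur inside a value
        if end < 0:
            raise ValueError("unterminated filter item")
        m = _ITEM.fullmatch(text[pos:end])
        if not m:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("item", m.group(1), m.group(2), m.group(3))

    ast = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return ast


def _unescape(value: str) -> str:
    """Decode RFC 4515 hex escapes such as \\2a or \\28."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(op: str, pattern: str, actual: str) -> bool:
    """Compare one stored value with one filter item (case-insensitive, like AD)."""
    actual_l = actual.lower()
    if op == "=" and pattern == "*":          # presence test: (ipPhone=*)
        return True
    if op == "=" and "*" in pattern:          # substring test: (ipPhone=2*)
        parts = [re.escape(_unescape(p).lower()) for p in pattern.split("*")]
        return re.fullmatch(".*".join(parts), actual_l, re.S) is not None
    wanted = _unescape(pattern)
    if op in ("=", "~="):                     # approximate match treated as equality here
        return wanted.lower() == actual_l
    if wanted.isdigit() and actual.isdigit():  # ordering: numeric when both sides are digits
        return int(actual) >= int(wanted) if op == ">=" else int(actual) <= int(wanted)
    return actual_l >= wanted.lower() if op == ">=" else actual_l <= wanted.lower()


def evaluate(ast: Tuple, entry: Dict[str, Any]) -> bool:
    """Return True if the entry satisfies the filter AST."""
    kind = ast[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in ast[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in ast[1])
    if kind == "!":
        return not evaluate(ast[1], entry)
    _, attr, op, pattern = ast
    # Attribute names are case-insensitive; an absent attribute never matches,
    # which is exactly why (ipPhone=*) drops accounts with an empty ipPhone.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            if not isinstance(values, list):
                values = [values]
            return any(_match(op, pattern, str(v)) for v in values)
    return False


def search(entries, base_dn: str, filter_text: str) -> List[str]:
    """DNs at or under base_dn that match the filter (subtree scope, as DirSync uses)."""
    ast = parse_filter(filter_text)
    base = base_dn.lower()
    return [e["dn"] for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and evaluate(ast, e)]


if __name__ == "__main__":
    for f in ["(objectCategory=user)", "(&(objectCategory=user)(ipPhone=*))"]:
        print(f, "->", search(SAMPLE_ENTRIES, "DC=COMPANY,DC=NAME,DC=INC", f))
```

With the base `DC=COMPANY,DC=NAME,DC=INC` alone every object under the root is returned; the `(ipPhone=*)` term is what removes the service account, and `(objectCategory=user)` is what removes the computer object that happens to carry an ipPhone. Narrowing the base DN to one OU is the other lever, and it composes with the filter.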

30 Replies

William Bell
VIP Alumni


Matt,

You have a couple of options.  If your directory tree has adequate hierarchy you can do one of two things:

1. Use permissions to deny read access for the DirSync service account you have established.  For example, if you had:

  • RootDSN
    • Users
      • Service Accounts
      • HQ
      • Regional
        • East
        • West
        • South
        • North

You could apply a permissions list where the DirSync account is blocked from reading Service Accounts.Users, East.Regional.Users, etc.

2. You can establish replication agreements from the CUCM to different OU contexts.  Again, this assumes that you aren't using a flat tree.  Also, you can only have a maximum of 5 replication agreements which hasn't been enough in my experience.  That is why I use option 1 or the following.

If you have a relatively flat tree or see another reason why the method described in #1 or #2 doesn't work, you can update the LDAP filter that the CUCM uses when establishing a DirSync replication agreement.  You can't modify this directly in CUCM 7.1 but you can use the SQL Query Toolkit that can be downloaded from your CUCM cluster node to update the database table that stores the LDAP filter.

It sounds like a hack, and it is.  At least it started out that way.  There are several folks doing this and I believe that Cisco is going to incorporate the ability to modify the LDAP filter in CUCM 8.x. I also heard that Cisco will carry forward any "hacked" LDAP filter entries when a customer upgrades from 6x/7x to 8x but don't quote me on that.

Anyway, I wrote a blog on how to do this as part of a series on the SQL Query Toolkit.  Instead of repeating the content here, I will just provide the URL.

http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

Hope this helps.

Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

Bill, I have read through your 3 part series. Good info! So, on the 3rd part. I have my updateldapfilter.xml file created. It looks like this...




     

Basically, if there is any value in the ipPhone attribute I want that user to populate my database.

Then you follow your example with a couple of notes that I don't follow.

You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"."  Should my update set filter be "&amp;" instead of just "&"?

And then, I successfully ran the test.xml file. However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."

Further questions...

1) Is this filter applied to all LDAP directories I have created through the web console?

2) Is this filter something I have to run periodically, or will the filter be "on" at all times?

This is all very new to me so I hope my questions aren't too confusing. Thanks!!

Matt,

Glad to hear it helped.  In response to your questions.

>Then you follow your example with a couple of notes that I don't follow.

>You say, "First, the LDAP filter uses the ampersand ("&") to denote a logical "AND"."  Should my update set filter be "&amp;" instead of just "&"?

Yes, you will want to use "&amp;" instead of "&".


>However, I don't get your comment, "This is the reason we ran the first query so we knew which value we could use as a unique key when doing an update."

In the blog I was referring to the query in the "What is this table of which you speak?" section.  Basically, we ran a query to identify the unique key that you could use to ensure you were applying your LDAP filter to the correct integration type (e.g. Microsoft AD).

1) Is this filter applied to all LDAP directories I have created through the web console?

I don't follow.  If you are asking whether the filter will apply to all LDAP synchronization agreements that you create then yes it will.  The LDAP filter you applied will affect all LDAP sync agreement using Microsoft AD.


2) Is this filter something I have to run periodically, or will the filter be "on" at all times?

Once you set the filter you shouldn't have to reset it though I have not tested every upgrade path variant.

This is all very new to me so I hope my questions aren't too confusing.  Thanks

Your questions are fine.  Hopefully my answers weren't too confusing.  Glad to hear that the post helped.

Regards,
Bill


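The `&amp;` point above is about two escaping layers stacking: the filter text lives inside an XML file for the SQL toolkit, so XML's own metacharacter `&` must be encoded, while characters special to LDAP itself (`*`, `(`, `)`, `\`) are escaped with RFC 4515 hex escapes when they appear inside a value. The Python below is an added example, not the toolkit's file format or code from the blog: the `<filter>` element name is a placeholder, and the value-escaping function is a caveat added here (the thread's filter has no literal values that need it).

```python
"""Added example: the two escaping layers for an LDAP filter carried in an XML file."""
import xml.etree.ElementTree as ET

LDAP_FILTER = "(&(objectCategory=user)(ipPhone=*))"

# RFC 4515 escapes for characters that are special inside a filter *value*.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_value(value: str) -> str:
    """Escape a literal attribute value so it cannot alter the filter structure."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def equality_and_presence_filter(attr: str, value: str, present_attr: str) -> str:
    """Build (&(attr=value)(present_attr=*)) with the value escaped, the '*' left alone."""
    return f"(&({attr}={ldap_escape_value(value)})({present_attr}=*))"


def filter_to_xml(ldap_filter: str, tag: str = "filter") -> str:
    """Serialise the filter as element text; ElementTree writes '&' as '&amp;'.

    The tag name is a placeholder, not the SQL toolkit's real element name.
    """
    element = ET.Element(tag)
    element.text = ldap_filter
    return ET.tostring(element, encoding="unicode")


def filter_from_xml(xml_text: str) -> str:
    """Parse the element back; '&amp;' becomes a plain '&' again."""
    return ET.fromstring(xml_text).text or ""


def is_well_formed(xml_text: str) -> bool:
    """A bare '&' inside element text is not well-formed XML and fails to parse."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    print(filter_to_xml(LDAP_FILTER))
    print("bare & parses:", is_well_formed(f"<filter>{LDAP_FILTER}</filter>"))
```

Writing the file through an XML library instead of by hand gets the `&amp;` right automatically; a hand-typed bare `&` produces a file that the parser rejects before any SQL update is attempted.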

Once I posted my questions and read through your 3 part series again it started clicking. I was able to answer my own questions. Thanks for the few clarifications. My CUCM database is now being populated with the data I want. Thank you very much! Once again, great blog.

William, hope all is well. Another DB question...possibly. Is there any way to modify my CUCM end user list (AD Integrated) so that instead of the Department ID (from the Organization tab) the Office field (from the General tab) in AD is what gets populated for my end users? Thanks,

Unfortunately, I don't believe this is possible. The department field in the End User table of the CUCM database is statically mapped to the AD attribute 'department'.

Regards,

Bill



Hi

I was wondering why you might want to use another field? Do you have a particular app that reads the CCM user DB that you would like to see the other information in?

Aaron


Aaron, I found out that the dept. ID has other business drivers in our company. Therefore, I am not allowed to modify that field and the values in there are not granular enough. However, our office field has the detailed information that I am looking for. My business driver is the Cisco Attendant Console application. From the department drop down menu within that application I wish my attendant console users could see that granularity. Right now it's more general and not as easy for them to direct calls. I was hoping there was some easy way to do this.

Aaron,

I am looking for a way to change the telephoneNumber field.  The client has the full number in that field in AD, so when you do a search in the Corporate Directory it yields xxx-xxx-xxxx instead of their 3 digit extension.  They want to keep the full 10 digit number for other applications pulling that information.  But, from what I am reading, we cannot change the mapping of the Telephone Number field to pull an extension for the Corporate Directory to be able to be dialed when searched.  Does that make sense?

Or, if there is a way that I can make Call Manager dial that extension from the Corporate Directory by dropping the first 7 digits, that would work too.  Transformation patterns or something?

Thanks for any input.

-Roy

Roy,

Wow. Talk about variety ;-). In regards to telephoneNumber mapping, you have two options with AD:

1. Map the AD attribute 'telephoneNumber'

2. Map the AD attribute 'ipPhone'

I typically use the latter because the AD guys hardly ever touch this field. The only thing that needs to be worked out is:

a. A routine to export user data in the telephoneNumber field, "chop" the digits to what the user stations can dial, and re-import the updated attribute information. Any AD admin should be able to accomplish this small task.

b. Slightly more difficult is working this custom "chop" and rewrite to the ipPhone attribute into your standard operating procedures for provisioning users. Again, a routine (manual, automated, pseudo-automated) could be developed easily.

Another option would be to use a custom Corporate Directory application which will present numbers that can be dialed from stations to the IP phone as part of the XML interchange. Basically, the custom corp. directory reads the full 10 and "chops" the dn appropriately. This is slightly more challenging than using the ipPhone attribute, but still not all that bad. I am doing this now for a customer that has different abbreviated dialing strings per-building. Fun.

HTH.

Regards,

Bill



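Option (a) above, the export, chop and re-import routine, as an added worked example (not from the thread or from any Cisco or Microsoft tool): it normalises ten-digit NANP telephoneNumber values to an extension and emits LDIF `replace: ipPhone` records that an LDIF importer can apply. The export records are constructed, DNs are assumed ASCII-only, and two checks a practitioner would want are included: values that cannot be chopped unambiguously are skipped for manual review, and two accounts that would end up with the same extension are reported as a collision instead of being written.

```python
"""Added example: derive ipPhone from telephoneNumber and emit LDIF for re-import."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed export records (the shape an ldifde/csvde export gives); invented data.
EXPORT: List[Dict[str, str]] = [
    {"dn": "CN=Roy,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": "555-123-4567"},
    {"dn": "CN=Ann,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": "+1 (555) 123-4890"},
    {"dn": "CN=Bob,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": "x4321"},  # already an extension
    {"dn": "CN=Svc,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": ""},  # nothing to derive
    {"dn": "CN=Eve,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": "555-123-4567 ext. 99"},  # ambiguous
    {"dn": "CN=Dan,OU=HQ,DC=EXAMPLE,DC=COM", "telephoneNumber": "555-987-4567"},  # collides with Roy
]


def to_extension(number: str, ext_len: int = 4) -> Optional[str]:
    """Chop a NANP number to its last ext_len digits.

    Accepts 10 digits, 1+10 digits, or an existing ext_len-digit extension.
    Anything else (empty, 'ext.' suffixes, other formats) returns None so a
    human reviews it rather than a wrong number being written to AD.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) == 10:
        return digits[-ext_len:]
    if len(digits) == ext_len:
        return digits
    return None


def ldif_replace(dn: str, attr: str, value: str) -> str:
    """One LDIF change record replacing attr on dn (ASCII-only DNs assumed)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n-\n"


def build_ldif(records, ext_len: int = 4) -> Tuple[str, List[str], Dict[str, List[str]]]:
    """Return (ldif_text, skipped_dns, collisions).

    collisions maps an extension to the DNs that would share it; those records
    are left out of the LDIF because two phones cannot own one extension.
    """
    derived: Dict[str, List[str]] = {}
    skipped: List[str] = []
    for rec in records:
        ext = to_extension(rec.get("telephoneNumber", ""), ext_len)
        if ext is None:
            skipped.append(rec["dn"])
        else:
            derived.setdefault(ext, []).append(rec["dn"])
    collisions = {ext: dns for ext, dns in derived.items() if len(dns) > 1}
    chunks = [ldif_replace(dn, "ipPhone", ext)
              for ext, dns in derived.items() if len(dns) == 1 for dn in dns]
    return "\n".join(chunks), skipped, collisions


if __name__ == "__main__":
    ldif, skipped, collisions = build_ldif(EXPORT)
    print(ldif)
    print("review manually:", skipped)
    print("collisions:", collisions)
```

The LDIF text is what you would feed to an importer such as `ldifde -i -f file.ldf` (assumed here as the import step; the thread does not name one); the skipped and collision lists are the part of the "routine" that needs a person. Run it against a copy of the export first, and only against the `ipPhone` attribute, so the ten-digit `telephoneNumber` the other applications depend on is never touched.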

Thanks Bill for the answer...but can I clarify something?

If Call Manager will pull from the ipPhone field...how do I change that in Call Manager to pull from that field?

Thanks.

CUCM > System > LDAP > LDAP Directory.  When you add a NEW entry, you have the opportunity to map "Phone Number" (or whatever attribute) to "ipPhone"

Michael

http://htluo.blogspot.com

Roy,

You can define the attribute mappings in the configuration page for your directory sync setup. Go to System>LDAP>LDAP Directory. When you add a directory agreement you will see all of the attributes CUCM is interested in and how they are mapped at the bottom of the page. Go to the telephone number mapping and click the dropdown option to change the AD attribute mapping.

HTH.

Regards,

Bill




Thanks Bill.  I guess since it is only on a new LDAP server where you can change it, I did not see that option.

Another quick question...if I setup a new LDAP server and want to delete the other one I have so that I can sync the correct fields I want, it warns me that all users will be deleted when I delete the old server.  Will that affect anything as far as having those users associated with phones and voicemail during the change to the new server?  Does that make sense?  I don't want to affect service during business hours...I wouldn't think it would, but I want to cover my bases at this point before I make any changes.

Thanks...
