LDAP Filter using AXL Toolkit not working

Answered Question
Apr 3rd, 2010

Per a previous post's instructions, I have tried to apply a filter so that if the IP phone field is not populated in AD, a user will not appear in the UCM user directory after sync.  We are trying to get this working in the lab before we apply it in production.  The problem is that after successfully applying the filter, users with no IP Phone are still showing up in UCM Users (I created new users after applying the filter with the IP phone field populated, then ran sync).


Running UCM 7.1(3).

AD Structure for lab                ou=UCM, dc=lab, dc=local

Our sample.xml file in the AXL toolkit directory is below, as is the command I run and a sample response, which completes successfully.  Anyone have any idea why users with the IP phone field blank are showing up in UCM after the filter is applied?

sample.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--DTD generated by XMLSPY v5 rel. 4 U (http://www.xmlspy.com)-->
<!DOCTYPE data [
    <!ELEMENT data (sql+)>
    <!ELEMENT sql EMPTY>
    <!ATTLIST sql
    query CDATA #IMPLIED
        update CDATA #IMPLIED
>
]>

<data>
<sql update="update ldapfilter set filter ='(&amp;(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1"/>
<sql query="select * from ldapfilter where tkldapserver=1"/>
</data>

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=Administrator -password=cisco1234 -host=172.16.3.5

---------------------------- update ldapfilter set filter ='(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLUpdateResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834064"><return><rowsUpdated>1</rowsUpdated></return></axl:executeSQLUpdateResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
---------------------------- select * from ldapfilter where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLQueryResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834907"><return><row><pkid>c8b4c680-ead1-43c0-a264-27da8142c539</pkid><tkldapserver>1</tkldapserver><filter>(&amp;(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))</filter></row></return></axl:executeSQLQueryResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>

Your help is appreciated.

Correct Answer by Aaron Harrison about 6 years 9 months ago

Hi

Not that I'm aware of..

Correct Answer by Aaron Harrison about 6 years 9 months ago

Hi

There is only one filter at a time in the DB; you update the one row with that query you ran.

To reset it run the same thing you did before, but set the filter back to the original one as listed in Bill's article (http://www.netcraftsmen.net/component/content/article/70-unified-communi...).

Aaron

Aaron Harrison Sat, 04/03/2010 - 06:36

Hi

When I did this I found that the change didn't take effect until I restarted the DirSync service; allowing/forcing a resync wasn't enough.

Regards

Aaron

Correct Answer
William Bell Sat, 04/03/2010 - 07:02

Aaron is correct (+5 for accuracy and quickness), after you modify the LDAP filter in the database you will need to restart the DirSync service.

Also, I think you may want to adjust your LDAP search query a bit from:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))

to:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

You don't need the logical "OR" for the ipPhone attribute.  Another way to read the statement:

    objectclass=user  AND

    NOT objectclass=Computer  AND

    NOT UserAccountControl:1.2.840.113556.1.4.803:=2 AND

    ipPhone=*

HTH.

Regards,

Bill

UCcomp2007 Sat, 04/03/2010 - 09:29

Appreciate the quick response from both.

I have followed the instructions (modified sample.xml per William's syntax, then restarted the DirSync service).  Still not working.  I then tried to use telephoneNumber, and that didn't work either.  Now even new users I create in AD with telephone and IP phone fields populated show up in UCM (not do any other new users with field blank).

Can you provide me the syntax I need in sample.xml to remove filters?  Once filters are removed, I'll re-run with only the syntax William suggested, then restart the DirSync service.

Thanks,

UCcomp2007 Sat, 04/03/2010 - 09:34

Also, while you were on the subject of LDAP, is there a way to purge users immediately from UCM (once you've removed them in AD)?  I believe the garbage collector (or whatever it's called) only runs every 24 hours, so purged accounts in AD will still show up in UCM for at least 24 hours.

Regards,

UCcomp2007 Sat, 04/03/2010 - 10:28

It's working.  Thanks to both.

Great article on AXL Toolkit, Bill.

Regards,

William Bell Sat, 04/03/2010 - 11:15

Glad to hear it's working for you. I am also glad you found the article on the AXL toolkit helpful.

Have a great weekend!

Regards,

Bill
