04-03-2010 06:21 AM - edited 03-15-2019 10:05 PM
Per previous posts' instructions I have tried to apply a filter so if IP phone field is not populated in AD, a user will not appear in UCM user directory after sync. We are trying to get this working in lab before we apply in production. Problem is after successfully applying filter, users with no IP Phone are still showing up in UCM Users (I created new users after applying filter with IP phone field populated, then ran sync).
Running UCM 7.1(3).
AD Structure for lab ou=UCM, dc=lab, dc=local
Our sample.xml file in the AXLtoolkit directory is below, as is the command I run and the sample response, which completes successfully. Anyone have any idea why users with IP phone field blank are showing up in UCM after filter applied?
sample.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--DTD generated by XMLSPY v5 rel. 4 U (http://www.xmlspy.com)-->
<!DOCTYPE data [
<!ELEMENT data (sql+)>
<!ELEMENT sql EMPTY>
<!ATTLIST sql
query CDATA #IMPLIED
update CDATA #IMPLIED
>
]>
<data>
<sql update="update ldapfilter set filter ='(&amp;(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1"/>
<sql query="select * from ldapfilter where tkldapserver=1"/>
</data>
java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=Administrator -password=cisco1234 -host=172.16.3.5
---------------------------- update ldapfilter set filter ='(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLUpdateResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834064"><return><rowsUpdated>1</rowsUpdated></return></axl:executeSQLUpdateResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
---------------------------- select * from ldapfilter where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLQueryResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834907"><return><row><pkid>c8b4c680-ead1-43c0-a264-27da8142c539</pkid><tkldapserver>1</tkldapserver><filter>(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))</filter></row></return></axl:executeSQLQueryResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
Your help is appreciated.
04-03-2010 06:36 AM
Hi
When I did this I found that the change didn't take effect until I restarted the DirSync service; allowing/forcing a resync wasn't enough.
Regards
Aaron
04-03-2010 07:02 AM
Aaron is correct (+5 for accuracy and quickness), after you modify the LDAP filter in the database you will need to restart the DirSync service.
Also, I think you may want to adjust your LDAP search query a bit from:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))
to:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))
You don't need the logical "OR" for the ipPhone attribute. Another way to read the statement:
objectclass=user AND
NOT objectclass=Computer AND
NOT UserAccountControl:1.2.840.113556.1.4.803:=2 AND
ipPhone=*
HTH.
Regards,
Bill
Please remember to rate helpful responses and identify
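As an added example (not from the thread or from Cisco's tooling), this small Python evaluator for the filter subset used above shows that the original and simplified filters select the same users. The directory entries and the `synced` helper are constructed for illustration, and an absent attribute is treated as a plain non-match.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: all bits of the value are set

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = f.index(")", i)
        m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:end])
        if not m:
            raise ValueError(f"bad filter item {f[i:end]!r}")
        node = ("item", m.group(1).lower(), m.group(2), m.group(3))
        i = end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attr -> list of str)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr, [])
    if rule == BIT_AND:  # userAccountControl bit 2 = account disabled
        return any(int(v) & int(value) == int(value) for v in have)
    if value == "*":     # presence test: the attribute has any value
        return bool(have)
    return any(v.lower() == value.lower() for v in have)

def synced(filter_text, directory):
    """Names of the entries a directory sync would import under this filter."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [name for name, e in directory.items() if matches(node, e)]

ORIGINAL = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))"
SIMPLIFIED = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))"
DIRECTORY = {  # constructed sample entries, not real accounts
    "alice": {"objectclass": ["person", "user"], "useraccountcontrol": ["512"], "ipphone": ["1001"]},
    "bob": {"objectclass": ["person", "user"], "useraccountcontrol": ["512"]},
    "carol": {"objectclass": ["person", "user"], "useraccountcontrol": ["514"], "ipphone": ["1003"]},
    "LAB-PC1$": {"objectclass": ["user", "computer"], "useraccountcontrol": ["4096"]},
}
```

Calling `synced(ORIGINAL, DIRECTORY)` and `synced(SIMPLIFIED, DIRECTORY)` returns the same list: only the enabled user with `ipPhone` populated.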
04-03-2010 09:29 AM
Appreciate the quick response from both.
I have followed instructions (modified sample.xml per William's syntax, then restarted dirsync service). Still not working. I then tried to use telephonNumber, and that didn't work either. Now even new users I create in AD with telephone and IP phone fields populated show up in UCM (not do any other new users with field blank).
Can you provide me the syntax I need in sample.xml to remove filters? Once filters are removed, I'll re-run with only syntax William suggested, then restart dirsync service.
Thanks,
04-03-2010 09:34 AM
Also while you were on the subject of LDAP, is there a way to purge users immediately from UCM (once you've removed in AD)? I believe the garbage collector (or whatever it's called) only runs every 24 hours, so purged accounts in AD will still show up in UCM for at least 24 hours.
Regards,
04-03-2010 09:52 AM
Hi
Not that I'm aware of..
04-03-2010 09:52 AM
Hi
There is only one filter at a time in the DB; you update the one row with that query you ran.
To reset it run the same thing you did before, but set the filter back to the original one as listed in Bill's article (http://www.netcraftsmen.net/component/content/article/70-unified-communications/742-axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html).
Aaron
04-03-2010 10:28 AM
It's working. Thanks to both.
Great article on AXL Toolkit, Bill.
Regards,
04-03-2010 11:15 AM
Glad to hear it's working for you. I am also glad you found the article on the AXL toolkit helpful.
Have a great weekend!
Regards,
Bill
Please remember to rate helpful responses and identify