LDAP Filter using AXL Toolkit not working

UCcomp2007
Level 2

Per a previous post's instructions, I have tried to apply a filter so that if the IP phone field is not populated in AD, a user will not appear in the UCM user directory after sync. We are trying to get this working in the lab before we apply it in production. The problem is that after successfully applying the filter, users with no IP phone are still showing up in UCM Users (I created new users after applying the filter with the IP phone field populated, then ran a sync).


Running UCM 7.1(3).

AD structure for lab: ou=UCM, dc=lab, dc=local

Our sample.xml file in the AXL toolkit directory is below, as is the command I run and the sample response, which completes successfully. Does anyone have any idea why users with the IP phone field blank are showing up in UCM after the filter is applied?

sample.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--DTD generated by XMLSPY v5 rel. 4 U (http://www.xmlspy.com)-->
<!DOCTYPE data [
    <!ELEMENT data (sql+)>
    <!ELEMENT sql EMPTY>
    <!ATTLIST sql
    query CDATA #IMPLIED
        update CDATA #IMPLIED
>
]>

<data>
<sql update="update ldapfilter set filter ='(&amp;(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1"/>
<sql query="select * from ldapfilter where tkldapserver=1"/>
</data>

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=Administrator -password=cisco1234 -host=172.16.3.5

---------------------------- update ldapfilter set filter ='(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))' where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLUpdateResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834064"><return><rowsUpdated>1</rowsUpdated></return></axl:executeSQLUpdateResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
---------------------------- select * from ldapfilter where tkldapserver=1 ----------------------------
<?xml version="1.0" encoding="UTF-8" standalone="no"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header/><SOAP-ENV:Body><axl:executeSQLQueryResponse xmlns:axl="http://www.cisco.com/AXL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1270299834907"><return><row><pkid>c8b4c680-ead1-43c0-a264-27da8142c539</pkid><tkldapserver>1</tkldapserver><filter>(&amp;(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))</filter></row></return></axl:executeSQLQueryResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>

Your help is appreciated.

Aaron Harrison
VIP Alumni

Hi

When I did this I found that the change didn't take effect until I restarted the DirSync service; allowing/forcing a resync wasn't enough.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Aaron is correct (+5 for accuracy and quickness), after you modify the LDAP filter in the database you will need to restart the DirSync service.

Also, I think you may want to adjust your LDAP search query a bit from:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))

to:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

You don't need the logical "OR" for the ipPhone attribute.  Another way to read the statement:

    objectclass=user  AND

    NOT objectclass=Computer  AND

    NOT UserAccountControl:1.2.840.113556.1.4.803:=2 AND

    ipPhone=*

HTH.

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
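
The filter logic described in the reply above, as an added example that is not part of the original thread: a small Python evaluator for the two filter strings, run over constructed directory entries, showing that both forms select the same users and how the `1.2.840.113556.1.4.803` bitwise-AND rule excludes disabled accounts. The entries and the names `parse`, `matches` and `synced` are assumptions made for illustration; this models standard LDAP filter semantics, not the DirSync service itself.

```python
# Added example: minimal LDAP filter evaluator (&, |, !, attr=*, attr=value, AD bitwise AND).
BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: true when all bits of the value are set

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        assert s[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("item", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    name, _, rule = attr.partition(":")          # "attr:OID:" -> name, matching rule
    values = entry.get(name.lower(), [])
    if rule.rstrip(":") == BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if value == "*":                              # presence test: attribute must be populated
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {  # constructed sample entries, not taken from the thread
    "alice": {"objectclass": USER, "useraccountcontrol": ["512"], "ipphone": ["1001"]},
    "bob": {"objectclass": USER, "useraccountcontrol": ["512"]},                      # no ipPhone
    "carol": {"objectclass": USER, "useraccountcontrol": ["514"], "ipphone": ["1003"]},  # disabled (bit 2)
    "LABPC1$": {"objectclass": USER + ["computer"], "useraccountcontrol": ["4096"], "ipphone": ["1004"]},
}
ORIGINAL = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=*)))"
SIMPLIFIED = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))"

def synced(filter_text):
    """Return the sorted names of the sample entries that the filter would select."""
    tree, end = parse(filter_text)
    assert end == len(filter_text), "trailing characters after filter"
    return sorted(name for name, e in ENTRIES.items() if matches(tree, e))
```

Checking a filter this way before writing it to the ldapfilter table separates filter-logic mistakes from the service-restart issue discussed in the thread.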

Appreciate the quick response from both.

I have followed the instructions (modified sample.xml per William's syntax, then restarted the DirSync service). Still not working. I then tried to use telephonNumber, and that didn't work either. Now even new users I create in AD with telephone and IP phone fields populated show up in UCM (not do any other new users with field blank).

Can you provide me the syntax I need in sample.xml to remove filters? Once filters are removed, I'll re-run with only the syntax William suggested, then restart the DirSync service.

Thanks,

Also, while you were on the subject of LDAP, is there a way to purge users immediately from UCM (once you've removed them in AD)? I believe the garbage collector (or whatever it's called) only runs every 24 hours, so purged accounts in AD will still show up in UCM for at least 24 hours.

Regards,

Hi

Not that I'm aware of..

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Hi

There is only one filter at a time in the DB; you update the one row with that query you ran.

To reset it run the same thing you did before, but set the filter back to the original one as listed in Bill's article (http://www.netcraftsmen.net/component/content/article/70-unified-communications/742-axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html).

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

It's working.  Thanks to both.

Great article on the AXL Toolkit, Bill.

Regards,

Glad to hear it's working for you. I am also glad you found the article on the AXL toolkit helpful.

Have a great weekend!

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
