CUCM LDAP Change from SAM to UPN

Apr 28th, 2010

Hello,

I currently have domain1.com integrated with CUCM using LDAP and am authenticating against it for ccmuser and UCCX.

Another tree in the AD forest is being added and I need to provide CUCM authentication against it.  For example, domain1.com exists now, and domain2.com is being added.  A trust relationship exists between the two.

I have imported users from domain2.com.  That part is fine.  I simply cannot authenticate the domain2.com users.

I am currently importing based upon samAccountName, and believe I should use UPN, and authenticate against a GC.

The question is, since I am currently using samAccountName, if I convert everything to UPN, will all of the end-user account settings carry over to the UPN when the accounts are re-imported?  Likewise, will the settings that are currently listed for the agents in UCCX change or carry over after the change from samAccountName to UPN?

I'm hopeful that CUCM sees these accounts as the same even though the userID will have changed.

I'm on CUCM 7.02-20000-5, and UCCX 7.01SR1.

Thanks,
Jeff

William Bell Wed, 04/28/2010 - 09:14

All good questions. Unfortunately, I don't think that the CUCM will make the association you are hoping it does. If you change the mapping for the CUCM user id to the UPN in AD, the next run of DirSync will see the users as "new" users and existing users will be flagged for deletion.

At least that is what I expect would happen. I haven't tested with UPN myself, but when I have changed the user id mapping to another value (like telephoneNumber) my users were disassociated and flagged for deletion. What I did was export existing CUCM end user data (via BAT) and import the data in Excel. Then I exported data from AD, did a mapping and changed the user id value in my Excel sheet. I saved it to a CSV and re-imported it (with device associations, primary extensions, etc.). At this point I had increased my end user table by 2 times. Then I changed the AD attribute and the "old" user IDs were flagged to be deleted. 24 hours later, I was back to the same user count and using the new attribute value.

So, that is my take/understanding on the topic.

HTH.

Regards,

Bill
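
The spreadsheet remap described in the post above, sketched as an added example (not code from the thread or from Cisco tooling). The CSV column names and sample rows are constructed assumptions, not the real BAT or AD export layout. It refuses to guess when a sAMAccountName matches accounts in more than one domain, since a wrong match would attach one person's devices and extension to another person's login.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not the real BAT/AD layout.
CUCM_EXPORT = """USER ID,PRIMARY EXTENSION,CONTROLLED DEVICE
jsmith,1001,SEP001122334455
mlee,1002,SEP001122334466
tghost,1003,SEP001122334477
"""
AD_EXPORT = """sAMAccountName,userPrincipalName
jsmith,jsmith@domain1.com
mlee,mlee@domain1.com
mlee,mlee@domain2.com
"""

def remap_user_ids(cucm_csv, ad_csv):
    """Return (remapped_rows, problems) for a SAM -> UPN user ID change."""
    upns = {}  # lower-cased sAMAccountName -> set of UPNs seen across the forest
    for row in csv.DictReader(io.StringIO(ad_csv)):
        key = row["sAMAccountName"].lower()
        upns.setdefault(key, set()).add(row["userPrincipalName"].lower())
    remapped, problems = [], []
    for row in csv.DictReader(io.StringIO(cucm_csv)):
        old_id = row["USER ID"]
        candidates = upns.get(old_id.lower(), set())
        if len(candidates) == 1:
            # Exactly one account in the forest: safe to carry settings over.
            remapped.append({**row, "USER ID": next(iter(candidates))})
        elif not candidates:
            problems.append((old_id, "no AD match"))
        else:
            # Same SAM name in several domains: needs a human decision.
            problems.append((old_id, "ambiguous: " + ", ".join(sorted(candidates))))
    return remapped, problems

def to_csv(rows):
    """Serialize remapped rows for re-import, keeping the original column order."""
    out = io.StringIO()
    if rows:
        writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, problems = remap_user_ids(CUCM_EXPORT, AD_EXPORT)
    print(to_csv(rows), end="")
    for user_id, reason in problems:
        print(f"REVIEW {user_id}: {reason}")
```

Rows listed under REVIEW are left out of the re-import file so they can be resolved by hand before the user ID attribute is switched.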

jeff.heckart Wed, 04/28/2010 - 09:20

Bill,

Thanks for the response.  I was afraid that this might be the case.

I can deal with the export/import of the CUCM user data, but I'm more worried about a large contact center with complex skills.  I'm not yet sure how I can deal with those.

jeff.heckart Thu, 04/29/2010 - 04:03

I did lab this out last night.  I actually found that moving from SAM to UPN and back would retain account settings.  Here's the process I used:

- Turn off LDAP Sync - All Users go Inactive

- Change to UPN

- Turn on LDAP Sync

- Re-add LDAP directory

All users will go active and are not duplicated.  In other words, if I have user1 before the process begins, user1 simply becomes [email protected].  Furthermore, if user1 changes to domain2, the account simply becomes [email protected].  The settings were retained through the entire process.

Thanks.

econstantinou Wed, 06/08/2011 - 02:08

Hi Jeff,

  

I am trying to change the LDAP Authentication from SAM to UPN in order to support sub-domains in our organization (using CUCM 8, UCCX, Presence and UCNX)

LDAP Directory changed successfully exactly as you did and the user1 becomes [email protected]

For LDAP authentication I used CN=user1,ou=users1,dc=domain1,dc=com to work and CM accepted the settings.

But I can only authenticate users on domain1. What type of user do I need in order to read all AD forest?

Regards,

  Elias

OK, I found the solution to my answer - Use port 3268 Global Catalog for LDAP authentication

mjerickson Fri, 02/03/2012 - 10:42

After changing from SAM to UPN, were the UCCX users required to log in with SAM or UPN?  Our UCCX uses CUCM as its AXL provider.

Thanks.

Chris Deren Fri, 02/03/2012 - 10:56

Mike,

UCCX agents will need to log in with whatever is mapped to userID in CUCM LDAP integration, so if you changed it from SAM to UPN then UPN will need to be entered as agent ID.

HTH,

Chris
