
CUCM LDAP Change from SAM to UPN

jeff.heckart
Level 1

Hello,

I currently have domain1.com integrated with CUCM using LDAP and am authenticating against it for ccmuser and UCCX.

Another tree in the AD forest is being added and I need to provide CUCM authentication against it.  For example, domain1.com exists now, and domain2.com is being added.  A trust relationship exists between the two.

I have imported users from domain2.com.  That part is fine.  I simply cannot authenticate the domain2.com users.

I am currently importing based upon samAccountName, and believe I should use UPN, and authenticate against a GC.

The question is, since I am currently using samAccountName, if I convert everything to UPN, will all of the end-user account settings carry over to the UPN when the accounts are re-imported?  Likewise, will the settings that are currently listed for the agents in UCCX change or carry over after the change from samAccountName to UPN?

I'm hopeful that CUCM sees these accounts as the same even though the userID will have changed.

I'm on CUCM 7.02-20000-5, and UCCX 7.01SR1.

Thanks,
Jeff

6 Replies

William Bell
VIP Alumni

All good questions. Unfortunately, I don't think that the CUCM will make the association you are hoping it does. If you change the mapping for the CUCM user id to the UPN in AD, the next run of DirSync will see the users as "new" users and existing users will be flagged for deletion.

At least that is what I expect would happen. I haven't tested with UPN myself, but when I have changed the user id mapping to another value (like telephoneNumber) my users were disassociated and flagged for deletion. What I did was export existing CUCM end user data (via BAT) and import the data in Excel. Then I exported data from AD, did a mapping and changed the user id value in my Excel sheet. Saved it to a CSV and re-imported it (with device associations, primary extensions, etc.). At this point I have increased my end user table by 2 times. Then I changed the AD attribute and the "old" user IDs were flagged to be deleted. 24 hours later, I was back to the same user count and using the new attribute value.

So, that is my take/understanding on the topic.

HTH.

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
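
The mapping step Bill describes above (rewriting the user ID column of a CUCM BAT export from sAMAccountName to UPN using an AD export), as an added example that is not part of the original thread. The CSV column names and sample rows are constructed assumptions, not the real BAT or AD export headers; the script also flags IDs with no AD match and sAMAccountNames that exist in more than one domain, which need a manual decision before re-import.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not real BAT/AD export headers.
CUCM_EXPORT = """USER ID,PRIMARY EXTENSION,DEVICE
user1,1001,SEP001122334455
user2,1002,SEP00112233AABB
Jsmith,1003,SEP0011223344CC
ghost,1004,SEP0011223344DD
"""
AD_EXPORT = """sAMAccountName,userPrincipalName
user1,user1@domain1.com
user2,user2@domain1.com
jsmith,jsmith@domain1.com
jsmith,jsmith@domain2.com
"""

def remap_user_ids(cucm_csv, ad_csv, id_col="USER ID"):
    """Return (rows_with_upn, unmatched_ids, ambiguous_ids)."""
    upns = {}
    for row in csv.DictReader(io.StringIO(ad_csv)):
        # sAMAccountName is only unique per domain, so keep every UPN seen for it.
        key = row["sAMAccountName"].strip().lower()
        upns.setdefault(key, set()).add(row["userPrincipalName"].strip())
    remapped, unmatched, ambiguous = [], [], []
    for row in csv.DictReader(io.StringIO(cucm_csv)):
        old_id = row[id_col].strip()
        candidates = upns.get(old_id.lower(), set())
        if not candidates:
            unmatched.append(old_id)      # no AD account: do not re-import blindly
        elif len(candidates) > 1:
            ambiguous.append(old_id)      # same name in two domains: manual review
        else:
            # Keep every other column (extension, device) and swap only the ID.
            remapped.append({**row, id_col: next(iter(candidates))})
    return remapped, unmatched, ambiguous

def to_csv(rows):
    """Serialize the remapped rows back to CSV text for re-import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, unmatched, ambiguous = remap_user_ids(CUCM_EXPORT, AD_EXPORT)
    print(to_csv(rows), end="")
    print("unmatched:", unmatched, "ambiguous:", ambiguous)
```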

Bill,

Thanks for the response.  I was afraid that this might be the case.

I can deal with the export/import of the CUCM user data, but I'm more worried about a large contact center with complex skills.  I'm not yet sure how I can deal with those.

I did lab this out last night.  I actually found that moving from SAM to UPN and back would retain account settings.  Here's the process I used:

- Turn off LDAP Sync - All Users go Inactive

- Change to UPN

- Turn on LDAP Sync

- Re-add LDAP directory

All users will go active and are not duplicated.  In other words, if I have user1 before the process begins, user1 simply becomes user1@domain1.com.  Furthermore, if user1 changes to domain2, the account simply becomes user1@domain2.com.  The settings were retained through the entire process.

Thanks.

Hi Jeff,

  

I am trying to change the LDAP Authentication from SAM to UPN in order to support sub-domains in our organization (using CUCM 8, UCCX, Presence and UCNX).

The LDAP Directory changed successfully, exactly as you did, and user1 becomes user1@domain1.com.

For LDAP authentication I used CN=user1,ou=users1,dc=domain1,dc=com to work and CM accepted the settings.

But I can only authenticate users on domain1. What type of user do I need in order to read the entire AD forest?

Regards,

  Elias

OK, I found the solution to my answer - use port 3268 Global Catalog for LDAP authentication.

mjerickson
Level 1

After changing from SAM to UPN, were the UCCX users required to log in with SAM or UPN?  Our UCCX uses CUCM as its AXL provider.

Thanks.

Mike,

UCCX agents will need to log in with whatever is mapped to userID in CUCM LDAP integration, so if you changed it from SAM to UPN then UPN will need to be entered as agent ID.

HTH,

Chris
