CUCM 7.1.3 and LDAP integration

Answered Question
May 19th, 2010

Hello,

I have CUCM V7.1.3 with local users. We are now considering integrating user management with LDAP, which is Windows 2003 in our network. We have more than 20 different business units spanning more than 20 offices. However, only six of these offices are part of the centralized IPT. The problem is our AD users are grouped based on business units. For example, the users in the Atlanta office may be in six different OUs and CUCM has a limit of five LDAP directories. Is there a way in LDAP to search users based on AD Security group?

Any suggestions will be appreciated.

Mark

Correct Answer
William Bell Wed, 05/19/2010 - 13:33

You could leverage LDAP filters and an AD attribute (or several attributes) to filter the user objects that will be synchronized. With 7.1(3) you would need to use the AXL API to modify the LDAP filter. With 8.x the CCMAdmin portal includes an interface to modify this parameter. I did a write-up on the pre-8.x approach here:

http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updat...
cucm-dirsync-ldap-filter-by-example.html

HTH.

Regards,
Bill

Please remember to rate helpful posts.

markcarat Thu, 05/20/2010 - 08:32

Hi William,

Thank you for your information.  How could I modify the LDAP filter in CUCM 7.x?

Appreciate your help.

Mark

Correct Answer
William Bell Thu, 05/20/2010 - 09:37

Mark,

The link I provided should give you a working example on how you would go about updating the LDAP filter used by a CUCM system running 7.1. The example focuses on the Cisco-provided AXL SQL Query toolkit (download plugin). But the Cisco AXL/SOAP API can be accessed in multiple ways. You may also be able to execute a SQL update from a command line. I believe I have done that in my lab but I don't recall which version and I am unable to test now. The query syntax would be identical to what I provided in the URL referenced in my last post.

HTH.

Regards,
Bill

Rafael Chavantes Tue, 06/22/2010 - 05:52

William,

when trying to run the command below I'm receiving the following error:

C:\axlsqltoolkit>java AxlSqlToolkit -input=test.xml -username=ccmadministrator -password=C1$coC1$co -host=10.3.3.20
Exception in thread "main" java.lang.NoClassDefFoundError: AxlSqlToolkit
Caused by: java.lang.ClassNotFoundException: AxlSqlToolkit
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: AxlSqlToolkit.  Program will exit.


It seems that it is something related to the Java class path. If you have any idea on how to solve this, that would be great.
Aaron Harrison Tue, 06/22/2010 - 06:03

Hi Rafael

A good place to start here is the readme.txt file that is in the AxlSqlToolkit directory - launch it like so to set the required classpath entries etc, substituting your own parameters for user/host/password etc.

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

From a linux system, run the following:

java -cp ./classes:./lib/saaj-api.jar:./lib/saaj-impl.jar:./lib/mail.jar:./lib/activation.jar:./lib/jaxm-api.jar:./lib/jaxm-runtime.jar:./lib/xercesImpl.jar:./lib/xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

Regards

Aaron

Please rate helpful posts...

William Bell Tue, 06/22/2010 - 06:12

Rafael,

You need to add the appropriate values to your class path environment variable OR you can specify the class path when running the java executable.  There is a README.txt file that is included in the AXL SQL Toolkit download.  I recommend taking a look at that.  The java path as provided in this read me file is as follows:

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=userid -password=password -host=x.x.x.x -input=test.xml

HTH.


Regards,
Bill

Bruno rangel Fri, 06/18/2010 - 11:13

Hi William

I need to perform the search on only a specific group.

When I set my search base to the whole root,
dc=mydomain, dc=com, dc=br

it shows me all users in Active Directory.

But I have to look at the following group:
cn=Telefonia_Cisco, ou=Global!, ou=Groups, ou=EscritorioCentral, ou=mydomain, dc=mydomain, dc=com, dc=br

Is it possible?

Dennis Aston Tue, 06/22/2010 - 06:01

It would be best not to hijack somebody else's thread, but to answer your question, yes you can set the search root to something other than the domain root.  I am not sure if there are limitations on search root depth (how far into the tree you can go, yours looks pretty long compared to what we are using, which I know works).  It is possible however.

Bruno rangel Tue, 06/22/2010 - 06:17

So I create a group to search this:
ou=Group, ou=Global!, ou=Groups, ou=EscritorioCentral, ou=mydomain, dc=mydomain, dc=com, dc=br

This document says to create a separate OU:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42drctry.html

"This attribute is the distinguished name pointer to another object in the directory, which contains the user's application-specific profile. This approach minimizes the impact on the core User object, and all the application-specific information can be stored in a separate organizational unit (OU) within the directory, usually called the Cisco subtree, CISCOBASE, or Cisco Directory Information Tree"

Aaron Harrison Tue, 06/22/2010 - 06:25

Hi Bruno

Firstly, you need to read the documentation for the version of software you are deploying - either you're reading the wrong document (in which case take a look at the SRND Directory Integration chapter for CM 7.0 : https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html), or you are actually planning on doing directory integration on CM4.2 (which is a BAD IDEA).

Secondly, you can't filter the results of the Directory Sync by pointing it at a group.

Your options are:

1) Point at any single OU in your domain, and allow it to sync anything below that in the directory tree

2) Point at multiple separate OUs in your domain, and include subtree again

3) Point at the root of the domain and include everything

Separate from the OU that you use as your base, you can then apply permissions within your LDAP directory to prevent the user account used to perform the synchronisation from being able to see portions of the directory.

Regards

Aaron

Please rate helpful posts...

Dennis Aston Tue, 06/22/2010 - 06:26

You keep using the word Group.  As in an Active Directory or LDAP group?  I have only seen it as described in your quote you pasted in below, where the server was looking at the dn (Distinguished Name) characteristic on the user in the specified OU.

Rafael Chavantes Tue, 06/22/2010 - 06:32

William and Aaron,

Thanks for the quick response. I already took a look at the readme file and it seems that the previous problem is corrected, but now I'm facing this after sending the command William sent me:

java.io.FileNotFoundException: -input:test.xml (The system cannot find the file specified)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(Unknown Source)
        at java.io.FileInputStream.<init>(Unknown Source)
        at AxlSqlToolkit.execute(AxlSqlToolkit.java:188)
        at AxlSqlToolkit.main(AxlSqlToolkit.java:244)

C:\axlsqltoolkit>dir
Volume in drive C has no label.
Volume Serial Number is 70AD-4869

Directory of C:\axlsqltoolkit

06/22/2010  10:16 AM              .
06/22/2010  10:16 AM              ..
06/21/2010  05:59 PM              classes
06/21/2010  05:59 PM              lib
01/03/2007  04:24 AM             2,526 README.txt
06/22/2010  10:21 AM                 0 sample.response
02/09/2005  03:48 PM               501 sample.xml
06/21/2010  05:59 PM              schema
06/21/2010  05:59 PM              src
06/21/2010  06:01 PM               221 test.xml

Any idea?

Sorry about these questions, but I really need to do this and have no knowledge at all of this Java/SQL world.

Rafael Chavantes Wed, 06/23/2010 - 06:15

Hi Guys,

Does anyone have an idea on how to help me? I'm running the commands but it is saying that it cannot find the test.xml file.

Aaron Harrison Wed, 06/23/2010 - 06:22

Hi

Try specifying the full path to the file in the -input parameter.

Failing that, post back where you are running the java command from, and where your xml file is, etc.

Regards

Aaron

William Bell Wed, 06/23/2010 - 07:31

Actually,  I had a typo in my original reply to you.  It isn't -input: it is -input=.  Not sure how the colon slipped from my brain to my keyboard, but it was clearly a demonstration of PEBCAK ;-)   Try your command with -input= and see if that works.

Regards,
Bill

Rafael Chavantes Wed, 06/23/2010 - 09:50

William,

Thanks for the update, it worked but now I'm facing a new problem.

When running the command I'm receiving some errors that seem to be from Java.

Thanks one more time for the support from you; I could not find support for this anywhere.

The output for the command is attached.

William Bell Wed, 06/23/2010 - 10:16

Rafael,

Can you post the command you executed, with all parameters?   Also, can you please check to see if you have the Cisco AXL Web Service activated.  This service is required for the AXL Query Toolkit to operate correctly.  To check:

1. go to https://cucmpublisherIP/ccmservice

2. go to Tools-->Service Activation

3. select the publisher node from the server list

4. scroll down and look for "Cisco AXL Web Service"

HTH.

Regards,
Bill

Please remember to rate helpful posts.

Rafael Chavantes Wed, 06/23/2010 - 10:32

Bill,

Thanks for the support it seems to be worked:

Follows the output:

Positive response received.
---------------------
http://schemas.xmlsoap.org/soap/envelope/" SO
AP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
r/>http://www.cisco.com/A
XL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1277
314165608">Microsoft Active Directory1lter>(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.
840.113556.1.4.803:=2)))Netscape or Sun ONE LDAP Serve
r2(objectclass=inetOrgPerson)me>OpenLDAP3(objectclass=inetOrgPerson)w>Microsoft Active Directory Application Mode4lter>(&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisable
d=TRUE)))<
/SOAP-ENV:Envelope>
---------------------

This is the answer we are expecting, right?

Rafael Chavantes Wed, 06/23/2010 - 11:06

Bill,

One last question ( I hope lol).

I need to create a filter that only returns users that have the field ipPhone not equal to null.

I've made a possible solution and would like to know if it is right or not.
<?xml version="1.0" encoding="UTF-8"?>

       where tkldapserver=1"/>
     
William Bell Wed, 06/23/2010 - 11:54

Rafael,

You could try this LDAP query:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

HTH.


Regards,
Bill

Rafael Chavantes Wed, 06/23/2010 - 14:19

Guys,

Just to get you excited lol!

I'm facing a new challenge, we have some conference rooms, lobby phones that do not have an AD account, how can I make them appear on the Corporate Directory?

My idea was using the contacts on AD.

So if I create a contact it will read and publish it. So I made this:

Microsoft Active Directory                  1    (&(objectclass=user)(objectclass=contact)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

but it didn't work. Any idea on how to tell the filter that if it is a user or a contact to apply those filters?

Aaron Harrison Wed, 06/23/2010 - 14:40

  (&(|(objectclass=user)(objectclass=contact))(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

You have your objectclass=user and objectclass=contact ANDed, instead of ORed, if you get my drift...

Regards

Aaron

Please rate helpful posts!
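As an added example (not code from the thread, from Cisco or from the AXL toolkit), this Python evaluates Bill's filter, Rafael's ANDed version and Aaron's ORed version against a few constructed AD-style objects, including a disabled account and a computer object, so the effect of each clause shows up as the list of entries DirSync would pick up. The parser, the entry dicts and their attribute values are assumptions made for the demo.

```python
BIT_AND_RULE = ":1.2.840.113556.1.4.803:="  # AD LDAP_MATCHING_RULE_BIT_AND


def parse(filt):
    """Parse an RFC 4515-style filter string into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = filt[pos]
        if op in "&|!":                    # compound item: (&...) (|...) (!...)
            pos += 1
            kids = []
            while filt[pos] == "(":
                kids.append(node())
            pos += 1                       # consume the closing ')'
            return (op, kids)
        end = filt.index(")", pos)         # simple item, e.g. ipPhone=*
        expr, pos = filt[pos:end], end + 1
        if BIT_AND_RULE in expr:           # attr:1.2.840.113556.1.4.803:=mask
            attr, mask = expr.split(BIT_AND_RULE, 1)
            return ("bitand", attr, int(mask))
        attr, val = expr.split("=", 1)
        return ("present", attr) if val == "*" else ("eq", attr, val)

    tree = node()
    if pos != len(filt):
        raise ValueError("trailing data after filter")
    return tree


def match(tree, entry):
    """Evaluate a parsed filter against one entry (dict with lower-case keys)."""
    kind = tree[0]
    if kind == "&":
        return all(match(k, entry) for k in tree[1])
    if kind == "|":
        return any(match(k, entry) for k in tree[1])
    if kind == "!":
        return not match(tree[1][0], entry)
    vals = entry.get(tree[1].lower(), [])  # attribute names are case-insensitive
    vals = vals if isinstance(vals, list) else [vals]
    if kind == "present":
        return bool(vals)
    if kind == "eq":                       # objectclass values compare case-insensitively
        return any(str(v).lower() == tree[2].lower() for v in vals)
    # bitand: true when every bit of the mask is set in the attribute value
    return any((int(v) & tree[2]) == tree[2] for v in vals)


def sync_candidates(filt, entries):
    """Return the cn of every entry DirSync would pick up under this filter."""
    tree = parse(filt)
    return [e["cn"] for e in entries if match(tree, e)]


# Constructed sample objects, not real directory data. userAccountControl 512 is
# NORMAL_ACCOUNT, 514 adds ACCOUNTDISABLE (bit 2), 4096 is WORKSTATION_TRUST_ACCOUNT.
# AD derives computer from user, so SRV01 also matches objectclass=user.
ENTRIES = [
    {"cn": "alice", "objectclass": ["top", "person", "user"], "useraccountcontrol": 512, "ipphone": "2001"},
    {"cn": "bob", "objectclass": ["top", "person", "user"], "useraccountcontrol": 514, "ipphone": "2002"},
    {"cn": "carol", "objectclass": ["top", "person", "user"], "useraccountcontrol": 512},
    {"cn": "Lobby Phone", "objectclass": ["top", "person", "contact"], "ipphone": "2100"},
    {"cn": "SRV01", "objectclass": ["top", "person", "user", "computer"], "useraccountcontrol": 4096, "ipphone": "9999"},
]

NOT_DISABLED = "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
BILL_FILTER = "(&(objectclass=user)(!(objectclass=Computer))" + NOT_DISABLED + "(ipPhone=*))"
ANDED_FILTER = "(&(objectclass=user)(objectclass=contact)(!(objectclass=Computer))" + NOT_DISABLED + "(ipPhone=*))"
ORED_FILTER = "(&(|(objectclass=user)(objectclass=contact))(!(objectclass=Computer))" + NOT_DISABLED + "(ipPhone=*))"
```

Calling `sync_candidates(ANDED_FILTER, ENTRIES)` returns nothing because no object is both a user and a contact, while the ORed form returns the enabled user with an ipPhone plus the contact, and the computer object is dropped only because of the explicit objectclass=Computer exclusion.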

William Bell Wed, 06/23/2010 - 14:48

Aaron's query is correct (+5 to the A-Team, haha).  Though, I have to wonder does a contact have values for the other attributes that you may be synchronizing from?  I haven't looked at the schema for a contact, I am wondering aloud if there is another hurdle to contend with.  For instance, if you are using samAccountName as the user ID I don't think contacts have samAccountNames (I could be way off and I can't check at the present moment).  Anyway, if I am correct then your sync could fail.   Same is true if other attributes don't line up.  Though, the attribute that is used for the unique ID is key as is the "last name" field (I am assuming your recent dilemma is to display phones in the corporate directory).

Again,  just thinking out loud.  May want to consider these things before doing this in production.

HTH.


Regards,
Bill

Aaron Harrison Wed, 06/23/2010 - 14:54

Hey Bill

Good thinking (+5); I have tampered with contacts myself in the lab and you are correct in saying if you use sAMAccountName, no dice - same for UPN, but other attributes (telephoneNumber, employeeNumber, ipPhone) are present and correct, so with a last name all should be well.

You can actually use contacts as EM-users as well, which could be useful (as PIN is stored in CCM; no access to password-things like CCMUser tho).

Previous post on this topic : https://supportforums.cisco.com/message/3042759#3042759

Regards

Aaron

Rafael Chavantes Wed, 06/23/2010 - 14:59

Aaron,

Sorry, but I could not get your point:

" You can actually use contacts as EM-users as well, which could be useful (as PIN is stored in CCM; no access to password-things like CCMUser tho)."

Rafael Chavantes Wed, 06/23/2010 - 14:58

Bill,

You are right I had the same thought but was hoping that I could be wrong.

Didn't work.

Does anyone have any idea how to do this? Putting some phones that are not linked to any user on the corporate directory?

Aaron Harrison Wed, 06/23/2010 - 15:08

Hi

Well - a contact in LDAP is basically like a user, but has a smaller set of properties.

They don't have sAMAccountName, or password to name two - so they can't be used to authenticate users like normal user accounts.

With an edited LDAP filter like you have been applying, the contacts will sync into CCM, and will appear in the directory.

However you won't be able to use them to log into anything that uses a password as there is no password in LDAP where CCM looks... so all auth attempts will fail.

Since there is no PIN in AD for users OR contacts, the PIN is always stored in the CCM user DB (i.e. is not backed off to LDAP). So if you have a contact in the DB, and associate that contact to an Extension Mobility profile, they can then log in using their chosen UserID attribute and PIN.

Make any sense?

Aaron

Aaron Harrison Wed, 06/23/2010 - 15:10

Hi

What didn't work?

If you have successfully applied the filter query I posted, you then need to restart DirSync and Tomcat (I think) to get it to take effect, and then I would force a directory sync. Did you do that?

Aaron

William Bell Wed, 06/23/2010 - 17:16

Aaron, if I follow then you are saying that if you use contacts then you can modify the LDAP attribute used for the user ID to something that both a regular user and a contact would have.  So, in 7.1.3bsu2 that would be mail, employeeNumber, and telephoneNumber.  Is that accurate?

I presume so.  Which means that Rafael will need to go to the LDAP system information and modify the configuration (see below).

Actually, there would be some additional steps and some drawbacks that Rafael would need to  contend with.  Unless I am mistaken, I believe that if a sync is re-established using a different LDAP attribute for the user ID all existing user IDs are flagged as inactive.  Which means that when the next clean up interval expires, those users will be deleted.  This also means any device associations, profile associations, CCX extensions, PABs, fast dials, etc. go bye-bye.  I have seen this happen in my lab when switching between using LDAP sync and disabling it.  I assume the same would happen if you switch up the key attribute.  If I am mistaken then that is good to know.  If not, then Rafael may want to think twice before swapping attributes.

Just a thought.  I suppose I could test this out and answer my own questions....

HTH.

Regards,
Bill

Aaron Harrison Thu, 06/24/2010 - 00:19

Hi Bill


Yeah, sorry - I'm not suggesting that it's something that SHOULD be done; just that it CAN be done. Changing the attribute is painful, and you have to delete the directory sync configs you have set up as well as disabling auth before you can do it.

Rafael just needs directory entries, so whether or not he is using one of those three attributes doesn't matter to him. I mentioned it in passing really; regretting it now as it's made my fingers sore :-)

Aaron

Rafael Chavantes Thu, 06/24/2010 - 05:14

Bill/Aaron,

Ok, let me clarify what I want (I don't think I have done this yet). What I want is to have users in AD listed in my users page in CUCM so they are listed in the corporate directory as well, and to have some Lobby Phones and Meeting Rooms listed as well, but those phones do not have an AD user, so I thought that using contacts in AD would solve my problem, but as contacts do not have sAMAccountName they are not being listed.

As Aaron said I can change the

LDAP Attribute for User ID: sAMAccountName (other options: mail, employeeNumber, telephoneNumber, userPrincipalName)

For mail, for example, and have the contacts listed, I don't know what will be the impact on this but I will try in my lab and advise.

William Bell Thu, 06/24/2010 - 05:31

The impact will be:

1. Users will need to use a different logon ID when logging into applications like the CCMUser, CUPC, click-to-call, etc.   Aside from the obvious end user issue of dealing with "change" in general, this isn't that huge of an impact.  Users typically know their own mail ID.

2. Users will need to use a different logon ID when logging into services like PAB, Fast Dials, Extension Mobility.  This is a larger impact.  Try using a mail ID for the user name when your keyboard is the DTMF keypad.  Not fun.

3. Existing users are deactivated.  Not a huge deal unless you have lots of dependencies configured.  An example of a dependency would be associating a device to an end user, PAB/fast dial settings, EM profiles, etc.   All of that will be wiped away when the deactivated accounts are removed.  You would need to use BAT or something to "copy" configs.  This won't work for all things (e.g. PAB/fast dials).

I think that summarizes it.  The key point is that if your users use their IDs today, for anything, they will know when you make this change.  So, plan/prepare/communicate.

If this is all for getting entries into the Corporate Directory then I'd advise considering using an external directory app.  You may have to build the app yourself.  Though there is an SDK (developer.cisco.com, search for phone SDK - the app is called multi-directory)  for this and I think Aaron (?) may have put one together he was posting on other, similar threads.  It may not have been Aaron.  He'll pipe up soon enough.

I have used the SDK app I am referring to and it is quite painless to setup.

HTH.


Regards,

Bill

Rafael Chavantes Fri, 06/25/2010 - 03:53

Bill,

You said under number 3 that existing users will be deactivated, but when I changed the attribute for User ID, the user ID changed to the email but existing users did not get deactivated.

A question that came to my mind is: I have a list of users that have profiles associated and plan to integrate with LDAP; all user IDs are the same as in AD. When I integrate, will users lose the settings?

Rafael Chavantes Thu, 06/24/2010 - 05:27

Ok Guys just tested changing for this:

LDAP Attribute for User ID: mail (other options: sAMAccountName, employeeNumber, telephoneNumber, userPrincipalName)

It worked; now I'm listing both users and contacts that have the field ipPhone not equal to null, but my user ID is now the email and definitely this is not what I want. Now I'm stuck: I need to have the lobby and meeting rooms listed in the corporate directory, but creating a user in AD is not the best way.

Any other idea?

Aaron Harrison Fri, 06/25/2010 - 00:29

Hi

If you need to have contacts in the CCM directory, you need to use one of those specified attributes that a contact has.

If you need to use one of the other attributes, you can't have contacts in the directory.

This is a limitation of the way the AD integration works for this product, so if the restrictions don't suit you, then generally you don't use AD integration.

As an alternative you could implement a separate XML based directory service on a web server in your organisation which queries AD directly. This also has the advantage of being more flexible. I put a simple one together that might suit you - https://supportforums.cisco.com/message/3026015#3026015

You could set that to just return meeting rooms (i.e. based on OU or a string match in a field) and have a separate 'Meeting Rooms' directory on the phones as a 'Directory' service instead of replacing the corporate dir.

Regards

Aaron

Rafael Chavantes Fri, 06/25/2010 - 03:58

Aaron,

Just downloaded the application; is there any documentation on how to implement this?

Rafael Chavantes Sat, 12/18/2010 - 04:25

Hello All,

I'm trying to update an LDAP filter on another CUCM 7 and am now facing a different problem.

Follows the output

Hope Someone can help me...

Sending message...

---------------------
http://schemas.xmlsoap.org/soap/envelope/">
OAP-ENV:Header/>select * from callmanager
pe>
---------------------
Dec 18, 2010 10:33:51 AM com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
SEVERE: SAAJ0008: Bad Response; Unauthorized
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (401Unauthorized
        at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
        at AxlSqlToolkit.sendMessage(AxlSqlToolkit.java:138)
        at AxlSqlToolkit.execute(AxlSqlToolkit.java:199)
        at AxlSqlToolkit.main(AxlSqlToolkit.java:244)
Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (401Unauthorized
        at java.security.AccessController.doPrivileged(Native Method)

==============================================================================

PROBLEM SOLVED...USER USED DID NOT HAVE ENOUGH RIGHTS

