
CUCM 7.1.3 and LDAP integration

markcarat
Level 1

Hello,

I have CUCM V7.1.3 with local users. We are now considering integrating user management with LDAP, which is Windows 2003 in our network. We have more than 20 different business units spanning more than 20 offices. However, only six of these offices are part of the centralized IPT. The problem is our AD users are grouped based on business units. For example, the users in the Atlanta office may be in six different OUs, and CUCM has a limit of five LDAP directories. Is there a way in LDAP to search users based on AD security group?

Any suggestions will be appreciated.

Mark


William Bell
VIP Alumni

You could leverage LDAP filters and an AD attribute (or several attributes) to filter the user objects that will be synchronized. With 7.1(3) you would need to use the AXL API to modify the LDAP filter. With 8.x the CCMAdmin portal includes an interface to modify this parameter. I did a write up on the pre-8.x approach here:

http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

HTH.

Regards,

Bill

Please remember to rate helpful posts.

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
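
An added example, not part of the original posts or of Cisco's tooling: one way to build the kind of attribute-based LDAP filter described above so that only members of chosen AD security groups match, with RFC 4515 escaping of the group DN. It assumes Active Directory's `memberOf` attribute and matching-rule OIDs; the function names and group DNs are hypothetical placeholders.

```python
# Added example: build an Active Directory LDAP filter that limits a
# directory sync to members of given security groups.
# Group DNs used here are constructed placeholders, not values from the thread.

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory matching-rule OIDs.
BIT_AND = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_sync_filter(group_dns, nested=False, skip_disabled=True):
    """Return a filter matching user objects that belong to any listed group.

    nested=False matches direct members only (plain memberOf).
    nested=True uses the in-chain rule so members of nested groups match too.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    parts = ["(objectClass=user)", "(!(objectClass=computer))"]
    if skip_disabled:
        # Bit 2 of userAccountControl is ACCOUNTDISABLE.
        parts.append(f"(!(userAccountControl:{BIT_AND}:=2))")
    parts.append(membership)
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    atlanta = "CN=IPT Users (Atlanta),OU=Groups,DC=example,DC=com"
    dallas = "CN=IPT-Dallas,OU=Groups,DC=example,DC=com"
    print(group_sync_filter([atlanta]))
    print(group_sync_filter([atlanta, dallas], nested=True))
```

Because the filter keys on group membership rather than on OU, users spread across many OUs can be covered by a single search base, and the synchronized set changes whenever membership of those groups changes.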

Hi William,

Thank you for your information.  How could I modify the LDAP filter in CUCM 7.x?

Appreciate your help.

Mark

Mark,

The link I provided should give you a working example on how you would go about updating the LDAP filter used by a CUCM system running 7.1. The example focuses on the Cisco-provided AXL SQL Query toolkit (download plugin). But the Cisco AXL/SOAP API can be accessed in multiple ways. You may also be able to execute a SQL update from a command line. I believe I have done that in my lab but I don't recall which version and I am unable to test now. The query syntax would be identical to what I provided in the URL referenced in my last post.

HTH.

Regards,
Bill


Thanks William,  I will try that in my lab.

Regards

Mark

William,

when trying to run the command below I'm receiving the following error:

C:\axlsqltoolkit>java AxlSqlToolkit -input=test.xml -username=ccmadministrator -
password=C1$coC1$co -host=10.3.3.20
Exception in thread "main" java.lang.NoClassDefFoundError: AxlSqlToolkit
Caused by: java.lang.ClassNotFoundException: AxlSqlToolkit
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: AxlSqlToolkit.  Program will exit.


It seems that it is something related to the Java classes path. If you have any idea how to solve this, that would be great.

Hi Rafael

A good place to start here is the readme.txt file that is in the AxlSqlToolkit directory - launch it like so to set the required classpath entries etc, substituting your own parameters for user/host/password etc.

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

From a linux system, run the following:

java -cp ./classes:./lib/saaj-api.jar:./lib/saaj-impl.jar:./lib/mail.jar:./lib/activation.jar:./lib/jaxm-api.jar:./lib/jaxm-runtime.jar:./lib/xercesImpl.jar:./lib/xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Rafael,

You need to add the appropriate values to your class path environment variable OR you can specify the class path when running the java executable.  There is a README.txt file that is included in the AXL SQL Toolkit download.  I recommend taking a look at that.  The java path as provided in this read me file is as follows:

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=userid -password=password -host=x.x.x.x -input=test.xml

HTH.


Regards,
Bill


Hi William

I need to perform the search on only a specific group.

When I set my search base to the whole root,
DC=mydomain,DC=com,DC=br

it shows me all users in Active Directory.

But I have to look at the following group:
cn=Telefonia_Cisco,ou=Global!,ou=Groups,ou=EscritorioCentral,ou=mydomain,dc=mydomain,dc=com,dc=br

Is it possible?

Cheers
Bruno Rangel
Please remember to rate helpful responses using the star below and identify helpful or correct answers

It would be best not to hijack somebody else's thread, but to answer your question, yes you can set the search root to something other than the domain root.  I am not sure if there are limitations on search root depth (how far into the tree you can go, yours looks pretty long compared to what we are using, which I know works).  It is possible however.

So I create a group to search this:
ou=Group,ou=Global!,ou=Groups,ou=EscritorioCentral,ou=mydomain,dc=mydomain,dc=com,dc=br

This document says to create a separate OU.


http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42drctry.html


"This attribute is the distinguished name pointer to another object in the directory, which contains the user's application-specific profile. This approach minimizes the impact on the core User object, and all the application-specific information can be stored in a separate organizational unit (OU) within the directory, usually called the Cisco subtree, CISCOBASE, or Cisco Directory Information Tree."

Cheers
Bruno Rangel

Hi Bruno

Firstly, you need to read the documentation for the version of software you are deploying - either you're reading the wrong document (in which case take a look at the SRND Directory Integration chapter for CM 7.0: https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html), or you are actually planning on doing directory integration on CM4.2 (which is a BAD IDEA).

Secondly, you can't filter the results of the Directory Sync by pointing it at a group.

Your options are:

1) Point at any single OU in your domain, and allow it to sync anything below that in the directory tree

2) Point at multiple separate OUs in your domain, and call include subtree again

3) Point at the root of the domain and include everything

Separate to the OU that you use as your base, you can then apply permissions within your LDAP directory to prevent the user account used to perform the synchronisation from being able to see portions of the directory.

Regards

Aaron

Please rate helpful posts...


Bruno,

Didn't we cover this in the following thread?

https://supportforums.cisco.com/message/3123536#3123536

Regards,
Bill


Sorry William,
This discussion had been opened before.

Thanks guys.

Cheers
Bruno Rangel