05-19-2010 01:14 PM - edited 03-15-2019 10:50 PM
Hello,
I have CUCM V7.1.3 with local users. We are now considering integrating user management with LDAP, which is Windows 2003 in our network. We have more than 20 different business units spanning more than 20 offices. However, only six of these offices are part of the centralized IPT. The problem is our AD users are grouped based on business units. For example, the users in the Atlanta office may be in six different OUs, and CUCM has a limit of five LDAP directories. Is there a way in LDAP to search users based on AD security group?
Any suggestions will be appreciated.
Mark
05-19-2010 01:33 PM
You could leverage LDAP filters and an AD attribute (or several attributes) to filter the user objects that will be synchronized. With 7.1(3) you would need to use the AXL API to modify the LDAP filter. With 8.x the CCMAdmin portal includes an interface to modify this parameter. I did a write up on the pre-8.x approach here:
http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html
HTH.
Regards,
Bill
Please remember to rate helpful posts.
05-20-2010 08:32 AM
Hi William,
Thank you for your information. How could I modify the LDAP filter in CUCM 7.x?
Appreciate your help.
Mark
05-20-2010 09:37 AM
Mark,
The link I provided should give you a working example of how you would go about updating the LDAP filter used by a CUCM system running 7.1. The example focuses on the Cisco-provided AXL SQL Query toolkit (download plugin). But the Cisco AXL/SOAP API can be accessed in multiple ways. You may also be able to execute a SQL update from a command line. I believe I have done that in my lab but I don't recall which version and I am unable to test now. The query syntax would be identical to what I provided in the URL referenced in my last post.
HTH.
Regards,
Bill
Please remember to rate helpful responses and identify
05-25-2010 07:50 AM
Thanks William, I will try that in my lab.
Regards
Mark
06-22-2010 05:52 AM
William,
when trying to run the command below I'm receiving the following error:
C:\axlsqltoolkit>java AxlSqlToolkit -input=test.xml -username=ccmadministrator -password=C1$coC1$co -host=10.3.3.20
Exception in thread "main" java.lang.NoClassDefFoundError: AxlSqlToolkit
Caused by: java.lang.ClassNotFoundException: AxlSqlToolkit
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: AxlSqlToolkit. Program will exit.
It seems to be something related to the Java class path. If you have any idea how to solve this, that would be great.
06-22-2010 06:03 AM
Hi Rafael
A good place to start here is the readme.txt file that is in the AxlSqlToolkit directory - launch it like so to set the required classpath entries etc, substituting your own parameters for user/host/password etc.
From a windows system, run the following (assuming Java is in the path):
java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207
From a linux system, run the following:
java -cp ./classes:./lib/saaj-api.jar:./lib/saaj-impl.jar:./lib/mail.jar:./lib/activation.jar:./lib/jaxm-api.jar:./lib/jaxm-runtime.jar:./lib/xercesImpl.jar:./lib/xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207
Regards
Aaron
Please rate helpful posts...
06-22-2010 06:12 AM
Rafael,
You need to add the appropriate values to your class path environment variable OR you can specify the class path when running the java executable. There is a README.txt file that is included in the AXL SQL Toolkit download. I recommend taking a look at that. The java path as provided in this read me file is as follows:
From a windows system, run the following (assuming Java is in the path):
java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=userid -password=password -host=x.x.x.x -input=test.xml
HTH.
Regards,
Bill
Please remember to rate helpful responses and identify
06-18-2010 11:13 AM
Hi William
I need to perform the search on only a specific group.
When I set my search base to the whole root,
DC = mydomain, DC = com, DC = br
it shows me all users in Active Directory.
But I have to look at the following group:
Telefonia_Cisco cn =, ou = Global!, ou = Groups, ou = EscritorioCentral, ou = mydomain, dc = mydomain, dc = com, dc = br
Is it possible?
06-22-2010 06:01 AM
It would be best not to hijack somebody else's thread, but to answer your question, yes you can set the search root to something other than the domain root. I am not sure if there are limitations on search root depth (how far into the tree you can go, yours looks pretty long compared to what we are using, which I know works). It is possible however.
06-22-2010 06:17 AM
So I create a group to research this:
Ou = Group, ou = Global!, Ou = Groups, ou = EscritorioCentral, ou = mydomain, dc = mydomain, dc = com, dc = br
This document says to create a separate OU.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42drctry.html
"This attribute is the distinguished name pointer to another object in the directory, which contains the user's application-specific profile. This approach minimizes the impact on the core User object, and all the application-specific information can be stored in a separate organizational unit (OU) within the directory, usually called the Cisco subtree, CISCOBASE, or Cisco Directory Information Tree."
06-22-2010 06:25 AM
Hi Bruno
Firstly, you need to read the documentation for the version of software you are deploying - either you're reading the wrong document (in which case take a look at the SRND Directory Integration chapter for CM 7.0: https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html), or you are actually planning on doing directory integration on CM4.2 (which is a BAD IDEA).
Secondly, you can't filter the results of the Directory Sync by pointing it at a group.
Your options are:
1) Point at any single OU in your domain, and can allow it to sync anything below that in the directory tree
2) Point at multiple separate OUs in your domain, and call include subtree again
3) Point at the root of the domain and include everything
Separate to the OU that you use as your base, you can then apply permissions within your LDAP directory to prevent the user account used to perform the synchronisation from being able to see portions of the directory.
Regards
Aaron
Please rate helpful posts...
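An added illustration (not code from any poster or from Cisco) of the two points made in this thread: a search base only scopes by position in the tree, so pointing it at a group object returns no users, while an attribute filter selects users across OUs. The directory entries, the example.com names and the choice of memberOf as the filtered attribute are constructed assumptions; the parser handles only &, |, ! and equality.

```python
# Constructed sample directory (assumption, not from the thread): DN -> attributes.
GROUP_DN = "cn=ipt-users,ou=groups,dc=example,dc=com"
DIRECTORY = {
    GROUP_DN: {"objectClass": ["group"]},
    "cn=alice,ou=sales,dc=example,dc=com": {"objectClass": ["user"], "memberOf": [GROUP_DN]},
    "cn=bob,ou=finance,dc=example,dc=com": {"objectClass": ["user"], "memberOf": [GROUP_DN]},
    "cn=carol,ou=sales,dc=example,dc=com": {"objectClass": ["user"], "memberOf": []},
    "cn=pc01,ou=sales,dc=example,dc=com": {"objectClass": ["user", "computer"], "memberOf": []},
}
USERS = "(&(objectclass=user)(!(objectclass=computer)))"
GROUP_MEMBERS = "(&(objectclass=user)(!(objectclass=computer))(memberOf=" + GROUP_DN + "))"

def norm(dn):
    """Lowercase a DN and drop spaces around '=' and ',' (no escaped commas)."""
    return ",".join("=".join(x.strip() for x in p.split("=", 1)).lower() for p in dn.split(","))

def in_subtree(dn, base):
    """Subtree scope: the entry is the base itself or sits below it."""
    n, b = norm(dn), norm(base)
    return n == b or n.endswith("," + b)

def parse(f, i=0):
    """Parse a filter string into a tree; returns (node, next_index)."""
    assert f[i] == "("
    op = f[i + 1]
    if op in "&|!":
        i += 2
        kids = []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    vals = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return any(v.lower() == value.lower() for v in vals)

def search(base, filter_str):
    """Return the sorted DNs under base that match the filter."""
    tree, _ = parse(filter_str)
    return sorted(dn for dn, a in DIRECTORY.items() if in_subtree(dn, base) and matches(tree, a))
```

Here `search(GROUP_DN, USERS)` is empty because group members live in their own OUs rather than beneath the group object, while `search("dc=example,dc=com", GROUP_MEMBERS)` returns alice and bob from two different OUs.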
06-22-2010 06:26 AM
Bruno,
Didn't we cover this in the following thread?
https://supportforums.cisco.com/message/3123536#3123536
Regards,
Bill
Please remember to rate helpful responses and identify
06-22-2010 06:55 AM
Sorry William
This discussion had been opened before.
Thanks guys.