Group LDAP Directory after Synchronization

Answered Question
Jun 7th, 2010

I have a customer with a Microsoft AD directory and we synchronized the users to CUCM.

After the synchronization, we want to keep the 2 Groups from LDAP (A&B) in CUCM where they cannot see the directory information from the other group. For example, the user in group A can only see the users in Group A but cannot see the users in Group B.

What's the best way to achieve it? Thanks in advance.

Correct Answer
htluo Mon, 06/07/2010 - 07:43

When you said "see", I guess you meant from the IP Phone's directory, right?

The IP phone directory is actually an XML service (like a web browser reading HTML).

If you want to limit the user's visibility from the IP phone directory, here's what you can do:

1) You need your own web server to host the XML file.

2) You need two XML files (one for each group).

3) You need to customize your XML files (and backend apps/scripts) so each XML will expose one of the groups.

4) For different IP phones in different groups, configure their Directory URL (via CUCM > Device > Phone) to point to different URLs (XMLs).

In short, you need to do some development job.  The feature is not built in on CUCM.

Michael

http://htluo.blogspot.com

Correct Answer
William Bell Mon, 06/07/2010 - 07:55

To expand a little on Hailey's reply -- by default the CUCM directory application doesn't selectively display users to phones requesting the directory.  I think the only way to "hide" a user is to ensure that the last name field is blank or something equally useless/obscure.  In your case you want one group of phones to only see one group of lines.  CUCM can't do this natively.  This means you will need to purchase or develop a custom corporate directory application.  It sounds way more daunting than it actually is.  There is a phone SDK on the developer network (http://developer.cisco.com) that has a sample directory application called "multi-LDAP" or something similar.  You can't use it "as is" and achieve your objective, but if you are one of those that can tweak a functional script to create a custom app then you may find it handy.

The multi-LDAP app assumes you are pulling the corporate directory from LDAP.  You don't need to do that, you can also use AXL/SOAP to query the data from the CUCM cluster.  Which way you go depends on the logic you want the application to use when segregating the groups.  I recently wrote a corporate directory application for a customer that had 4 or 5 groups of phones.  Their goal wasn't to hide tenants but to change the dialing patterns based on where you were coming from (i.e. abbreviated vs. full-digit dialing).  Anyway, in this case we used the directory numbers and a custom URL to filter and control the display.  We also tested IP address filtering, which worked well but is very hard to maintain.  The only upside was a single URI could be applied to all phones and "groups" were identified by source IP address.

In your case, you could use the Department field (mapped via the department field in LDAP).  If that doesn't work, and you want to use an LDAP field, then you are better off pulling the directory from LDAP.  Otherwise, you could use the phone number of the target and a custom URL for the source, to determine who can see what.  Logic being:  Group A can only see directory numbers for phone lines assigned to Group A phones (maybe by NPANXX or partition?).

Bottom line.  This is a custom app.  Not hard to do unless scripting isn't your thing.  In that case, find a partner that can put it together for you or look at 3rd party apps.  The latter may be cost prohibitive unless you can find a tool that may be addressing other needs you have.

HTH.


Regards,
Bill
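A sketch of the per-group directory service both answers describe, added here as an example and not code from either poster or from the Cisco SDK. It assumes the group is carried in a hypothetical `group` query parameter of each phone's Directory URL, that users are filtered on the Department field, and that the sample records (constructed) stand in for data pulled from LDAP or AXL.

```python
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample records; a real app would load these from LDAP or AXL.
USERS = [
    {"name": "Alice Adams", "department": "A", "telephone": "1001"},
    {"name": "Bob & Co <front desk>", "department": "A", "telephone": "1002"},
    {"name": "Carol Baker", "department": "B", "telephone": "2001"},
]
GROUPS = {"A", "B"}   # groups the service will answer for
MAX_ENTRIES = 32      # DirectoryEntry limit per CiscoIPPhoneDirectory object


def directory_xml(group, users=USERS):
    """Return directory XML for `group` only, or None for an unknown group."""
    if group not in GROUPS:
        return None
    root = ET.Element("CiscoIPPhoneDirectory")
    ET.SubElement(root, "Title").text = f"Directory {group}"
    ET.SubElement(root, "Prompt").text = "Select an entry"
    matches = [u for u in users if u["department"] == group]
    for user in matches[:MAX_ENTRIES]:
        entry = ET.SubElement(root, "DirectoryEntry")
        # ElementTree escapes &, < and > in directory-supplied values.
        ET.SubElement(entry, "Name").text = user["name"]
        ET.SubElement(entry, "Telephone").text = user["telephone"]
    return ET.tostring(root, encoding="unicode")


class DirectoryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        body = directory_xml(query.get("group", [""])[0])
        if body is None:
            self.send_error(404)   # default deny: no group, no listing
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Phone Directory URL for group A would be http://<server>:8080/dir?group=A
    HTTPServer(("", 8080), DirectoryHandler).serve_forever()
```

The `group` parameter only selects a listing and does not authenticate the phone, so anyone who can reach the server can request the other group's URL. If the separation has to hold, restrict which networks can reach the service or derive the group server-side, for example from the source IP address as mentioned above.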

David Hailey Mon, 06/07/2010 - 12:39

I knew the answer but I also knew guys like Bill and Mike would provide the details quickly.  +5 to both of you!
