Unity Connection 7 and LDAP integration

Sep 10th, 2010

Hello--I've got a client with a Unity Connection VM server. Initially, they wanted LDAP integration; however, as of now, they do not and want it removed. I'm new to the client--the engineers that set up the CM and Unity CX servers are no longer available to question. I believe the users were brought through CM (if that makes sense...still new to this). I'm hesitant to uncheck the LDAP box and lose everything. Does importing users from CM make sense even if LDAP integration is turned on, or is it still two separate entities?

sopayne Fri, 09/10/2010 - 14:01
User Badges:
  • Cisco Employee

Check out this Cisco Unity Connection design guide:  http://www.cisco.com/en/US/docs/voice_ip_comm/connection/7x/design/guide/7xcucdg040.html#wp1069877

"If you have multiple LDAP directory configurations accessing multiple LDAP user search bases, and if only one configuration was deleted, only the users in the associated user search base are affected. Users in other user search bases are still able to log on to Connection web applications.

2. At the first scheduled synchronization, users are marked as "LDAP inactive" in Connection.

Attempts to log on to Connection web applications continue to fail.

3. At the next scheduled synchronization that occurs at least 24 hours after users are marked as "LDAP inactive," all Connection users whose accounts were associated with LDAP accounts are converted to Connection standalone users."

David Hailey Fri, 09/10/2010 - 14:36
User Badges:
  • Purple, 4500 points or more

CUC is flexible in regards to user provisioning.  Using one method does not preclude using another.  This is different from CUCM where you either are LDAP integrated or you are not.  So, to answer your question:

"Does importing users from CM make sense even if LDAP integration is turned on or is it still two separate entities?"

It depends. If CUCM is LDAP-integrated and you import from CUCM, you are essentially importing from LDAP via CUCM without an extra sync agreement to your LDAP environment. You could also still manually add users, etc. In addition, as the previous poster pointed out from the CUC design guide - if you remove LDAP from CUC then any users who may have been configured based on LDAP import are converted to standard users (e.g., essentially the same as a manually added user).



anmcbrid Mon, 09/13/2010 - 07:14
User Badges:
  • Cisco Employee

The most useful reason for having UC LDAP synched to AD rather than just AXL connected to CCM is single sign-on.

If it were my choice as an administrator I would always use AD sync on UC just to avoid creating yet another password for people to have to remember and change. The LDAP requirements are pretty easily met, it's not hard to set up and the user benefits are big.

If you have some reason to not want LDAP anymore, though, just deleting the LDAP configuration on UC will force all the users in UC to be converted to standalone, as others have mentioned.

Scott Jones Mon, 09/13/2010 - 10:21

Thanks for the responses. The issue my client is having though is when I get ready to disintegrate the LDAP integration, the concern is people losing mailboxes, etc. I'm at the point with them though, that I've got a solid backup running, if it doesn't work as expected, I can always do a restore...

Scott A. Jones

anmcbrid Mon, 09/13/2010 - 11:14
User Badges:
  • Cisco Employee

People will not lose mailboxes; UC is specifically designed to handle this. They may lose access to them if they used to use LDAP authentication and you delete LDAP, as the mailbox will now revert to local authentication. That password won't match, so you may need to help them reset passwords.

The mailboxes though in UC won't go away unless you delete them.

Scott Jones Mon, 09/13/2010 - 11:16

Ah--ok. I see what you mean now! My biggest concern was losing mailboxes. The people don't do anything advanced with them. They just hit the messages button and use the TUI to listen to their messages. If I can remove the LDAP integration without risk of losing the mailboxes, I'm set then.

Scott J.

