The implications of shutting down the LDAP sync in Cisco CallManager 5.x with Microsoft Active Directory

Document

Wed, 07/22/2009 - 19:57
Jun 22nd, 2009
User Badges:
  • Gold, 750 points or more

Resolution

In order to use the accounts that are synced from the Active Directory (AD) after sync and authentication are disabled, deactivate the directory sync service, from the serviceability pages, and then delete the sync agreement and authentication configuration.

If the directory sync service is deactivated, accounts are not marked inactive and never deleted. If the directory sync service is reactivated, the accounts are marked inactive and deleted in 24 - 48 hours if a re-sync is not performed in order to make them active.

When an account is deleted or disabled from AD and a resynchronization process is done, any account that is deleted from AD is tagged in the Cisco Unified CallManager database as inactive. Garbage collection of accounts occurs every 24 hours. This process permanently deletes user information from the Cisco Unified CallManager database for any record that is marked inactive for over 24 hours.

When a user is moved from one organization unity (OU) to another and a sync operation is performed on the OU from which the user is moved, that user becomes inactive and is marked for deletion. If a sync is performed on the new OU where the user is present, the user becomes active again. Again when that user is moved back to the original OU and a sync operation is performed on this, it becomes active.

Loading.

Actions

This Document

Related Content