Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

AD Integatration CM7 User Search Base

Hi,

I'm trying to integrate CM 7 with AD. The problem i'm facing is that when I try to write the user search base string I run out of characters, 254 is the limit.

I need help to correctly write the string to match the (organizational units) OU's I want to synchronize.

Attached is a screen shot of the Active Directory structure and also a list of the OU's I want to synch.

5 REPLIES
VIP Super Bronze

Re: AD Integatration CM7 User Search Base

LDAP doesn't work that way. You cannot specify multiple sibling elements in a single LDAP string. Also, UCM has a limit of five LDAP synchronizations so you will likely need to reorganize your AD structure to become more hierarchical. I doubt you want to synchronize EVERY user account into the corporate directory.

Example (entire domain):

DC=corkcoco,DC=localgov

Example:

OU=AreaOperationsSouth,DC=corkcoco,DC=localgov

Example:

OU=CentralOperationsSouth,DC=corkcoco,DC=localgov

Remember that UCM will synch every user object account with these OUs, including any child OUs as long as the minimum fields are populated.

You will have to develop a custom LDAP filter If you want to exclude accounts. In 7.x this is a little involved because it requires a direct SQL update (search the forum). You would need to identify a common field that you can filter by for every account.

New Member

Re: AD Integatration CM7 User Search Base

Yup just ran into the Max 5 limit as I got your reply. I'll look into the direct SQL update.

New Member

Re: AD Integatration CM7 User Search Base

Ok so I restructured AD to work around the issue but now I have run into a separate issue, all users are coming up as inactive. I have the UserID attribute on CM set to employeeNumber but its called EmployeeID on AD I think that might be the issue. Here's the error I get in the trace:

2009-11-04 15:52:56,819 ERROR [DirSync-DBInterface] common.DSDBInterface (DSDBInterface.java:276) - DSDBInterface.updateUserInfo LDAP data discarded: Missing LDAP attribute: Attribute Count=8 AgreementId=8426585a-7a9b-95c8-cfdd-41b4debad1de

middlename=exampled telephonenumber=8315 lastname=Lucey

firstname=example mailid=example@example.com title=  uniqueidentifier=c2317194f399a94180fde1ff663e080a department=Finance

2009-11-04 15:52:56,824 INFO  [Thread-8] common.DSNcsClient (DSNcsClient.java:50) - DSNcsClient.process Process CN on directorypluginconfig with action=u

2009-11-04 15:52:56,831 INFO  [Thread-8] common.DSNcsClient (DSNcsClient.java:50) - DSNcsClient.process Process CN on directorypluginconfig with action=u

Message was edited by: eoinwhite

VIP Super Bronze

Re: AD Integatration CM7 User Search Base

First, you are exposing personally identifiable information in your postings and this forum is public. You may want replace the real-life user information with something else.

Second, I'm going to assume that you mean you have created the custom LDAP filter based on the employeeNumber. You cannot set the username in the LDAP System page to this attribute. If you are filtering by an attribute, it must actually exist within LDAP.

Third, LDAP Bind Account you are using needs to be granted "Read All Attributes" rights on the LDAP objects.

New Member

Re: AD Integatration CM7 User Search Base

Thanks for the replies.

The cisco account in AD has read access to all ou's. The user id in call manager already is the same as employee id in ad. I'll look further and see what i can find.

Thanks

Message was edited by: eoinwhite

1285
Views
0
Helpful
5
Replies
CreatePlease to create content