02-14-2014 11:27 AM - edited 03-16-2019 09:45 PM
Hi all,
I've got a production implementation of CUCM 9.1.2. We don't currently do any SIP URI dialing, but I'm starting to investigate this.
Our email addresses in LDAP (MS AD) are in the Mail field. By default, CUCM points the Directory URI field in UCM to the AD field "msRTCSIP-primaryuseraddress". When adding a new LDAP Directory, you can change this field, but once the LDAP is created and synchronised, it doesn't look like this is an option any longer.
It looks like I could create a new LDAP instance pointing to the same servers but with this entry changed, but then I have 2 going to the same place. When you delete an LDAP instance, it warns you that all users sync'd from that instance will be deleted, which is obviously not desirable.
Has anyone been able to change this field without affecting functionality and user accounts in the system? Any recommendations on doing this?
Thanks,
Ryan
02-15-2014 03:52 AM
Hi Ryan,
I had exactly the same situation this week.
When CUCM is synchronizing the AD records, it takes the configured UserID attribute for mapping LDAP to CUCM Enduser entries. So there shouldn't be any deletion or deactivation of your endusers as long as the UserID doesn't change.
Regards
Christian
02-14-2014 06:19 PM
No way other than deleting and recreating it. Users will be there until the garbage disposal runs, and you won't need more than 5 minutes to delete and create the new one.
Sent from Cisco Technical Support iPad App
02-21-2014 11:19 AM
Unless he deletes the old one at 3:11 AM, then he's screwed.
Anthony Holloway
Please use the star ratings to help drive great content to the top of searches.
02-21-2014 11:30 AM
Nope, that's wrong, you can do it at 3:14 AM and your users will still be there.
Users won't be deleted until they have been marked as inactive for 24 hours.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/9x/uc9x/directry.html#wp1045242
After the initial synchronization, the creation, deletion, or disablement of an account will propagate to Unified CM according to the timeline shown in Figure 16-7 and as described in the following steps:
1. At 8:00 AM on January 1, an account is disabled or deleted in AD. From this time and during the whole period A, password authentication (for example, Unified CM User Options page) will fail for this user because Unified CM redirects authentication to AD. However, PIN authentication (for example, Extension Mobility login) will still succeed because the PIN is stored in the Unified CM database.
2. The periodic re-synchronization is scheduled for 11:00 PM on January 1. During that process, Unified CM will verify all accounts. Any accounts that have been disabled or deleted from AD will at that time be tagged in the Unified CM database as inactive. After 11:00 PM on January 1, when the account is marked inactive, both the PIN and password authentication by Unified CM will fail.
3. Garbage collection of accounts occurs daily at the fixed time of 3:15 AM. This process permanently deletes user information from the Unified CM database for any record that has been marked inactive for over 24 hours. In this example, the garbage collection that runs at 3:15 AM on January 2 does not delete the account because it has not been inactive for 24 hours yet, so the account is deleted at 3:15 AM on January 3. At that point, the user data is permanently deleted from Unified CM.
If an account has been created in AD at the beginning of period A, it will be imported to Unified CM at the periodic re-synchronization that occurs at the beginning of period B and will immediately be active on Unified CM.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk
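The timeline quoted from the SRND in the post above, worked through as an added example (not part of the original post or of Cisco's documentation). The function names and the year 2014 are assumptions, and the 3:11 AM case assumes the record is marked inactive at that moment.

```python
from datetime import datetime, time, timedelta

GC_TIME = time(3, 15)               # fixed daily garbage collection (quoted SRND text)
MIN_INACTIVE = timedelta(hours=24)  # record must be inactive for over 24 hours


def next_occurrence(after: datetime, at: time) -> datetime:
    """First datetime strictly after `after` whose clock time is `at`."""
    candidate = datetime.combine(after.date(), at)
    if candidate <= after:
        candidate += timedelta(days=1)
    return candidate


def purge_time(marked_inactive: datetime) -> datetime:
    """First 3:15 AM run at which the record has been inactive for over 24 hours."""
    run = next_occurrence(marked_inactive, GC_TIME)
    while run - marked_inactive <= MIN_INACTIVE:
        run += timedelta(days=1)
    return run


def account_timeline(disabled_in_ad: datetime, resync_at: time) -> dict:
    """Model the three quoted steps for one account disabled or deleted in AD."""
    marked_inactive = next_occurrence(disabled_in_ad, resync_at)
    return {
        "password_auth_fails_from": disabled_in_ad,  # password auth is redirected to AD
        "pin_auth_fails_from": marked_inactive,      # PIN is stored in the Unified CM database
        "pin_only_window": marked_inactive - disabled_in_ad,
        "purged_at": purge_time(marked_inactive),
    }


if __name__ == "__main__":
    # Constructed input matching the SRND example: disabled 8:00 AM, resync 11:00 PM.
    for key, value in account_timeline(datetime(2014, 1, 1, 8, 0), time(23, 0)).items():
        print(f"{key:26} {value}")
    # Constructed input for the 3:11 AM question raised in the thread.
    print("inactive at 03:11, purged:", purge_time(datetime(2014, 2, 21, 3, 11)))
```

The `pin_only_window` value is the period in which a disabled AD account can still authenticate with its PIN (for example, Extension Mobility login), which is the part of the timeline worth checking against your re-synchronization schedule.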
02-21-2014 01:50 PM
The more you know. Thanks for the correction and clarification Jamie.
Anthony Holloway
Please use the star ratings to help drive great content to the top of searches.
02-18-2014 08:27 AM
Hi Christian,
That's really helpful. I'm going to try it out in my staging environment today and see how it goes. Glad to hear I'm not the only one with this problem.
Thanks a lot,
Ryan
02-18-2014 08:46 AM
Hi Ryan,
we did the same thing just today again with a productive environment. No issues there either.
Cheers
Christian
Sent from Cisco Technical Support Android App
02-21-2014 08:00 AM
Hi Christian,
Thanks again. I just did this in our staging servers and it went perfectly. It's actually a low risk operation when you use your method. The prompts that get generated when you delete the old LDAP are kind of scary. I think my operations guys would have had a heart attack if I'd told them to delete the old directory first :^)
Cheers!
Ryan
02-21-2014 11:18 AM
I'd like to touch on Jamie's suggestion. Deleting the current LDAP Directory, while scary, actually does not delete anything immediately. It will delete the users after "garbage collection", which is 3:15 AM every day*. It will, however, prevent LDAP authentication for your users. Once you recreate the new LDAP Directory, and complete a sync, then users can authenticate again. For that reason alone, I would not do this in production hours; however, the warning is enough to scare anyone away from attempting this during the day anyway.
For what it's worth, in CUCM 10x you can change these mappings on existing LDAP Directory integrations, thus avoiding this whole topic altogether.
*Source:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/directry.html#wp1045229
Anthony Holloway
Please use the star ratings to help drive great content to the top of searches.
02-21-2014 05:40 PM
What happens to a user's device associations such as UDP, end user groups, etc., while they are inactive? Does CUCM retain this and carry on as usual after users are marked active again?
Please rate all useful posts
"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
02-22-2014 01:58 AM
Yes, they are all retained, since actually nothing changes in the database table for endusers. Users only get flagged inactive or active, that's it. Information only gets lost when you keep users inactive for too long, so that their information is purged from the database.
02-22-2014 02:10 AM
Thanks Christian
Please rate all useful posts
"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
03-04-2014 12:02 PM
Hi Christian,
We did this in our production environment on the weekend and no issues at all. I tested with Jabber for Windows and I can place calls by URI now (just needed to add the Directory URI partition to my CSS).
Really appreciate all the great feedback in this thread!
Cheers,
Ryan
Sent from Cisco Technical Support Android App on a Blackberry 10 smartphone
03-07-2014 06:13 AM
Ryan,
What version of Jabber are you using that supports URI dialling? Can you share with me your config on CUCM to enable URI dialling? Just the pointers will do (too lazy to look at documentation now).
Please rate all useful posts
"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"