Cisco Support Community
Bronze

Changing LDAP Directory URI field mapping after installation

Hi all,

I've got a production implementation of CUCM 9.1.2.  We don't currently do any SIP URI dialing, but I'm starting to investigate this.

Our email addresses in LDAP (MS AD) are in the Mail field.  By default, CUCM points the Directory URI field in UCM to the AD field "msRTCSIP-primaryuseraddress".  When adding a new LDAP Directory, you can change this field, but once the LDAP is created and synchronised, it doesn't look like this is an option any longer.

It looks like I could create a new LDAP instance pointing to the same servers but with this entry changed, but then I have 2 going to the same place.  When you delete an LDAP instance, it warns you that all users sync'd from that instance will be deleted, which is obviously not desirable.

Has anyone been able to change this field without affecting functionality and user accounts in the system?  Any recommendations on doing this?

Thanks,

Ryan


Accepted Solutions
New Member

Changing LDAP Directory URI field mapping after installation

Hi Ryan,

I had exactly the same situation this week.

  • Copy the current LDAP Directory configuration, change the SIP URI mapping to 'mail' and save.
  • Then run a force sync on the newly created Directory configuration. Check if your enduser directory is updated with the new SIP URI and users are still AD synchronized and active. (Worked perfectly in my case)
  • If everything is ok, delete the old directory configuration.

When CUCM is synchronizing the AD records, it takes the configured UserID attribute for mapping LDAP to CUCM Enduser entries. So there shouldn't be any deletion or deactivation of your endusers as long as the UserID doesn't change.

Regards

Christian

15 REPLIES
Cisco Employee

Re: Changing LDAP Directory URI field mapping after installation

No way other than deleting and recreating it. Users will be there until the garbage disposal runs, and you won't need more than 5 minutes to delete and create the new one.


HTH

java

if this helps, please rate

www.cisco.com/go/pdi

Changing LDAP Directory URI field mapping after installation

Unless he deletes the old one at 3:11 AM, then he's screwed. 

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

Cisco Employee

Changing LDAP Directory URI field mapping after installation

Nope, that's wrong, you can do it at 3:14 AM and your users will still be there.

Users won't be deleted until they have been marked as inactive for 24 hours.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/9x/uc9x/directry.html#wp1045242

After the initial synchronization, the creation, deletion, or disablement of an account will propagate to Unified CM according to the timeline shown in Figure 16-7 and as described in the following steps:

1. At 8:00 AM on January 1, an account is disabled or deleted in AD. From this time and during the whole period A, password authentication (for example, Unified CM User Options page) will fail for this user because Unified CM redirects authentication to AD. However, PIN authentication (for example, Extension Mobility login) will still succeed because the PIN is stored in the Unified CM database.

2. The periodic re-synchronization is scheduled for 11:00 PM on January 1. During that process, Unified CM will verify all accounts. Any accounts that have been disabled or deleted from AD will at that time be tagged in the Unified CM database as inactive. After 11:00 PM on January 1, when the account is marked inactive, both the PIN and password authentication by Unified CM will fail.

3. Garbage collection of accounts occurs daily at the fixed time of 3:15 AM. This process permanently deletes user information from the Unified CM database for any record that has been marked inactive for over 24 hours. In this example, the garbage collection that runs at 3:15 AM on January 2 does not delete the account because it has not been inactive for 24 hours yet, so the account is deleted at 3:15 AM on January 3. At that point, the user data is permanently deleted from Unified CM.

If an account has been created in AD at the beginning of period A, it will be imported to Unified CM at the periodic re-synchronization that occurs at the beginning of period B and will immediately be active on Unified CM.

HTH

java

if this helps, please rate

www.cisco.com/go/pdihelpdesk


Changing LDAP Directory URI field mapping after installation

The more you know.  Thanks for the correction and clarification, Jamie.

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.


Bronze

Changing LDAP Directory URI field mapping after installation

Hi Christian,

That's really helpful.  I'm going to try it out in my staging environment today and see how it goes. Glad to hear I'm not the only one with this problem.

Thanks a lot,

Ryan

New Member

Re: Changing LDAP Directory URI field mapping after installation

Hi Ryan,

We did the same thing just today again with a productive environment. No issues there either.


Cheers

Christian



Bronze

Changing LDAP Directory URI field mapping after installation

Hi Christian,

Thanks again.  I just did this in our staging servers and it went perfectly.  It's actually a low risk operation when you use your method.  The prompts that get generated when you delete the old LDAP are kind of scary.  I think my operations guys would have had a heart attack if I'd told them to delete the old directory first :^)

Cheers!

Ryan

Changing LDAP Directory URI field mapping after installation

I'd like to touch on Jamie's suggestion.  Deleting the current LDAP Directory, while scary, actually does not delete anything immediately.  It will delete the users after "garbage collection", which is 3:15 AM every day*.  It will, however, prevent LDAP authentication for your users.  Once you recreate the new LDAP Directory and complete a sync, users can authenticate again.  For that reason alone, I would not do this in production hours; however, the warning is enough to scare anyone from attempting this during the day anyway.

For what it's worth, in CUCM 10x you can change these mappings on existing LDAP Directory integrations, thus avoiding this whole topic altogether.

*Source:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/8x/uc8x/directry.html#wp1045229

Anthony Holloway

Please use the star ratings to help drive great content to the top of searches.

VIP Super Bronze

Changing LDAP Directory URI field mapping after installation

What happens to users' device associations such as UDP, end user groups, etc., while they are inactive? Does CUCM retain this and carry on as usual after users are marked active again?

Please rate all useful posts

"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

New Member

Changing LDAP Directory URI field mapping after installation

Yes, they are all retained, since actually nothing changes in the database table for endusers. Users only get flagged inactive or active, that's it. Information only gets lost when you keep users inactive for too long, so that their information is purged from the database.

VIP Super Bronze

Changing LDAP Directory URI field mapping after installation

Thanks Christian

Please rate all useful posts

"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Bronze

Re: Changing LDAP Directory URI field mapping after installation

Hi Christian,
We did this in our production environment on the weekend and no issues at all. I tested with Jabber for Windows and I can place calls by URI now (just needed to add the Directory URI partition to my CSS).

Really appreciate all the great feedback in this thread!

Cheers,

Ryan



VIP Super Bronze

Re: Changing LDAP Directory URI field mapping after installation

Ryan,

What version of Jabber are you using that supports URI dialling? Can you share with me your config on CUCM to enable URI dialling? Just the pointers will do (too lazy to look at documentation now).

Please rate all useful posts

"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Bronze

Re: Changing LDAP Directory URI field mapping after installation

I'm using Jabber for Windows version 9.6. I'm set up in phone only mode, but it should work in UC mode too, if you have a presence server (I don't).

The Directory URIs end up in their own partition called (maybe obviously) Directory URI :) I just added this to the bottom of my CSS for the DN on Jabber.

The DN also needs to be the user's primary line in the End User config. My system seemed to have this for everyone, but I don't recall if we did that on purpose or not.

I referenced this link to get going quickly:
http://pandaeatsbamboo.blogspot.ca/2012/07/uri-dialing-on-uc-90-directory-uri.html?m=1

One weird thing... if you're typing a directory URI into Jabber, it doesn't really search on the info, so you have to type the entire address and then press return for the lookup to happen and work. This is fine for testing, but I doubt people would do this in real life. They would just type someone's name and dial based on the lookup on AD or UDS.

Hope that helps!

Ryan

