
CUCM 7.1.3 and LDAP integration

Hello,

I have CUCM V7.1.3 with local users. We are now considering integrating user management with LDAP, which is Windows 2003 in our network. We have more than 20 different business units spanning more than 20 offices. However, only six of these offices are part of the centralized IPT. The problem is that our AD users are grouped based on business units. For example, the users in the Atlanta office may be in six different OUs, and CUCM has a limit of five LDAP directories. Is there a way in LDAP to search users based on AD security group?

Any suggestions will be appreciated.

Mark

Re: CUCM 7.1.3 and LDAP integration

You could leverage LDAP filters and an AD attribute (or several attributes) to filter the user objects that will be synchronized. With 7.1(3) you would need to use the AXL API to modify the LDAP filter. With 8.x the CCMAdmin portal includes an interface to modify this parameter. I did a write up on the pre-8.x approach here:

http://www.netcraftsmen.net/resources/blogs/axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

HTH.

Regards,

Bill

Please remember to rate helpful posts.

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

Re: CUCM 7.1.3 and LDAP integration

Hi William,

Thank you for your information.  How could I modify the LDAP filter in CUCM 7.x?

Appreciate your help.

Mark

Re: CUCM 7.1.3 and LDAP integration

Mark,

The link I provided should give you a working example on how you would go about updating the LDAP filter used by a CUCM system running 7.1. The example focuses on the Cisco-provided AXL SQL Query toolkit (download plugin). But the Cisco AXL/SOAP API can be accessed in multiple ways. You may also be able to execute a SQL update from a command line. I believe I have done that in my lab but I don't recall which version and I am unable to test now. The query syntax would be identical to what I provided in the URL referenced in my last post.

HTH.

Regards,
Bill


Re: CUCM 7.1.3 and LDAP integration

Thanks William,  I will try that in my lab.

Regards

Mark

Re: CUCM 7.1.3 and LDAP integration

William,

When trying to run the command below I'm receiving the following error:

C:\axlsqltoolkit>java AxlSqlToolkit -input=test.xml -username=ccmadministrator -
password=C1$coC1$co -host=10.3.3.20
Exception in thread "main" java.lang.NoClassDefFoundError: AxlSqlToolkit
Caused by: java.lang.ClassNotFoundException: AxlSqlToolkit
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: AxlSqlToolkit.  Program will exit.


It seems that it is something related to the Java class path. If you have any idea how to solve this, that would be great.

Re: CUCM 7.1.3 and LDAP integration

Hi Rafael

A good place to start here is the readme.txt file that is in the AxlSqlToolkit directory - launch it like so to set the required classpath entries etc, substituting your own parameters for user/host/password etc.

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

From a linux system, run the following:

java -cp ./classes:./lib/saaj-api.jar:./lib/saaj-impl.jar:./lib/mail.jar:./lib/activation.jar:./lib/jaxm-api.jar:./lib/jaxm-runtime.jar:./lib/xercesImpl.jar:./lib/xml-apis.jar AxlSqlToolkit -username=CCMAdministrator -password=ciscocisco -host=64.101.156.207

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Re: CUCM 7.1.3 and LDAP integration

Rafael,

You need to add the appropriate values to your class path environment variable OR you can specify the class path when running the java executable.  There is a README.txt file that is included in the AXL SQL Toolkit download.  I recommend taking a look at that.  The java path as provided in this read me file is as follows:

From a windows system, run the following (assuming Java is in the path):

java -cp .\classes;.\lib\saaj-api.jar;.\lib\saaj-impl.jar;.\lib\mail.jar;.\lib\activation.jar;.\lib\jaxm-api.jar;.\lib\jaxm-runtime.jar;.\lib\xercesImpl.jar;.\lib\xml-apis.jar AxlSqlToolkit -username=userid -password=password -host=x.x.x.x -input=test.xml

HTH.


Regards,
Bill


Re: CUCM 7.1.3 and LDAP integration

Hi William

I need to perform the search on only a specific group.

When I set my research base for the whole root.
DC = mydomain, DC = com, DC = br

Show me all users in Active Directory.

But I have to look at the following group
Telefonia_Cisco cn =, ou = Global!, ou = Groups, ou = EscritorioCentral, ou = mydomain, dc = mydomain, dc = com, dc = br

Is it possible?

Cheers
Bruno Rangel

Re: CUCM 7.1.3 and LDAP integration

It would be best not to hijack somebody else's thread, but to answer your question, yes you can set the search root to something other than the domain root.  I am not sure if there are limitations on search root depth (how far into the tree you can go, yours looks pretty long compared to what we are using, which I know works).  It is possible however.

Re: CUCM 7.1.3 and LDAP integration

So I create a group to research this:
Ou = Group, ou = Global!, Ou = Groups, ou = EscritorioCentral, ou = mydomain, dc = mydomain, dc = com, dc = br

This document says to create a separate OU.


http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/4x/42drctry.html


"This attribute is the distinguished name pointer to another object in the directory, which contains the user's application-specific profile. This approach minimizes the impact on the core User object, and all the application-specific information can be stored in a separate organizational unit (OU) within the directory, usually called the Cisco subtree, CISCOBASE, or Cisco Directory Information Tree"

Cheers
Bruno Rangel

Re: CUCM 7.1.3 and LDAP integration

Hi Bruno

Firstly, you need to read the documentation for the version of software you are deploying - either you're reading the wrong document (in which case take a look at the SRND Directory Integration chapter for CM 7.0: https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html), or you are actually planning on doing directory integration on CM4.2 (which is a BAD IDEA).

Secondly, you can't filter the results of the Directory Sync by pointing it at a group.

Your options are:

1) Point at any single OU in your domain, and can allow it to sync anything below that in the directory tree

2) Point at multiple separate OUs in your domain, and call include subtree again

3) Point at the root of the domain and include everything

Separate to the OU that you use as your base, you can then apply permissions within your LDAP directory to prevent the user account used to perform the synchronisation from being able to see portions of the directory.

Regards

Aaron

Please rate helpful posts...


Re: CUCM 7.1.3 and LDAP integration

Bruno,

Didn't we cover this in the following thread?

https://supportforums.cisco.com/message/3123536#3123536

Regards,
Bill


Re: CUCM 7.1.3 and LDAP integration

Sorry William
This discussion had been opened before.

Thanks guys.

Cheers
Bruno Rangel

Re: CUCM 7.1.3 and LDAP integration

You keep using the word Group.  As in an Active Directory or LDAP group?  I have only seen it as described in your quote you pasted in below, where the server was looking at the dn (Distinguished Name) characteristic on the user in the specified OU.

Re: CUCM 7.1.3 and LDAP integration

Ok

Thanks

I'll try and see if it works

Cheers
Bruno Rangel

Re: CUCM 7.1.3 and LDAP integration

William and Aaron,

Thanks for the quick response. I already took a look at the readme file and it seems that the previous problem is corrected, but now I'm facing this after sending the command William sent me:

java.io.FileNotFoundException: -input:test.xml (The system cannot find the file
specified)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(Unknown Source)
        at java.io.FileInputStream.<init>(Unknown Source)
        at AxlSqlToolkit.execute(AxlSqlToolkit.java:188)
        at AxlSqlToolkit.main(AxlSqlToolkit.java:244)

C:\axlsqltoolkit>dir
Volume in drive C has no label.
Volume Serial Number is 70AD-4869

Directory of C:\axlsqltoolkit

06/22/2010  10:16 AM    <DIR>          .
06/22/2010  10:16 AM    <DIR>          ..
06/21/2010  05:59 PM    <DIR>          classes
06/21/2010  05:59 PM    <DIR>          lib
01/03/2007  04:24 AM             2,526 README.txt
06/22/2010  10:21 AM                 0 sample.response
02/09/2005  03:48 PM               501 sample.xml
06/21/2010  05:59 PM    <DIR>          schema
06/21/2010  05:59 PM    <DIR>          src
06/21/2010  06:01 PM               221 test.xml

Any idea?

Sorry about these questions, but I really need to do this and have no knowledge at all of this Java/SQL world.

Re: CUCM 7.1.3 and LDAP integration

Hi Guys,

Does anyone have an idea on how to help me? I'm running the commands but it is saying that it cannot find the test.xml file.

Re: CUCM 7.1.3 and LDAP integration

Hi

Try specifying the full path to the file in the -input parameter.

Failing that, post back where you are running the java command from, and where your xml file is etc.

Regards

Aaron


Re: CUCM 7.1.3 and LDAP integration

Aaron,

No joy using the full path.

Re: CUCM 7.1.3 and LDAP integration

Actually,  I had a typo in my original reply to you.  It isn't -input: it is -input=.  Not sure how the colon slipped from my brain to my keyboard, but it was clearly a demonstration of PEBCAK ;-)   Try your command with -input= and see if that works.

Regards,
Bill


Re: CUCM 7.1.3 and LDAP integration

William,

Thanks for the update, it worked but now facing a new problem.

When running the command I'm receiving some errors that seem to be from java.

thanks or me time for the support from you, I could not find support for this on anywhere.

The output for the command is attached.

Re: CUCM 7.1.3 and LDAP integration

Rafael,

Can you post the command you executed, with all parameters?   Also, can you please check to see if you have the Cisco AXL Web Service activated.  This service is required for the AXL Query Toolkit to operate correctly.  To check:

1. go to https://cucmpublisherIP/ccmservice

2. go to Tools-->Service Activation

3. select the publisher node from the server list

4. scroll down and look for "Cisco AXL Web Service"

HTH.

Regards,
Bill

Please remember to rate helpful posts.


Re: CUCM 7.1.3 and LDAP integration

Bill,

Thanks for the support, it seems to have worked.

The output follows:

Positive response received.
---------------------
http://schemas.xmlsoap.org/soap/envelope/" SO
AP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
r/>http://www.cisco.com/A
XL/API/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" sequence="1277
314165608">Microsoft Active Directory1
lter>(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.
840.113556.1.4.803:=2)))
Netscape or Sun ONE LDAP Serve
r
2(objectclass=inetOrgPerson)

me>OpenLDAP
3(objectclass=inetOrgPerson)
w>Microsoft Active Directory Application Mode4
lter>(&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisable
d=TRUE)))
<
/SOAP-ENV:Envelope>
---------------------

This is the answer we are expecting, right?

Re: CUCM 7.1.3 and LDAP integration

Yes.  You are getting data back from the API.  Good job.

Regards,
Bill


Re: CUCM 7.1.3 and LDAP integration

Bill,

One last question ( I hope lol).

I need to create a filter that only returns users that have the field ipPhone not equal to null.

I've made a possible solution and would like to know if it is right or not.



     

Re: CUCM 7.1.3 and LDAP integration

Rafael,

You could try this LDAP query:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

HTH.


Regards,
Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify
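
An added example, not part of any post in this thread: a small Python evaluator for the two filters quoted above (the stock Active Directory filter from the AXL response and the ipPhone variant), run against a constructed directory to show which accounts each filter would let the sync import. The sample entries, account names and the `parse`, `matches`, `synced` and `user` helpers are assumptions made for illustration; only the filter strings come from the thread.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule seen in the thread's filters
# Filter strings copied from the thread: the stock AD filter and the ipPhone variant.
DEFAULT_FILTER = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
IPPHONE_FILTER = DEFAULT_FILTER[:-1] + "(ipPhone=*))"

def parse(f, i=0):
    """Parse one RFC 4515 filter starting at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group")
        return (op, kids), i + 1
    j = f.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:j])
    if not m or m[2] not in (None, BIT_AND):
        raise ValueError(f"unsupported filter item {f[i:j]!r}")
    return ("item", m[1].lower(), m[2], m[3]), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attribute -> list of str)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    vals = entry.get(attr, [])
    if rule == BIT_AND:  # true when every bit of `value` is set in the attribute
        return any((int(v) & int(value)) == int(value) for v in vals)
    return bool(vals) if value == "*" else value.lower() in [v.lower() for v in vals]

def synced(filter_text, entries):  # names of the accounts this filter would import
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]

# Constructed sample directory. userAccountControl: 512 enabled, 514 and 66050 disabled (bit 2 set).
def user(name, uac, phone=None, cls=("user",)):
    e = {"samaccountname": [name], "objectclass": list(cls), "useraccountcontrol": [str(uac)]}
    return {**e, "ipphone": [phone]} if phone else e
DIRECTORY = [user("alice", 512, "4001"), user("bob", 514, "4002"), user("carol", 512),
             user("dave", 66050, "4004"), user("WS01$", 4096, cls=("user", "computer"))]
```

Running a proposed filter over a few representative accounts before loading it into CUCM shows whether disabled accounts, computer objects or users without a phone attribute would still be imported.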

Re: CUCM 7.1.3 and LDAP integration

Bill,

Thanks for the support, it is working like a charm.

Re: CUCM 7.1.3 and LDAP integration

Glad to help.

Regards,
Bill
