Cisco Support Community
Community Member

CUCM LDAP Change from SAM to UPN


I currently have integrated with CUCM using LDAP and am authenticating against it for ccmuser and UCCX.

Another tree in the AD forest is being added and I need to provide CUCM authentication against it.  For example, exists now, and is being added.  A trust relationship exists between the two.

I have imported users from  That part is fine.  I simply cannot authenticate the users.

I am currently importing based upon samAccountName, and believe I should use UPN, and authenticate against a GC.

The question is, since I am currently using samAccountName, if I convert everything to UPN, will all of the end-user account settings carry over to the UPN when the accounts are re-imported?  Likewise, will the settings that are currently listed for the agents in UCCX change or carry over after the change from samAccountName to UPN?

I'm hopeful that CUCM sees these accounts as the same even though the userID will have changed.

I'm on CUCM 7.02-20000-5, and UCCX 7.01SR1.



Re: CUCM LDAP Change from SAM to UPN

All good questions. Unfortunately, I don't think that the CUCM will make the association you are hoping it does. If you change the mapping for the CUCM user id to the UPN in AD, the next run of DirSync will see the users as "new" users and existing users will be flagged for deletion.

At least that is what I expect would happen. I haven't tested with UPN myself, but when I have changed the user id mapping to another value (like telephoneNumber) my users were disassociated and flagged for deletion. What I did was export existing CUCM end user data (via BAT) and import the data in excel. Then I exported data from AD, did a mapping and changed the user id value in my excel sheet. Save it to a CSV and re-import it (with device associations, primary extensions, etc.). At this point I have increased by end user table by 2 times. Then I changed the AD attribute and the "old" user IDs were flagged to be deleted. 24 hours later, I was back to the same user count and using the new attribute value.

So, that is my take/understanding on the topic.




HTH -Bill (b) (t) @ucguerrilla

Please remember to rate helpful responses and identify

Community Member

Re: CUCM LDAP Change from SAM to UPN


Thanks for the response.  I was afraid that this might be the case.

I can deal with the export/import of the CUCM user data, but I'm more worried about a large contact center with complex skills.  I'm not yet sure how I can deal with those.

Community Member

Re: CUCM LDAP Change from SAM to UPN

I did lab this out last night.  I actually found that moving from SAM to UPN and back would retain account settings.  Here's the process I used:

- Turn off LDAP Sync - All Users go Inactive

- Change to UPN

- Turn on LDAP Sync

- Re-add LDAP directory

All users will go active and are not duplicated.  In other words, if I have user1 before the process begins, user1 simply becomes  Furthermore, if user1 changes to domain2, the account simply becomes  The settings were retained through the entire process.


Community Member

Re: CUCM LDAP Change from SAM to UPN

Hi Jeff,


I am trying to change the LDAP Authentication from SAM to UPN in order to support sub-domains in our organization (using CUCM 8, UCCX, Presence and UCNX)

LDAP Directory changed successfully exactly as you did and the user1 becomes

For LDAP authentication I used CN=user1,ou=users1,dc=domain1,dc=com to work and CM accept the settings.

But I can only authenticate users on domain1. What type of user do I need in order to read all AD forest?



Ok i found the solution to my answer - Use port 3268 Global Catalog for LDAP authentication

Community Member

CUCM LDAP Change from SAM to UPN

After changing from SAM to UPN, were the UCCX users required to login with SAM or UPN.  Our UCCX uses CUCM as its AXL provider.


Hall of Fame Super Silver

CUCM LDAP Change from SAM to UPN


UCCX agents will need to login with wahetever is mapped to userID in CUCM LDAP integration, so if you changed it from SAM to UPN then UPN will need to be entered as agent ID.



CreatePlease to create content