Cisco Support Community
New Member

Delete a CUCM AD Sync Issues

We have an 8.5.1 SU2 CUCM system and are doing some testing offline prior to moving the production system to an AD sync.

If the synced users have the same names in CUCM and AD then they will be matched and work fine. User names that exist in the CUCM (e.g. user names spelt wrong or without an AD account) but not in AD will be marked inactive and then marked for deletion; after the garbage collection time these users will disappear completely. This is what I would expect.

If we then decide to turn off the CUCM AD sync (say 10 mins later, to roll back for whatever reason) and delete the sync configuration, I would expect the AD synced users to be marked for deletion and the users that were marked inactive and marked for deletion to be active again as before.

This does not seem to be the case. The original users that were marked for deletion are still there and look active, and all the config to associate to EM profiles etc. seems to be in the config, but the users are locked out as if they didn't exist. Even if you reset the password for the user or update the data, that user is now dead and unusable. We have also tried a total reboot of the cluster thinking something could be stuck, but that didn't help.

So the questions are

  • Is this right that once a user is marked for deletion it is as good as dead? So there is no roll back even just a few mins after the sync? (I am sure this isn't the case from when I have done this before.)
  • Is there something else that needs to be done other than delete the AD sync to restore the old users marked for deletion?
  • Is this a bug?
  • Have we missed something obvious?

Any help or ideas would be appreciated

Thanks

2 REPLIES
New Member

Did you configure both LDAP Sync and LDAP Authentication?

When you said "the users are locked out as if they didn't exist", what exactly did you mean?

If they cannot log into CCMUser page, you may take a look at Tomcat Security log.

Michael

New Member

Hi, thanks for the reply,

It was just Sync configured to start with, but it will be authentication later.

Users were configured pre sync, e.g. "richardp", and they could log in to the CCM end user page, log into extension mobility, and log in with CUCiLync. We then synced and the user "richardp" was marked inactive and for deletion, as there was no "richardp" in the AD. After the sync had been taken away 10 mins later I would have expected that user "richardp" to work again as before, but it didn't. Could not log in to EM, CCM user page or CUCiLync.

When you check the End user page on CUCM the user "richardp" is there, not marked as inactive, and looks OK to use. You go in the config for the user and you see all the EM association, CCM groups etc., but still the user can't log into anything. Even if you reset passwords and reboot the cluster, that user can't be used.

This happens for every user that was in the database pre sync when you try and roll back the sync.

Very strange.
