Disable LDAP Synchronization in CUCM 7.1(3)

Hi,

Earlier this year I deployed CUCM 7.1(3) for a customer with approximately 500 users. I enabled LDAP sync to Active Directory and everything went ok.

The CUCM user ID syncs to the AD sAMAccountName.

They now want to add a separate business group whose users are in a separate AD tree (same forest).

Looking at the SRND, synching using the sAMAccountName is not supported, with only userPrincipalName being allowed.

My questions are:

  • Is it possible to somehow retain the existing CUCM user accounts whilst changing the attribute from sAMAccountName to userPrincipalName?
  • If not then what migration strategies are recommended?
  • Is it possible to disable LDAP sync and keep the user accounts that have been imported (and allow new users to be created from within CUCM)?

It may be ok to go to CUCM 8.0 if this makes things easier.

1 ACCEPTED SOLUTION
Cisco Employee

Re: Disable LDAP Synchronization in CUCM 7.1(3)

CUCM, when LDAP is enabled, will always go through the same process: it will only keep users that have a matching UserID attribute from the one in the directory.

If users have a different value for sAMAccountName and userPrincipalName then those users will be flagged as inactive and will be removed by the garbage disposal mechanism.

If the fields have the same value, then users will remain in CUCM.

I haven't tried this myself, but the only way I can think of keeping users and being able to add new ones would be to stop the LDAP services, but not remove the config, because of this:

Note: Once users are synchronized from LDAP into the Unified CM database, deletion of a synchronization configuration will cause users that were imported by that configuration to be marked inactive in the database. Garbage collection will subsequently remove those users.

This is the same in any version.

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk
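
A pre-change check for the behaviour described in the accepted answer, added here as an example and not part of the original thread or any Cisco tooling: it reads an LDIF export of the AD users and lists which accounts have identical sAMAccountName and userPrincipalName values (and would remain) and which differ or have no UPN (and would be flagged inactive). The sample LDIF, the function names and the exact-match comparison are assumptions.

```python
import base64

# Constructed LDIF export of AD users (hypothetical data, not from the thread).
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Sales,DC=example,DC=com
sAMAccountName: asmith
userPrincipalName: asmith@example.com

dn: CN=Kiosk 01,OU=Devices,DC=example,DC=com
sAMAccountName: kiosk01
userPrincipalName: kiosk01

dn: CN=Bob Jones,OU=Legacy,DC=example,DC=com
sAMAccountName: bjones

dn: CN=Zoe Muller,OU=Sales,DC=example,
 DC=com
sAMAccountName: zmuller
userPrincipalName:: em11bGxlckBleGFtcGxlLmNvbQ==
"""

def parse_ldif(text):
    """Return one {lowercased attribute: value} dict per LDIF entry."""
    # LDIF folding: a newline followed by one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip blank lines and comments
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def classify(entries, old="samaccountname", new="userprincipalname"):
    """Split current user IDs into (kept, flagged_inactive) for the attribute change."""
    kept, inactive = [], []
    for e in (x for x in entries if old in x):
        # Assumption: exact string match; a missing new attribute never matches.
        (kept if e.get(new) == e[old] else inactive).append(e[old])
    return kept, inactive

if __name__ == "__main__":
    print(classify(parse_ldif(SAMPLE_LDIF)))
```
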


Re: Disable LDAP Synchronization in CUCM 7.1(3)

Thanks Java,

I suspected that the users would be deleted if the LDAP sync was removed but it is useful to have it confirmed.

This is going to be fun!
