10408 Views | 32 Helpful | 9 Replies

Inactive LDAP user never deleted in UCM, is it possible?

Hi guys

I have a big problem with my customer.

The customer associates users (from LDAP) with the Owner ID field on the phone devices.

Well, sometimes (every week), employees take, how can I say, a leave of absence (sickness, accident at work and other causes), and the employer has their user ID (in LDAP) disabled, and CallManager disassociates the owner ID of the phone.

When the employee comes back to work, I need to make the association again, but I think there are about 40 people per week, and I need to query CallManager, see the disassociation and associate again....

Has somebody had a similar scenario? Do you have any suggestions?

Best Regards

Peterson

9 Replies

nikshah (Cisco Employee)

I am a little unclear about what you are requesting. Can you reframe your question?

Sent from Cisco Technical Support Android App

Hi Nik

It is very confusing..... I don't know how I can explain this case in English... it is not a common situation.

UCM 7.x with LDAP sync

userA, userB, userC, userD, userN

IPPhone A ownerId = userA

IPPhone B ownerId = userB

IPPhone C ownerId = userC

Well, user A (John Smith) is very sick and needs to be at home for 3 months. So HR disables the account in Active Directory; then CallManager disassociates IPPhone A and User A, so

IPPhone A =

Now... 3 months later, John Smith returns to work and HR re-enables his account in Active Directory; then I need to manually re-associate IPPhone A and User A, so

IPPhone A = userA (again)

Now imagine 40 users per week, checking user active/inactive, associating/disassociating.... it is not a good process... So my question: what can I do to improve this task?

Best Regards

Peterson

nikshah (Cisco Employee)

If the user is disabled in LDAP and then the sync from CUCM with LDAP runs, that user is marked for deletion, and the garbage service kicks in at 3 am every morning and deletes the inactive user.

Hope this helps; otherwise let me know if you had something else in mind.


Hi

The default LDAP filter on CUCM is this:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause basically checks if the account is disabled, and does not import it if it is disabled.

So, if you want disabled accounts to not be removed from CUCM, you can set a custom LDAP filter like so:

(&(objectclass=user)(!(objectclass=Computer)))

User accounts would then only be removed from CUCM when the account is actually deleted from CUCM.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Hi Aaron, my friend.

Well.... I thought of manipulating the LDAP filter, changing the default. But UCM 7.1 doesn't have an LDAP filter option; is there another way to change the default LDAP filters?

Best Regards

Peterson

Hi

Some reading for you: http://www.netcraftsmen.net/component/content/article/70-unified-communications/742-axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

Regards

Aaron

Thank you Aaron.

Hi Aaron

I followed your suggestion.

I have read the blog, good material.

So I ran the xml file:

And ran the AXL toolkit successfully, and now:

admin:run sql select ldap.name, ldf.tkldapserver as type, ldf.filter from ldapfilter as ldf inner join typeldapserver as ldap on ldf.tkldapserver = ldap.enum

name                                        type  filter
=========================================== ====  ================================================================================
Microsoft Active Directory                  1     (&(objectclass=user)(!(objectclass=Computer))
Netscape or Sun ONE LDAP Server             2     (objectclass=inetOrgPerson)
Microsoft Active Directory Application Mode 4     (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))
OpenLDAP                                    3     (objectclass=inetOrgPerson)

admin:

I restarted Cisco Tomcat and DirSync, but the disabled account is not shown yet.

Regards

Peterson
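Aaron's explanation of the default filter, nikshah's note about users being marked for deletion, and the filter printed by the run sql query above can be checked together with a small script. The following is an added example, not code from this thread, from Cisco or from the netcraftsmen article; the sample directory entries, phone names and every function name in it are this example's own assumptions. It implements the AD bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) that the default filter relies on, shows which constructed users each filter returns and which existing CUCM end users a sync would therefore mark for deletion (and which phones lose their ownerId with them), and it rejects the Active Directory filter exactly as it appears in the query output above, which has one fewer closing parenthesis than the filter Aaron posted.

```python
# Added example, not code from the thread or from Cisco: a small evaluator for
# the AD-style LDAP filters discussed above, run against a constructed sample
# directory. Supports (&...), (|...), (!...), attr=value, attr=* and the AD
# bitwise-AND extensible match attr:1.2.840.113556.1.4.803:=N.
import re

BITWISE_AND_RULE = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit tested by the default filter

DEFAULT_AD_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                     "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
CUSTOM_AD_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"
# The Active Directory filter exactly as printed by the 'run sql' output above:
# one closing parenthesis short of the filter Aaron posted.
FILTER_FROM_SQL_OUTPUT = "(&(objectclass=user)(!(objectclass=Computer))"

_ITEM = re.compile(r"([A-Za-z][\w.-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text):
    """Parse an RFC 4515-style filter into a tuple tree.
    Raises ValueError on unbalanced parentheses, bad items or trailing text."""

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"unbalanced filter at offset {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children), i + 1
        end = text.find(")", i)
        if end == -1:
            raise ValueError("simple item is never closed")
        m = _ITEM.fullmatch(text[i:end])
        if not m:
            raise ValueError(f"cannot parse item {text[i:end]!r}")
        attr, rule, value = m.groups()
        return ("item", attr.lower(), rule, value), end + 1

    tree, pos = parse(0)
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return tree


def filter_is_wellformed(text):
    """Pre-flight check before writing a filter into CUCM via AXL."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """entry: dict of lower-cased attribute name -> list of values."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BITWISE_AND_RULE:  # LDAP_MATCHING_RULE_BIT_AND: all mask bits set
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":
        return bool(values)
    return any(str(v).lower() == value.lower() for v in values)  # AD is case-insensitive


def ad_user(sam, uac, extra_classes=()):
    # Constructed sample entry; names and flag values are this example's assumptions.
    classes = ["top", "person", "organizationalPerson", "user", *extra_classes]
    return {"samaccountname": [sam], "objectclass": classes, "useraccountcontrol": [uac]}


SAMPLE_DIRECTORY = [
    ad_user("usera", 512),                                 # NORMAL_ACCOUNT
    ad_user("userb", 512 | UAC_ACCOUNTDISABLE),            # disabled by HR (514)
    ad_user("userc", 512 | 0x10000),                       # DONT_EXPIRE_PASSWORD, enabled
    ad_user("userd", 512 | 0x10000 | UAC_ACCOUNTDISABLE),  # same flag, disabled
    ad_user("pc01$", 4096, extra_classes=["computer"]),    # workstation trust account
]
SAMPLE_PHONES = {"SEP000000000001": "usera", "SEP000000000002": "userb",
                 "SEP000000000004": "userd"}  # constructed device name -> ownerId


def imported_users(filter_text, directory):
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in directory if matches(tree, e))


def sync_outcome(filter_text, directory, cucm_users):
    """One DirSync run as nikshah describes it: an LDAP-synchronized end user the
    filter no longer returns is marked for deletion and removed by the nightly
    garbage collection. Returns (imported, marked_for_deletion)."""
    imported = set(imported_users(filter_text, directory))
    return sorted(imported), sorted(u for u in cucm_users if u not in imported)


def orphaned_phones(phones, marked_for_deletion):
    """Devices whose ownerId points at a user that is about to disappear."""
    return sorted(d for d, owner in phones.items() if owner in marked_for_deletion)


if __name__ == "__main__":
    existing = ["usera", "userb", "userc", "userd"]
    for name, flt in (("default", DEFAULT_AD_FILTER), ("custom", CUSTOM_AD_FILTER)):
        imported, marked = sync_outcome(flt, SAMPLE_DIRECTORY, existing)
        print(name, "imports", imported, "marks", marked,
              "orphans", orphaned_phones(SAMPLE_PHONES, marked))
    print("filter from SQL output well-formed?", filter_is_wellformed(FILTER_FROM_SQL_OUTPUT))
```

With the default filter the two disabled sample users are marked for deletion and their phones lose their ownerId; with the custom filter nothing is marked. The well-formedness check is the part worth keeping: an LDAP server rejects a malformed filter, so a filter string is better validated before it is written into the ldapfilter table with the AXL SQL toolkit.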

Peterson,

I think what Aaron suggested is this..

1. Create an LDAP filter with your LDAP system in CUCM.

2. Use that filter to import users from AD

3. Once the users have been imported and active, and are then deleted in AD because they are away for a few months, CUCM will not delete them.

4. Once they are back from their long holiday and you perform an LDAP sync, the users will be active again and their associations will be intact.

So this will work when you do a new LDAP sync with this filter. The existing users have already been marked to be deleted when disabled because they were imported using the default cucm filter.

NB: This will not import disabled users in AD. This is to help you in the future to prevent cucm from deleting users that have been marked inactive because their accounts were disabled in AD.

SO you will need to delete your existing LDAP configuration and create a new one using this filter.

Hope this is clearer. Please rate all useful posts.
