New Member

LDAP User Inactive never delete in UCM, is possible?

Hi guys

I have a big problem at my customer.

The customer associates users (from LDAP) in the owner ID field of the phone devices.

Well, sometimes (every week), employees, how can I say, take a "job-licensed" leave (sick, accident at work and other causes), and the employee has their user id (on LDAP) disabled and CallManager disassociates the owner id of the phone.

When the employee comes back to work, I need to make the association again, but I think there are 40 people per week and I need to query the CallManager, see the disassociation and associate again....

Has anybody had a similar scenario? Do you have any suggestions?

Best Regards

Peterson

9 REPLIES
Cisco Employee

Re:LDAP User Inactive never delete in UCM, is possible?

I am a little unclear what you are requesting. Can you reframe your question?


New Member

LDAP User Inactive never delete in UCM, is possible?

Hi Nik

It is very confusing..... I don't know how I can explain this case in English... it is not a common situation

UCM 7.x with LDAPsync

userA, userB, userC, userD, userN

IPPhone A ownerId = userA

IPPhone B ownerId = userB

IPPhone C ownerId = userC

Well, user A (John Smith) is very sick and needs to be at home for 3 months. So, HR disables the account in Active Directory, then CallManager disassociates IPPhone A and User A, so

IPPhone A =

Now... 3 months later, John Smith returns to his job and HR re-enables his account in Active Directory, then I need to manually re-associate IPPhone A and User A, so

IPPhone A = userA (again)

Now imagine 40 users per week, checking user active/inactive, associating/disassociating.... it isn't a good process... So my question: what can I do to improve these tasks?

Best Regards

Peterson

Cisco Employee

Re:LDAP User Inactive never delete in UCM, is possible?

If the user is disabled in ldap and then the sync from cucm with ldap runs then that user is marked for deletion and the garbage service kicks in at 3 am every morning and it shall delete the inactive user.

Hope this helps else let me know if you had something else in your mind


Super Bronze

LDAP User Inactive never delete in UCM, is possible?

Hi

The default LDAP filter on CUCM is this:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

The (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause basically checks if the account is disabled, and does not import it if it is disabled.

So - if you want disabled accounts to not be removed from CUCM, you can set a custom ldap filter like so:

(&(objectclass=user)(!(objectclass=Computer)))

User accounts would then only be removed from CUCM when the account is actually deleted from CUCM.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
New Member

LDAP User Inactive never delete in UCM, is possible?

Hi Aaron, my friend.

Well.... I thought of manipulating the LDAP filter, changing the default. But in UCM 7.1 there is no LDAP Filter, or do I have another way to change the default LDAP filters?

Best Regards

Peterson

Super Bronze

LDAP User Inactive never delete in UCM, is possible?

Hi

Some reading for you: http://www.netcraftsmen.net/component/content/article/70-unified-communications/742-axl-sql-toolkit-part-3-updating-cucm-dirsync-ldap-filter-by-example.html

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
New Member

LDAP User Inactive never delete in UCM, is possible?

Thank you Aaron.

New Member

LDAP User Inactive never delete in UCM, is possible?

Hi Aaron

I did your suggestion.

I have read the blog, good material.

So I ran the xml file:

And ran the axltoolkit successfully and now:

admin:run  sql select ldap.name, ldf.tkldapserver as type, ldf.filter from  ldapfilter as ldf inner join typeldapserver as ldap on ldf.tkldapserver =  ldap.enum
name                                        type  filter
=========================================== ====  ================================================================================
Microsoft Active Directory                  1     (&(objectclass=user)(!(objectclass=Computer))
Netscape or Sun ONE LDAP Server             2     (objectclass=inetOrgPerson)
Microsoft Active Directory Application Mode 4     (&(objectclass=user)(!(objectclass=Computer))(!(msDS-UserAccountDisabled=TRUE)))
OpenLDAP                                    3     (objectclass=inetOrgPerson)
admin:

I restarted Cisco Tomcat and DirSync but the disabled account is not shown yet

Regards

Peterson
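The two filters from Aaron's reply and the first row of the query output above, run through a small LDAP filter parser and evaluator. This is an added example, not part of any post in the thread and not Cisco code; the directory entries are constructed and the parser covers only the filter syntax that appears in this thread. As printed, that first row has one closing parenthesis fewer than the filter Aaron suggested, and the parser rejects it.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule, as used in the thread
DEFAULT = "(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
CUSTOM = "(&(objectclass=user)(!(objectclass=Computer)))"
PRINTED = "(&(objectclass=user)(!(objectclass=Computer))"  # row 1 of the CLI output
ITEM = re.compile(r"([\w-]+)(?::([\d.]+):)?=([^()]*)")
ENTRIES = {  # constructed sample: 512 = normal account, 514 = 512 + disabled bit (2)
    "userA": {"objectclass": ["user"], "useraccountcontrol": [514]},
    "userB": {"objectclass": ["user"], "useraccountcontrol": [512]},
    "PC01$": {"objectclass": ["user", "computer"], "useraccountcontrol": [4096]},
}

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        m = ITEM.match(s, i)
        if not m or m.group(2) not in (None, BIT_AND):
            raise ValueError(f"unsupported item at offset {i}")
        node, i = ("item", m.group(1).lower(), m.group(2), m.group(3)), m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "item":
        _, attr, rule, value = node
        if rule == BIT_AND:  # true when every bit of `value` is set in the attribute
            return any((int(v) & int(value)) == int(value) for v in entry.get(attr, []))
        return any(str(v).lower() == value.lower() for v in entry.get(attr, []))
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def selected(filter_text, entries=ENTRIES):
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError(f"trailing text at offset {end}")
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

`selected(DEFAULT)` leaves out the disabled `userA`, while `selected(CUSTOM)` keeps it, so with the custom filter a disabled directory account stays among the users the filter selects.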

VIP Super Bronze

Re: LDAP User Inactive never delete in UCM, is possible?

Peterson,

I think what Aaron suggested is this..

1. Create an LDAP filter with your LDAP system in CUCM.

2. Use that filter to import users from AD

3. Once the users have been imported and active, and are then deleted in AD because they are away for a few months, CUCM will not delete them.

4. Once they are back from their long holiday and you perform an LDAP sync, the users will be active again and their associations will be intact.

So this will work when you do a new LDAP sync with this filter. The existing users have already been marked to be deleted when disabled because they were imported using the default cucm filter.

NB: This will not import disabled users in AD. This is to help you in the future to prevent cucm from deleting users that have been marked inactive because their accounts were disabled in AD.

So you will need to delete your existing LDAP configuration and create a new one using this filter.

Hope this is clearer.. pls rate all useful posts

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"