When we do an LDAP integration in CUCM 6.x, it grabs everyone, which is fine. I could do separate OUs and just grab those OUs. But is there a way to exclude LDAP entries from the directory sync, or is it basically sync all? (System accounts, or people we do not want listed in the corp directory.)
I don't think there is a way. We may have to use a third party or develop our own XML directory.
You are right. There's currently no support for filtering out some users in the chosen search base. As you stated, you would have to control this by restricting access of the LDAP Manager Distinguished Name account to just certain OUs.
I've configured my CCM6.1 for LDAP and I can see all the users in particular OUs in my End user page, but these users are not able to log in to the CCMUSER page (or the CRS Administration page in UCCx).
What rights does the LDAP Manager Distinguished name user need to have in ADS?
The first thing to check is that your AD users are showing up in CUCM. If they are, LDAP syncing is working with the account you are using.
To log in to the CCMUSER page, the user must have certain permissions *within* CUCM applied to them before they can log in. I had this problem once and it drove me crazy. Verify the user you are trying to log in with has the correct permissions on their account in CUCM.
Also, if the password or user name they are using has odd characters or something not standard, this may throw off authentication.
I can get the users synced fine.
I added the users to the "Standard CCM End User" user group, which I think is the only thing to do to get an End user to be able to log in to the CCMUSER page.
I think I have a ! in my password, let me reset to a simpler password and see if it would work.
Is there a list of characters not to use?
I can't recall which characters have troubles. I think it's a bug and it's in the bug list.
If you elevate the user to everything in CUCM, can they log in?
You will have to check the RTMT log and see what the issue with the login is with the users. I'm not sure why it's not allowing you in.
Unless it is something with the LDAP and how it's binding. Double check your LDAP configuration and make sure everything is correct in CUCM. I believe there is a check box for authentication also.
I got it fixed.
The LDAP User search base under LDAP Authentication must be greater than the User search base under LDAP Directories.
I had this under LDAP Authentication
This under LDAP directories
ou=Network Services, ou=Users, ou=Info Tech, ou=Jacksonville, dc=mickey, dc=org
Since my directories were not under CN=USERS, I had to change my user search base under LDAP Authentication to be
Hope this helps others who are as stupid as me...lol
Thanks for posting this, you know you will not be the only one running into this, and you will save the next person a lot of grief!
Okay, I painfully found that CUCM supports only "5" LDAP directories.
I have to get the ADS OUs rearranged accordingly....
I'm taking your advice Mary...posting how the issue was resolved...lol
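The fix reported in this thread can be checked offline before touching CUCM: the authentication search base has to sit at or above every directory sync search base. The following is an added example, not part of the original thread and not Cisco code. The function names and all DNs are constructed, DN comparison is assumed to be case-insensitive, and the five-directory limit is the figure reported above.

```python
import re

MAX_DIRECTORIES = 5  # limit as reported in the thread; treated as an assumption


def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs.

    A comma preceded by a backslash is treated as part of the value.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def covers(auth_base, sync_base):
    """True if sync_base is at or below auth_base in the directory tree."""
    auth, sync = split_dn(auth_base), split_dn(sync_base)
    return len(auth) <= len(sync) and sync[len(sync) - len(auth):] == auth


def audit(auth_base, sync_bases):
    """Return a list of findings; an empty list means the bases are consistent."""
    findings = []
    if len(sync_bases) > MAX_DIRECTORIES:
        findings.append(
            f"{len(sync_bases)} directories configured, limit is {MAX_DIRECTORIES}")
    for base in sync_bases:
        if not covers(auth_base, base):
            findings.append(f"not covered by authentication base: {base}")
    return findings


# Constructed sample configuration (not taken from the thread).
SYNC_BASES = [
    "ou=Network Services, ou=Users, ou=Info Tech, dc=example, dc=org",
    "OU=Help Desk,OU=Users,OU=Info Tech,DC=example,DC=org",
    "ou=Sales\\, East,dc=example,dc=org",
]

if __name__ == "__main__":
    for auth in ("cn=Users,dc=example,dc=org", "dc=example,dc=org"):
        print(auth, "->", audit(auth, SYNC_BASES) or "OK")
```

With the constructed data, the `cn=Users` authentication base fails for all three sync bases, which matches the symptom described above: users sync but cannot authenticate.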