
CUCM LDAP Setup change

Scott Holden
Level 1
Hi all,

I have a CUCM 9.x cluster that is in production. It was originally configured years ago (as a 6.x cluster) for LDAP synchronization with AD, with the CUCM User ID mapped to the telephoneNumber AD attribute. If memory serves me, this was done to limit which users were added/synched to CUCM from AD (no phone number in AD, not synched to CUCM). There are currently 226 Active LDAP synched users with their respective 4-digit DN as a User ID.

For various reasons, I would now like to change the LDAP System Configuration so that the CUCM User ID maps to sAMAccountName. In order to do so, I have to disable LDAP Authentication and delete the existing LDAP Directory. I understand that this will change the current LDAP users to inactive, which would in-turn be deleted during the next garbage collection cycle.

My question is, when I change the User ID to map to sAMAccountName then recreate an LDAP directory and re-sync, will the users become active again or will AD users be imported to CUCM as new?

I found a note in the 9.0 SRND that may answer my own question:

"The configuration of the synchronization agreement specifies a mapping of an LDAP database attribute to the Unified CM UserID. During the synchronization, accounts from the LDAP database that match an existing Unified CM account cause that Unified CM account to be marked active again."

If I'm interpreting that correctly, then since I am changing the User ID values, the accounts wouldn't match and would remain inactive and new users would be created. If so, I'm afraid this would create quite a bit of cleaning up to do. We also use UCCX, which agents log into using their 4-digit DN. Would these users/resources be removed from UCCX as well?

I fear this would/will be a painful change. Any input is appreciated!

Scott

Accepted Solution

George Thomas
Level 10

Hi Scott,

You are correct, if the alias that is in CUCM today doesn't match what gets synced, this will create new additional accounts. Since you have telephoneNumber today and you want to map to sAMAccountName, this will create new accounts.

One way you could do this would be to do an export of all the users using BAT before starting the process. Once that is done, create another sync agreement with the sAMAccountName as the userID attribute. This will create new accounts in CUCM. With the BAT export you have, you could massage the CSV a bit and replace the alias with the sAMAccountName and re-import it back in as an "Update users" which should help you out quite a bit. I would complete this first before you delete the sync agreement for telephoneNumber so that you have a rollback plan.

As far as UCCX is concerned, all the users will be deleted once the sync agreement with telephoneNumber is removed. Due to this, agents' skills will be removed, and you will have to recreate user accounts and assign appropriate skills. Also, reports will not be carried forward, i.e. you will have to run two reports to get the same data for some time.

HTH

Please rate useful posts.


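The BAT step George describes (export the telephoneNumber-keyed users, swap the User ID column for the sAMAccountName, re-import as an "Update users" job) is a join between two exports, and it is worth scripting so that every remapped account is recorded for rollback and every row that cannot be mapped is surfaced instead of silently dropped. The following is an added example, not code from the thread or from Cisco. It assumes a constructed BAT export whose first column is `USER ID` and a constructed AD export with `sAMAccountName` and `telephoneNumber` columns (the real BAT header names must be taken from your own export file); the sample rows are made up and include two edge cases a practitioner should expect, an AD telephoneNumber shared by two accounts and a CUCM user with no AD match.

```python
"""Remap a CUCM BAT user export from telephoneNumber-based User IDs to sAMAccountName.

Constructed example. The CSV headers and rows below are illustrative stand-ins,
not a verbatim CUCM BAT export or AD dump; adjust header names to your files.
"""
import csv
import io

# Constructed stand-in for a BAT "Export Users" CSV: User ID is the 4-digit DN.
BAT_EXPORT = """USER ID,FIRST NAME,LAST NAME,TELEPHONE NUMBER,PRIMARY EXTENSION
1001,Ada,Lovelace,1001,1001
1002,Alan,Turing,1002,1002
1003,Grace,Hopper,1003,1003
1004,Local,Admin,,
"""

# Constructed stand-in for an AD export carrying both attributes.
# 1003 is deliberately assigned to two accounts to show the ambiguity check.
AD_EXPORT = """sAMAccountName,telephoneNumber
alovelace,1001
aturing,1002
ghopper,1003
ghopper2,1003
"""


def build_alias_map(ad_csv_text):
    """Return (telephoneNumber -> sAMAccountName, set of ambiguous numbers).

    A number claimed by more than one AD account is excluded from the map so
    that no CUCM account is silently attached to the wrong AD identity.
    """
    alias, ambiguous = {}, set()
    for row in csv.DictReader(io.StringIO(ad_csv_text)):
        tel = row["telephoneNumber"].strip()
        sam = row["sAMAccountName"].strip()
        if not tel or not sam:
            continue
        if tel in alias and alias[tel] != sam:
            ambiguous.add(tel)
        alias.setdefault(tel, sam)
    for tel in ambiguous:
        alias.pop(tel, None)
    return alias, ambiguous


def remap_users(bat_csv_text, alias):
    """Rewrite USER ID using alias; return (fieldnames, updated rows, unmatched, mapping).

    `mapping` is the old -> new User ID audit trail to keep with the BAT export
    for rollback; `unmatched` lists rows that need manual attention.
    """
    reader = csv.DictReader(io.StringIO(bat_csv_text))
    updated, unmatched, mapping = [], [], {}
    for row in reader:
        old_id = row["USER ID"].strip()
        new_id = alias.get(old_id)
        if new_id is None:
            unmatched.append(old_id)
            continue
        new_row = dict(row)
        new_row["USER ID"] = new_id
        updated.append(new_row)
        mapping[old_id] = new_id
    return reader.fieldnames, updated, unmatched, mapping


def write_update_csv(fieldnames, rows):
    """Serialise the remapped rows back into a BAT-style CSV string."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    alias_map, ambiguous = build_alias_map(AD_EXPORT)
    fields, updated, unmatched, mapping = remap_users(BAT_EXPORT, alias_map)
    print(write_update_csv(fields, updated))
    print("ambiguous AD numbers:", sorted(ambiguous))
    print("unmatched CUCM users:", unmatched)
    print("rollback mapping:", mapping)
```

Run it against the real exports by replacing the two constants with the file contents; review the ambiguous and unmatched lists before the "Update users" import, since those are exactly the accounts that would otherwise be orphaned when the telephoneNumber sync agreement is deleted.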
4 Replies


George,

Thanks for the reply, I really appreciate it.  Great tip on the BAT export.

What's causing me to even consider going through with this change is the deployment of IM & Presence and Jabber.  IM&P is in service, but the deployment of Jabber is currently limited to a few folks in our IT division for testing.  The way things are now, our logins for Jabber and IM Addresses are XXXX@tld.org, where XXXX is a 4-digit extension.  It's working, though it just doesn't seem as clean as telling people to sign in with their email address.  We don't (currently) have plans to federate either.

I added the voicemail UC services to Jabber and ran across a second reason to change it, although it isn't huge. Unity Connection is synched with AD using sAMAccountName, so the user credentials don't match those of CUCM, which means I can't pass the Jabber login creds to sign in to voicemail. So users will have to A) enter it manually in the Jabber options and B) update it each time their password expires. Seems small, but a pain for the end users nonetheless.

Thanks again!

-Scott

I hear ya, when CallManager first came out, who knew UC would evolve to a user model with a phone running on a PC with IM chat capabilities. There are many other customers in the same boat as you and I guess everyone has to bite the bullet and do what is necessary.

You should be alright except for the UCCX users which might suck a bit.

Good luck!

Please rate useful posts.

Hi George,

Sort of reviving an old thread here. I've been preparing to perform the LDAP sync update this weekend, and ran into an issue concerning the rollback plan you mentioned. I've exported all of the users using BAT, but I can't create another sync agreement with the sAMAccountName as the userID without updating the LDAP System Configuration; the LDAP System Configuration can't be updated without first deleting any existing sync agreements... and therein lies the issue. Or at least that is what is noted in the GUI on the LDAP System Configuration page:

Please Delete All LDAP Directories Before Making Changes on This Page

Please Disable LDAP Authentication Before Making Changes on This Page

Not a show stopper, but wanted to mention it. I'm also preparing a BAT update of the phones as well, since the existing Owner User ID will be wiped out when the users are deleted.

Scott