New Member

Custom LDAP Filter for CUCM 9.1.2

In recent months, we upgraded from CUCM 7.1.5 to 9.1.2.  During that process we added CUIM&P and turned on AD synchronization and authorization.  Unfortunately, this has imported all users from AD and half of these users don't use CUCM or Jabber.

I have been trying to figure out how to filter out the unwanted users by applying a custom LDAP filter to the LDAP directory profile.  The first step was creating the user group CUCM in AD and joining only the users we want to import.  I then developed the filter using Softerra LDAP Browser and the ldapsearch command in OpenLDAP.  When I execute the ldapsearch command, only the users in the CUCM group are returned.  However, when I apply the filter, all the current AD users are changed from active to inactive.  I expected only the AD-synced users not in the CUCM group to be changed to inactive and then subsequently removed by the garbage collector.

I'm using the following filter: 

(&(sAMAccountName=*)(memberOf='CN=CUCM,OU=HQ,DC=companyXYZ,DC=com'))

I have tried changing "sAMAccountName=*" for "objectClass=user" and received the same results.

The ldapsearch syntax is as follows:

ldapsearch -LLL -H ldap://activedirectory.companyXYZ.com:389 -b 'OU=HQ,DC=companyXYZ,DC=com' -D 'companyXYZ\ROuser' -w 'ROpassword' '(&(sAMAccountName=*)(memberOf='cn=CUCM,ou=HQ,dc=companyXYZ,dc=com'))' -S sAMAccountname | grep sAMAccountName: | cat -n

The command returned the 109 users in the CUCM group.

8 REPLIES
Cisco Employee

If they're already in one specific OU, why don't you just sync against that OU???

Or adjust permissions from the user you're using for the sync agreement, so it has only read rights on that OU???

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

My LDAP User Search Base is 'OU=HQ,DC=companyXYZ,DC=com'

I don't administer AD, but based on that, I would venture to guess that all of the users are in OU=HQ.

Cisco Employee

Correct, but the ones you want are in cn=CUCM

HTH

java

New Member

I think I understand where you are going.  Lets take my account for example; teddy.bowen.  The DN for my account is 'CN=Teddy Bowen,OU=Engineering,OU=HQ,DC=companyXYZ,DC=com.'  If I'm following this correctly, my user account is actually in another OU within OU=HQ.  When I look at my CN, it shows that I'm a member of CUCM.

Your suggestion is to change the search base for the directory configuration to 'CN=CUCM,OU=HQ,DC=companyXYZ,DC=com' and import only those users.  Correct?  

Cisco Employee

Yes, assuming that only the users you're interested in bringing over to CUCM are in that CN

HTH

java

New Member

I think we are back to the drawing board with this one.  I created an LDAP Directory profile with the search base as 'CN=CUCM,OU=HQ,DC=companyXYZ,DC=com' and performed a full sync.

I removed the old LDAP directory and all the users were then marked as inactive.

I tried doing another sync on the new directory and users still stayed marked as inactive.

Cisco Employee

You'll need to talk to your LDAP guys to sort this out.

HTH

java

New Member

Okay, after trying a lot of different filter combinations, I was able to resolve the problem.  It turned out to be a simple syntax error.  It seems that the ldapsearch command didn't mind the single quotes in the memberOf= portion of the filter, but CUCM does.  I removed the single quotes and it worked like a charm.  I also changed sAMAccountName=* for objectClass=user.  Both yielded the same results; I just noticed that some other non-user AD objects had sAMAccountName and wanted to make sure that only users are imported.

Non-working filter:
(&(objectClass=user)(memberOf='CN=CUCM,OU=HQ,DC=companyXYZ,DC=com'))

Working filter:
(&(objectClass=user)(memberOf=CN=CUCM,OU=HQ,DC=companyXYZ,DC=com))
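Why the single-quoted filter passed the ldapsearch test yet matched nobody in CUCM, as an added Python example that is not part of the original thread. In the posted command the whole filter is wrapped in single quotes, so the shell reads the inner 'cn=CUCM,...' as the end of one quoted segment, an unquoted stretch, and the start of another quoted segment; it removes those quote characters and joins the pieces, and ldapsearch receives (memberOf=cn=CUCM,ou=HQ,dc=companyXYZ,dc=com) with no quotes at all. CUCM takes the filter field literally, and quotes are ordinary characters in an RFC 4515 assertion value (only * ( ) \ and NUL are special), so memberOf='CN=CUCM,...' asserts a DN that no account is a member of and every synced user goes inactive. The script reproduces the shell's word splitting with shlex, parses the filters with a small RFC 4515 evaluator, and runs them over three constructed entries (sample data, not the poster's directory). It also goes one step beyond the thread: AD computer objects carry objectClass=user as well, so a third filter adds objectCategory=person, the usual idiom for restricting a filter to user accounts.

```python
"""Evaluate the thread's LDAP filters against constructed AD-style entries."""
import shlex

# The ldapsearch command line as posted in the thread (placeholder credentials).
LDAPSEARCH_CMD = (
    "ldapsearch -LLL -H ldap://activedirectory.companyXYZ.com:389 "
    "-b 'OU=HQ,DC=companyXYZ,DC=com' -D 'companyXYZ\\ROuser' -w 'ROpassword' "
    "'(&(sAMAccountName=*)(memberOf='cn=CUCM,ou=HQ,dc=companyXYZ,dc=com'))' "
    "-S sAMAccountname"
)
NON_WORKING = "(&(objectClass=user)(memberOf='CN=CUCM,OU=HQ,DC=companyXYZ,DC=com'))"
WORKING = "(&(objectClass=user)(memberOf=CN=CUCM,OU=HQ,DC=companyXYZ,DC=com))"
# AD computer objects also have objectClass=user; the usual idiom for "real user
# accounts" adds objectCategory=person (AD accepts the short class name there).
USERS_ONLY = ("(&(objectCategory=person)(objectClass=user)"
              "(memberOf=CN=CUCM,OU=HQ,DC=companyXYZ,DC=com))")

# Constructed sample entries, not real directory data. Keys are lower-cased
# because LDAP attribute names are case-insensitive.
GROUP = "CN=CUCM,OU=HQ,DC=companyXYZ,DC=com"
DIRECTORY = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "objectcategory": ["person"], "samaccountname": ["teddy.bowen"],
     "memberof": [GROUP, "CN=Engineering,OU=HQ,DC=companyXYZ,DC=com"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "objectcategory": ["person"], "samaccountname": ["pat.sales"],
     "memberof": ["CN=Sales,OU=HQ,DC=companyXYZ,DC=com"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectcategory": ["computer"], "samaccountname": ["LOBBYPC1$"],
     "memberof": [GROUP]},
]


def shell_argv_filter(cmd):
    """POSIX word splitting, as the shell does before exec: adjacent quoted and
    unquoted segments are joined and the quote characters are dropped. Returns
    the filter argument ldapsearch actually receives (first argv starting with '(')."""
    return next(a for a in shlex.split(cmd) if a.startswith("("))


def parse_filter(s):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..) and (attr=value).
    Everything between the first '=' and the closing ')' is the assertion value;
    quotes are ordinary characters. Assumes values contain no ')' (true for DNs)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            subs = []
            while s[pos] == "(":
                subs.append(node())
            if s[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, subs)
        eq = s.index("=", pos)
        close = s.index(")", eq)
        attr, value = s[pos:eq], s[eq + 1:close]
        pos = close + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def normalize_dn(dn):
    """DN-syntax attributes such as memberOf compare case-insensitively and
    ignore whitespace around the comma separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def matches(entry, tree):
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, t) for t in tree[1])
    if op == "|":
        return any(matches(entry, t) for t in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    present = entry.get(attr.lower(), [])
    if value == "*":                      # presence filter, e.g. sAMAccountName=*
        return bool(present)
    if attr.lower() == "memberof":
        return normalize_dn(value) in {normalize_dn(v) for v in present}
    return value.lower() in {v.lower() for v in present}


def evaluate(filter_str, directory=DIRECTORY):
    """Return the sAMAccountName of every entry the filter matches."""
    tree = parse_filter(filter_str)
    return [e["samaccountname"][0] for e in directory if matches(e, tree)]


if __name__ == "__main__":
    print("ldapsearch received:", shell_argv_filter(LDAPSEARCH_CMD))
    for name, f in [("non-working", NON_WORKING), ("working", WORKING),
                    ("users only", USERS_ONLY)]:
        print(f"{name:12}: {evaluate(f)}")
```

A quick way to confirm the shell-quoting effect on a real system is to put the filter in a file, or double-quote the whole argument, and rerun ldapsearch: with the inner single quotes preserved the search returns zero entries, matching what CUCM saw.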