CUCM 8.0 - LDAP Custom Filter help request

Looking at an existing deployment which is using LDAP Directories to sync with AD, the structure of this is not scalable with CUCM's limit of only 5 LDAP directories. Structure is below, not the best thought-out design I reckon.

domain.JPG

The CUCM currently has 5 directories setup to search the Users OU in each city OU like this

ou=Users,ou=London,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Paris,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Berlin,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Moscow,dc=Globe,dc=Domainroot,dc=net

ou=Users,ou=New York,dc=Globe,dc=Domainroot,dc=net

When the customer adds in new OUs such as Rome or Beijing then the CUCM is not getting info on the users in these, and cannot add a new directory for them on CUCM as it is maxed at its limit of 5 already.

Looking at doing some sort of custom filter on this which will enable Rome and Beijing users to be included and provide for future growth. Can I delete the LDAP directory entries above, then add in ones just for the child domain like this...

dc=Europe,dc=Domainroot,dc=net

dc=Globe,dc=Domainroot,dc=net

....and then create some LDAP Custom Filter that will search each of the OUs such as London/Users, Paris/Users etc

Hope this makes sense and if anyone more familiar with AD and LDAP Custom filter capability on CUCM 8 can tell me if it is or isn't possible I'd be grateful

p.s. heard that the max LDAP directory count of 5 is being increased in CUCM 8.6 but can't find a value on what it is being increased to, if anyone knows the answer then please let me know

Accepted Solutions

Re: CUCM 8.0 - LDAP Custom Filter help request

Based on the hierarchy you list above you can just create a new agreement based at DC=Globe,DC=Domainroot,DC=net. Custom filters are easier than they appear at first glance; just identify what attributes you want the account to have for it to be included. Here is the system default that gets used when you don't specify one:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This default filter selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled.

If we use that as our starting point we just have to decide what additional criteria are appropriate. The most likely is to check that the object has a value in telephoneNumber (or ipPhone). You could use this if telephoneNumber was the extra criteria:

(&(telephoneNumber=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Additional details are available here:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Also the AD Explorer tool has a search function which shows you the LDAP filter for the search you just ran. You can use it to explore other options.

Please rate helpful responses.

Re: CUCM 8.0 - LDAP Custom Filter help request

Thanks for the response Jonathan

We've already decided to try a directory of DC=Globe,DC=Domainroot,DC=net and then put in a filter of

(&(ipPhone=*)(!UserAccountControl:1.2.840.113556.1.4.803:=2))

which will be tested later out of hours, nice to know we're on the right track.

Appreciate the extra links to Microsoft info and that tool, will prove useful for the future.

Cheers

EDIT - the filter I wrote above is wrong, missing brackets, also added in a negate computer accounts query to it as per Jonathan's advice. End result of filter should be

(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
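
An added example (not part of the original thread, and not CUCM's or Active Directory's own code): a minimal Python evaluator for the filter subset used in this thread, run against constructed directory entries to show which accounts a filter would sync, how the bitwise userAccountControl test excludes disabled accounts, and that the first attempt with the missing brackets is rejected. The entry names, attribute values and the helper names `parse`, `matches` and `synced` are assumptions made for the example.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule from the filters above

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index just past it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while i < len(f) and f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        if i >= len(f) or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' expression")
        return (op, kids), i + 1
    end = f.find(")", i)
    m = re.fullmatch(rf"([\w-]+)(?::({re.escape(BIT_AND)}):)?=([^()]*)", f[i:max(end, i)])
    if not m:
        raise ValueError(f"bad or unsupported filter item at position {i}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    if node[0] != "item":
        hits = [matches(k, entry) for k in node[1]]  # two-valued; LDAP "Undefined" not modelled
        return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]
    _, attr, rule, want = node
    values = entry.get(attr, [])
    if rule:  # bit test: every bit set in `want` must be set in the stored value
        return any((int(v) & int(want)) == int(want) for v in values)
    return bool(values) if want == "*" else want.lower() in [v.lower() for v in values]

def synced(filter_text, entries):
    """Names the filter selects; raises ValueError if the filter is malformed."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after the filter")
    return [name for name, e in entries.items() if matches(node, e)]

USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {  # constructed sample entries (attribute names lower-cased), not from the thread
    "alice": {"objectclass": USER, "useraccountcontrol": ["512"], "ipphone": ["1001"]},
    "bob": {"objectclass": USER, "useraccountcontrol": ["514"], "ipphone": ["1002"]},  # disabled
    "carol": {"objectclass": USER, "useraccountcontrol": ["512"]},  # no ipPhone value
    "svc": {"objectclass": USER, "useraccountcontrol": ["66048"], "ipphone": ["1003"]},
    "WS01$": {"objectclass": USER + ["computer"], "useraccountcontrol": ["4096"]},
}
FINAL = "(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
FIRST_TRY = "(&(ipPhone=*)(!UserAccountControl:1.2.840.113556.1.4.803:=2))"
```

`synced(FINAL, ENTRIES)` selects only the enabled user accounts that have an ipPhone value, while `synced(FIRST_TRY, ENTRIES)` raises `ValueError` because the negated item is not wrapped in its own brackets.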
