
CUCM 8.0 - LDAP Custom Filter help request

Andrew M12
Level 1

Looking at an existing deployment which is using LDAP Directories to synch with AD. The structure of this is not scalable with CUCM's limit of only 5 LDAP directories. Structure is below, not the best thought-out design I reckon.

domain.JPG

The CUCM currently has 5 directories set up to search the Users OU in each city OU like this:

ou=Users,ou=London,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Paris,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Berlin,dc=Europe,dc=Domainroot,dc=net

ou=Users,ou=Moscow,dc=Globe,dc=Domainroot,dc=net

ou=Users,ou=New York,dc=Globe,dc=Domainroot,dc=net

When the customer adds in new OUs such as Rome or Beijing, the CUCM is not getting info on the users in these, and we cannot add a new directory for them on CUCM as it is maxed at its limit of 5 already.

Looking at doing some sort of custom filter on this which will enable Rome and Beijing users to be included and provide for future growth. Can I delete the LDAP directory entries above, then add in ones just for the child domain like this...

dc=Europe,dc=Domainroot,dc=net

dc=Globe,dc=Domainroot,dc=net

....and then create some LDAP Custom Filter that will search each of the OUs such as London/Users, Paris/Users etc

Hope this makes sense and if anyone more familiar with AD and LDAP Custom filter capability on CUCM 8 can tell me if it is or isn't possible I'd be grateful

p.s. heard that the max LDAP directory count of 5 is being increased in CUCM 8.6 but can't find a value on what it is being increased to, if anyone knows the answer then please let me know

Accepted Solutions

Jonathan Schulenberg
Hall of Fame

Based on the hierarchy you list above you can just create a new agreement based at DC=Globe,DC=Domainroot,DC=net. Custom filters are easier than they appear at first glance; just identify what attributes you want the account to have for it to be included. Here is the system default that gets used when you don't specify one:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This default filter selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled.

If we use that as our starting point we just have to decide what additional criteria are appropriate. The most likely is to check that the object has a value in telephoneNumber (or ipPhone). You could use this if telephoneNumber was the extra criterion:

(&(telephoneNumber=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Additional details are available here:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Also the AD Explorer tool has a search function which shows you the LDAP filter for the search you just ran. You can use it to explore other options.

Please rate helpful responses.

Thanks for the response Jonathan

We've already decided to try a directory of DC=Globe,DC=Domainroot,DC=net and then put in a filter of

(&(ipPhone=*)(!UserAccountControl:1.2.840.113556.1.4.803:=2)) which will be tested later out of hours, nice to know we're on the right track.

Appreciate the extra links to Microsoft info and that tool, will prove useful for the future.

Cheers

EDIT - the filter I wrote above is wrong, missing brackets; also added in a negate computer accounts query to it as per Jonathan's advice. End result of filter should be

(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
