CUCM Directory Synchronization FAQ

From DocWiki


Revision as of 16:19, 11 September 2018

Back to Unified Communications FAQ
Back to CUCM FAQ


How many users can I have in my CUCM??

The maximum number of users that a Unified CM cluster can handle is limited by the maximum size of the internal configuration database that gets replicated between the cluster members. The maximum number of users that can be configured or synchronized is 160,000.

Directory Integration and Identity Management

UPDATED 6/8/2018
This is from the 12.x SRND:
The maximum number of users that a Unified CM cluster can handle is limited by the maximum size of the internal configuration database that gets replicated between the cluster members. The maximum number of users that can be configured or synchronized is 160,000. With more than 80,000 users the maximum number of LDAP synchronization agreements is limited to 10, while with less than 80,000 users the total number of LDAP synchronization agreements is limited to 20. To optimize directory synchronization performance,


How many LDAP search bases can I configure??

The maximum number of users that a Unified CM cluster can handle is limited by the maximum size of the internal configuration database that gets replicated between the cluster members. The maximum number of users that can be configured or synchronized is 160,000. With more than 80,000 users the maximum number of LDAP synchronization agreements is limited to 10, while with less than 80,000 users the total number of LDAP synchronization agreements is limited to 20.

Directory Integration and Identity Management


What LDAP directories are supported??

I'm not sure why some options were dropped from this list; the 10.x system guide originally showed:

Configure LDAP Directory
If you want to do so, you can add users from your corporate directory to the Cisco Unified Communications Manager database by synchronizing the user data to the database. Cisco Unified Communications Manager allows synchronization from the following directories to the database:

  • Microsoft Active Directory 2003 R1/R2 (32-bit)
  • Microsoft Active Directory 2008 R1(32-bit)/R2(64-bit)
  • Microsoft Active Directory Application Mode 2003 R1/R2 (32-bit)
  • Microsoft Active Directory 2012
  • Microsoft Lightweight Directory Services 2008 R1(32-bit)/R2(64-bit)
  • Microsoft Lightweight Directory Services 2012
  • Sun ONE Directory Server 7.0
  • OpenLDAP 2.3.39
  • OpenLDAP 2.4
  • Oracle Directory Server Enterprise Edition 11gR1

And the current page shows:

Configure LDAP Directory
If you want to do so, you can add users from your corporate directory to the Cisco Unified Communications Manager database by synchronizing the user data to the database. Cisco Unified Communications Manager allows synchronization from the following directories to the database:

  • Microsoft Active Directory 2003 R1/R2 (32-bit)
  • Microsoft Active Directory 2008 R1(32-bit)/R2(64-bit)
  • Microsoft Active Directory Application Mode 2003 R1/R2 (32-bit)
  • Microsoft Lightweight Directory Services 2008 R1(32-bit)/R2(64-bit)
  • Sun ONE Directory Server 7.0
  • OpenLDAP 2.3.39
  • OpenLDAP 2.4
  • Oracle Directory Server Enterprise Edition 11gR1

AFAIK, the first one is correct, and CUCM 10.x DOES support AD 2012.

UPDATED 6/8/2018
As this changes between releases, make sure to review the latest documentation available for your specific release. These are the valid options for CUCM 12.0 (Supported LDAP Directories):

  • Microsoft Active Directory 2008 R1/R2
  • Microsoft Active Directory 2012 R1/R2
  • Microsoft Lightweight Directory Services 2008 R1/R2
  • Microsoft Lightweight Directory Services 2012 R1/R2
  • Microsoft Active Directory 2016
  • Oracle Directory Server Enterprise Edition 11gR1
  • Oracle Unified Directory 11gR2
  • Open LDAP 2.4.44 or later

Notice MS AD 2016 is ONLY supported with CUCM 12.x

Related: Does CUCM 11.5 support MS AD 2016??


Can I do a multi-forest LDAP integration??

Yes, carefully review:


Can I sync my PIN to LDAP??

No. The PIN has only local significance to CUCM, and you cannot configure it to be synced against anything.


I need to change my LDAP integration to another domain, how should I do it??

The procedure is really straightforward: you delete your current LDAP sync and authentication agreements and re-create them, pointing to the new domain and search bases. Notice that once you change the LDAP sync agreements, any user whose userID in CUCM does not match a userID in the new LDAP directory will go through the regular garbage collector procedure.


How can I turn my LDAP synced users into local users??

This method was mainly used on pre-9.x CUCM, where you could only have all-LDAP or all-local users: if you disabled the LDAP sync for whatever reason, all users would become inactive. It is not so useful on 9.x+, since LDAP and local users can coexist.

You'll need some queries for this:

run sql update enduser set status=1

If any user became inactive, the above query will change the status to active.

You would want to do this in small batches to avoid issues. You can use any condition you want from the enduser table for that; this example updates users whose DN starts with 2:

run sql update enduser set status=1 where telephonenumber like '2%'

Once you're done updating the users, you can verify that all of them are now local users:

run sql select * from enduser where status=0

You should get 0 results if all of your users are now local users. If you do get results from the query, you can run the update again against those users.

UPDATE 7/1/16
Someone recently posted another method to do this and I wanted to test it. I had one test user that was LDAP integrated and another one, very similar, that was local, and ran a query to compare them (I'm only showing a few fields from the enduser table):

pkid                                 firstname middlename lastname userid telephonenumber tkuserlocale status fkdirectorypluginconfig              
==================================== ========= ========== ======== ====== =============== ============ ====== ==================================== 
654602f8-ba93-30c8-b525-dc286f2d26f8 Jane                 Doe      jadoe  16173685021     1            1      494352d5-5701-3ea9-6535-7eec7d1303eb 

pkid                                 firstname middlename lastname userid telephonenumber tkuserlocale status fkdirectorypluginconfig              
==================================== ========= ========== ======== ====== =============== ============ ====== =======================              
ec2f2388-e2fe-55cb-a4ce-575b1ce266ef Jane                 Doe1     jadoe1                 NULL         1      NULL

The query that was mentioned was this:

run sql update enduser set fkdirectorypluginconfig=NULL where userid = 'jadoe'

After I ran the query, I refreshed the GUI, and user jadoe was now a local user. This seems to be the preferred method now if you need to turn LDAP users into local users in bulk.

According to the 10.5 data dictionary, that is the field that determines whether the user is LDAP integrated or not, and thus whether changes to the user are prevented.

The above method will work on 10.x and 11.x as I confirmed the fields are the same.
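To rehearse these queries before running them on a cluster, the following is an added Python example (not Cisco code, and not the CUCM CLI): it loads the two enduser rows shown above plus a constructed third row into an in-memory SQLite table and runs the same UPDATE and SELECT statements, including a dry-run SELECT with the intended WHERE clause so you can see exactly which rows a batch would touch. sqlite3 stands in for the CUCM database and the run sql CLI, the column set is limited to the fields shown above, and the convert_all ordering is this example's own.

```python
"""Rehearse the "turn LDAP users into local users" queries against an
in-memory copy of a few enduser rows.

Added example, not Cisco code: sqlite3 stands in for the CUCM database and
the "run sql" CLI, the table has only the columns shown in the FAQ, and the
third row is constructed."""
import sqlite3

# Two rows from the FAQ (jadoe is LDAP-integrated, jadoe1 is local) plus a
# constructed inactive LDAP user (status=0) whose DN starts with 2.
ROWS = [
    ("654602f8-ba93-30c8-b525-dc286f2d26f8", "Jane", "Doe", "jadoe",
     "16173685021", 1, "494352d5-5701-3ea9-6535-7eec7d1303eb"),
    ("ec2f2388-e2fe-55cb-a4ce-575b1ce266ef", "Jane", "Doe1", "jadoe1",
     None, 1, None),
    ("00000000-0000-0000-0000-000000000001", "Pat", "Lee", "plee",  # constructed
     "2001", 0, "494352d5-5701-3ea9-6535-7eec7d1303eb"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("""create table enduser (
        pkid text primary key, firstname text, lastname text, userid text,
        telephonenumber text, status integer, fkdirectorypluginconfig text)""")
    conn.executemany("insert into enduser values (?,?,?,?,?,?,?)", ROWS)
    conn.commit()
    return conn


# The WHERE clauses below are operator-written literals typed at the CLI,
# never values taken from untrusted input, which is why plain concatenation
# is acceptable here.
def preview(conn, where):
    """Dry run: list the userids a WHERE clause would touch."""
    return [r[0] for r in conn.execute(
        "select userid from enduser where " + where + " order by userid")]


def activate(conn, where):
    """Equivalent of: run sql update enduser set status=1 where <where>."""
    cur = conn.execute("update enduser set status=1 where " + where)
    conn.commit()
    return cur.rowcount


def detach_from_ldap(conn, where):
    """Equivalent of: run sql update enduser set fkdirectorypluginconfig=NULL
    where <where>. Clearing that reference is what makes the user local."""
    cur = conn.execute(
        "update enduser set fkdirectorypluginconfig=NULL where " + where)
    conn.commit()
    return cur.rowcount


def still_ldap_or_inactive(conn):
    """Verification query: users still LDAP-linked or still inactive."""
    return preview(conn, "status=0 or fkdirectorypluginconfig is not null")


def convert_all(conn):
    """Run the two updates one DN prefix at a time (small batches), then
    sweep up users that have no DN and so match no prefix batch."""
    for prefix in ("1", "2"):
        where = "telephonenumber like '%s%%'" % prefix
        activate(conn, where)
        detach_from_ldap(conn, where)
    detach_from_ldap(conn, "telephonenumber is null")
    activate(conn, "telephonenumber is null")
    return still_ldap_or_inactive(conn)


def rehearse():
    """Before/after picture of one full rehearsal on the sample rows."""
    conn = build_db()
    before = still_ldap_or_inactive(conn)
    batch = preview(conn, "telephonenumber like '2%'")
    after = convert_all(conn)
    return {"before": before, "batch": batch, "after": after}


if __name__ == "__main__":
    print(rehearse())
```

The preview() call is the part worth copying into your own habit: run the SELECT with the same WHERE clause first, check the row list is what you expect, and only then run the UPDATE with it.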


What can I use the custom LDAP fields for??

CUCM itself has absolutely no use for any of them; no CUCM process looks into them. They are mainly used by other applications, such as the Attendant Consoles, which use CUCM as their directory source and let you map those fields within the app.


Can I sync a Security Group into CUCM??

For a long time I always saw the answer was no; however, someone did it and showed me I was wrong. It seems all it takes is to adjust the LDAP filter that is used to something like:
(&(objectCategory=user)(memberOf=CN=SecurityGroupName,OU=abc,DC=def,DC=com))

It seems to work, but I have not tested it nor know if this is officially supported, use with caution.
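As an added example (not part of the original FAQ and not Cisco code), the following Python parses a filter like the one above and evaluates it against a few constructed directory entries, so you can preview which accounts a sync agreement using that filter would pull in. It also shows an edge case of this approach: memberOf lists direct membership only, so members of a nested group are not selected. The entries, attribute values, and the escape_value helper are this example's own assumptions.

```python
"""Parse an LDAP search filter (RFC 4515 subset: &, |, !, attr=value and
attr=*) and evaluate it against directory entries, to preview which
accounts a group-membership filter would bring into a CUCM sync agreement.

Added example, not CUCM or Cisco code. The directory entries are
constructed; the filter string is the one quoted in the FAQ."""

GROUP_DN = "CN=SecurityGroupName,OU=abc,DC=def,DC=com"
SAMPLE_FILTER = "(&(objectCategory=user)(memberOf=%s))" % GROUP_DN

# Constructed entries; LDAP attributes are multi-valued, hence the lists.
ENTRIES = [
    {"sAMAccountName": ["jdoe"], "objectCategory": ["user"],
     "memberOf": [GROUP_DN, "CN=AllStaff,OU=abc,DC=def,DC=com"]},
    {"sAMAccountName": ["asmith"], "objectCategory": ["user"],
     "memberOf": ["CN=AllStaff,OU=abc,DC=def,DC=com"]},
    # Member of a group that is itself a member of SecurityGroupName:
    # memberOf lists direct membership only, so this user is NOT selected.
    {"sAMAccountName": ["bwong"], "objectCategory": ["user"],
     "memberOf": ["CN=Nested,OU=abc,DC=def,DC=com"]},
    # The nested group object is a direct member but is not a user.
    {"sAMAccountName": ["Nested"], "objectCategory": ["group"],
     "memberOf": [GROUP_DN]},
]


def escape_value(value):
    """Escape a value for embedding in a filter (RFC 4515 section 3), so a
    CN containing ( ) * or \\ cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text):
    """Return a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %r" % op)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    # Simple item attr=value; a literal ')' in the value must be escaped \29.
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("only attr=value items are supported: %r" % s[i:end])
    return ("=", attr, _unescape(value)), end + 1


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP.
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":               # presence filter
        return bool(vals)
    return value.lower() in vals   # equality, case-insensitive as in AD


def select_users(filter_text, entries=ENTRIES):
    """sAMAccountNames of the entries the filter would select."""
    tree = parse_filter(filter_text)
    return sorted(e["sAMAccountName"][0] for e in entries if matches(tree, e))


if __name__ == "__main__":
    print(select_users(SAMPLE_FILTER))
```

If the group DN is assembled from a variable rather than typed in by hand, pass the CN through escape_value first; otherwise a group name containing parentheses or an asterisk produces a filter that parses as something other than intended. Whether a given filter is accepted by CUCM's LDAP sync configuration still has to be confirmed against the release documentation, as the text above says.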


I'm going to change from LDAP to LDS / ADAM and need to change the userID, how can I do that??

This is a question that I've received plenty of times, and I want to try to address it as clearly as possible.
This might also be applicable if you're moving to a new domain and that means the value for the userID will change.

The fields that you can use for userID will change depending on the directory option you use, and some of them will not be available if you need to change that option.

On 9.x+ you can have local and LDAP users at the same time; on previous releases it was either all local or all LDAP.

Now, some examples of when you might face this: you're syncing against LDAP 2012 and currently use sAMAccountName for userID but are required to change to mail; you need to move to LDS and use UPN; you're going to use a new domain in which sAMAccountName is still used but the values do not match between the old and new domain; etc.

The users will only remain as Active LDAP Synchronized Users as long as they have an EXACT match in LDAP for the current value you have as userID. This means that changing it on LDAP, even if you don't change anything in the LDAP config in CUCM, would have the same effect.

We'll use John Doe as an example:

  • sAMAccountName = jodoe
  • mail = john.doe@company.com
  • UPN = john.doe@company.com

If you're currently using sAMAccountName and your directory admin chooses to change it from jodoe to john.doe, then after the change is done and the LDAP sync is performed, the user will show as an inactive LDAP user and will be deleted by the garbage collector after the required time has passed. At the same time, a NEW user will be created with userID john.doe (if you have a Feature Group Template, some info will be retained). But for all intents and purposes this will be a new user, and you will need to add again any roles, user/device/line associations, remote destinations, etc.

To avoid the user duplication that happens in the above scenario, you need to fix this BEFORE the change.
This applies to any of the scenarios I've mentioned above.

  1. You need to be aware of what the change will be
  2. Once you have that information, you need to get the value for the new userID for all the users
  3. Turn all your LDAP users into local users (see How can I turn my LDAP synced users into local users??)
  4. As applicable (this will depend on the exact change, ultimately the goal is to disable the LDAP sync):
    1. Delete the old LDAP sync agreement
    2. Disable LDAP
  5. Now all of the users should show as Enabled Local User
  6. You will need to manually, or using BAT, change the current userID value, to that of the new userID value
  7. Once this has been done for all the users, you will proceed to configure the new LDAP integration, or just enable LDAP again, depending on the scenario
  8. As you perform the full sync, the existing userID in CUCM should be an exact match against the LDAP field, and the users will now show as Active LDAP Synchronized User
  9. Confirm all the user settings, such as PIN remain the same.

It's very important to consider that while you do this, you'll have to disable not only the LDAP sync but also the LDAP authentication. This can cause trouble for users if they try to log in to the Self-Care Portal, CUCM Admin, etc. I'd strongly recommend doing this off-hours so users are not affected.


What happens if an application userID matches an LDAP userID during sync??

If the userID already exists in CUCM as an application user, the user will remain as an application user, and no end user will be synced.


Can I change the userID field and retain my users??

If you're using AD, the answer is yes.

The answer used to be that it was not possible, however this was fixed some time ago:

Change in samAccountName in AD breaks LDAP sync for that user
CSCus42665

This has also been clarified in the SRND:

  • For AD deployments, the ObjectGUID is used internally in Unified CM as the key attribute of a user. The attribute in AD that corresponds to the Unified CM User ID may be changed in AD. For example, if sAMAccountname is being used, a user may change their sAMAccountname in AD, and the corresponding user record in Unified CM would be updated.
  • With all other LDAP platforms, the attribute that is mapped to User ID is the key for that account in Unified CM. Changing that attribute in LDAP will result in a new user being created in Unified CM, and the original user will be marked inactive.

Design Considerations for LDAP Synchronization

The old behavior used to be as explained in the last bullet for all directory options.
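The following Python is an added example (not Cisco code) that models the matching rule the two sections above describe: the userID rename procedure, where a user stays active only on an exact userID match, and the SRND bullets, where AD is the exception because ObjectGUID is the key. It runs the John Doe rename three ways: the non-AD behaviour (duplicate user, roles lost), the AD behaviour (existing user updated), and the rename-before-sync procedure. It is a toy in-memory model of the described behaviour, not CUCM's implementation, and the status strings, role name and objectGUID value are this example's own assumptions.

```python
"""Toy model of CUCM's userID matching during a full LDAP sync, as the FAQ
and the SRND excerpt describe it. Added example, not Cisco code."""
from dataclasses import dataclass, field

ACTIVE = "Active LDAP Synchronized User"
INACTIVE = "Inactive LDAP Synchronized User"
LOCAL = "Enabled Local User"


@dataclass
class EndUser:
    userid: str
    status: str = ACTIVE
    guid: str = None                       # ObjectGUID, only meaningful for AD
    roles: set = field(default_factory=set)


def full_sync(users, ldap_entries, userid_attr, key_on_guid=False):
    """One full sync of ldap_entries (dicts) into users (list of EndUser).

    A user stays active only if the LDAP value of userid_attr is an EXACT
    match for its userID. With key_on_guid=True (the AD behaviour in the SRND)
    ObjectGUID is the key instead, so a renamed account updates the existing
    user rather than creating a new one."""
    seen = set()
    for entry in ldap_entries:
        value = entry[userid_attr]
        match = None
        if key_on_guid:
            match = next((u for u in users if u.guid == entry["objectGUID"]), None)
        if match is None:
            match = next((u for u in users if u.userid == value), None)
        if match is None:
            match = EndUser(userid=value)  # brand-new user: no roles, no devices
            users.append(match)
        match.userid = value
        match.status = ACTIVE
        match.guid = entry["objectGUID"]
        seen.add(id(match))
    for u in users:
        if id(u) not in seen and u.status == ACTIVE:
            u.status = INACTIVE            # removed later by the garbage collector
    return users


def convert_to_local_and_rename(users, new_userids):
    """Steps 3 to 6 of the procedure: make everyone local, then set the new
    userID (manually or via BAT on a real system)."""
    for u in users:
        u.status = LOCAL
        u.guid = None
        u.userid = new_userids.get(u.userid, u.userid)
    return users


def ldap_after_rename():
    """LDAP content after the directory admin renamed jodoe -> john.doe
    (constructed)."""
    return [{"sAMAccountName": "john.doe", "mail": "john.doe@company.com",
             "objectGUID": "guid-1"}]


def scenario(key_on_guid=False, fix_first=False):
    """Return (userid, status, roles) for every user after the sync."""
    users = [EndUser("jodoe", guid="guid-1", roles={"Standard CCM End Users"})]
    if fix_first:
        convert_to_local_and_rename(users, {"jodoe": "john.doe"})
    full_sync(users, ldap_after_rename(), "sAMAccountName", key_on_guid)
    return [(u.userid, u.status, sorted(u.roles)) for u in users]


if __name__ == "__main__":
    print("non-AD, no fix:", scenario())
    print("AD (ObjectGUID key):", scenario(key_on_guid=True))
    print("rename before sync:", scenario(fix_first=True))
```

The first scenario is the one to check your own plan against: the old record is still present as inactive until the garbage collector runs, so a duplicate is easy to miss in the GUI right after the sync.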


Does CUCM 11.5 support MS AD 2016??

Initially it did not; however, it seems that in the system guide updated on July 17th, 2018 it has been added. The closest SU to that date is SU5, which seems to be the requirement for support. I'll try to double-check that at a later date.

LDAP Synchronization Prerequisites

Support for MS AD 2016 was initially only on CUCM 12.0

EDIT 8/7/2018
It *should* work with previous SUs; however, if any problem is seen with the sync to MS AD 2016, it's recommended to upgrade to SU5 and test.



Contact:
Any comments, questions, suggestions, contributions, etc. please send them to javalenc@cisco.com. Please make sure the subject is formatted "UC FAQ <anything else>" as I'll have rules in my mail to match them, otherwise, they'll end up in my spam folder.
