When a fresh installation of CUCM is completed it uses its own embedded LDAP directory to store End User information. In most cases it is preferable to integrate CUCM with a corporate LDAP directory such as Microsoft Active Directory rather than manage two separate user databases. The benefit becomes even more apparent when there are multiple CUCM clusters, because they can all share the same corporate directory.
Step 1 – In CUCM Serviceability > Tools > Service Activation, check the Cisco DirSync box and activate the service.
Step 2 – Go to Cisco Unified CM Administration > System > LDAP > LDAP System to identify the type of LDAP system to synchronize with and the attribute used to reference users. Enable Synchronizing from LDAP Server must be checked. The attribute sAMAccountName refers to the logon name for the domain.
Step 3 – Click on System > LDAP > LDAP Directory and click Add New. In this example the Active Directory domain in my lab is ccie.local and the IP address of the Domain Controller is 142.100.64.18. The LDAP Manager Distinguished Name in this case is the default Windows administrator account for my domain (administrator), but best practice in a production deployment is to use an isolated user account, different from the default administrator account, that is set up specifically for the CUCM and Active Directory integration. The LDAP User Search Base uses two attributes to make up a dn (distinguished name): the cn (common name) and the dc (domain component). The rules of LDAP place the most significant part of the distinguished name furthest to the right; in this case it is dc=local. The last thing to note for this step is that synchronization occurs once per day at 6:00 AM. The smallest synchronization window is six hours.
Step 4 – Click on System > LDAP > LDAP Authentication. This configures CUCM to authenticate End Users against Active Directory instead of the embedded CUCM directory.
At this point CUCM should be ready to synchronize with Active Directory. Before doing this, note that any End Users on the CUCM cluster that do not exist in Active Directory will be set to Inactive. For example, I had user HQ4 created prior to configuring LDAP, and after configuring LDAP the user appeared as Inactive under the End User listing. I went to my Windows 2008 Server, added user HQ4 to the domain ccie.local, and the user is now active.
Click on System > LDAP > LDAP Directory, then click Perform Full Sync Now.
I have a total of six users in my Active Directory. Prior to performing the synchronization step in CUCM I had one End User called HQ4 that was managed locally using CUCM’s embedded LDAP directory. I proceeded to create users HQ1, HQ2, HQ3, HQ4, SITEB1, and SITEB2 in Active Directory without having them present in CUCM (except for HQ4).
After performing the synchronization, the users that were created in Active Directory now appear in the CUCM End User list and the LDAP Sync Status shows Active.
Note that when you open an LDAP-synchronized End User, the information displayed differs from that of a user managed in the embedded database.
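As an added illustration that is not part of the original post or Cisco's own DirSync code, here is a small Python model of the sync behaviour just described: which Active Directory entries fall under the LDAP User Search Base, how the Manager DN choice from Step 3 can be checked, and which End Users end up Active or Inactive. The extension numbers and the svc-cucm account are constructed assumptions.

```python
# Constructed model (not Cisco code) of the sync described above: AD entries
# under the LDAP User Search Base become Active End Users; local End Users
# with no AD match are marked Inactive, not deleted. Assumes DNs have no
# escaped commas; extensions are made up and svc-cucm is a hypothetical account.

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, least-significant RDN first."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def under_search_base(entry_dn, search_base):
    """True when entry_dn lies beneath search_base. The most significant
    component (dc=local) is rightmost, so compare the trailing RDNs."""
    e = [(a.lower(), v.lower()) for a, v in parse_dn(entry_dn)]
    b = [(a.lower(), v.lower()) for a, v in parse_dn(search_base)]
    return len(e) > len(b) and e[-len(b):] == b

def manager_dn_is_builtin_admin(manager_dn):
    """Flag the default Administrator account used as LDAP Manager DN; a
    dedicated bind account for the integration is the production choice."""
    attr, value = parse_dn(manager_dn)[0]
    return attr.lower() == "cn" and value.lower() == "administrator"

def reconcile(local_users, ad_entries, search_base, userid_attr="sAMAccountName"):
    """Model a full sync. Returns {userid: (status, phone)}; the phone comes from
    the AD telephoneNumber attribute (the field CUCM uses) for synced users."""
    synced = {}
    for entry in ad_entries:
        if under_search_base(entry["dn"], search_base):
            synced[entry[userid_attr]] = entry.get("telephoneNumber", "")
    result = {}
    for uid in set(local_users) | set(synced):
        if uid in synced:
            result[uid] = ("Active", synced[uid])
        else:
            result[uid] = ("Inactive", local_users.get(uid, ""))
    return result

# Constructed sample data mirroring the lab: HQ4 exists locally before the sync.
SEARCH_BASE = "CN=Users,DC=ccie,DC=local"
LOCAL_USERS = {"HQ4": "1004"}
AD_ENTRIES = [
    {"dn": f"CN={u},CN=Users,DC=ccie,DC=local", "sAMAccountName": u,
     "telephoneNumber": n}
    for u, n in [("HQ1", "1001"), ("HQ2", "1002"), ("HQ3", "1003"),
                 ("HQ4", "1004"), ("SITEB1", "2001"), ("SITEB2", "2002")]
] + [{"dn": "CN=svc-cucm,OU=Service Accounts,DC=ccie,DC=local",
      "sAMAccountName": "svc-cucm"}]  # outside the search base: never synced
if __name__ == "__main__":
    for uid, (status, phone) in sorted(reconcile(LOCAL_USERS, AD_ENTRIES, SEARCH_BASE).items()):
        print(f"{uid:8} {status:9} {phone}")
```

Dropping HQ4 from the AD list reproduces the Inactive state seen in the post before the account was added to the domain.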
The following is a screenshot of the Active Directory Server Users.
A similar procedure as the one just discussed may be used to integrate Unity Connection with Microsoft Active Directory using the LDAP menu options under System Settings.
Configure LDAP Setup, LDAP Directory, and LDAP Authentication and enter the same information used for the CUCM LDAP configuration. You will want to set LDAP to sync with Active Directory at least once per day.
Next in Unity Connection click Import to import users. Note that in versions earlier than Unity Connection 8 the Import option is at the bottom of the page under Tools.
In the drop-down list select LDAP Directory. The phone number in the “Telephone Number” field in Active Directory will be the extension populated in Unity Connection for the user. This is the same Active Directory field that CUCM uses to populate the number for the End User.
One very important step after selecting LDAP Directory and clicking Find is to change the default selection administratortemplate to voicemailusertemplate (or whatever custom template may be preferred). If the default admin template is used, the users will be imported as Administrators and will not have a mailbox assigned.
The users listed above were retrieved from Active Directory and have been imported into Unity Connection.
If the imported users do not reside in the default time zone of the Unity Connection system, you will want to go into each user and change the time zone. Otherwise voice mail timestamps will be incorrect.
This concludes CUCM and Unity Connection integration with Active Directory.
Great post as always!
Sorry about my ignorance, but do I need to do this on the publisher or the subscriber?
All of this takes place on the Publisher, which then automatically replicates the information to the Subscriber nodes.
Hi Mark, thanks!
My company has more than 4 User Search Bases and OUs. Is it possible to integrate?
Regards
Hi Mark just a quick question -
If an AD user has a telephone number in the format (xxx) xxx-xxxx, is there a filter in CUCM to extract only the final 4 digits to populate the CUCM Phone Number field properly, or will the AD user’s telephone number field need to be changed to the xxxx format prior to synchronization?
Thanks a lot for the article, very informative.
Best,
Nat
Hi Mark,
We’ve been doing this here since we started with CUCM 7, and we noticed something: After the initial import of users, new users (that are added to Active Directory and picked up by the regular sync) do not automatically have the same attributes set as the users initially imported. For example, we have to manually add new users into the “Standard CTI Enabled” and “Standard CCM End Users” groups.
We just upgraded to CUCM 8.0(2), so this might be different now, but I just wanted to give a heads-up, and see if you’ve observed the same.
Later!
Hello… I have a problem with the integration of CUCM 8.0 and OpenLDAP.
The CUCM and OpenLDAP are synchronized, but end users do not appear in the CUCM.
Any idea what might be happening?
What tests can I do?
If you can help, I would be grateful.
regards
Hi,
Is there a possibility to import contacts from LDAP, not only the users? I have a case where I also need to import contacts created in LDAP into the CUCM.
regards
Hello Mark,
I currently have a customer who has all his end users on his CUCM. Now he wants to synchronize with AD. He is concerned about his current Unity users and their voice mail. If we create the exact same users, will the mailboxes’ contents be deleted? Is there a workaround? This customer has 340 users… Should I instruct them to delete all the unwanted messages prior to the synchronization? What’s the best course of action?
Thank you!!
Mark, great contribution!!!
From Santiago de Chile I send you many thanks for this contribution!!!
Thank you very much.
My AD has more than 5 OUs. I can create only 5 LDAP Directories.
How can I create just one LDAP Directory with more than one OU?
Ex.: LDAP User Search Base : OU=(How do I apply more than one OU??),DC=domain,DC=net
Thanks.
I have already installed and synchronized AD and LDAP. The corporate directory is working fine. I want to add another LDAP, but I want the IP phone to see only the corporate directory of the new AD.
Can you advise me how I would do this?
Is there a way to update the LDAP Directory with CUCM IP Phone information (e.g. name and extension number)?
Hi Mark,
In the case of password change policies in the AD, with LDAP integration enabled in CUCM, CUC, CUPS, and perhaps also using Jabber as a phone client, is there a way to have the sync run more often than every 6 hours (one or two hours…) to prevent a login gap?
The admins cannot make a manual sync every time a user’s password is expiring, and the user cannot wait 6 hours to be able to log in again.
Any idea for this situation?
Regards,
Jacky
Hello good day.
Very good post. Just one question: I now have a running LDAP with the following name, dominio.com.
I have the admin user
CN=Administrador,DC=dominio,DC=com
and users in ou=People,dc=dominio,dc=com
I have enabled sync from an LDAP in the LDAP System configuration.
LDAP Server Type OpenLdap
LDAP Attribute for User ID uid
I did the directory config as follows.
LDAP Manager Distinguished Name: CN=Administrador,DC=dominio,DC=com
LDAP Password: xxxxxxx
Confirm Password: xxxxxxx
LDAP User Search Base: ou=People,dc=dominio,dc=com
LDAP Custom Filter
I have activated DirSync; in LDAP Authentication I have:
LDAP Manager Distinguished Name CN=Administrador,DC=dominio,DC=com
LDAP Password xxxxx
Confirm Password xxxxx
LDAP User Search Base ou=People,dc=dominio,dc=com
The problem is I cannot see the OpenLDAP users as End Users.
Have you ever thought of something similar?
I have integrated all LDAP Users with CUCM 8.5.
In the Corporate Directory I’m getting all users of Active Directory.
The issue is this: I cannot log in to Cisco IP Phone 9971 and 7975 in EM/Enterprise Mobility if I use LDAP.
There are some good questions – are there any answers?
Have a similar question on Unity Connection 8.6 – moving from an AXL integration to LDAP in order to use AD for Visual VM in Jabber. Question is – do the VM accounts merge when LDAP is switched on, and for those mailboxes such as a generic team one (not in AD), are they still active?
Can you reference multiple OUs for user accounts in AD?
cheers!
Hi,
In CUCM, if I want to configure the sync with LDAP, the fields managed in LDAP will be populated on CUCM, but if I don’t want to configure the Authentication too, when I run the first sync, will the password on CUCM be the same as on LDAP, or will it be blank?
Regards
Hi,
I integrated AD with CUCM 8.6 and forgot to start the services. Now the DirSync status under the user configuration shows Inactive, and under the user configuration it shows Pending Delete. Is there a way to reverse that?
Informative site indeed, thanks.
Thanks