Active Directory Connector in Cisco UC

One of the most useful features Cisco added to its IP phone switch, Unified Communications Manager (CUCM), is the ability to replicate user information from a corporate directory (Active Directory, Sun ONE or iPlanet Directory) without extending the directory schema: you simply add a connector that replicates the accounts into CUCM.

This frees the phone administrator from having to add users to the system and places user management where it truly belongs, with the directory administrators. The phone administrator still has to assign a PIN (phone password), phone devices and line appearances once the user has been replicated into the phone directory. The directory administrator, in turn, now has to fill in additional attributes of the user account in the directory, such as the telephone number field.

To create the connector, first select the type of directory you are going to replicate with (Microsoft AD, Sun ONE or iPlanet) and decide which unique attribute in the directory will represent the user in the phone system. For instance, if you pick Microsoft Active Directory, the sAMAccountName is chosen as that unique field by default. If more than one user shares the same sAMAccountName, in other words the same value matches multiple users in the directory, then the last user replicated with that value wins. There is only one way that field can be duplicated, and that is by having more than one tree under the forest root (for example cisco.com and ciscotools.com attached to the same forest root). In this situation, Cisco recommends using the userPrincipalName to ensure that each user ID remains unique. If you have only one domain in your forest, the default should work fine.

Next, make sure the "Cisco DirSync" service is activated on the Publisher by logging on to the CCMService web portal and navigating to Tools → Service Activation. To set up the directory type, log on to the CCMAdmin web page and navigate to System → LDAP → LDAP System as depicted below:

Then you will need to configure what I call "connection agreements" by navigating to System → LDAP → LDAP Directory. Here you supply an account that has read access to the parts of Active Directory you want to replicate from.

You may need multiple LDAP Directory assignments, because Cisco only searches from the base location given in the configuration down to the accounts below that point in the structure and cannot search beyond the physical domain. Therefore, if you have, let's say, six domains in your forest and you want to synchronize all the user accounts in each domain, you need to configure at least six LDAP Directory assignments.
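To make the two points above concrete (the identity attribute must be unique across the whole forest, and one LDAP Directory agreement cannot search past its own domain), here is an added Python model of the sync; it is not Cisco code or anything from this article. The directory entries, the domain names eire.com and ciscotools.com, and the helper names are constructed for illustration. It replays a set of agreements, keys users by the chosen attribute and reports which accounts would silently overwrite each other under sAMAccountName but stay distinct under userPrincipalName.

```python
"""Model of CUCM DirSync behaviour across a multi-domain forest.

Constructed example, not Cisco code: the sample entries, domain names and
function names below are assumptions made for illustration only.
"""
from collections import defaultdict

# Constructed sample forest: two domain trees attached to one forest root.
FOREST = {
    "eire.com": [
        {"dn": "cn=Bob Smith,cn=Users,dc=eire,dc=com",
         "sAMAccountName": "bsmith",
         "userPrincipalName": "bsmith@eire.com",
         "telephoneNumber": "1001"},
        {"dn": "cn=Ann Lee,cn=Users,dc=eire,dc=com",
         "sAMAccountName": "alee",
         "userPrincipalName": "alee@eire.com",
         "telephoneNumber": "1002"},
    ],
    "ciscotools.com": [
        {"dn": "cn=Bill Smith,cn=Users,dc=ciscotools,dc=com",
         "sAMAccountName": "bsmith",  # same value as eire.com's Bob Smith
         "userPrincipalName": "bsmith@ciscotools.com",
         "telephoneNumber": "2001"},
    ],
}

# One agreement per domain, as the article recommends for a multi-domain forest.
AGREEMENTS = [
    ("eire.com", "dc=eire,dc=com"),
    ("ciscotools.com", "dc=ciscotools,dc=com"),
]


def dn_under(dn, base):
    """True when dn is at or below base (case-insensitive suffix match)."""
    dn = dn.lower().replace(", ", ",")
    base = base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)


def domain_search(domain, base_dn):
    """One LDAP Directory agreement: the DC answers only from its own domain's
    naming context, so a search never crosses into the other domain tree."""
    return [e for e in FOREST[domain] if dn_under(e["dn"], base_dn)]


def run_sync(agreements, id_attr):
    """Replay the agreements in order, keying CUCM users by id_attr.

    Returns (users, collisions): users maps each CUCM user ID to the entry that
    ends up in the phone directory (the last one synced wins), and collisions
    maps every duplicated ID to all DNs that claimed it.
    """
    users, claims = {}, defaultdict(list)
    for domain, base_dn in agreements:
        for entry in domain_search(domain, base_dn):
            uid = entry[id_attr]
            claims[uid].append(entry["dn"])
            users[uid] = entry  # silently overwrites an earlier user
    collisions = {uid: dns for uid, dns in claims.items() if len(dns) > 1}
    return users, collisions


def report(id_attr):
    """Print what the phone directory would contain for a given ID attribute."""
    users, collisions = run_sync(AGREEMENTS, id_attr)
    print(f"--- keyed by {id_attr}: {len(users)} CUCM user(s) ---")
    for uid, entry in users.items():
        print(f"  {uid:28} ext {entry['telephoneNumber']}  <- {entry['dn']}")
    for uid, dns in collisions.items():
        print(f"  COLLISION on {uid!r}: {dns[-1]} overwrote {', '.join(dns[:-1])}")


if __name__ == "__main__":
    # A single agreement rooted at the forest root only ever returns one domain.
    print("Single agreement from an eire.com DC, base dc=com:",
          [e["dn"] for e in domain_search("eire.com", "dc=com")])
    report("sAMAccountName")
    report("userPrincipalName")
```

Running it shows Bob Smith's extension 1001 replaced by Bill Smith's 2001 when the sync is keyed by sAMAccountName, which is exactly the kind of identity mix-up the UPN recommendation avoids; it also shows that a base of dc=com on an eire.com domain controller still returns only eire.com accounts.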

The screenshot below shows those settings. Also, when you create the first LDAP Directory assignment, you will receive the following message:

This means if you have any existing users configured on CUCM, they will be removed unless their same ID is replicated from Active Directory.

This message is normally followed by an informational note, which is a friendly reminder to keep user IDs unique.

Finally you get to actually configure and setup either manual or automatic synchronization of End Users found in the Corporate Directory. You are required to enter:

  • the name of the LDAP Directory
  • the full distinguished name of the account with read-only rights of the objects you wish to replicate
  • the password
  • the location in the directory that includes the full distinguished name parameters

So in the example below, you enter the UPN value of the account you set up in the EIRE domain, which looks very similar to an email address, together with its password. Note: as mentioned before, the LDAP Manager Distinguished Name can be entered in two forms:

  1. the full distinguished name, which would be cn=Administrator,cn=Users,dc=eire,dc=com
  2. the user principal name (UPN), as depicted below

I personally find the UPN easier to use and less error-prone.

Then comes the search base, the point in the directory from which the search starts and runs down to the bottom of the domain.

You will also need to map fields between Active Directory and CUCM by moving towards the bottom of the page, and fill in the DCs that will perform the synchronization. It is highly recommended to have at least two DCs for redundancy. Alternatively, you can use two DCs that hold the global catalog role and change the port value from 389 to 3268.

Notice you can perform a full synchronization then check to see if “End Users” appear in the User Management section of the CCMAdmin web page.

Since you are replicating accounts into CUCM, why not also let Active Directory log on your users when they use the Administration or User web pages? This is done by setting up authentication at System → LDAP → LDAP Authentication. Unlike LDAP Directory, you can have only one LDAP Authentication entry, as depicted below:


Alternatively, you can use two DCs that hold the global catalog role and change the port value from 389 to 3268.

You will again need to enter the full distinguished name or UPN of an account that has rights to the directory.

Now when you look at an end user, the password field is no longer visible, since users are authenticated by a DC and not by CUCM.


Author: Joe Parlas

Editor’s Note: To perform this configuration yourself within a lab environment, check out this class:

ACUCW1 – Administering Cisco Unified Communications Workspace Part 1: Basic


  1. erick diaz

    Great documentation. I have a question. I initially did a sync from the root of my domain and later realized it is listing all accounts (conference rooms, service accounts, test accounts, etc.), and realized I need to be more specific with my root search.

    After I correct that, how do I clear out all accounts that were listed by the first LDAP sync so I will only have the correct ones?

    Thanks.

  2. Joseph Parlas

    When you delete an LDAP directory, Cisco Unified Communications Manager removes information about that directory from the database by default. Additionally, when performing syncs (either manually or automatically) it should mark accounts no longer seen in the LDAP Directory, based upon the new search requirements, as inactive. It will take another 24 to 48 hours for those entries to be further purged.

    Hope this helps.

  3. Hitesh

    Hello Joe,

    Thanks for your blog, it's really helpful for a new guy in CUCM.
    I have one question.

    I have configured it as you mention in your blog and all looks fine; I can see all my AD users in End Users.

    Now I am trying to register those users via eyeBeam with CUCM. They get registered using the User ID as the Primary DN number.

    Now my issue is: when I try to register a user with any password like "1234" or "xyz" which is not my AD password, my user gets registered and I can make calls via that user.

    Can you give me any idea where I have made a mistake in the configuration, or is it a CUCM issue? My CUCM is running on VMware.

    Thanks in Advance.

    Regards,
    Hitesh

  4. Joseph Parlas

    I am not familiar with eyeBeam or how that fits into the puzzle, but you mentioned you are getting end users populated in CUCM from Active Directory.

    The question is whether you are using authentication as well as synchronization. Authentication setup will allow users to use their AD password instead of a password on CUCM, which you would have to administer. So if you are able to set passwords in CUCM, then you are not using authentication.

    I am assuming you are using CUCM in a lab environment since it is sitting on a VM. Not sure when Cisco will authorize CUCM on VM deployments in a production environment.