Wednesday, January 14, 2009

LDAP integration with CUCM 5.0 or above

On Cisco Unified Communications Manager (CUCM) 5.0 or above, LDAP integration actually consists of two parts:

Part 1: LDAP Synchronization.
Part 2: LDAP Authentication.

You may enable part 1 without part 2.  But you cannot enable part 2 without part 1.

In either scenario, CUCM never, ever synchronizes passwords from LDAP. With synchronization only (part 1), end-user passwords are set and stored locally in CUCM; with authentication enabled (part 2), the password lives only in the directory.

Part 1: LDAP Synchronization

When LDAP synchronization is configured, CUCM imports user accounts from the LDAP directory and creates matching end users in the CUCM database. As mentioned before, CUCM does not import passwords; it imports the user ID, first name, last name and a handful of other attributes (mail, telephone number, department, and so on). Only end users are synchronized: application users (the accounts used by CUCM services and integrations) are always maintained locally in CUCM.

Any end user that already exists in the CUCM user database but does not exist in LDAP is scheduled for deletion: CUCM marks the account "delete pending" and gives it a 72-hour grace period. After 72 hours, "delete pending" accounts are deleted permanently and there is no way to recover them. Check the LDAP search base and filter carefully before running the first synchronization, because a search base that misses part of the directory will put every user outside it on the deletion list.

Part 2: LDAP authentication

Whenever a CUCM end user needs to authenticate, CUCM passes the user ID and password to the LDAP server and lets the directory verify them. Note that only end-user passwords are checked against LDAP; end-user PINs (used for Extension Mobility and similar features) and application-user passwords are still stored and verified locally in CUCM.

Commonly seen problems:
1) Some user accounts in LDAP did not synchronize over to CUCM
Usually this is because a 'critical' (mandatory) attribute is missing. For CUCM, "last name" (the LDAP attribute sn) is a critical attribute. If the LDAP account has no last name configured, it will not be synchronized over to CUCM, and if that user already existed in CUCM it will be treated as absent from LDAP and marked for deletion.

2) Slow synchronization
If you have a large Active Directory, pointing CUCM at a Global Catalog server port (3268 by default, 3269 for SSL) rather than the regular LDAP port (389, or 636 for SSL) is recommended. The Global Catalog holds a read-only, indexed copy of the user objects from the whole forest, so the sync completes in one pass without chasing referrals between domains. The caveat is that only attributes replicated to the Global Catalog are available there; if you map a CUCM field to an attribute that is not part of the partial attribute set, it will come across empty.

3) LDAP over SSL
After uploading the LDAP server's certificate (or the CA certificate that issued it) to the CUCM trust store for LDAP over SSL, you need to restart the Cisco Tomcat service for it to take effect. Remember to change the LDAP port to the SSL port as well (636, or 3269 for the Global Catalog); the certificate's subject name must match the server host name you configure in CUCM, so use the FQDN rather than an IP address.
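The two failure modes above (entries skipped because a mandatory attribute is missing, and existing CUCM users marked "delete pending" because the directory no longer returns them) are worth checking before you run the first synchronization rather than discovering them 72 hours later. The following script is an added example, not code from the original post or from Cisco: it reads an LDIF export of the directory (the sample data is constructed for the example), flags entries CUCM will not import, and reconciles the rest against a list of user IDs already in CUCM. It assumes the sync is keyed on sAMAccountName and that sn is the only mandatory attribute besides the user ID, as the post states.

```python
"""Pre-sync audit for CUCM LDAP synchronization (added example, not Cisco code)."""
from datetime import datetime, timedelta

# Constructed LDIF export of the directory: three users, one of them lacking `sn`.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: aadams
givenName: Alice
sn: Adams
mail: aadams@example.com

dn: CN=Bob,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
givenName: Bob

dn: CN=Carol Chen,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: cchen
givenName: Carol
sn: Chen
"""

# Constructed CUCM end-user table before the sync: `dlee` has left the company
# and was already removed from the directory.
CUCM_USERS = {"aadams", "bob", "cchen", "dlee"}

USER_ID_ATTR = "sAMAccountName"    # assumption: the sync is keyed on sAMAccountName
CRITICAL_ATTRS = ("sn",)            # the post: no last name, no import
GRACE_PERIOD = timedelta(hours=72)  # grace period before "delete pending" users are purged


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Handles blank-line separated entries, repeated attributes and LDIF line
    folding (a line starting with a space continues the previous line).
    Base64 values (`attr:: ...`) are not needed for this audit and are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value, skipped
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def _importable(entry):
    """True if the entry carries the user ID and every critical attribute."""
    return all(entry.get(a) for a in (USER_ID_ATTR,) + CRITICAL_ATTRS)


def unsyncable_entries(entries):
    """Return (dn, [missing attributes]) for every entry CUCM would skip."""
    skipped = []
    for e in entries:
        missing = [a for a in (USER_ID_ATTR,) + CRITICAL_ATTRS if not e.get(a)]
        if missing:
            skipped.append((e["dn"][0], missing))
    return skipped


def plan_sync(entries, cucm_users, now):
    """Reconcile the directory export with the current CUCM end-user table.

    A CUCM user whose directory entry is missing, or is skipped for lacking a
    critical attribute, is treated exactly as the sync treats it: not in LDAP,
    therefore marked "delete pending" and purged after the grace period.
    """
    importable = {e[USER_ID_ATTR][0] for e in entries if _importable(e)}
    delete_pending = set(cucm_users) - importable
    return {
        "import": sorted(importable),
        "delete_pending": sorted(delete_pending),
        "purge_after": now + GRACE_PERIOD,
    }


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for dn, missing in unsyncable_entries(users):
        print(f"WILL NOT SYNC  {dn}  (missing: {', '.join(missing)})")
    plan = plan_sync(users, CUCM_USERS, datetime.now())
    print("import/update :", ", ".join(plan["import"]))
    print("delete pending:", ", ".join(plan["delete_pending"]))
    print("purged after  :", plan["purge_after"].isoformat(timespec="minutes"))
```

On the sample data, Bob is reported both as an entry that will not sync (no sn) and as a CUCM user that will go "delete pending", which is the trap to watch for: fixing the attribute in the directory before the sync keeps the existing CUCM user and its device associations. Against a live Active Directory the same first check is a single query for user objects without a last name, using the LDAP filter `(&(objectClass=user)(!(sn=*)))` under the search base you intend to give CUCM.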

3 comments:

  1. Roughly how long should the synchronization take? Thanks!

  2. Hi Micheal
    Excellent post. I want to query on the same. I have already synchronized with LDAP. However, a lot of users have left the organization after that. I have cleared them from my AD. However, the users are still in the CUCM database. How can I automatically remove users from CUCM?
    Do I need to synchronize again with LDAP manually, and will it also delete the users from my CUCM?

  3. This works as designed. Search for "garbage collection" in any SRND (e.g. https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/directry.html)
