One of the most useful features Cisco has added is the ability to replicate user information from a corporate directory (Active Directory, Sun One or iPlanet) into its IP telephony platform, Unified Communications Manager (CUCM), without extending the directory schema: you simply add a connector that replicates the accounts.
This frees the phone administrator from having to add users to the system and places user management where it truly belongs, with the directory administrators. The phone administrator still has to assign a PIN (phone password), phone devices and line appearances once a user has been replicated into the phone directory, and the directory administrator now has to fill in additional attributes on the user account, such as the telephone number field.
To create the connector you first choose the type of directory you are going to replicate from (Microsoft AD, Sun One or iPlanet) and decide which unique directory attribute will identify each user in the phone system. If you pick Microsoft Active Directory, sAMAccountName is chosen as that unique field by default. If the same value matches more than one user in the directory, the last user replicated with that value wins. There is only one way that field can be duplicated: having more than one tree under the same forest root (for example cisco.com and ciscotools.com attached to the same forest root). In that situation Cisco recommends using userPrincipalName (UPN), which guarantees that each user ID is still unique. If you have only one domain in your forest, the default works fine.
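The uniqueness rule above is worth checking before the first synchronization, because a collision is silent: the last record replicated wins and the earlier user simply disappears from CUCM. The following added example (not code from the original article or from Cisco) audits a constructed set of user records from two trees in one forest and shows why sAMAccountName collides while userPrincipalName does not; the domain and user names are made up.

```python
# Added example: audit whether a candidate LDAP attribute is unique across
# every domain you plan to synchronize, so that CUCM's "last replicated
# record wins" behaviour does not silently overwrite one user with another.
from collections import defaultdict

# Constructed sample of users from two trees under one forest root
# (eire.com and ciscotools.com as in the article; the people are made up).
USERS = [
    {"domain": "eire.com", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@eire.com", "telephoneNumber": "2001"},
    {"domain": "eire.com", "sAMAccountName": "mjones",
     "userPrincipalName": "mjones@eire.com", "telephoneNumber": "2002"},
    {"domain": "ciscotools.com", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@ciscotools.com", "telephoneNumber": "3001"},
]

def find_collisions(users, attribute):
    """Return {value: [records]} for every value shared by two or more users."""
    seen = defaultdict(list)
    for u in users:
        seen[u[attribute].lower()].append(u)  # AD matches these case-insensitively
    return {v: recs for v, recs in seen.items() if len(recs) > 1}

def simulate_sync(users, attribute):
    """Mimic CUCM: the last record replicated for a given user ID wins."""
    end_users = {}
    for u in users:  # list order = order in which the agreements replicate
        end_users[u[attribute].lower()] = u
    return end_users

def choose_user_id_attribute(users):
    """Use sAMAccountName if unique forest-wide, otherwise fall back to UPN."""
    if not find_collisions(users, "sAMAccountName"):
        return "sAMAccountName"
    if not find_collisions(users, "userPrincipalName"):
        return "userPrincipalName"
    raise ValueError("no unique user ID attribute; fix the directory first")

if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        clashes = find_collisions(USERS, attr)
        print(f"{attr}: {len(clashes)} colliding value(s)")
        for value, recs in clashes.items():
            lost = [r["userPrincipalName"] for r in recs[:-1]]
            print(f"  {value}: {lost} would be overwritten by {recs[-1]['userPrincipalName']}")
    print("recommended user ID attribute:", choose_user_id_attribute(USERS))
```

In a real forest you would feed the function the sAMAccountName and userPrincipalName values exported from each domain's search base rather than the constructed list.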
Next, make sure the “Cisco DirSync” service is activated on the Publisher: log on to the Cisco Unified Serviceability (CCMService) web portal and navigate to Tools → Service Activation. To set up the directory type, log on to the CCMAdmin web page and navigate to System → LDAP → LDAP System, as depicted below:
Then configure what I call “connection agreements” under System → LDAP → LDAP Directory. Here you supply an account that has read access to the parts of Active Directory you want to replicate from.
You may need multiple LDAP Directory entries, because CUCM only searches downward from the search base given in the configuration and cannot search beyond the boundary of that domain. So if you have, let's say, six domains in your forest and want to synchronize all the user accounts in each of them, you need at least six LDAP Directory entries.
The settings are depicted below. When you create the first LDAP Directory entry, you will also receive the following message:
This means that any users already configured on CUCM will be removed unless an account with the same ID is replicated from Active Directory.
This message is normally followed by an informational note, a friendly reminder to keep user IDs unique.
Finally you configure either manual or automatic synchronization of the End Users found in the corporate directory. You are required to enter:
- the name of the LDAP Directory
- the full distinguished name of an account with read-only rights to the objects you wish to replicate
- the password
- the location in the directory (the search base), given as a full distinguished name, from which replication starts
In the example below, the UPN of the account created in the EIRE domain, which looks very much like an email address, is entered together with its password. Note: as mentioned before, the LDAP Manager Distinguished Name can be entered in one of two forms:
- the full distinguished name, for example cn=Administrator,cn=Users,dc=eire,dc=com
- use the user principal name (UPN) as depicted below
I personally find that using the UPN is easier and less likely to cause mistakes.
Then comes the search base, i.e. the position in the directory from which the search proceeds down to the bottom of the domain.
Further down the page you also map fields between Active Directory and CUCM and enter the domain controllers (DCs) that will serve the synchronization. At least two DCs are highly recommended for redundancy. Alternatively, you can use two DCs that hold the global catalog role and change the port value from 389 to 3268.
After that you can run a full synchronization and then check whether “End Users” appear in the User Management section of the CCMAdmin web page.
Since you are already replicating accounts into CUCM, why not also let Active Directory authenticate your users when they log on to the Administration or User web pages? This is set up at System → LDAP → LDAP Authentication. Unlike LDAP Directory, you can only have one LDAP Authentication entry, as depicted below:
Here too, you can alternatively use two DCs that hold the global catalog role and change the port value from 389 to 3268.
You will again need to add the full distinguished name or UPN of an account that has read rights to the directory.
Now when you look at an end user, the password field is no longer visible, because users are authenticated by a DC rather than by CUCM.
Author: Joe Parlas
Editor’s Note: To perform this configuration yourself within a lab environment, check out this class: