
CUCM LDAP Authentication to Multiple Forests via ADLS

btmulgrew
Level 4

Hi - We have an existing customer AD Integrated using sAMAccountName as the primary attrib for the CUCM 10.5 userid.

The customer is also using Jabber with JID set to default userid@emaildomain.

There is now a requirement for a merger with another organisation, where we would introduce ADLS for LDAP Synch and authentication across both forests with a separate piece of work to migrate CUCM databases. I have gone through the excellent ADLS integration document:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-80/111979-ucm-multi-forest-00.html

My understanding is that duplicate sAMAccountNames which may appear across different forests is handled across multiple ADLS partitions and sAMAccountName is no longer available as a synched userid attrib in CUCM for ADLS integration; we would need to use a different attribute, e.g. "mail". This would result in these "new userids" user@mail domain being synched as additional new users into CUCM and relevant device association, primary ext, user groups etc would need to be reconfigured.  Associated CUCM apps, Extension Mobility, UCCX, CCMUser etc. would also require different logon values based on the mail value.

We could potentially retain Jabber credentials by reconfiguring IMP to use the Directory URI, which in turn synchs with the mail value; however, I am not too sure if existing Jabber client configurations would retain their settings with this backend change.

Any thoughts or comments welcome!

Thanks

Brian
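Added example, not from the thread or from Cisco: a pre-migration check over constructed user exports from two forests that finds the cross-forest sAMAccountName collisions described above and confirms whether "mail" is unique and populated enough to become the new CUCM userid. Forest names, records and the export format are assumptions.

```python
from collections import defaultdict

# Constructed sample export (not real data): two forests, one sAMAccountName
# collision, one user with no mail, one mail collision differing only by case.
USERS = [
    {"forest": "forestA", "sAMAccountName": "jsmith", "mail": "jsmith@a.example"},
    {"forest": "forestA", "sAMAccountName": "bbrown", "mail": "bbrown@a.example"},
    {"forest": "forestB", "sAMAccountName": "jsmith", "mail": "john.smith@b.example"},
    {"forest": "forestB", "sAMAccountName": "nomail", "mail": ""},
    {"forest": "forestB", "sAMAccountName": "clash",  "mail": "JSMITH@a.example"},
]

def _norm(value):
    # LDAP attribute matching is case-insensitive; compare normalised values.
    return (value or "").strip().lower()

def collisions(users, attr):
    """Map each attr value that occurs more than once to the forests it came from."""
    seen = defaultdict(list)
    for u in users:
        if _norm(u.get(attr)):
            seen[_norm(u.get(attr))].append(u["forest"])
    return {v: forests for v, forests in seen.items() if len(forests) > 1}

def missing(users, attr):
    """sAMAccountNames of users that would get no CUCM userid from this attribute."""
    return [u["sAMAccountName"] for u in users if not _norm(u.get(attr))]

def userid_mapping(users, new_attr="mail"):
    """Old CUCM userid (forest, sAMAccountName) -> new userid, plus records to fix first.

    A record is blocked when its new value is empty or collides, because the
    sync would either skip it or merge two people into one CUCM end user.
    """
    clash = collisions(users, new_attr)
    mapping, blocked = {}, []
    for u in users:
        new = _norm(u.get(new_attr))
        if not new or new in clash:
            blocked.append((u["forest"], u["sAMAccountName"]))
        else:
            mapping[(u["forest"], u["sAMAccountName"])] = new
    return mapping, blocked

if __name__ == "__main__":
    print("sAMAccountName collisions:", collisions(USERS, "sAMAccountName"))
    print("mail collisions:", collisions(USERS, "mail"))
    print("missing mail:", missing(USERS, "mail"))
    mapping, blocked = userid_mapping(USERS)
    print("migrate:", mapping)
    print("fix first:", blocked)
```

The mapping is keyed by forest as well as sAMAccountName because, as the post notes, sAMAccountName alone is not unique once two forests are synced through AD LDS.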

1 Accepted Solution

Jaime Valencia
Cisco Employee

That's correct, your only option to retain everything would be to stop the sync, turn all the users into local users, change their userID to match the field you'll use for LDS, and then re-configure the sync.

About flexible JID, yes, assuming they're configured and valid LDAP users, the change will re-create all the contact lists and they will retain all functionality in Jabber.

HTH

java

if this helps, please rate


Thanks Jamie - looks like there is a lot of work to be done!

etamminga
Spotlight

Hi Brian,

I'm working on a new AD-LDS configuration for a customer right now. I also followed 'the excellent AD-LDS integration document' but have trouble adding the second and third domain.

As I understand from the documentation, we need to create additional DC=2nddomain,DC=... elements in the partition, but adamsync.exe keeps on complaining about "The target partition given was not the head of a partition. AdamSync cannot continue."

This has not been so well documented in the documentation ;) 


How did you manage to get this working? Would you mind sharing the configuration xml files for 1st- and 2nd forest with me, as well as a quick explanation on how to prepare LDS for the 2nd and 3rd forest?


In previous installations of AD-LDS we did (Windows 2003) this was not a problem, as adamsync supported hierarchical configurations, but Windows 2008 and later do complain about this.


Regards,

Erik