08-17-2020 09:09 AM
My current LDAP is set to pull every new user into CUCM. When the system was set up (prior to me) this wasn't an issue because the company was smaller and used fewer service accounts. Now, however, we are larger and use many service accounts that are set up as users. In order to reduce the number of users that are pulled into CUCM I would like to create a custom LDAP filter. I have not done this before but know the process, just not the syntax.
The only users that should be pulled into the CUCM are users with text in the IP Phone field in AD. I think the correct filter is
(IP phone=*)
Can anyone confirm this or suggest the correct way of getting just the information that I want without getting the Server Engineers to change their AD structure!
Cheers!
08-17-2020 09:46 AM
The default filter for LDAP includes user accounts, but not computers, and only those user accounts that are not disabled in Active Directory. It looks like this:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
It is the "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" part that excludes disabled accounts, so if you want to include them, delete that statement.
So for a custom filter that will import only active user accounts where the ipPhone field is populated you would use the following:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))
Let us know if you have questions.
Maren
08-17-2020 12:48 PM
Thank you, this seemed to create the desired outcome. I appreciate your time.
08-19-2020 02:32 AM - edited 08-19-2020 02:36 AM
Although technically not providing a different result, other than possibly a cleaner-looking filter, I would format it like this:
(&(objectclass=user)(ipPhone=*)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
It's a matter of preference on how you'd want the AND statement to be formed. The picture below is how it would look in an LDAP filter builder, like Softerra LDAP Browser, which I use for this.
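An added example, not part of any post in this thread: a small offline evaluator for the filter syntax used above (AND, NOT, equality, presence, and the 1.2.840.113556.1.4.803 bitwise-AND rule), run against constructed entries to show which accounts each filter would select. The function names, the sample accounts and their attribute values are assumptions made for illustration.

```python
# Added example, not from the thread; parse/matches/imported are illustrative names.
BIT_AND = "1.2.840.113556.1.4.803"  # OID of AD's bitwise-AND matching rule

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("item", attr.lower(), value), end + 1

def matches(node, entry):
    """entry maps lower-case attribute names to lists of string values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(f":{BIT_AND}:"):           # e.g. UserAccountControl:<oid>:=2
        mask = int(value)
        return any((int(v) & mask) == mask for v in entry.get(attr.split(":")[0], []))
    vals = entry.get(attr, [])
    if value == "*":                            # presence test, e.g. (ipPhone=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)

def imported(filter_text, entries):             # names of entries the filter selects
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [name for name, e in entries.items() if matches(node, e)]

# Constructed sample entries (not real accounts); 514 = 512 with bit 2 (disabled) set.
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "alice":      {"objectclass": USER, "useraccountcontrol": ["512"], "ipphone": ["4001"]},
    "bob":        {"objectclass": USER, "useraccountcontrol": ["514"], "ipphone": ["4002"]},
    "svc-backup": {"objectclass": USER, "useraccountcontrol": ["512"]},
    "PC01$":      {"objectclass": USER + ["computer"], "useraccountcontrol": ["4096"]},
}
```

Calling `imported(filter, ENTRIES)` with the default filter returns the enabled service account as well as the enabled phone user, while either ordering of the custom filter returns only the enabled account with ipPhone populated.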