[cisco-voip] Directory Filtering question

Andrew Short Andrew.Short at cdw.com
Thu Apr 17 21:25:52 EDT 2008


My experience with it is this:

If a user isn't found in an expected LDAP source when you sync (your
filter is now excluding them) they will stay in the database, but marked
"Inactive".  There is a database purge that occurs but I don't know when
that is.  If the purge occurs (midnight every night, maybe?  Anyone?)
while a user is marked inactive, they are gone.

This gives you a level of safety if you need to juggle your LDAP
agreements around (been there, done that) because the samAccountName is
all that Dirsync keys in on.  You can do stuff like:

Seamlessly move a user from one domain to another -- as long as you have
an LDAP Agreement with both domains, the samAccountName will still
appear in DirSync, just via a different domain.

Also, you have the freedom of messing with your ldap agreements without
fear (much) of deleting your user base.  

DirSync is a VERY nice addition to CUCM.  


-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: Thursday, April 17, 2008 7:54 PM
To: Ryan West; Andrew Short; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Directory Filtering question

Wow.  It sure is finicky, I just reapplied the same filter, removed my
LDAP entries, turned off auth, turned off LDAP, then turned it back on
and it started working again.  Is there some sort of a built in timer
that can't be circumvented?  I did a manual sync at least three times
with no luck.

Hopefully the weekly resync will actually detect when users are disabled
and properly remove them.  What has been your experience with this
Andrew?

Thanks,

-ryan

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, April 17, 2008 7:39 PM
To: Andrew Short; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Directory Filtering question

Andrew,

I was able to use just the filter listed below, but when I use the
following filter no users are matched; can you see what I might be
missing?

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(ipPhone=1*)(ipPhone=2*)(ipPhone=3*)(ipPhone=4*)(ipPhone=5*)(ipPhone=6*)(ipPhone=7*)(ipPhone=8*)(ipPhone=9*)(ipPhone=0*)))

Thanks!

-ryan

-----Original Message-----
From: Andrew Short [mailto:Andrew.Short at cdw.com]
Sent: Thursday, April 17, 2008 3:56 PM
To: Ryan West; cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Directory Filtering question

I've done this and also found (ipPhone=*) to go wanting.  In our case
the customer was very good about massaging the AD data and I was able to
use this instead:

(|(ipPhone=1*)(ipPhone=2*)(ipPhone=3*)(ipPhone=4*)(ipPhone=5*)(ipPhone=6*)(ipPhone=7*)(ipPhone=8*)(ipPhone=9*)(ipPhone=0*))

This plus the default filter almost fills your 255 char limit, but if
it's all you need it's fantastic.


-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, April 17, 2008 3:48 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Directory Filtering question

Hello,

Does anyone have an example of a filter that has been tested that looks
for an attribute, such as the ipPhone field containing data, and then
returns only those records?  This is possible using some filters that
come with Active Directory Users and Computers.  I am very close, but I
can't seem to get the filter right.

Here is an ugly one that comes straight from AD:

(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(objectCategory=user)(ipPhone=*)))

A simpler version, using the information in the axltoolkit, is to start
with the base configuration of:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

and add (ipPhone=*) to the end to make:

(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(ipPhone=*))

This should work, however, in either of the two cases it returns the
same user list that has some information I do want to sync.  Do I need to
wipe out my LDAP database before resyncing, or would the users (assuming
they were no longer syncing) just drop off after a period of time?

Any help on this would be greatly appreciated.


Thanks,

-ryan
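As an added example that is not part of the thread, the Python below assembles the base filter plus Andrew's digit-prefix clause, checks it against the 255-character limit mentioned above, and evaluates the same predicate over constructed sample records to show which accounts DirSync would pick up (the record names and values are made up, not taken from any real directory).

```python
# Added example (not from the thread): mirror the DirSync filter built above in
# Python, check it against CUCM's 255-character limit, and evaluate the same
# predicate over constructed sample AD records to see which users would sync.
ACCOUNTDISABLE = 0x2  # userAccountControl bit the 1.2.840.113556.1.4.803 (bit-AND) rule tests

BASE_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
               "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")


def with_ipphone_digit_clause(base: str) -> str:
    """Insert the OR of ipPhone=<digit>* terms before the base filter's closing ')'."""
    clause = "(|" + "".join(f"(ipPhone={d}*)" for d in "1234567890") + ")"
    return base[:-1] + clause + ")"


def fits_cucm_limit(ldap_filter: str, limit: int = 255) -> bool:
    """CUCM's LDAP filter field accepts at most 255 characters."""
    return len(ldap_filter) <= limit


def dirsync_would_match(record: dict) -> bool:
    """Evaluate the combined filter's predicate against one record (dict of attributes)."""
    classes = {c.lower() for c in record.get("objectClass", [])}
    if "user" not in classes or "computer" in classes:
        return False
    if record.get("userAccountControl", 0) & ACCOUNTDISABLE:  # disabled account
        return False
    # Only values beginning with a digit pass; a populated but non-numeric
    # ipPhone (or an absent one) does not.
    return any(v[:1].isdigit() for v in record.get("ipPhone", []))


# Constructed sample records; not taken from any real directory.
SAMPLE_USERS = {
    "alice": {"objectClass": ["user"], "userAccountControl": 512, "ipPhone": ["1001"]},
    "bob":   {"objectClass": ["user"], "userAccountControl": 514, "ipPhone": ["1002"]},  # disabled
    "carol": {"objectClass": ["user"], "userAccountControl": 512, "ipPhone": ["n/a"]},
    "dave":  {"objectClass": ["user"], "userAccountControl": 512},                        # no ipPhone
    "pc01$": {"objectClass": ["user", "computer"], "userAccountControl": 4096, "ipPhone": ["3001"]},
}


def users_to_sync(users: dict) -> list:
    """Return the sorted names of records the filter would hand to DirSync."""
    return sorted(name for name, rec in users.items() if dirsync_would_match(rec))


if __name__ == "__main__":
    full = with_ipphone_digit_clause(BASE_FILTER)
    print(len(full), fits_cucm_limit(full))  # 218 True
    print(users_to_sync(SAMPLE_USERS))       # ['alice']
```

Only the active, non-computer account whose ipPhone starts with a digit survives; the disabled account is dropped by the bit-AND clause rather than by the ipPhone test.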
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip