[cisco-voip] UCM 8x. LDAP Filters with group members

Dennis Heim Dennis.Heim at cdw.com
Sat Jan 29 01:10:59 EST 2011


You need some sort of LDAP proxy of sorts, that combines multiple LDAP directories together and presents that unified directory as a single directory to CallManager. I know that ANDtek make a metadirectory application that does exactly this.

Dennis Heim
Network Voice Engineer
CDW  Advanced Technology Services
11711 N. Meridian Street, Suite 225
Carmel, IN  46032

317.569.4255 Single Number Reach
317.569.4201 Fax
dennis.heim at cdw.com
http://www.cdw.com/content/solutions/unified-communications/

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Mike Lydick
Sent: Saturday, January 29, 2011 12:45 AM
To: Paul
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCM 8x. LDAP Filters with group members

TAC is saying that filtering on group membership in multiple domains is not possible. There is also a reference in the UCM 8x SRND that indicates it's not supported. So the real problem is how you import CM users with an Active Directory forest that contains more than 5 domains? This seems to be a serious limitation for enterprise environments.

From the SRND:

A synchronization agreement for a domain will not synchronize users outside of that domain nor within a child domain because Unified CM does not follow AD referrals during the synchronization process. The example in Figure 16-9 requires three synchronization agreements to import all of the users. Although Search Base 1 specifies the root of the tree, it will not import users that exist in either of the child domains. Its scope is only VSE.LAB, and separate agreements are configured for the other two domains to import those users.


Best Regards,

Mike Lydick



On Tue, Jan 18, 2011 at 10:27 AM, Paul <asobihoudai at yahoo.com> wrote:
according to this URL
http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm

It certainly appears you can filter out users according to group membership in
an LDAP filter.




________________________________
From: Mike Lydick <mike.lydick at gmail.com>
To: cisco-voip at puck.nether.net
Sent: Mon, January 17, 2011 7:46:51 PM
Subject: [cisco-voip] UCM 8x. LDAP Filters with group members


Is it possible to use group membership as an element in an LDAP filter?

We are working with an AD LDAP forest that has 6 domains. We need to selectively import users from LDAP as we migrate to the cluster.

The thought is to set the root path to the top level Domain OU, then use the LDAP filter to filter on iphone=* and member of group. We will add members to this group with a script as we migrate.

mike
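
The filter and the per-domain scoping discussed in this thread, as an added example that is not part of any poster's message and not a tested Unified CM configuration: it builds one search base per domain (the SRND excerpt says referrals are not followed) and an attribute-plus-memberOf filter with RFC 4515 escaping of the group DN. Assumptions: the post's "iphone" is taken to mean the AD attribute `ipPhone`, a same-named group exists under a hypothetical `OU=Groups` in every domain, and the child domain names and group name are constructed.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
_DN_SPECIAL = set(',+"\\<>;=')  # would need RFC 4514 escaping; rejected here


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(domain):
    """Turn a DNS domain name such as 'vse.lab' into 'DC=vse,DC=lab'."""
    labels = domain.split(".")
    if not all(_DNS_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)


def migration_filter(group_dn, attribute="ipPhone"):
    """Users that have `attribute` set and are direct members of group_dn."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"bad attribute name: {attribute!r}")
    return f"(&({attribute}=*)(memberOf={escape_filter_value(group_dn)}))"


def sync_agreements(domains, group_cn, group_ou="OU=Groups"):
    """One agreement per domain, since referrals to other domains are not followed."""
    if not group_cn or group_cn != group_cn.strip() or _DN_SPECIAL & set(group_cn):
        raise ValueError(f"group CN needs DN escaping: {group_cn!r}")
    agreements = []
    for domain in domains:
        base = domain_to_base_dn(domain)
        group_dn = f"CN={group_cn},{group_ou},{base}"
        agreements.append({"domain": domain, "search_base": base,
                           "filter": migration_filter(group_dn)})
    return agreements


# Constructed sample: VSE.LAB is the root named in the SRND excerpt; the two
# child domain names and the group name are invented for illustration.
SAMPLE = sync_agreements(["vse.lab", "emea.vse.lab", "amer.vse.lab"],
                         "UCM Migrated (Wave 1)")

if __name__ == "__main__":
    for agreement in SAMPLE:
        print(agreement["search_base"], agreement["filter"])
```

The parentheses in the group name are escaped as `\28` and `\29` so they cannot close the `memberOf` clause early; a group name containing DN metacharacters is rejected rather than passed through.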


