[cisco-voip] CUCM 8.5 AD integration question or two

Beck, Christopher CBeck at usg.com
Thu Feb 23 10:19:03 EST 2012


Having researched this, the root of that question comes down to the tree structure. While CUCM can have multiple sources for user synchronization (whether it is one LDAP source or multiple LDAP sources), it can currently authenticate against only one. Thus, you need a single source for authentication that will handle all users.

Also, to Lelio’s second point, whatever you choose to replicate as the user id (samUsername, UPN, etc.) has to be unique among all directories.

If you don’t have a single namespace in the AD environment (and at least have everyone in a single forest), you should probably look at some sort of virtual LDAP directory that can consolidate everything.



-Chris

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 23, 2012 8:44 AM
To: Chris Axelsson
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] CUCM 8.5 AD integration question or two

In theory, it should work. But you should probably read the documentation and test afterwards. Some questions come to mind:

 *   what requirements are there? same forest? same tree? do they even use that terminology anymore? ;)
 *   how does it handle updates to duplicate userIDs? it's inevitable there will be a jsmith at AD1 and jsmith at AD2. can the system handle this?
 *   how does auth handle multiple systems?

These may be questions only answered in testing, to be sure.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)

________________________________
From: "Chris Axelsson" <invectus at gmail.com>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "Gr" <grccie at gmail.com>, cisco-voip at puck.nether.net
Sent: Thursday, February 23, 2012 8:49:55 AM
Subject: Re: [cisco-voip] CUCM 8.5 AD integration question or two

hi

While you are on the subject, I must interject the question: what if you have to synch/auth from several different AD environments?

Thanks

regards
Chris

On Thu, Feb 23, 2012 at 2:28 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
No problem.

Also, take a read of the admin section re: LDAP sync. It mentions which services you need to have enabled. DirSync I believe.


"There's no place like 127.0.0.1"

On Feb 23, 2012, at 8:26 AM, Gr <grccie at gmail.com> wrote:
Thanks Lelio - made life easier. Good on you buddy!


On 24/02/2012, at 12:10 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

As far as I know, you do not need special licenses. However, there are license requirements on the AD side for authentication, etc. Make sure to speak to your AD team to ensure you are in compliance.

Correct in saying the CUCM configuration is simple; the hardest thing I found was doing things with SSL. You need to download the certificate from your root certificate server and install it on your publisher. If you're using plaintext synch/auth, you're good to go.

I think the initial load took significantly longer than subsequent syncs. We had about 40,000 users and it took around an hour, I think. Once you press the perform full sync button, it will change to cancel until it's completed. You can refresh the page, or go back to the list of servers and select one and check to see that it's changed back. You can also get a pseudo-status by going to the end users list and seeing how many are imported.

Some things to consider:

 *   all current local end users will be deleted, make sure you don't need them
 *   AD users will need a last name. users without a last name will not be imported
 *   take note of what is updated with syncs and what is not, you'll be surprised

that's about it.


________________________________
From: "gr11" <grccie at gmail.com>
To: cisco-voip at puck.nether.net
Sent: Thursday, February 23, 2012 7:55:25 AM
Subject: [cisco-voip] CUCM 8.5 AD integration question or two

Hi List,

Just a quick one in regard to AD integration with CUCM 8.5; I believe it should be fairly simple?

1) I am sure we do not need any special license to do that, but just wanted to confirm as I am pushed into some urgent integration at the last moment.
2) CUCM configuration is fairly simple; do we need to configure anything in AD, assuming users are already there?
3) How long will it normally take to sync around 4000 users?
4) Anything to be careful of?

Sorry, the last email just got sent by mistake, before I could finish.

Thanks,
GR

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
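
Added example (not part of the original thread or any Cisco tooling): a pre-sync check for two points raised above, that the chosen user ID must be unique across all directories and that AD users without a last name are not imported. It assumes each directory has been exported as simple unfolded LDIF text, that sAMAccountName is the attribute mapped to the user ID, and that IDs are compared case-insensitively; the sample data and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports, one LDIF-style text per directory (not real data).
SAMPLE = {
    "AD1": """dn: CN=John Smith,OU=Staff,DC=ad1,DC=example
sAMAccountName: jsmith
sn: Smith

dn: CN=Kiosk,OU=Staff,DC=ad1,DC=example
sAMAccountName: kiosk01
""",
    "AD2": """dn: CN=Jane Smith,OU=Staff,DC=ad2,DC=example
sAMAccountName: JSmith
sn: Smith
""",
}

def parse_entries(ldif_text):
    """Parse simple unfolded 'attr: value' LDIF records into dicts."""
    entries = []
    for record in ldif_text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry[attr.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def preflight(exports, id_attr="sAMAccountName"):
    """Return (user ID collisions across sources, entries lacking a last name)."""
    seen = defaultdict(list)   # lower-cased user ID -> [(source, dn), ...]
    no_surname = []            # (source, dn) of entries with empty/missing sn
    for source, text in exports.items():
        for e in parse_entries(text):
            uid = e.get(id_attr.lower(), "")
            if uid:
                # Assumption: IDs differing only in case collide.
                seen[uid.lower()].append((source, e.get("dn", "")))
            if not e.get("sn"):
                no_surname.append((source, e.get("dn", "")))
    collisions = {u: hits for u, hits in seen.items() if len(hits) > 1}
    return collisions, no_surname

if __name__ == "__main__":
    print(preflight(SAMPLE))
```
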
