[cisco-voip] Reporting in inactive endusers in CM

Sat Feb 27 10:05:43 EST 2016

Ed,

Everything I'm saying here is assuming you are UCOS >= 9.x; before 9 ALL LDAP or ALL local were the choices and you couldn't have blended users .... point being, the enduser status value had different implications.

If you are looking for a way to passively monitor active accounts; run sql select count(*) from enduser where status=1 (inactive LDAP users would show a status of 2 and local users a status of 0). However I would also want take a peek at the CUCM Dirsync log (activelog cm/trace/dirsync/log4j/dirsync.log) and see if it provides additional detail on the issue. If you get pushback from the AD folks and they say everything seems fine; it may actually be an issue with CUCM.

As a stop-gap measure; you could convert the high-profile users to a local end user account temporarily, until the sync issues are addressed. Just need to consider how that may impact Jabber (EDI Vs. UDS ... etc).

** While I cannot confirm this; I have heard of folks resolving this issue from the CUCM side by restarting the DirSync service on the Publisher node and/or deleting the Directory Sync agreement and adding it back in. **

Additionally, if your user is LDAP sync'ed but currently showing inactive you can run sql update enduser set status=1 (throw in a limit clause ... WHERE and LIKE if you don't want to hit ALL users). Now, if the user is legitimately disabled/missing in AD, the enduser will go inactive again on the next CUCM Sync.

I have also had this happen where the "Cloud Team" decided to make AD more efficient and the moved every one into different OUs and didn't consider that I, the simple phone guy might need to know that.

Let me know if I can be of further help.

Thanks,

= Ryan =

Email: ryanhuff at outlook.com

Spark: ryanhuff at outlook.com

Twitter: @ryanthomashuff<http://twitter.com/ryanthomashuff>

LinkedIn: ryanthomashuff<http://linkedin.com/in/ryanthomashuff>

Web ryanthomashuff.com<http://ryanthomashuff.com>

________________________________
From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Ed Leatherman <ealeatherman at gmail.com>
Sent: Saturday, February 27, 2016 7:42 AM
To: Cisco VOIP
Subject: [cisco-voip] Reporting in inactive endusers in CM

We've go something weird going on with LDAP whereby i'm randomly getting end users marked inactive in cucm (and unity) after a periodic sync.

Packet cap shows inconsistent number of search results back from the ldap server (oracle) - so i'm chalking it up to CM doing exactly what its supposed to do. Since I don't manage that ldap service i'm at the mercy of the folks that are, right now they are trying to replicate the issue but its so or miss , haven't been able to yet.

In the meantime though, i'd like to try and report on when ldap sync'd users get marked inactive. This way we can keep an eye on it, and if i all the sudden see 1000 users marked inactive, we can manually go in and kick off a new re-sync. or when certain VP's accounts get axed and they can no longer sign into jabber (><) we can proactively go fix it before they have a problem.

My first thought is to script something that will do a sql query against the end user table and send back user ids that are inactive - on a schedule so it just shows up in our inboxes in the morning. Anyone ever had to do this, is there a better way?

--
Ed Leatherman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20160227/735e22ee/attachment.html>