<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You need some sort of LDAP proxy of sorts, that combines multiple LDAP directories together and presents that unified directory as a single directory to CallManager. I know that ANDtek make a metadirectory application that does exactly this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Dennis Heim<br>Network Voice Engineer<br>CDW Advanced Technology Services<br>11711 N. Meridian Street, Suite 225<br>Carmel, IN 46032<br><br>317.569.4255 Single Number Reach<br></span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>317.569.4201 Fax</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="mailto:dennis.heim@cdw.com" title="mailto:dennis.heim@berbee.com">dennis.heim@cdw.com</a><br></span><span style='color:#1F497D'><a href="http://www.cdw.com/content/solutions/unified-communications/">cdw.com/content/solutions/unified-communications/</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>Mike Lydick<br><b>Sent:</b> Saturday, 
January 29, 2011 12:45 AM<br><b>To:</b> Paul<br><b>Cc:</b> cisco-voip@puck.nether.net<br><b>Subject:</b> Re: [cisco-voip] UCM 8x. LDAP Filters with group members<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>TAC is saying that filtering on Group membership in multiple Domains is not possible. There is also a reference in the UCM 8x SRND that indicates it's not supported. So the real problem is how you import CM users with an Active Directory forest that contains more than 5 domains? This seems to be a serious limitation for enterprise environments.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>From the SRND:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt'>A synchronization agreement for a domain will not synchronize users outside of that domain nor within a child domain because Unified CM does not follow AD referrals during the synchronization process. The example in Figure 16-9 requires three synchronization agreements to import all of the users. Although Search Base 1 specifies the root of the tree, it will not import users that exist in either of the child domains. 
Its scope is only VSE.LAB, and separate agreements are configured for the other two domains to import those users.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Best Regards,<br><br>Mike Lydick<br><br><br><br><o:p></o:p></p><div><p class=MsoNormal>On Tue, Jan 18, 2011 at 10:27 AM, Paul &lt;<a href="mailto:asobihoudai@yahoo.com">asobihoudai@yahoo.com</a>&gt; wrote:<o:p></o:p></p><p class=MsoNormal>According to this URL<br><a href="http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm" target="_blank">http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm</a><br><br>It certainly appears you can filter out users according to group membership in<br>an LDAP filter.<br><br><br><br><br>________________________________<br>From: Mike Lydick &lt;<a href="mailto:mike.lydick@gmail.com">mike.lydick@gmail.com</a>&gt;<br>To: <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>Sent: Mon, January 17, 2011 7:46:51 PM<br>Subject: [cisco-voip] UCM 8x. LDAP Filters with group members<o:p></o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br>Is it possible to use group membership as an element in an LDAP filter?<br><br>We are working with an AD LDAP forest that has 6 domains. We need to selectively import users from LDAP as we migrate to the cluster.<br><br>The thought is to set the root path to the top level Domain OU, then use the ldap to filter on iphone=* and member of group. We will add members to this group with a script as we migrate.<br><br>mike<br><br><br><o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>