
CUCM Dirsync Troubleshooting

One of my customers told me that one of their end users was not appearing in the CUCM database. I think it is worth writing a blog post about it.

There are already plenty of resources on the subject (Example), but I will mainly focus on the troubleshooting part here.

There are two ways to configure users on a Cisco CUCM: you can either configure them statically or synchronise the CUCM with your Active Directory domain.

If you want to make sure that your AD to CUCM synchronization is working, you first need to check that the DirSync service is activated on the CUCM Publisher:

CUCM_DirSync

Then you need to select which AD attribute will be used as the UserID field within the CUCM. To me, the logical choice is sAMAccountName, since that is what users will use to authenticate themselves. (Browse to System => LDAP => LDAP System.)

CUCM_LDAP_System

Now you need the following:

    • a Service Account used to browse the Active Directory domain
    • Search Base: the OU under which the CUCM will sync every OU it contains.
    • LDAP Server Information.

CUCM_LDAP_Directory_01

I would advise you to use the AD “mail” attribute as the CUCM Directory URI field. It will be used as a SIP URI linked to the user’s extension. You can change this on the fly if you are running 10.5.2; otherwise you have to create a duplicate LDAP sync and then remove the old, obsolete one.

Now I can check that my users have been created. I noticed that one of them was indeed missing, and I would like to understand (and fix) why!

CUCM_User

To troubleshoot this, I need to activate the DirSync traces in the CUCM Serviceability menu.

CUCM_DirSync_Trace

From here you have two options: RTMT or the CLI.

I’m not an RTMT fan, so I will show you the CLI way to find the DirSync logs on the CUCM.

The logs are located in /cm/trace/dirsync/log4j.

Now you have to search for “roy” in your traces to find out why the user is being rejected:

You can see that there is another end user with the same MailID field, so the CUCM rejects the synchronisation of the real user named “Roy”.

There are many other reasons why the CUCM can reject a user during the synchronisation process. The most common one is a missing mandatory field: FirstName or LastName.

I also recommend reading these important LDAP design considerations from the Cisco 10.x SRND design document:

  • Ensure that the LDAP directory attribute chosen to map into the Unified CM UserID field is unique within all synchronization agreements for that cluster.
  • The LDAP attribute sn (lastname) is a mandatory attribute for LDAP Synchronization of users.
  • The attribute chosen as UserID must not be the same as that for any of the Application Users defined in Unified CM.
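Both rejection causes above (a duplicate value in an attribute the CUCM needs to be unique, such as the MailID clash that hid “Roy”, and a missing mandatory attribute such as sn) can be caught on the AD side before the next sync runs. The following script is an added example, not code from the original post or from Cisco: it takes the user entries found under the Search Base and reports every entry a DirSync would reject or that collides with another one. The entries, the example.local domain and the attribute names mapped to UserID (sAMAccountName) and Directory URI (mail) are constructed assumptions matching the mapping chosen earlier in the post; in practice you would fill the list from an LDAP search run with the same service account the CUCM uses.

```python
"""Pre-sync check for CUCM LDAP directory synchronization (added example).

For every entry under the Search Base it flags:
  * a missing mandatory attribute (sn / givenName, the LastName / FirstName case),
  * a duplicate value in an attribute that must be unique across the
    synchronization agreement: the UserID attribute (sAMAccountName here)
    and the Directory URI attribute (mail here).
"""
from collections import defaultdict

# Attributes the CUCM requires on every synchronized user.
MANDATORY_ATTRS = ("sn", "givenName")
# Attributes mapped to UserID and Directory URI; assumed mapping, see post.
UNIQUE_ATTRS = ("sAMAccountName", "mail")

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"dn": "CN=Roy Example,OU=Users,DC=example,DC=local",
     "sAMAccountName": "roy", "givenName": "Roy", "sn": "Example",
     "mail": "roy@example.local"},
    {"dn": "CN=Roy Shared Mailbox,OU=Mailboxes,DC=example,DC=local",
     "sAMAccountName": "roy.mbx", "givenName": "Roy", "sn": "Mailbox",
     "mail": "roy@example.local"},          # same mail as the real Roy
    {"dn": "CN=Alice Example,OU=Users,DC=example,DC=local",
     "sAMAccountName": "alice", "givenName": "Alice",
     "mail": "alice@example.local"},        # sn (LastName) is missing
    {"dn": "CN=Bob Example,OU=Users,DC=example,DC=local",
     "sAMAccountName": "bob", "givenName": "Bob", "sn": "Example",
     "mail": "bob@example.local"},
]


def check_entries(entries, mandatory=MANDATORY_ATTRS, unique=UNIQUE_ATTRS):
    """Return {dn: [reasons]} for entries the CUCM would reject or collide on."""
    problems = defaultdict(list)

    # 1. Missing mandatory attributes.
    for entry in entries:
        for attr in mandatory:
            if not entry.get(attr):
                problems[entry["dn"]].append(f"missing mandatory attribute {attr}")

    # 2. Duplicate values in attributes that must be unique.
    #    Values are compared case-insensitively (assumption: mail and
    #    sAMAccountName are treated as case-insensitive identifiers).
    for attr in unique:
        by_value = defaultdict(list)
        for entry in entries:
            value = entry.get(attr)
            if value:
                by_value[value.lower()].append(entry["dn"])
        for value, dns in by_value.items():
            if len(dns) > 1:
                for dn in dns:
                    others = ", ".join(d for d in dns if d != dn)
                    problems[dn].append(f"{attr}={value} also used by {others}")

    return dict(problems)


def main():
    for dn, reasons in check_entries(SAMPLE_ENTRIES).items():
        print(dn)
        for reason in reasons:
            print("  -", reason)


if __name__ == "__main__":
    main()
```

Run against the sample data, the script reports the two entries sharing roy@example.local and the entry with no sn, and stays silent about Bob. Clearing these on the AD side (or moving the offending object out of the Search Base) is what makes the next DirSync pick up the missing user.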


If you have any comments or questions, do not hesitate to post a comment.

Nicolas