CUCM LDAP Integration with Active Directory and LDAP Authentication

By | May 5, 2017

How to integrate Windows Active Directory (AD) with Cisco Unified Communications Manager? LDAP integration centralizes the user management and the end user attributes will be synced from the LDAP (Lightweight Directory Access Protocol) Server.

The widely used LDAP database is Microsoft Active Directory (AD). In this article I would like to implement LDAP integration with CUCM (Cisco Unified Communications Manager) from the scratch. ‘dirsync’ is the service responsible for LDAP synchronization in the Call Manager.
The procedure would be pretty straight forward. Usually as a UC Engineer do not want to setup Microsoft Active Directory that would be handled by the Windows / Microsoft team. You will be playing the role, when it comes to integrate with Call Manager. LDAP synchronization with active directory provides Cisco phone directory feature where you can have a centralized contact/ address book.

If you are setting up a UC Lab, I recommend you to go through my article How to setup Windows DNS and Active Directory for Cisco UC Lab.

[Note: Only the End Users can be integrated with LDAP server, Applications users are not supported via LDAP. That you have to create manually.]
cucm ldap integration
Well, let’s begin with the CUCM LDAP integration steps. Below is the connection diagram.

ldap connection diagram

Step 0: Setup and AD Service Admin Account for LDAP Sync

This is actually done by the Microsoft/ Windows Server Team. I will just quickly show you how to set it up.
Open Active Directory >> Users and copy the Administrator.
active directory administrator copy

Give new name and password. I prefer ldap.admin@YOURDOMAIN.com
ldap admin user for dirsync

[Note: You can use the AD Administrator for this but I strongly advise to create a separate admin account for LDAP integration.]

Step 1: Activate Cisco DirSync Service

Go to Cisco Unified Service Ability >> Tools >> Service Activation >> then check Cisco DirSync and Save. (If it is already activated, you may skip this step.)
cisco dirsync service in cucm

Step 2: Enable Synchronization from LDAP Server

Go over to System >> LDAP >> LDAP System
ldap system in cisco unified communications manager

  • Check the [✔] Enable Synchronization from LDAP Server
  • LDAP Server Type: Microsoft Active Directory
  • LDAP Attribute of User ID: sAMAccountName

enable synchronization from ldap server cucm

Step 3: Configure LDAP Directory

Go to System >> LDAP >> LDAP Directory >> Add New

  • LDAP Configuration Name: [CCIECOLLAB_AD]
  • LDAP Manager Distinguished Name: ldap.admin@cciecollab.com (Created in Step 0)
  • LDAP Password: Password for ldap.admin@cciecollab.com
  • Confirm password: [Enter the password again]
  • LDAP User Search Space : DC=CCIECOLLAB, DC=COM [From where do you want to import]

[Note: LDAP user search base is the place where call manager will reach and queries for the users.]

Standard search space would be of the following format,
ou= [AD Organizational Unit]
dc= [Domain Name]
dc= [com]
I haven’t used the OU hence all the users from the root domain will be synced.

  • LDAP Synchronization Schedule: [Set according to your requirement]

cucm ldap directory configuration

  • Choose Phone number as ipPhone (Not mandatory)
  • Add Access Control Groups (Not mandatory)

cucm ldap directory configuration for user group and roles

[Note: Once we add Access Control Groups in the LDAP Directory configuration, whoever is imported via LDAP will be getting those Access Control Group roles.]

  • LDAP Server Information: [Provide the IP of Windows Active Directory Server]

ldap server information in cucm
>> Save

[Note: If you have Redundant LDAP Server, you may add it here itself.]

Walah! You have done with CUCM LDAP Directory configuration.

Step 4: Enable LDAP Authentication

It is highly recommended to enable LDAP Authentication also in the UC Cluster. The LDAP authentication feature enables Unified CM to authenticate LDAP synchronized users against the corporate LDAP directory.
Without LDAP Authentication, all the user password authentication managed by call manager itself (We can set password for the user from the CUCM admin GUI). Once we enable LDAP Authentication, every user password authentication will be managed by the LDAP Server, hence you will get a centralized password management.

[Note: PINs of all end users are always checked against the local database only.]
cucm ldap authentication
Go over to System >> LDAP >> LDAP Authentication >> Add new
Configure it as follows,
ldap authentication in cucm
Now we are good to go!

Step 5: Perform Full Sync Now

Go to System >> LDAP >> LDAP Directory >> and click Perform Full Sync Now.
Now all the users from the LDAP Server will be synced with Call Manager.
perform full sync now ldap

To verify that, go to User Management >> End User >> Find
user management in cucm

ldap end user synced

This is all about CUCM LDAP integration and configuration. I hope it’s informative for you, Please let me know your feedback via the following comment box. Like our facebook page to get latest updates. In my next article I will be coming up with LDAP Custom Filter configuration for Cisco Unified Communications Manager.

Leave a Reply

Your email address will not be published. Required fields are marked *