Change LDAP User Sync from Top-Down to Bottom-Up

Top-down LDAP user management means that LDAP users are first added to VOSS-4-UC and then synced to Unified CM. The steps below describe how to change LDAP user sync from top-down to bottom-up, that is, LDAP users on Unified CM are synced to VOSS-4-UC.

Important

The precautions below should be taken before carrying out the change.

Preliminaries

  • Take a VM snapshot before making any significant changes.
  • Ensure that the LDAP server is in sync with VOSS-4-UC and that VOSS-4-UC is in sync with Unified CM.
  • Make sure that you have the correct LDAP server information, or that someone is available who has the correct information.
  • Make sure that Cisco and VOSS are aware of this change before commencing. L3 support staff need to be aware of the work being done beforehand.
  • Always test the procedure for one user only first, using a Model Instance Filter. You need the assistance of VOSS-4-UC support.
    • If the Model Instance Filter is to apply to the top-down (LDAP to VOSS-4-UC) synced user, it should be on device/ldap/user and the attribute cn. You can get the cn from the LDAP Synced users list.
    • If the Model Instance Filter is to apply to the bottom-up (Unified CM to VOSS-4-UC) synced user, it should be on device/cucm/user and the attribute userid.

Checks

  1. The Users list in VOSS-4-UC shows the user is “VOSS-LDAP Synced” and on the Provisioning Status tab for the user, the user is synced with both LDAP and CUCM.

    LDAP-top-down-bottom-up-1

  2. The User Status column for the user in Unified CM is “Active LDAP synchronized User”.

    LDAP-top-down-bottom-up-2

  3. The LDAP server is configured on CUCM, and the LDAP Attribute for User ID is the same as the Login Attribute Name on VOSS-4-UC. (On Unified CM: System > LDAP > Server and System > LDAP > LDAP Directory; search to find it or add it.)

    LDAP-top-down-bottom-up-3

    LDAP-top-down-bottom-up-4

  4. Confirm in the VOSS-4-UC schedules and transactions that recent LDAP - VOSS-4-UC syncs have taken place and that Unified CM has the same user count as VOSS-4-UC.

  5. Make sure in VOSS-4-UC that on LDAP Management > LDAP User Sync the user modes for Move, Delete and Purge are set to Manual. Note that when this configuration is saved, it will run a full LDAP sync.
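The following is an added example, not part of the VOSS-4-UC documentation or product: it models Checks 3 and 4 above (matching user ID attribute, matching user counts) and the single-user Model Instance Filter values from the Preliminaries as a pre-change consistency check over constructed sample data. The LDAP entries, user lists and dictionary keys are assumptions for illustration, not a VOSS-4-UC or Unified CM API.

```python
# Added example (not VOSS-4-UC or Cisco code): pre-change consistency check.
# Constructed LDAP directory export for illustration only (not real data).
LDAP_ENTRIES = [
    {"cn": "Alice Example", "sAMAccountName": "aexample", "mail": "alice@example.test"},
    {"cn": "Bob Example", "sAMAccountName": "bexample", "mail": "bob@example.test"},
    {"cn": "Carol Example", "sAMAccountName": "cexample", "mail": "carol@example.test"},
]


def derive_ids(entries, attr):
    """Login identifiers a system would derive from LDAP using attribute `attr`."""
    return {e[attr] for e in entries if attr in e}


def precheck(entries, cucm_userid_attr, voss_login_attr, cucm_userids, voss_usernames):
    """Report the conditions that must hold before switching sync direction.

    attr_match: CUCM 'LDAP Attribute for User ID' equals the VOSS-4-UC 'Login
      Attribute Name' (Check 3). If they differ, the same person is keyed by two
      different identifiers and the bottom-up sync cannot match existing users.
    count_match: CUCM and VOSS-4-UC hold the same number of users (Check 4).
    missing_*: LDAP-derived identifiers that one side does not hold.
    unmatched_identities: keys present on only one of the two systems.
    """
    cucm_ids, voss_ids = set(cucm_userids), set(voss_usernames)
    return {
        "attr_match": cucm_userid_attr == voss_login_attr,
        "count_match": len(cucm_ids) == len(voss_ids),
        "missing_in_cucm": sorted(derive_ids(entries, cucm_userid_attr) - cucm_ids),
        "missing_in_voss": sorted(derive_ids(entries, voss_login_attr) - voss_ids),
        "unmatched_identities": sorted(cucm_ids ^ voss_ids),
    }


def ready_to_change(report):
    """True only when every precondition in the report holds."""
    return (report["attr_match"] and report["count_match"]
            and not report["missing_in_cucm"] and not report["missing_in_voss"]
            and not report["unmatched_identities"])


def single_user_filter_values(entry, cucm_userid_attr):
    """Attribute values for the one-user Model Instance Filters on each model."""
    return {"device/ldap/user.cn": entry["cn"],
            "device/cucm/user.userid": entry[cucm_userid_attr]}


if __name__ == "__main__":
    ids = sorted(derive_ids(LDAP_ENTRIES, "sAMAccountName"))
    print(precheck(LDAP_ENTRIES, "sAMAccountName", "sAMAccountName", ids, ids))
    print(single_user_filter_values(LDAP_ENTRIES[0], "sAMAccountName"))
```

With the hypothetical data, keying CUCM on sAMAccountName but VOSS-4-UC on mail yields `attr_match` False and six unmatched identities, which is exactly the state Check 3 is meant to catch before the sync direction is changed.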

Before you carry out the change

In VOSS-4-UC, make backups of the LDAP server and sync configurations. The easiest way to do this is to export the data to JSON from the following menu paths:

  • LDAP Management > LDAP Server

  • LDAP Management > LDAP User Sync

  • Administration Tools > Scheduling, LDAP Sync schedule

  • LDAP Management > LDAP Authentication Users

    This step is a precaution in case there are any issues. However, export is limited to 200 at a time, so for a customer with e.g. a 5K user count this is impractical. In that case a VM snapshot is recommended.

Make the change

  1. In VOSS-4-UC, remove the instance under LDAP Management > LDAP User Sync for this customer.

  2. Check that the users in question show as local users on both VOSS-4-UC (“CUCM Local”) and Unified CM (“Enabled Local User”).

    LDAP-top-down-bottom-up-5

    LDAP-top-down-bottom-up-6

  3. Enable the Cisco DirSync Service on Unified CM. In Cisco Unified Serviceability, go to Tools > Service Activation. At the bottom of the page you will find Cisco DirSync Service. Activation will take some time to complete.

    LDAP-top-down-bottom-up-7

  4. Run an LDAP sync from Unified CM. Go to System > LDAP > LDAP Directory and select Perform Full Sync Now.

    LDAP-top-down-bottom-up-8

  5. Check the user status of the user in Unified CM. The User Status will now show as “Active LDAP synchronized user”.

  6. In VOSS-4-UC, add the LDAP User Sync again and enable the LDAP Authentication Only option.

    LDAP-top-down-bottom-up-9

  7. Run a DataSync from VOSS-4-UC with Unified CM (i.e. the data sync whose name starts with “HcsPull”).

To change LDAP User Data Sync back to Top-Down

  1. Stop the DirSync service on Unified CM.

    Log into the CUCM Cisco Unified Serviceability page and go to Tools > Control Center - Feature Services. Select the Cisco DirSync service option and click Stop.

    LDAP-top-down-bottom-up-10

    If this move is permanent, stop and deactivate the Cisco DirSync service on Unified CM.

  2. In VOSS-4-UC, remove the Authenticate Only LDAP User sync.

  3. In VOSS-4-UC, add an LDAP User Sync to do full LDAP syncs. (Or you can just import the JSON file exported earlier.)

  4. Go to User Management > Sync & Purge > LDAP Users and run Sync Users from LDAP (unselect Remove Log Messages).

    LDAP-top-down-bottom-up-12

  5. Check the user in Unified CM and in VOSS-4-UC. The user status should be:

    • Unified CM: “LDAP Active Synced”
    • VOSS-4-UC: “VOSS-LDAP Synced”