.. _Change_LDAP_User_Sync_from_Top-Down_to_Bottom-Up:

Change LDAP User Sync from Top-Down to Bottom-Up
------------------------------------------------

.. _12.5(1)|DOC-158:
.. _18.2|DOC-158:
.. _19.2.1|VOSS-636:


Top-down LDAP user management means that LDAP users are first added to VOSS-4-UC
and then synced to Unified CM.
The steps below describe how to change LDAP user sync from top-down to
bottom-up, in other words, so that LDAP users on Unified CM are synced to VOSS-4-UC.

.. important::
   The precautions below should be taken before carrying out the change.

Preliminaries
.............

* Take a VM snapshot before making any significant changes.
* Ensure that the LDAP server is in sync with VOSS-4-UC and that 
  VOSS-4-UC is in sync with Unified CM.
* Make sure that you have the correct LDAP server information, 
  or that someone is available who has the correct information.
* Make sure that Cisco and VOSS are aware of this change before commencing.
  L3 support staff need to be aware of the work being done beforehand.
* Always test the procedure for one user only first, using a
  Model Instance Filter. You need the assistance of VOSS-4-UC support.

  * If the Model Instance Filter is to apply to the top-down, LDAP to VOSS-4-UC
    synced user, it should be on ``device/ldap/user`` and the attribute ``cn``.
    You can get the ``cn`` from the LDAP Synced users list.

  * If the Model Instance Filter is to apply to the bottom-up, Unified CM to VOSS-4-UC
    synced user, it should be on ``device/cucm/user`` and the attribute
    ``userid``.


Checks
......

1. The Users list in VOSS-4-UC shows the user is "VOSS-LDAP Synced" and 
   on the Provisioning Status tab for the user, the user is synced with
   both LDAP and CUCM.

   |LDAP-top-down-bottom-up-1|

2. The User Status column for the user in Unified CM is "Active LDAP synchronized User".

   |LDAP-top-down-bottom-up-2|

3. The LDAP server is configured on CUCM and the LDAP Attribute for User
   ID is the same as the Login Attribute Name on VOSS-4-UC.
   (On Unified CM: go to **System > LDAP > Server** and **System > LDAP > LDAP Directory**,
   then search to find it or add it.)

   |LDAP-top-down-bottom-up-3|


   |LDAP-top-down-bottom-up-4|

4. Confirm in the VOSS-4-UC schedules and transactions that recent LDAP to VOSS-4-UC
   syncs have taken place and that Unified CM has the same user count as VOSS-4-UC.
5. Make sure in VOSS-4-UC that on **LDAP Management > LDAP User Sync** the user
   modes for Move, Delete and Purge are set to Manual. Note that when this configuration
   is saved, it will run a full LDAP sync.

Before you carry out the change
...............................

In VOSS-4-UC, make backups of the LDAP server and configurations.
The easiest way to do this is to export the data to JSON from the following
menu paths:

* **LDAP Management > LDAP Server**
* **LDAP Management > LDAP User Sync**
* **Administration Tools > Scheduling**, LDAP Sync schedule
* **LDAP Management > LDAP Authentication Users**

  This step is a precaution in case there are any issues. However,
  exporting is limited to 200 at a time, so for a customer with e.g. a 5K
  user count this is impractical. In that case a VM snapshot is recommended.



Make the change
...............

1. In VOSS-4-UC, remove the instance under **LDAP Management > LDAP User Sync** for this customer.
2. Check that the users in question show as local users on both VOSS-4-UC ("CUCM Local")
   and Unified CM ("Enabled Local User").

   |LDAP-top-down-bottom-up-5|

   |LDAP-top-down-bottom-up-6|

3. Enable the Cisco DirSync Service on Unified CM. Go to 
   **Cisco Unified Serviceability Tools > Service Activation**.
   At the bottom of the page you will find Cisco DirSync Service.
   It will take some time to complete.

   |LDAP-top-down-bottom-up-7|

4. Run an LDAP sync from Unified CM. Go to
   **System > LDAP > LDAP Directory** and select
   **Perform Full Sync Now**.

   |LDAP-top-down-bottom-up-8|

5. Check the user status of the user in Unified CM.
   The User Status will now show as "Active LDAP synchronized user".
6. In VOSS-4-UC, add the LDAP User Sync again and enable the LDAP Authentication Only
   option.

   |LDAP-top-down-bottom-up-9|

7. Run a DataSync from VOSS-4-UC with Unified CM (that is, the data sync with a name
   that starts with "HcsPull").

 
To change LDAP User Data Sync back to Top Down
..............................................

1. Stop the DirSync service on Unified CM.

   Log into the CUCM Cisco Unified Serviceability page and go to
   **Tools > Control Center - Feature Services**.  Select the 
   Cisco DirSync service option and click **Stop**.

   |LDAP-top-down-bottom-up-10|

   If this move is permanent, stop and deactivate the Cisco DirSync service
   on Unified CM.
#. In VOSS-4-UC, remove the Authenticate Only LDAP User sync.
#. In VOSS-4-UC, add an LDAP User Sync to do full LDAP syncs. (Or you can just
   import the JSON file exported earlier.)
#. Go to **User Management > Sync & Purge > LDAP Users** and run the user sync from LDAP
   (unselect Remove Log Messages).

   |LDAP-top-down-bottom-up-12|

#. Check the user in Unified CM and in VOSS-4-UC. The user status should be:

   * Unified CM: "LDAP Active Synced"
   * VOSS-4-UC: "VOSS-LDAP Synced"


.. |LDAP-top-down-bottom-up-1| image:: /src/images/LDAP-top-down-bottom-up-1.png
.. |LDAP-top-down-bottom-up-2| image:: /src/images/LDAP-top-down-bottom-up-2.png
.. |LDAP-top-down-bottom-up-3| image:: /src/images/LDAP-top-down-bottom-up-3.png
.. |LDAP-top-down-bottom-up-4| image:: /src/images/LDAP-top-down-bottom-up-4.png
.. |LDAP-top-down-bottom-up-5| image:: /src/images/LDAP-top-down-bottom-up-5.png
.. |LDAP-top-down-bottom-up-6| image:: /src/images/LDAP-top-down-bottom-up-6.png
.. |LDAP-top-down-bottom-up-7| image:: /src/images/LDAP-top-down-bottom-up-7.png
.. |LDAP-top-down-bottom-up-8| image:: /src/images/LDAP-top-down-bottom-up-8.png
.. |LDAP-top-down-bottom-up-9| image:: /src/images/LDAP-top-down-bottom-up-9.png
.. |LDAP-top-down-bottom-up-10| image:: /src/images/LDAP-top-down-bottom-up-10.png
.. |LDAP-top-down-bottom-up-11| image:: /src/images/LDAP-top-down-bottom-up-11.png
.. |LDAP-top-down-bottom-up-12| image:: /src/images/LDAP-top-down-bottom-up-12.png

.. |VOSS-4-UC| replace:: VOSS-4-UC
.. |Unified CM| replace:: Unified CM