Change LDAP User Sync from Top-Down to Bottom-Up

Top-down LDAP user management means that LDAP users are first added to VOSS Automate and then synced to Unified CM. The steps below describe how to change LDAP user sync from top-down to bottom-up, that is, so that LDAP users on Unified CM are synced to VOSS Automate.

Important

The precautions below should be taken before carrying out the change.

Preliminaries

  • Take a VM snapshot before making any significant changes.

  • Ensure that the LDAP server is in sync with VOSS Automate and that VOSS Automate is in sync with Unified CM.

  • Make sure that you have the correct LDAP server information, or that someone is available who has the correct information.

  • Make sure that Cisco and VOSS are aware of this change before commencing. L3 support staff need to be aware of the work being done beforehand.

  • Always test the procedure for one user only first, using a Model Instance Filter. You need the assistance of VOSS Automate support.

    • If the Model Instance Filter is to apply to the top-down, LDAP to VOSS Automate synced user, it should be on device/ldap/user and the attribute cn. You can get the cn from the LDAP Synced users list.

    • If the Model Instance Filter is to apply to the bottom-up, Unified CM to VOSS Automate synced user, it should be on device/cucm/user and the attribute userid.

Checks

  1. The Users list in VOSS Automate shows the user is “VOSS-LDAP Synced” and on the Provisioning Status tab for the user, the user is synced with both LDAP and CUCM.

    [Screenshot: LDAP-top-down-bottom-up-1]

  2. The User Status column for the user in Unified CM is “Active LDAP synchronized User”.

    [Screenshot: LDAP-top-down-bottom-up-2]

  3. The LDAP server is configured on CUCM, and the LDAP Attribute for User ID is the same as the Login Attribute Name on VOSS Automate. (On Unified CM: System > LDAP > LDAP Server and System > LDAP > LDAP Directory; search to find the entry or add it.)

    [Screenshot: LDAP-top-down-bottom-up-3]

    [Screenshot: LDAP-top-down-bottom-up-4]

  4. Confirm in the VOSS Automate schedules and transactions that recent LDAP to VOSS Automate syncs have taken place and that Unified CM has the same user count as VOSS Automate.

  5. Make sure in VOSS Automate that on LDAP Management > LDAP User Sync the user modes for Move, Delete and Purge are set to Manual. Note that when this configuration is saved, it will run a full LDAP sync.
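Checks 1 to 4 above amount to a three-way reconciliation: every LDAP user must exist on VOSS Automate and on Unified CM, all three counts must agree, every VOSS Automate record must show "VOSS-LDAP Synced", every Unified CM record must show "Active LDAP synchronized User", and all three systems must be keyed on the same attribute (check 3). The script below is an added example that automates that reconciliation over exported data; it is not VOSS Automate code. The record shapes and field names (cn, sAMAccountName, username, userid, status) are assumptions standing in for whatever your JSON exports contain, and the sample records are constructed. The login_attribute parameter is the single attribute that Unified CM uses as LDAP Attribute for User ID and VOSS Automate uses as Login Attribute Name; passing the wrong attribute (for example cn where sAMAccountName is configured) shows up as spurious mismatches, which is exactly the condition check 3 guards against.

```python
"""Reconcile LDAP, VOSS Automate and Unified CM user records before changing
the sync direction.

Added example, not VOSS Automate code. Field names are assumptions standing in
for the JSON exports; the sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Status strings the checks above expect for a correctly top-down synced user.
VOSS_EXPECTED_STATUS = "VOSS-LDAP Synced"
CUCM_EXPECTED_STATUS = "Active LDAP synchronized User"

# Constructed sample exports (assumed field names).
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"cn": "jsmith", "sAMAccountName": "jsmith"},
    {"cn": "akhan", "sAMAccountName": "akhan"},
    {"cn": "mlee", "sAMAccountName": "m.lee"},   # cn and login attribute differ
]
VOSS_USERS: List[Dict[str, str]] = [
    {"username": "jsmith", "status": "VOSS-LDAP Synced"},
    {"username": "akhan", "status": "VOSS-LDAP Synced"},
    {"username": "m.lee", "status": "CUCM Local"},   # never LDAP-synced in VOSS
]
CUCM_USERS: List[Dict[str, str]] = [
    {"userid": "jsmith", "status": "Active LDAP synchronized User"},
    {"userid": "akhan", "status": "Active LDAP synchronized User"},
    {"userid": "bob", "status": "Enabled Local User"},   # exists only on CUCM
]


@dataclass
class Report:
    ldap_count: int
    voss_count: int
    cucm_count: int
    missing_in_voss: List[str] = field(default_factory=list)
    missing_in_cucm: List[str] = field(default_factory=list)
    not_in_ldap: List[str] = field(default_factory=list)
    wrong_voss_status: List[str] = field(default_factory=list)
    wrong_cucm_status: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        """True only when the counts match and every discrepancy list is empty."""
        return (
            self.ldap_count == self.voss_count == self.cucm_count
            and not (self.missing_in_voss or self.missing_in_cucm or self.not_in_ldap
                     or self.wrong_voss_status or self.wrong_cucm_status)
        )


def reconcile(ldap_entries, voss_users, cucm_users, login_attribute: str) -> Report:
    """Key all three systems on the same LDAP attribute and list every mismatch.

    login_attribute is the attribute Unified CM uses as LDAP Attribute for User ID
    and VOSS Automate uses as Login Attribute Name (check 3 requires them to be
    the same), so one name keys all three sets here.
    """
    try:
        ldap_ids = {entry[login_attribute] for entry in ldap_entries}
    except KeyError:
        raise ValueError(f"LDAP export has no attribute {login_attribute!r}") from None
    voss = {u["username"]: u["status"] for u in voss_users}
    cucm = {u["userid"]: u["status"] for u in cucm_users}

    report = Report(len(ldap_ids), len(voss), len(cucm))
    report.missing_in_voss = sorted(ldap_ids - set(voss))
    report.missing_in_cucm = sorted(ldap_ids - set(cucm))
    report.not_in_ldap = sorted((set(voss) | set(cucm)) - ldap_ids)
    report.wrong_voss_status = sorted(u for u, s in voss.items() if s != VOSS_EXPECTED_STATUS)
    report.wrong_cucm_status = sorted(u for u, s in cucm.items() if s != CUCM_EXPECTED_STATUS)
    return report


def summarize(report: Report) -> List[str]:
    """Human-readable lines to paste into the change record."""
    lines = [f"counts: LDAP={report.ldap_count} VOSS={report.voss_count} CUCM={report.cucm_count}"]
    for name in ("missing_in_voss", "missing_in_cucm", "not_in_ldap",
                 "wrong_voss_status", "wrong_cucm_status"):
        values = getattr(report, name)
        if values:
            lines.append(f"{name}: {', '.join(values)}")
    lines.append("OK: safe to proceed" if report.ok() else "NOT OK: resolve the items above first")
    return lines


if __name__ == "__main__":
    for line in summarize(reconcile(LDAP_ENTRIES, VOSS_USERS, CUCM_USERS, "sAMAccountName")):
        print(line)
```

Run against the constructed sample the script reports m.lee missing on Unified CM and still "CUCM Local" on VOSS Automate, and bob present only on Unified CM as a local user; both must be resolved before removing the LDAP User Sync, because step 2 of the change expects every affected user to flip cleanly to local on both sides. Running it with "cn" instead of "sAMAccountName" additionally flags mlee/m.lee as a mismatch, which is what an attribute disagreement between check 3's two settings looks like in practice.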

Before you carry out the change

In VOSS Automate, make backups of the LDAP server and sync configurations. The easiest way to do this is to export the data to JSON from the following menu paths:

  • LDAP Management > LDAP Server

  • LDAP Management > LDAP User Sync

  • Administration Tools > Scheduling, LDAP Sync schedule

  • LDAP Management > LDAP Authentication Users

    This step is a precaution in case there are any issues. However, export is limited to 200 records at a time, so for a customer with, for example, a 5K user count this is impractical. In that case a VM snapshot is recommended.

Make the change

  1. In VOSS Automate, remove the instance under LDAP Management > LDAP User Sync for this customer.

  2. Check that the users in question show as local users on both VOSS Automate (“CUCM Local”) and Unified CM (“Enabled Local User”).

    [Screenshot: LDAP-top-down-bottom-up-5]

    [Screenshot: LDAP-top-down-bottom-up-6]

  3. Enable the Cisco DirSync Service on Unified CM. Go to Cisco Unified Serviceability > Tools > Service Activation. At the bottom of the page you will find Cisco DirSync Service. Activation takes some time to complete.

    [Screenshot: LDAP-top-down-bottom-up-7]

  4. Run an LDAP sync from Unified CM. Go to System > LDAP > LDAP Directory and select Perform Full Sync Now.

    [Screenshot: LDAP-top-down-bottom-up-8]

  5. Check the user status of the user in Unified CM. The User Status will now show as “Active LDAP synchronized user”.

  6. In VOSS Automate, add the LDAP User Sync again and enable the LDAP Authentication Only option.

    [Screenshot: LDAP-top-down-bottom-up-9]

  7. Run a DataSync from VOSS Automate with Unified CM (i.e. the data sync whose name starts with “HcsPull”).

To change LDAP User Data Sync back to Top Down

  1. Stop the DirSync service on Unified CM.

    Log into the CUCM Cisco Unified Serviceability page and go to Tools > Control Center - Feature Services. Select the Cisco DirSync service option and click Stop.

    [Screenshot: LDAP-top-down-bottom-up-10]

    If this move is permanent, stop and deactivate the Cisco DirSync service on Unified CM.

  2. In VOSS Automate, remove the Authenticate Only LDAP User sync.

  3. In VOSS Automate, add an LDAP User Sync to do full LDAP syncs. (Or you can just import the JSON file exported earlier.)

  4. Go to User Management > Sync & Purge > LDAP Users and run Sync Users from LDAP (unselect Remove Log Messages).

    [Screenshot: LDAP-top-down-bottom-up-12]

  5. Check the user in Unified CM and in VOSS Automate. The user status should be:

    • Unified CM: “LDAP Active Synced”

    • VOSS Automate: “VOSS-LDAP Synced”