Import of Users from Cisco Unified Communications Manager

This topic shows the import process for users that are located on Cisco Unified Communications Manager.

Follow these steps to synchronize users from Cisco Unified Communications Manager to Cisco Unity Connection:

  • Enable AXL service on Cisco Unified Communications Manager.
  • Configure the AXL server in the Cisco Unity Connection phone system.
    1. Specify the IP address and port.
    2. Enter the AXL user credentials.
  • Import the users.
    1. Specify the phone system from which you want to synchronize users.
    2. Choose the voicemail template to apply to the new users.
    3. Choose the users to import and verify the extension numbers.
  • Two conditions limit the search results:
    1. Users without a configured primary extension are not shown.
    2. Users that already exist in Cisco Unity Connection are not shown again.

To import users from Cisco Unified Communications Manager, activate the Cisco AXL Web Service on Cisco Unified Communications Manager (Cisco Unified Serviceability > Tools > Service Activation). Then configure the AXL server in the phone system configuration of Cisco Unity Connection. Add a new AXL server with the IP address of the Cisco Unified Communications Manager and the port number 8443 (AXL is an HTTPS API). Then enter the username and password of a Cisco Unified Communications Manager application user. Use a dedicated application user that holds only the AXL access role; do not reuse an administrator account, because these credentials are stored on Cisco Unity Connection and are sent with every AXL request.

Users that are not configured with a primary extension cannot be imported. Go to the end-user configuration in Cisco Unified Communications Manager and set the primary extension. Then go back to Cisco Unity Connection and try the import process again. Users that are already configured in Cisco Unity Connection are not shown during the import process.

The advantage of importing users from Cisco Unified Communications Manager is that the users have already been synchronized from, and filtered against, the LDAP directory. This source is the preferred choice when all users have a primary extension configured, because only users with a primary extension can be imported.
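The import described above is an AXL query against Cisco Unified Communications Manager. The following is an added example, not Cisco's code and not part of the course material: it builds the listUser request, sends it over HTTPS to port 8443 with the application user's credentials, and applies the rule from this topic that users without a primary extension are skipped. The AXL version string, the SOAPAction value and the listUser/returnedTags element names are assumptions taken from the AXL schema of a recent release (check the WSDL of your version); the response is constructed for the example, and the network call is not exercised offline.

```python
"""Added example, not Cisco's code: the AXL call behind the Cisco Unity
Connection user import, sent to Cisco Unified Communications Manager over
HTTPS on port 8443, plus the rule the import applies (users without a
primary extension are skipped). Assumptions: the AXL namespace/SOAPAction
version strings and the listUser/returnedTags element names follow the AXL
schema of the target release (check its WSDL); the response below is
constructed, not captured; the network call is never made in the test."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

AXL_VERSION = "12.5"                                    # assumption: match the CUCM release
AXL_NS = "http://www.cisco.com/AXL/API/" + AXL_VERSION
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def build_list_user_request(userid_pattern="%"):
    """SOAP body for listUser; '%' is the AXL wildcard, i.e. every end user."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}listUser" % AXL_NS)
    ET.SubElement(ET.SubElement(req, "searchCriteria"), "userid").text = userid_pattern
    tags = ET.SubElement(req, "returnedTags")
    for tag in ("userid", "firstName", "lastName", "primaryExtension"):
        ET.SubElement(tags, tag)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def axl_post(host, user, password, ca_bundle, body):
    """POST to https://<cucm>:8443/axl/ with the AXL application user's
    credentials in a Basic header. The TLS context verifies the CUCM Tomcat
    certificate against ca_bundle; an unverified context would hand those
    credentials to anyone who can interpose on the path to port 8443."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        "https://%s:8443/axl/" % host, data=body, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "CUCM:DB ver=%s listUser" % AXL_VERSION,
                 "Authorization": "Basic " + cred})
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return resp.read()

def split_importable(response_xml):
    """(importable, skipped): users with a primary extension, and those the
    import page will not show because they have none."""
    importable, skipped = [], []
    for u in ET.fromstring(response_xml).iter("user"):
        userid = u.findtext("userid")
        ext = u.findtext("primaryExtension/pattern")   # "" or None when no extension is set
        if ext:
            importable.append((userid, ext))
        else:
            skipped.append(userid)
    return importable, skipped

# Constructed listUser response (not captured from a real system) for the offline check.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<ns:listUserResponse xmlns:ns="http://www.cisco.com/AXL/API/12.5"><return>
<user uuid="{00000000-0000-0000-0000-000000000001}"><userid>jsmith</userid>
 <firstName>John</firstName><lastName>Smith</lastName>
 <primaryExtension><pattern>2001</pattern><routePartitionName>PT-Internal</routePartitionName></primaryExtension></user>
<user uuid="{00000000-0000-0000-0000-000000000002}"><userid>jdoe</userid>
 <firstName>Jane</firstName><lastName>Doe</lastName>
 <primaryExtension><pattern/><routePartitionName/></primaryExtension></user>
</return></ns:listUserResponse></soapenv:Body></soapenv:Envelope>"""
```

Running split_importable over the constructed response lists jsmith (extension 2001) as importable and jdoe as skipped, which is exactly what the import page shows when jdoe has no primary extension in Cisco Unified Communications Manager. The point of axl_post is the TLS context: AXL authenticates with a Basic header on every request, so disabling certificate verification (a common shortcut with self-signed Tomcat certificates) exposes the application user's password to anyone on the path.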

Imported Cisco Unified Communications Manager User

The following shows an imported Cisco Unified Communications Manager user:

  • Alias, First Name, Last Name, and Extension are read-only fields.
  • You cannot migrate the Cisco Unified Communications Manager user to be an LDAP user.

The figure shows the Cisco Unified Communications Manager imported user configuration. In contrast with an LDAP synchronized user, the Extension field is also a read-only field. If you want to change these parameters, you must make the change in Cisco Unified Communications Manager. Cisco Unified Communications Manager imported users cannot be migrated to LDAP synchronized users. The LDAP integration status cannot be modified.

LDAP Filter

This topic explains how an LDAP filter is used to optimize the user selection and synchronization results.

Define the search criteria for an LDAP filter.

Example filters and what they match:

  • (objectClass=*): All objects
  • (&(objectCategory=person)(objectClass=user)(!(cn=john))): All user objects except “john”
  • (sn=sm*): All objects with a surname that starts with “sm”
  • (&(objectCategory=person)(objectClass=contact)(|(sn=Smith)(sn=Johnson))): All contacts with a surname that is equal to “Smith” or “Johnson”

Matching components of distinguished names:

  • (&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
  • (&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Boston))))

You can configure only five search agreements. If you need more than five search agreements, you must point the search agreement to the root domain in combination with LDAP filters. With these filters you can, for example, only import users from certain subdomains or from certain locations. Filters give you more scalability for importing users from large LDAP directories with many subdomains and organizational units.

The figure describes the search filter syntax that can be used for the LDAP filter in the LDAP directory configuration. Search filters allow the definition of search criteria and provide more efficient and effective searches. Unicode strings represent these search filters. The figure lists some examples of LDAP search filters. The following table lists frequently used search filter operators.

Search Filter Operators

  • =   Equal to
  • ~=  Approximately equal to
  • <=  Less than or equal to
  • >=  Greater than or equal to
  • &   AND
  • |   OR
  • !   NOT

To match a part of a distinguished name (DN), for example to look for the groups in two subtrees, use the extensible match syntax attribute:dn:=value, as in the following filter:

  • (&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))
  • This filter will find groups that have an organizational unit component in the DN, which is either Chicago or Miami.

To exclude entities that match an expression, use an exclamation point (!):

  • (&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Boston))))
  • This filter will find all Chicago groups except those that have a Boston organizational unit component. Note the extra parentheses: (!(<expression>)).

After creating the filter, apply it in the LDAP directory configuration. Because only one filter can be applied per LDAP directory configuration, any additional organizational units or other objects must be included in that single filter. The filter can be at most 2048 characters long, and the filter text must be enclosed in parentheses ( ).

The LDAP filter filters the results of LDAP searches. LDAP users that match the filter are imported into the Cisco Unity Connection database; LDAP users that do not match the filter are not imported. The filter text that is entered must comply with the regular LDAP search-filter standards that are specified in RFC 4515. You should verify the LDAP search filter against the LDAP directory and search base.

Note

You can test the filter with LDAP browsers, for example, with Softerra LDAP Administrator at http://www.ldapadministrator.com/.

Search Base

This topic explains the search base for the user selection and synchronization.

  • Two agreements are defined for the users in the organizational units Site 1 and Site 2.
  • A user search base determines which users are imported.
  • Service accounts are not synchronized in this example.

The Cisco DirSync service, which is activated through Cisco Unified Serviceability on the Cisco Unity Connection server, performs the synchronization. When the service is activated, as many as five synchronization agreements can be configured in Cisco Unity Connection.

An agreement specifies a search base, which is a position in the LDAP tree where Cisco Unity Connection will begin its search for user accounts to import. Cisco Unity Connection can import only users that exist in the domain that is specified by the search base for a particular synchronization agreement. The figure shows two synchronization agreements:

  • One synchronization agreement specifies User Search Base 1 and imports users jsmith, jdoe, and jbloggs.
  • The other synchronization agreement specifies User Search Base 2 and imports users jjones, bfoo, and tbrown.
  • The CCMDirMgr account is not imported because it does not reside below the point in the LDAP tree that the user search base specifies.

When users are organized in a structure in the LDAP directory, use that structure to control which user groups are imported. In this example, a single synchronization agreement could have been used to specify the root of the domain. However, that search base would also have imported the accounts under Service Accts (except for any whose sn field is empty, because such entries are never imported). The search base does not need to specify the domain root; it may specify any point in the tree.
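The filter syntax from the LDAP Filter topic and the search base from this topic together decide what one synchronization agreement returns. The following is an added example, not Cisco's or the course's code: a small RFC 4515 filter parser and evaluator with a search() function that applies a search base (subtree scope) and a filter to constructed directory entries, so that a filter can be dry-run before it is typed into the LDAP directory configuration. It enforces the 2048-character limit and the (!(...)) form from the filter topic, and drops entries with an empty sn as the import does. The entries and DNs are constructed to resemble the figure; the approximate-match operator is only approximated.

```python
"""Added example, not Cisco's or the course's code: an RFC 4515 filter parser
and evaluator to dry-run one synchronization agreement (search base plus
filter) against constructed entries before the filter goes into the Cisco
Unity Connection LDAP directory page. The 2048-character limit, the search
base rule and the empty-sn rule are the ones this page states; the '~='
approximate match is only approximated."""
import fnmatch
import re

MAX_FILTER_LEN = 2048
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(:dn:=|~=|<=|>=|=)([^()]*)")

class FilterError(ValueError):
    pass

def parse_filter(text):
    """Return a nested-tuple AST for an RFC 4515 filter string, or raise FilterError."""
    text = text.strip()
    if len(text) > MAX_FILTER_LEN:
        raise FilterError("filter longer than %d characters" % MAX_FILTER_LEN)
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("text after the closing parenthesis")
    return node

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise FilterError("expected '%s' at offset %d" % (ch, i))
    return i + 1

def _parse(s, i):
    i = _expect(s, i, "(")
    if i < len(s) and s[i] in "&|":
        op, i, parts = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        return (op, parts), _expect(s, i, ")")
    if i < len(s) and s[i] == "!":
        # NOT takes exactly one parenthesised filter: (!(cn=john)), never (!cn=john)
        node, i = _parse(s, i + 1)
        return ("!", node), _expect(s, i, ")")
    m = _ITEM.match(s, i)
    if not m:
        raise FilterError("malformed filter item at offset %d" % i)
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3).lower()
    i = _expect(s, m.end(), ")")
    if op == ":dn:=":                      # extensible match on DN components
        return ("dn", attr, value), i
    if op == "=" and value == "*":
        return ("present", attr), i
    return (op, attr, value), i

def _values(entry, attr):
    for k, v in entry.items():
        if k.lower() == attr:
            return [x.lower() for x in (v if isinstance(v, list) else [v])]
    return []

def _dn_parts(dn):
    return [c.strip().lower() for c in dn.split(",")]

def evaluate(node, entry):
    """Case-insensitive match of one entry (dict with 'dn' plus attributes)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    if kind == "dn":                       # any RDN equal to attr=value, e.g. ou=chicago
        return "%s=%s" % (node[1], node[2]) in _dn_parts(entry["dn"])
    op, attr, value = node
    vals = _values(entry, attr)
    if op == "=":                          # '*' wildcard as in (sn=sm*)
        return any(fnmatch.fnmatchcase(v, value) for v in vals)
    if op == "~=":                         # stand-in for the server's approximate match
        return value in vals
    return any((v <= value) if op == "<=" else (v >= value) for v in vals)

def search(entries, base, filter_text):
    """One agreement: subtree scope under base, then the filter; entries with an
    empty sn are dropped, as the Connection import list drops them."""
    node, base_parts = parse_filter(filter_text), _dn_parts(base)
    hits = []
    for e in entries:
        parts = _dn_parts(e["dn"])
        in_scope = len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts
        if in_scope and evaluate(node, e) and any(_values(e, "sn")):
            hits.append(e["dn"])
    return hits

ROOT = "dc=example,dc=com"
def _user(cn, ou, sn):
    return {"dn": "cn=%s,ou=%s,%s" % (cn, ou, ROOT), "cn": cn, "sn": sn,
            "objectCategory": "person", "objectClass": ["person", "user"], "sAMAccountName": cn}
ENTRIES = [  # constructed directory, shaped like the figure in this topic
    _user("jsmith", "Site 1", "Smith"), _user("jdoe", "Site 1", "Doe"),
    _user("jjones", "Site 2", "Jones"), _user("CCMDirMgr", "Service Accts", ""),
    {"dn": "cn=VM Users,ou=Chicago," + ROOT, "cn": "VM Users", "objectClass": ["group"]},
    {"dn": "cn=Admins,ou=Boston,ou=Chicago," + ROOT, "cn": "Admins", "objectClass": ["group"]},
]
```

With the entries above, search(ENTRIES, "ou=Site 1," + ROOT, "(&(objectCategory=person)(objectClass=user)(!(cn=jdoe)))") returns only jsmith, a root search for (objectClass=user) returns the three site users but never CCMDirMgr (empty sn), and parse_filter("(!cn=john)") raises FilterError, which is the error a directory may silently tolerate but the RFC 4515 grammar forbids. The evaluator is deliberately simple (no schema, no syntax-specific ordering); it is a preview of what the agreement will select, not a replacement for testing against the real directory.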

Phone Number Conversion

This topic describes how to automatically convert the synchronized extension of LDAP users.

  • This example imports only the last four digits of the telephone number.
  • Use a regular expression to convert the phone number.
Conversion examples (regular expression, replacement pattern, and the resulting conversion):

  • (.*) with replacement $1: Use the LDAP phone number as the Connection extension.
  • .*(\d{4}) with replacement $1: Use the last four digits of the LDAP phone number as the Connection extension.
  • (\d{4}).* with replacement $1: Use the first four digits of the LDAP phone number as the Connection extension.
  • .*(\d{4}) with replacement 9$1: Prepend a 9 to the last four digits of the LDAP phone number.

If you want to map phone numbers in the LDAP directory to extensions in Cisco Unity Connection but the phone numbers do not match the extensions, you can add a regular expression and a replacement pattern that together convert the phone numbers into extensions:

  • The regular expression determines which phone numbers to operate on (for example, phone numbers that are 10 digits long) and the portion of the phone numbers to use as a basis for the extensions (for example, the last four digits).
  • The replacement pattern specifies to use either the values chosen by the regular expression or to perform additional operations (for example, prepend a 9).

Cisco Unity Connection uses the regular expression package of the Java library. The table in the figure lists some examples of the conversions that are possible with the expanded functionality.

Note the following:

  • Cisco Unity Connection automatically removes nonnumeric characters from the phone number, so the regular expression does not need to account for nonnumeric characters.
  • LDAP phone numbers are converted to Cisco Unity Connection extensions only once, when you first synchronize Cisco Unity Connection data with LDAP data. On subsequent, scheduled synchronizations, values in the Cisco Unity Connection Extension field are not updated with changes to the LDAP phone number. As a result, you can change the LDAP phone number as required, including specifying a completely different number, and the extension will not be overwritten the next time that Cisco Unity Connection synchronizes data with the LDAP directory.
  • You can often write more than one combination of a regular expression and a replacement pattern that produces the same result.
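The conversion described above, as an added example that is not Cisco's code: it applies a regular expression and replacement pattern of the kind shown in the table to LDAP phone numbers, strips non-numeric characters first as the text notes, and models the first-synchronization-only behaviour. Cisco Unity Connection uses the Java regex package; this uses Python's re module and assumes Java's whole-string matching semantics (a number the expression does not match gets no extension) and $n group references in the replacement. The phone numbers and the extra length-filtering row are constructed for the example.

```python
"""Added example, not Cisco's code: applies a regular expression and replacement
pattern of the kind shown in the table above to LDAP phone numbers. Connection
uses the Java regex package; this mirrors it with Python's re module.
Assumptions: the expression must match the whole digits-only number (as
java.util.regex.Matcher.matches() does), a number the expression does not
match gets no extension, and '$n' in the replacement refers to group n. The
phone numbers are constructed."""
import re

_JAVA_GROUP = re.compile(r"\$(\d+)")

def to_extension(ldap_phone, regex, replacement):
    """Return the Connection extension for one LDAP phone number, or None."""
    digits = re.sub(r"\D", "", ldap_phone)   # Connection strips non-numeric characters first
    m = re.fullmatch(regex, digits)
    if not m:
        return None                            # not selected by the expression: no extension
    return _JAVA_GROUP.sub(lambda g: m.group(int(g.group(1))), replacement)

TABLE = {   # the four rows of the table above, plus one row that also filters by length
    "whole number":          (r"(.*)", "$1"),
    "last four digits":      (r".*(\d{4})", "$1"),
    "first four digits":     (r"(\d{4}).*", "$1"),
    "9 plus last four":      (r".*(\d{4})", "9$1"),
    "last four of 10-digit": (r"\d{6}(\d{4})", "$1"),   # 11-digit numbers get no extension
}

def convert_all(ldap_phone):
    """Apply every row to one number, to compare the conversions side by side."""
    return {name: to_extension(ldap_phone, rx, rep) for name, (rx, rep) in TABLE.items()}

def extension_after_resync(current_extension, ldap_phone, regex, replacement):
    """Conversion runs only on the first synchronization; a later re-sync leaves
    an existing Extension untouched even if the LDAP number changed."""
    return current_extension or to_extension(ldap_phone, regex, replacement)
```

For "+1 (312) 555-2001" the rows produce 13125552001, 2001, 1312, 92001 and None respectively; the last row shows how the expression can also act as a selector, leaving the extension empty for numbers of the wrong length rather than producing a wrong one. Check the result of convert_all on a sample of real numbers before enabling the conversion, because the extension is written once and not corrected on later synchronizations.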

Import of Users from an LDAP Server

This topic explains how to import users from an LDAP server.

Follow these steps to import users from an LDAP server:

  • On Cisco Unity Connection, activate the Cisco DirSync service.
  • Configure the LDAP system.
    1. Set the LDAP server type.
    2. Choose the LDAP Attribute for User ID.
  • Configure the LDAP directory.
    1. Enter the LDAP directory information.
    2. Set the synchronization schedule.
    3. Set the user attributes for LDAP synchronization.
  • Optionally enable LDAP authentication.
  • Import the synchronized users.
    1. Specify the LDAP directory from which you want to import the users.
    2. Choose the voicemail template to apply to the new users.
    3. Choose the individual users and start the import process.

To import users from LDAP, activate the Cisco DirSync service under Tools > Service Activation in Cisco Unified Serviceability.

To set up the LDAP system, configure the following parameters under the section System Settings > LDAP, in the Cisco Unity Connection Administration:

  • Enable Synchronizing from LDAP Server: Check this check box so that Cisco Unity Connection gets basic information about Cisco Unity Connection users from the LDAP directories that are specified on the LDAP Directory configuration page.
  • LDAP Server Type: Choose the type of LDAP server from which Cisco Unity Connection will import the user data.
  • LDAP Attribute for User ID: Choose the field in the LDAP directory that should appear in the Alias field in Cisco Unity Connection for imported LDAP users. sAMAccountName specifies, for example, jdoe as the user alias. If you want to integrate with multiple domains, use the userPrincipalName, for example, jdoe@cisco.com.

The LDAP directory configuration is like the Cisco Unified Communications Manager LDAP directory configuration. The configuration requires the following LDAP directory settings:

  • LDAP Manager Distinguished Name and LDAP Password: Enter the distinguished name and password of an LDAP directory account that has read access to the data in the LDAP user search base that is specified in the LDAP User Search Base field. Because Cisco Unity Connection only reads from the directory and never writes to it, a dedicated read-only account is sufficient; do not use a domain administrator account for this purpose.
  • LDAP User Search Base: Enter the LDAP directory location that contains the user data that should be synchronized with Cisco Unity Connection user data. Cisco Unity Connection imports all users in the tree or subtree (domain or organizational unit) that the search base specifies.

The synchronization can be done once or regularly:

  • Perform Sync Just Once: Check this check box to resynchronize user data in the Cisco Unity Connection database and in the LDAP directory one time, rather than at regular intervals.
  • Perform a Re-sync Every: To resynchronize user data in the Cisco Unity Connection database with user data in the LDAP directory at regular intervals, specify the frequency with which the resynchronizations should occur. The minimum interval is 6 hours. The first resynchronization occurs on the date and time that is specified in the Next Re-sync Time field.

These user fields can be synchronized with an LDAP server:

  • User ID: The value of the LDAP field that is listed here is stored in the Alias field in the Cisco Unity Connection database. The field that is listed here was specified on the LDAP Setup page, in the LDAP Attribute for User ID list.
  • Middle Name: Choose which value from the LDAP directory to store here: middleName or initials.
  • Manager ID: The value of the manager field in the LDAP directory is always stored in the Manager ID field in the Cisco Unity Connection database.
  • Phone Number: Choose which value from the LDAP directory to store here: telephoneNumber or ipPhone.
  • Title: Synchronize the title.
  • Mobile Number: Synchronize the mobile number that is stored in the attribute mobile.
  • Directory URI: Synchronize the URI from msRTCSIP-PrimaryUserAddress or mail. You may choose None to not synchronize this parameter.
  • First Name: The value of the givenName field in the LDAP directory is always stored in the First Name field.
  • Last Name: The value of the sn field (surname) in the LDAP directory is always stored in the Last Name field. If this parameter is not defined in the LDAP server, the user is not listed in the import result window.
  • Department: The value of the department field in the LDAP directory is always stored in the Department field.
  • Mail ID: Choose which value from the LDAP directory to store here: mail or sAMAccountName.
  • Home Number: A configured home number is synchronized.
  • Pager Number: A configured pager number also can be synchronized.

In addition to these parameters, you can synchronize up to five custom attributes. In the group information section, you can specify a mask to apply to synced telephone numbers to create a new line for inserted users.

Finally, set the LDAP server parameters: the IP address or host name of the LDAP server and the port. Port 389 is the default LDAP port of a domain controller; to point to a Microsoft Global Catalog, use port 3268 instead. The connection to the LDAP server should be secured, because otherwise the LDAP manager credentials and the user data cross the network in clear text: enable SSL on the server entry and use port 636 for a domain controller, or port 3269 for a Global Catalog. For SSL, the certificate of the LDAP server (or of its issuing CA) must also be uploaded to the Cisco Unity Connection trust store so that the server certificate can be validated.

To start the import process, choose the LDAP server from which you want to import users. If you do not see any users, the LDAP server has not been successfully synchronized with Cisco Unity Connection. Users without a last name that is configured in the LDAP server also are not displayed in this import list.

When any issues are resolved, choose the voicemail template that you want to apply. Choose the users that you want to import and start the import process. Also, you can import all users rather than choosing individual users.
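Before starting the import, it pays to check the entries an agreement will return against the settings chosen above: the port (and whether the bind is encrypted), the LDAP Attribute for User ID, and the last-name rule. The following is an added example, not Cisco's code; the two-domain entries and the service account are constructed to show why sAMAccountName collides across domains while userPrincipalName does not.

```python
"""Added example, not Cisco's code: checks worth running on the entries an
agreement will hand to the import, before settling the LDAP Attribute for
User ID and the server port. The port numbers are the ones this page lists;
the entries are constructed (two domains, one service account)."""

def directory_endpoint(host, global_catalog=False, use_ssl=True):
    """Pick the port the page documents and flag plaintext binds: the LDAP
    Manager password would cross the network unencrypted on 389/3268."""
    port = {(False, False): 389, (False, True): 636,
            (True, False): 3268, (True, True): 3269}[(global_catalog, use_ssl)]
    warning = None if use_ssl else "plaintext LDAP on port %d exposes the manager credentials" % port
    return "%s:%d" % (host, port), warning

def alias_report(entries, user_id_attr):
    """Map alias -> DN for the attribute chosen as User ID, and list entries
    that will not import cleanly: no sn (never shown in the import list), no
    value for the attribute, or an alias another entry already uses (a
    Connection alias is unique, so the second user cannot be created)."""
    aliases, problems = {}, []
    for e in entries:
        if not e.get("sn"):
            problems.append("%s: no sn, will not be listed for import" % e["dn"])
            continue
        alias = e.get(user_id_attr, "")
        if not alias:
            problems.append("%s: no %s value" % (e["dn"], user_id_attr))
        elif alias.lower() in aliases:
            problems.append("%s: alias %s already used by %s" % (e["dn"], alias, aliases[alias.lower()]))
        else:
            aliases[alias.lower()] = e["dn"]
    return aliases, problems

ENTRIES = [  # constructed: the same sAMAccountName exists in two domains
    {"dn": "cn=jdoe,ou=Users,dc=corp,dc=example,dc=com", "sn": "Doe",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example.com"},
    {"dn": "cn=jdoe,ou=Users,dc=emea,dc=example,dc=com", "sn": "Doe",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@emea.example.com"},
    {"dn": "cn=ccmdirmgr,ou=Service Accts,dc=corp,dc=example,dc=com", "sn": "",
     "sAMAccountName": "ccmdirmgr", "userPrincipalName": "ccmdirmgr@corp.example.com"},
]
```

With sAMAccountName as the User ID attribute, alias_report flags the second jdoe as a collision and the service account for its empty sn; with userPrincipalName both jdoe accounts get distinct aliases, which is the reason the text recommends userPrincipalName for multi-domain integrations. directory_endpoint returns the Global Catalog SSL port 3269 by default and a warning whenever SSL is turned off.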

Imported User

The following shows an imported LDAP user:

  • Alias, First Name, and Last Name are read-only fields.
  • You can migrate the LDAP user to a local user, and vice versa.
  • The LDAP status works differently than in Cisco Unified Communications Manager.

Compared to a manually configured user, the Alias, First Name, and Last Name fields for an imported user are read-only fields. If you want to change these field parameters, you must make the change in the LDAP server.

You can also convert the LDAP integrated user to a local user. This process can be reversed by integrating a local user with the LDAP server. However, both of these processes must be done manually. Cisco Unified Communications Manager works differently. Local users are automatically converted to LDAP users (again) after the next LDAP synchronization.

You can modify the extension number for single users. For multiple users, you can automate this process in the advanced LDAP settings.

Cisco Unity Connection LDAP Integration

This topic describes the components of LDAP integration: LDAP synchronization and LDAP authentication.

  • The PIN is always local in Cisco Unity Connection.
  • Single-password login via LDAP authentication.

LDAP integration comprises two parts. In LDAP synchronization, users are imported from the LDAP server to Cisco Unity Connection. Cisco Unity Connection cannot copy any information to the LDAP server. In LDAP Authentication, users can use the domain password to log in to Cisco Unity Connection user pages. However, the PIN is always kept local in Cisco Unity Connection.

Cisco Unity Connection Restriction Tables

This topic describes the restriction tables that can be used to prevent calls such as calls to long distance or international phone numbers.

These restriction tables exist by default:

  • Default Fax
  • Default Outdial
  • Default System Transfer
  • Default Transfer
  • User-Defined and Automatically Added Alternate Extensions

All restriction tables disallow international and long distance numbers by default:

  • This avoids security breaches that can lead to massive toll fraud costs:
    1. A mailbox PIN that has been brute-forced can be combined with call transfer to place outbound calls.
    2. A call handler transfer might be misused in the same way.
  • Combine restriction tables with calling search spaces (CSS) on the voicemail ports or the SIP trunk to allow or disallow certain types of calls.

Cisco Unity Connection comes with predefined restriction tables that can be modified but not deleted. By default, each restriction table prevents access to long distance phone numbers.

The following restriction tables are predefined:

  • Default Fax: This table restricts the numbers that can be used for fax delivery.
  • Default Outdial: This table restricts the numbers that can be used for message notifications. The table also restricts the user extensions that Cisco Unity Connection can dial when the phone is chosen as the recording and playback device in the Media Master.
  • Default System Transfer: This table restricts the numbers that can be used for caller system transfers, which allow unidentified callers to transfer to a number that they specify. For example, callers might want to dial a lobby or conference room phone that is not associated with a Cisco Unity Connection user. By default, the table does not allow Cisco Unity Connection to dial any numbers.
  • Default Transfer: This table restricts the numbers that can be used for Call Transfer.
  • User-Defined and Automatically Added Alternate Extensions: This table restricts the numbers that can be offered as alternate extensions. For example, you can restrict a lobby or conference room extension so that users who frequently call Cisco Unity Connection from those shared phones are not automatically prompted to add the number as an alternate extension.
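Because a restriction table is evaluated row by row, the order of the rows decides whether the long distance and international blocks above actually take effect. The following is an added example, not Cisco's code: a model of a restriction table that assumes the evaluation rules the product documents for its tables (rows are tried from the top, the first match decides, * matches any run of digits and ? exactly one digit), and runs the kind of numbers toll fraud relies on through a secure table and through the same table with a catch-all allow row mistakenly placed on top. The rows and probe numbers are constructed for a North American dial plan with a 9 access code; they are not the shipped default rows.

```python
"""Added example, not Cisco's code: a model of a Cisco Unity Connection
restriction table, used to probe a table with the numbers toll fraud relies on.
Assumed behaviour, matching how the product evaluates its tables: rows are
tried from the top, the first matching row decides, '*' matches any run of
digits and '?' exactly one digit. The rows and probe numbers are constructed
(North American dial plan, 9 access code); they are not the shipped defaults."""
import re

def pattern_to_regex(pattern):
    """Restriction-table pattern -> anchored regex over the dialed digits."""
    body = re.escape(pattern).replace(r"\*", r"\d*").replace(r"\?", r"\d")
    return re.compile("^" + body + "$")

def is_permitted(table, number):
    """table: ordered list of (pattern, blocked). Deny when no row matches."""
    digits = re.sub(r"\D", "", number)
    for pattern, blocked in table:
        if pattern_to_regex(pattern).match(digits):
            return not blocked
    return False

def leaks(table, probes):
    """The probe numbers that the table lets through."""
    return [n for n in probes if is_permitted(table, n)]

SECURE_TRANSFER = [        # international and long distance blocked, internal allowed
    ("9011*", True),       # international access
    ("91*", True),         # long distance
    ("9900*", True),       # premium-rate numbers
    ("9???????", False),   # local seven-digit dialling
    ("????", False),       # four-digit internal extensions
    ("*", True),           # anything else: blocked
]
# The same rows with a catch-all allow row on top: every row below it is dead.
OPEN_TRANSFER = [("*", False)] + SECURE_TRANSFER

FRAUD_PROBES = ["9011 44 20 7946 0958", "9 1 900 555 0199", "9 900 555 0199", "91 212 555 0142"]
```

leaks(SECURE_TRANSFER, FRAUD_PROBES) is empty while leaks(OPEN_TRANSFER, FRAUD_PROBES) returns all four probes, although both tables contain identical blocking rows. When reviewing a table, read it from the top as the product does, and keep the check in the restriction table even when the calling search space on the voicemail ports also blocks these destinations: the two controls fail independently.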