Cisco Collaboration: Synchronizing CUCM Users with a Specified Group in the Domain
Preface: This article was compiled by the editors of cha138.com (小常识网). It introduces how to synchronize CUCM users with the users of a specified group in the domain, and we hope it serves as a useful reference.
Cisco CUCM supports LDAP user integration. I recently planned to convert all CUCM users to AD domain users. Although LDAP user import and authentication are supported, the synchronization scope can only target an OU. After some research I found that this can be solved with the LDAP filter feature; LDAP has its own filter expression syntax. Below I share my test process:
1. CUCM is installed and needs some basic configuration, which I will not describe here.
2. "server > LDAP > LDAP System": enable LDAP first, select the matching LDAP type and the corresponding attributes, configure as shown in the figure below, and save.
3. "server > LDAP > LDAP Directory": configure the LDAP server connection information, the attributes to synchronize and the LDAP server address, then save.
4. "server > LDAP > LDAP Authentication": configure authentication for the users that will be synchronized, so that they are also authenticated against the LDAP server.
5. "User Management > End User": check the synchronization result; two users were synchronized from the UC OU in AD.
Figure 1: The UC OU in AD contains two users
Figure 2: Two users were synchronized
Let us verify: logging in with a user and password synchronized from Microsoft AD, the Jabber login is OK.
6. As seen above, groups inside an OU cannot be synchronized directly. This can be achieved with the LDAP filter feature; Microsoft has its own filter expression syntax, which I share below.
Figure 1: Under "System > LDAP > LDAP Custom Filter > Add New", create a new filter configuration that synchronizes users from the specified AD group:
Filter expression: (memberOf=cn=ciscouc,ou=test,dc=S,dc=com,dc=cn). This means: synchronize the members of the group ciscouc in the test OU of the domain s.com.cn.
Figure 2: Under "System > LDAP > LDAP Directory", apply this filter and run a manual synchronization.
Figure 3: Verify that the users from the AD group have been synchronized into CUCM.
7. Appendix: a collection of LDAP filter expressions for reference.
Examples
The following table shows many example LDAP filters that can be useful when you query Active Directory:
Query | LDAP Filter
------|------------
All user objects | (&(objectCategory=person)(objectClass=user))
All user objects (Note 1) | (sAMAccountType=805306368)
All computer objects | (objectCategory=computer)
All contact objects | (objectClass=contact)
All group objects | (objectCategory=group)
All organizational unit objects | (objectCategory=organizationalUnit)
All container objects | (objectCategory=container)
All builtin container objects | (objectCategory=builtinDomain)
All domain objects | (objectCategory=domain)
Computer objects with no description | (&(objectCategory=computer)(!(description=*)))
Group objects with a description | (&(objectCategory=group)(description=*))
Users with cn starting with "Joe" | (&(objectCategory=person)(objectClass=user)(cn=Joe*))
Object with description "East\West Sales" (Note 2) | (description=East\5CWest Sales)
Phone numbers in form (xxx) xxx-xxx | (telephoneNumber=(*)*-*)
Groups with cn starting with "Test" or "Admin" | (&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))
All users with both a first and last name | (&(objectCategory=person)(objectClass=user)(givenName=*)(sn=*))
All users with direct reports but no manager | (&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))
All users with specified email address | (&(objectCategory=person)(objectClass=user)(|(proxyAddresses=*:jsmith@company.com)(mail=jsmith@company.com)))
All users with Logon Script field occupied | (&(objectCategory=person)(objectClass=user)(scriptPath=*))
Object with Common Name "Jim * Smith" (Notes 3, 19) | (cn=Jim \2A Smith)
Objects with sAMAccountName that begins with "x", "y", or "z" | (sAMAccountName>=x)
Objects with sAMAccountName that begins with "a" or any number or symbol except "$" | (&(sAMAccountName<=a)(!(sAMAccountName=$*)))
All users with "Password Never Expires" set (Note 4) | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
All disabled user objects (Note 4) | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
All enabled user objects (Note 4) | (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
All users not required to have a password (Note 4) | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
All users with "Do not require Kerberos preauthentication" enabled | (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Users with accounts that do not expire (Note 5) | (&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))
Users with accounts that do expire (Note 5) | (&(objectCategory=person)(objectClass=user)(accountExpires>=1)(accountExpires<=9223372036854775806))
Accounts trusted for delegation (unconstrained delegation) | (userAccountControl:1.2.840.113556.1.4.803:=524288)
Accounts that are sensitive and not trusted for delegation | (userAccountControl:1.2.840.113556.1.4.803:=1048576)
All distribution groups (Notes 4, 15) | (&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All security groups (Notes 4, 19) | (groupType:1.2.840.113556.1.4.803:=2147483648)
All built-in groups (Notes 4, 16, 19) | (groupType:1.2.840.113556.1.4.803:=1)
All global groups (Notes 4, 19) | (groupType:1.2.840.113556.1.4.803:=2)
All domain local groups (Notes 4, 19) | (groupType:1.2.840.113556.1.4.803:=4)
All universal groups (Notes 4, 19) | (groupType:1.2.840.113556.1.4.803:=8)
All global security groups (Notes 17, 19) | (groupType=-2147483646)
All universal security groups (Notes 17, 19) | (groupType=-2147483640)
All domain local security groups (Notes 17, 19) | (groupType=-2147483644)
All global distribution groups (Note 19) | (groupType=2)
All objects with a service principal name | (servicePrincipalName=*)
Users with "Allow Access" on the "Dial-in" tab of ADUC (Note 6) | (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))
Users with "Control access through NPS Network Policy" on the "Dial-in" tab of ADUC | (&(objectCategory=person)(objectClass=user)(!(msNPAllowDialin=*)))
All groups created after March 1, 2011 | (&(objectCategory=group)(whenCreated>=20110301000000.0Z))
All users where an administrator has set that they must change their password at next logon | (&(objectCategory=person)(objectClass=user)(pwdLastSet=0))
All users that changed their password since April 15, 2011 (CST) (Note 7) | (&(objectCategory=person)(objectClass=user)(pwdLastSet>=129473172000000000))
All users with "primary" group other than "Domain Users" | (&(objectCategory=person)(objectClass=user)(!(primaryGroupID=513)))
All computers with "primary" group "Domain Computers" | (&(objectCategory=computer)(primaryGroupID=515))
Object with GUID "90395F191AB51B4A9E9686C66CB18D11" (Note 8) | (objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\11)
Object beginning with GUID "90395F191AB51B4A" (Note 8) | (objectGUID=\90\39\5F\19\1A\B5\1B\4A*)
Object with SID "S-1-5-21-73586283-152049171-839522115-1111" (Note 9) | (objectSID=S-1-5-21-73586283-152049171-839522115-1111)
Object with SID "0105000000000005150000006BD662041316100943170A3257040000" (Note 9) | (objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32\57\04\00\00)
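To see how the group filter from the walkthrough and the table rows above actually select directory objects, here is an added example (not part of the original post, and not CUCM or AD code): a small RFC 4515 filter evaluator in Python that runs the memberOf filter and several table rows against constructed sample entries. The entries, DNs and userAccountControl values are assumptions modelled on AD; as in AD, a memberOf filter matches only the direct group DN, so nested group membership is not expanded.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # AD "all listed bits set" rule, as in the table's userAccountControl rows
def _unescape(v):
    # RFC 4515 hex escapes: \2A is a literal '*', \5C a literal '\', \28 and \29 are literal parentheses
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def parse(s, i=0):  # parse the filter starting at s[i]; returns (node, index just past its closing paren)
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)  # simple item attr[:rule:](=|>=|<=)value; the value holds no unescaped ')'
    attr, rule, op, val = re.fullmatch(r"([\w.;-]+)(?::([\d.]+):)?(>=|<=|=)(.*)", s[i + 1:j]).groups()
    return ("item", attr.lower(), rule, op, val), j + 1

def matches(node, entry):  # entry maps lower-cased attribute names to lists of values (str or int)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, rule, op, val = node
    values = [str(v) for v in entry.get(attr, [])]
    if not values:
        return False  # an absent attribute never matches, so (!(manager=*)) selects entries with no manager
    if rule == BIT_AND:
        return any((int(v) & int(val)) == int(val) for v in values)
    if op == "=":  # unescaped '*' is a wildcard, escaped \2A a literal asterisk; AD compares case-insensitively
        pat = ".*".join(re.escape(_unescape(p)) for p in val.split("*"))
        return any(re.fullmatch(pat, v, re.I) for v in values)
    key = int if all(x.lstrip("-").isdigit() for x in values + [val]) else str.lower
    return any(key(v) >= key(val) if op == ">=" else key(v) <= key(val) for v in values)

def search(ldap_filter, entries):  # sAMAccountName of every entry the filter selects, in directory order
    node, end = parse(ldap_filter)
    assert end == len(ldap_filter), "unbalanced parentheses in filter"
    return [e["sAMAccountName"][0] for e in entries if matches(node, {k.lower(): v for k, v in e.items()})]
# Constructed sample entries, not real accounts: 514 = 512 + ACCOUNTDISABLE (2), 66048 = 512 + DONT_EXPIRE_PASSWD (65536)
GROUP_DN = "CN=ciscouc,OU=test,DC=s,DC=com,DC=cn"
def user(sam, cn, uac, **extra):  # keyword arguments add or override attributes
    return {"sAMAccountName": [sam], "cn": [cn], "objectCategory": ["person"], "objectClass": ["top", "user"],
            "userAccountControl": [uac], **extra}
ENTRIES = [
    user("alice", "Alice Liu", 512, memberOf=[GROUP_DN], manager=["CN=Joe Wang,OU=test,DC=s,DC=com,DC=cn"]),
    user("bob", "Bob Chen", 514, memberOf=[GROUP_DN]),
    user("joe", "Joe Wang", 66048, directReports=["CN=Alice Liu,OU=test,DC=s,DC=com,DC=cn"]),
    # a computer object also carries objectClass=user, which is why the table pairs it with objectCategory=person
    user("pc01$", "PC01", 4096, objectCategory=["computer"], objectClass=["top", "user", "computer"]),
]
```

Running the post's filter returns both group members, including the disabled account bob; combining it with the table's "enabled user objects" row is what keeps disabled accounts out of the CUCM sync.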