User Community Feedback

CUCM: LDAP synchronized users - Scheduled scavenging

At present LDAP-synced users can be added on a schedule, but there are no cleanup tasks to remove outdated or irrelevant users from CUCM.

Here are a couple of examples:

1) Users which have been deleted or disabled in AD still appear in CUCM. Maybe if they have been disabled for over X days they should be removed. If they are deleted from AD they should definitely be removed.

2) Users which are no longer part of a certain LDAP filter (for example an AD group) are not removed from CUCM, nor are their privileges culled.

I would like to see an LDAP-synced-users security policy implemented to address this.

  • Guest
  • Feb 8 2023
  • Guest commented
    13 Apr, 2023 09:44pm

    If you build your LDAP Custom Filter including the value hidden when no Custom Filter is built (see the documentation for what the default Custom Filter is for your Directory System type when none is specified on the LDAP Custom Filter page), this example is MSAD:

    (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(sn=*)(userPrincipalName=*)(your additional "musts" go here)(here)(here))

    (the final closing paren closes the ampersand AND)

    The ampersand indicates a logical "AND", and the checks within each set of parentheses () must all be true for the user to be imported. When one or more are false, the user will be set Inactive for at least 24 hours and then cleared in the 3:00 AM garbage routine.

    More complex constructions can be built in the Custom Filter string and then associated with a particular LDAP Directory rule.
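An added example, not from the idea post, the comment above or Cisco's code, that works through both passages: the commenter's AND-filter (with the AD bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl) and the original poster's two cases, a disabled account and a user who has dropped out of the group. It parses the filter string and evaluates it against constructed directory entries to show which users would still match the sync and which would stop matching (and so be set Inactive on the next sync). The group DN `CN=UCM-Users,OU=Groups,DC=example,DC=com`, the sample accounts and the `classify` helper are assumptions made for the illustration; CUCM itself hands the filter to the directory server rather than evaluating it locally, and the 24-hour grace period and 3:00 AM purge described in the comment are not modelled.

```python
"""Evaluate a CUCM-style LDAP custom filter against constructed AD entries.

Added example, not Cisco's or the poster's code. Supports the RFC 4515
subset the example filter needs: &, |, !, equality, presence (attr=*) and
the AD bitwise matching rules.
"""

LDAP_MATCH_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule OID
LDAP_MATCH_OR = "1.2.840.113556.1.4.804"   # AD bitwise-OR matching rule OID
UAC_ACCOUNTDISABLE = 0x2                    # userAccountControl "disabled" bit


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_item(item):
        attr, _, value = item.partition("=")  # first '=' only; DN values keep theirs
        if ":" in attr:                        # extensible match: attr:rule:=value
            attr, rule = attr.rstrip(":").split(":", 1)
            return ("ext", attr.lower(), rule, value)
        if value == "*":
            return ("present", attr.lower())
        return ("eq", attr.lower(), value)

    def parse():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            skip_ws()
            while text[pos] == "(":
                kids.append(parse())
                skip_ws()
            node = (op, kids)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
            skip_ws()
        else:
            end = text.index(")", pos)
            node = parse_item(text[pos:end])
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(entry, attr):
    """Attribute lookup, case-insensitive on the name, always returning a list."""
    for key, val in entry.items():
        if key.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Evaluate a parsed filter tree against one directory entry (a dict)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    if kind == "ext":
        _, attr, rule, value = node
        mask, vals = int(value), [int(v) for v in _values(entry, attr)]
        if rule == LDAP_MATCH_AND:
            return any(v & mask == mask for v in vals)  # every bit in mask set
        if rule == LDAP_MATCH_OR:
            return any(v & mask for v in vals)          # any bit in mask set
        raise ValueError(f"unsupported matching rule {rule}")
    raise ValueError(f"unknown node {kind}")


def classify(filter_text, entries):
    """Map sAMAccountName -> 'import' if the entry matches, else 'excluded'.
    A previously synced user that becomes 'excluded' is what CUCM sets Inactive."""
    tree = parse_filter(filter_text)
    return {e["sAMAccountName"]: ("import" if matches(tree, e) else "excluded")
            for e in entries}


# Assumed group DN; the rest is the commenter's default MSAD filter.
CUSTOM_FILTER = (
    "(&(objectclass=user)(!(objectclass=Computer))"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
    "(sn=*)(userPrincipalName=*)"
    "(memberOf=CN=UCM-Users,OU=Groups,DC=example,DC=com))"
)

_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
_GROUP = "CN=UCM-Users,OU=Groups,DC=example,DC=com"

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": _USER_CLASSES, "userAccountControl": "512",
     "sn": "Adams", "userPrincipalName": "alice@example.com", "memberOf": [_GROUP]},
    {"sAMAccountName": "bob", "objectClass": _USER_CLASSES, "userAccountControl": "514",
     "sn": "Brown", "userPrincipalName": "bob@example.com", "memberOf": [_GROUP]},      # disabled
    {"sAMAccountName": "carol", "objectClass": _USER_CLASSES, "userAccountControl": "512",
     "sn": "Cole", "userPrincipalName": "carol@example.com",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},                           # left the group
    {"sAMAccountName": "WS01$", "objectClass": _USER_CLASSES + ["computer"],
     "userAccountControl": "4096", "memberOf": [_GROUP]},                             # workstation
]

if __name__ == "__main__":
    for name, outcome in classify(CUSTOM_FILTER, SAMPLE_ENTRIES).items():
        print(f"{name:8} {outcome}")
```

Running it classifies alice as import and bob, carol and WS01$ as excluded: bob trips the disabled bit (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE), carol no longer carries the group DN in memberOf, and the computer object is caught by the `(!(objectclass=Computer))` clause even though it also has objectClass user. Keeping the group membership inside the AND clause is what turns "removed from the group" into "stops matching", which is the lever the comment describes.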