Tuesday 25 October 2011

LDAP Synchronisation Filters

LDAP synchronisation has moved on from a nice optional feature to a necessity with Cisco's Unified Communications applications. Cisco Unified Personal Communicator is crippled without LDAP integration and if you want to do a Unified Messaging deployment in Unity Connection then integrating with Active Directory is required.

You can specify multiple user search bases to target the LDAP synchronisation, but what about the situations where you don't want to import all the users within an OU? Or, worse still, when there are users that aren't importing at all?

Users Not Importing From LDAP

Ever done a Communications Manager deployment and wondered why there are fewer users in Communications Manager than there are in AD? The LDAP synchronisation silently skips any user who lacks a last name (the sn attribute). Accounts belonging to real people will almost always have this field populated, so you won't necessarily encounter the problem, but once in a while you'll have service accounts or generic logins that need importing from AD yet lack it. Populate sn for those accounts in AD and they'll be picked up on the next synchronisation.

LDAP Filters

So your customer's AD structure is a mess and there is a ton of users you don't want to import intermingled with the users you do want. This is where LDAP filters come into play. A simple LDAP filter takes the form:
(<attribute><operator><value>)

Where <attribute> is an LDAP attribute (e.g. "sn" for last name), <operator> is a comparison operator ("=" for equality; ">=", "<=" and "~=" also exist) and <value> is the value to compare against. A "*" in the value is a wildcard, so (sn=*) matches any entry that has a last name at all, and an entry that lacks the attribute never matches.
Filters are then combined by wrapping them in a boolean operator, "&" (and), "|" (or) or "!" (not, which takes exactly one filter), like so:
(<operator><filter1><filter2>...)

A more detailed overview of the syntax can be found on MSDN.

Examples
A school where staff and student accounts reside in the same OUs, but student accounts begin with the year they'll graduate. We can exclude users whose username starts with a digit:
(!(|(sAMAccountName=0*)(sAMAccountName=1*)(sAMAccountName=2*)(sAMAccountName=3*)(sAMAccountName=4*)(sAMAccountName=5*)(sAMAccountName=6*)(sAMAccountName=7*)(sAMAccountName=8*)(sAMAccountName=9*)))

Large numbers of staff don't have access to a telephone, or only use a shared team phone. We can exclude staff without a phone number in AD by requiring the telephoneNumber attribute to be present:
(telephoneNumber=*)
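Before committing a filter to a synchronisation agreement it is worth dry-running it against the attributes of the accounts you expect to gain and lose. The script below is an added example, not code from the original post or from Cisco: it implements a small RFC 4515 filter evaluator (equality, presence and wildcard matches combined with &, | and !) and runs the two filters above, plus a (!(sn=*)) filter that lists the accounts the synchronisation would skip for lacking a last name, against four constructed AD entries. The entries and the combined "staff with a phone" filter are assumptions for illustration; the sn rule is modelled on the behaviour described earlier in the post.

```python
"""Dry-run CUCM LDAP synchronisation filters against sample AD entries.

Added example: a minimal RFC 4515 filter evaluator, not Cisco's own code.
Supports (attr=value), (attr=*) presence, '*' wildcards and &, |, ! nesting.
"""
import re

# Constructed sample entries (not real accounts): the attributes that matter
# for the filters discussed. "svc-fax" deliberately has no sn attribute.
ENTRIES = [
    {"sAMAccountName": "jsmith",    "sn": "Smith", "telephoneNumber": "2001"},
    {"sAMAccountName": "2014jones", "sn": "Jones", "telephoneNumber": "3001"},
    {"sAMAccountName": "abrown",    "sn": "Brown"},
    {"sAMAccountName": "svc-fax",   "telephoneNumber": "9000"},
]

# The filters from the post (the first one generated rather than typed out),
# plus a diagnostic filter for the "users not importing" problem and a
# combined filter (assumption: one agreement needs both conditions at once).
NOT_STUDENT = "(!(|" + "".join(f"(sAMAccountName={d}*)" for d in "0123456789") + "))"
HAS_PHONE = "(telephoneNumber=*)"
MISSING_SN = "(!(sn=*))"
STAFF_WITH_PHONE = f"(&{NOT_STUDENT}{HAS_PHONE})"


def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        kids = []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, kids), i + 1
    close = s.index(")", i)           # values must escape ')' as \29 (not handled here)
    attr, sep, value = s[i:close].partition("=")
    if not sep or attr[-1:] in ("<", ">", "~"):
        raise ValueError(f"only equality/presence filters supported: {s[i:close]}")
    return ("=", attr, value), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if actual is None:
        return False                  # an absent attribute never matches
    if value == "*":
        return True                   # presence filter
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


def select(filter_string, entries=ENTRIES):
    """Names of the entries the directory would return for the filter."""
    node, end = parse(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing characters after filter")
    return [e["sAMAccountName"] for e in entries if matches(node, e)]


def cucm_import(filter_string, entries=ENTRIES):
    """Names CUCM would actually import: filter matches that also carry an sn."""
    return [name for name in select(filter_string, entries)
            if "sn" in next(e for e in entries if e["sAMAccountName"] == name)]


if __name__ == "__main__":
    for label, f in [("not student", NOT_STUDENT), ("has phone", HAS_PHONE),
                     ("missing sn", MISSING_SN), ("staff with phone", STAFF_WITH_PHONE)]:
        print(f"{label:18} {f}\n  directory returns: {select(f)}\n"
              f"  CUCM imports:      {cucm_import(f)}")
```

Running it shows the combined filter returning jsmith and svc-fax from the directory while only jsmith is imported, which is exactly the gap the "users not importing" section describes; the (!(sn=*)) query is the quickest way to list those accounts in advance. The evaluator does not unescape values, so if you adapt it for real data remember that a literal *, (, ) or \ inside a value has to be written as \2a, \28, \29 or \5c.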
