CCNA Voice - CUCM LDAP Custom Filters

Transcript

1	Introduction, Agenda, and Welcome Message	0h 17m
2	What are Cisco's Unified Communication Certifications, and Where Do I Go From Here?	0h 34m
3	Fundamentals of Telephony	1h 27m
4	Quality of Service Primer	0h 29m
5	Unified Communications System Overview	1h 05m
6	Network Infrastructure Basics and Phone Registration	0h 14m
7	Network Infrastructure Overview	0h 59m
8	Network Infrastructure VLAN, NTP, DHCP	1h 25m
9	Network Infrastructure DHCP, TFTP	0h 48m
10	Cisco Unified Communications Manager Administration (CUCMA) Overview	0h 04m
11	CUCMA Serviceability Service Activation, DNS vs IP Addressing, System Shutdown	0h 21m
12	CUCMA Service Control, Bulk Administration Tool (BAT)	0h 16m
13	CUCMA BAT Report, SSH, TFTP Files, Database Replication	0h 58m
14	CUCMA Traces, RISdb, Performance Monitor (PerfMon), Real-Time Monitoring Tool (RTMT)	1h 04m
15	CUCMA BAT and TAPS	1h 09m
16	CUCMA Call Detail Records (CDR) and Call Management Records (CMR)	0h 52m
17	Cisco Unified Operating System (CUOS), Dialed Number Analyzer (DNA), Disaster Recover System (DRS)	0h 25m
18	CUOS Unified Reporting, Real-Time Monitoring Tool (RTMT)	0h 18m
19	CUCM Servers, Server Groups, Date/Time Groups, Regions, Locations Call Admission Control (CAC), Survivable Remote Site Telephony (SRST)	1h 44m
20	CUCM Device Pools, System Parameters, Enterprise Parameters, Templates	1h 09m
21	CUCM Phone Button Templates, Softkey Templates, SIP Phones, SCCP Phones	0h 40m
22	CUCM Button/Softkey Template and SCCP/SIP Phone Testing	0h 24m
23	CUCM SIP Phone Troubleshooting and Registration	0h 03m
24	CUCM Users, Groups, Lightweight Directory Access Protocol (LDAP) Overview	0h 14m
25	CUCM User Credentials, User Policies, LDAP Synchronization of Users	0h 50m
26	CUCM LDAP Synchronization cont'd, User Roles, Multi-Level Access (MLA)	1h 24m
27	CUCM User Roles with LDAP, Contact Center Users, Presence Users, Messaging Users	1h 36m
28	CUCM LDAP Custom Filters	0h 49m
29	CUCM Phone and Calling Features Overview	0h 15m
30	CUCM SCCP and SIP Phone Display	0h 23m
31	CUCM SCCP and SIP Phone Firmware	0h 12m
32	CUCM SCCP and SIP Phone Logging	0h 06m
33	CUCM SCCP and SIP Ring Setting	0h 37m
34	CUCM SCCP and SIP Phone Forwarding	0h 48m
35	CUCM SIP and SCCP Advanced Call Forwarding	0h 22m
36	CUCM SIP and SCCP Phone Auto-Answer	0h 11m
37	CUCM SIP and SCCP Phone CallBack (Camp-On)	0h 11m
38	CUCM SIP and SCCP Phone Intercom	0h 10m
39	CUCM SIP and SCCP Call Hold	0h 09m
40	CUCM SIP and SCCP Phone Call Park	0h 18m
41	CUCM SIP and SCCP Phone Call Pickup	0h 42m
42	CUCM Shared Line, Barge and cBarge Configuration	0h 27m
43	CUCM Shared Line, Barge and cBarge Testing	0h 17m
44	CUCM Media Resources Overview	0h 47m
45	CUCM Media Resources Overview cont'd	0h 44m
46	CUCM and IOS Gateways and Trunks Overview	0h 09m
47	CUCM Dial Plan Fundamental Concepts	1h 37m
48	CUCM Dial Plan Fundamental Concepts cont'd	1h 05m
49	CUCM Dial Plan - Class of Service (CoS) Calling Search Spaces and Partitions	0h 42m
50	CUCM Dial Plan - Gateways, Route Groups, Device Pools	0h 06m
51	CUCM Dial Plan - Route Lists, Standard Local Route Groups	0h 12m
52	CUCM Dial Plan - Route Patterns, Translation Patterns	0h 43m
53	CUCM Dial Plan - Calling Party Transformations and Called Party Transformations, IOS Dial Peers	1h 15m
54	CUCM Dial Plan - Private Line Automatic Ringdown (PLAR)	0h 09m
55	CUCM Dial Plan - Testing	0h 55m
56	CUCM Dial Plan - Digit Addressing, Time of Day (ToD), Hunt Group Coverage, FAC, CMC, Automated Alternate Routing (AAR) Overview	0h 58m
57	CUCM Dial Plan - Digit Addressing, Time of Day (ToD), Hunt Group Coverage, FAC, CMC, Automated Alternate Routing (AAR) Testing	1h 07m
58	Troubleshooting Endpoint Issues	0h 17m
59	Cisco Unified Border Element (CUBE) Overview	0h 50m
60	CUCM Mobility Overview	0h 42m
61	CUCM Mobile Connect Setup	1h 24m
62	CUCM Mobile Connect Ring Schedule	0h 16m
63	CUCM Mobile Connect Access Lists and Exclusivity	0h 20m
64	CUCM Mobile Voice Access Inbound Call Recognition	0h 56m
65	CUCM Mobile Voice Access Direct Inward System Access	1h 09m
66	CUCM Mobile Connect Mid-Call Features	0h 13m
67	CUCM Mobile Connect Mid-Call Features cont'd	0h 42m
68	CUCM Device and Extension Mobility Overview	0h 27m
69	CUCM Device Mobility - Between Sites but Within a Country	1h 27m
70	CUCM Device Mobility - Between Sites and Between Countries	0h 42m
71	CUCM Extension Mobility Setup	0h 51m
72	CUCME Overview, CUCME Dial Peers, Show & Debug Commands	1h 00m
73	CUCME DHCP	0h 10m
74	CUCME Clock and Network Time	0h 06m
75	CUCME TFTP Server	0h 10m
76	CUCME SIP Server Setup	0h 17m
77	CUCME SIP Phones Setup	0h 36m
78	CUCME SCCP Server Setup	0h 23m
79	CUCME SCCP Phones Setup	0h 44m
80	CUCME Directory Services	0h 10m
81	CUCME Server Redundancy for SCCP Phones	0h 13m
82	CUCME Endpoint Registration With External SIP Proxy Server	0h 06m
83	CUCME Templates	0h 17m
84	CUCME Phone Customization	0h 20m
85	CUCME Web UI	0h 34m
86	CUCME Digit Manipulation and Class of Restriction (CoR)	0h 46m
87	CUCME PSTN Dialing	0h 51m
88	CUCME Voice Translation Rules	0h 34m
89	CUCME Load Balancing VoIP Calls	0h 09m
90	CUCME Class of Restriction (CoR)	0h 23m
91	CUCME Speed Dials	0h 46m
92	CUCME Calling Features Overview	0h 19m
93	CUCME Shared Lines with SIP Phones	0h 32m
94	CUCME Shared Lines and Feature Ring with SCCP Phones	0h 17m
95	CUCME Shared Lines with Barge & Privacy with SCCP Phones	0h 27m
96	CUCME Intercom with SIP and SCCP Phones	0h 15m
97	CUCME Night Service with SCCP Phones	0h 12m
98	CUCME Call Park with SIP and SCCP Phones	0h 34m
99	CUCME Call Blocking with SIP and SCCP Phones	0h 20m
100	CUCME CallerID Blocking with SIP and SCCP Phones	0h 09m
101	CUCME Call Transfer and Call Forwarding for SIP and SCCP	0h 41m
102	CUCME as Survivable Remote Site Telephony	0h 12m
103	CUCME as Survivable Remote Site Telephony cont'd	0h 51m
104	CUCME as Survivable Remote Site Telephony cont'd	0h 23m
105	CUCME 4-Digit Reachability	0h 14m
106	CUCME Call Pickup Groups	0h 16m
107	CUCME Basic Automatic Call Distribution (B-ACD)	0h 56m
108	CUCME Basic Automatic Call Distribution (B-ACD) cont'd	0h 12m
109	CUCME Unified (Traditional) SRST	0h 12m
110	Messaging - Cisco Unity Connection (CUC) Overview	0h 14m
111	Messaging - Unity Connection Setup, Integration, Message Waiting Indicators (MWI), Users, System Call Handlers	1h 06m
112	Messaging - Unity Connection System Call Handlers, Directory Handlers, Routing Rules, Conversations, Audio Text Auto-Attendant Menus	1h 00m
113	Messaging - Cisco Unity Express (CUE) Overview	0h 49m
114	Messaging - Unity Express Setup, Integration, Message Waiting Indicators (MWI), Users, Groups	0h 52m
115	Messaging - Unity Express Administration via Web UI, Users, General Delivery Mailbox, Schedules, IVR Apps, Conversations, License Activation	1h 19m
116	Messaging - Voice Profile for Internet Mail (VPIM) Networking between Unity Connection and Unity Express	0h 31m
117	Presence Overview	0h 43m
118	Presence - Native CUCM Subscribe CSS and BLF Speed Dials	0h 45m
119	Presence - Native CUCM Presence Groups and Call History Lists	0h 23m
120	Presence - Native CUCM Presence Groups and Call History Lists cont'd	0h 18m
121	Presence - CUPS & CUCM Integration and CUPC Provisioning and Testing	1h 52m
122	Presence - CUPS & CUCM Integration and CUPC Provisioning and Testing cont'd	0h 10m
123	Presence - CUPS & CUCM with IP Phone Messenger (IPPM)	0h 25m
124	Presence 8 Updates	0h 36m
Total Duration		74h 11m

Slides - Introduction and Agenda

Slides - What are Cisco's Unified Communication Certifications...

Slides - Fundamentals of Telephony

Slides - Quality of Service Primer

Slides - Unified Communications Overview

Slides - Network Infrastructure Basics and Phone Registration

Slides - Cisco Unified Communications Manager Admininistration

Slides - Users Groups and LDAP

Slides - CUCM Phone and Calling Features

Slides - CUCM Media Resources Overview

Slides - CUCM and IOS Gateways and Trunks

Slides - Additional Call Routing Topics

Slides - Troubleshooting Endpoint Issues

Slides - Cisco Unified Border Element

Slides - Unified Mobility

Slides - Device Mobility

Slides - CUCME Overview, CUCME Dial Peers, Show & Debug Commands

Slides - CUCME Digit Manipulation and Class of Restriction

Slides - CUCME Calling Features Overview

Slides - Messaging: Cisco Unity Connection Overview

Slides - Messaging: Cisco Unity Express Overview

Slides - Presence Overview

0:00:14	OK, so let’s add on to what we have already looked at with LDAP
0:00:19	and let’s begin talking about custom filters. So we’re logging in and we’ll take a look,
0:00:30	I believe we already have some LDAP directory set up from before, we do,
0:00:37	and we already have their therefore some end users in our configuration,
0:00:44	that is imported into our user directory. Remember LDAP has no,
0:00:51	bearing no effect on the application users, those are always stored locally.
0:00:59	So looks like here we have 16 users currently in our database and they're all marked
0:01:07	as active and so we’re going to go over and create a custom filter
0:01:15	and actually before we do that, no that’s fine, let’s go ahead
0:01:21	and let’s take a look at the very user real briefly. Currently, there are no control devices.
0:01:30	They probably were controlled at some point, but given all the changes that I’ve made,
0:01:37	I'm going to go ahead and add these again and I believe we’ve gone over this,
0:01:42	but I just want to be certain, so verify currently has all of the phone devices
0:01:49	associated as controlled, doesn’t have any groups or permissions, it just uses authentication
0:01:56	for our remote verify phone control client, previously we had been using something called
0:02:03	VOIP integration, but now we’re strictly using the web based verify phone client
0:02:08	which is a much better remote client and is completely http based,
0:02:14	so can run on any platform. So anyhow, that’s one of our users that always needs
0:02:19	to stay around, so at this point, we’re going to go back to our directory
0:02:25	and we want to go ahead and let’s just remove both of this directories.
0:02:31	Let’s delete them so there are no LDAP directories or no synchronization agreements
0:02:39	as they’re also called. And keep in mind that these LDAP directories could point to
0:02:46	separate LDAP forests altogether, so when I go to system LDAP, LDAP system
0:02:55	and I take a look, this just simply says, enable synchronization from LDAP,
0:03:01	what type of LDAP, we know that IPLANET, Sun ONE, which use the same format,
0:03:06	that’s why either one of those would be chosen by that server type,
0:03:12	OpenLDAP, 2.3 or 2.4, I believe it’s 2.3.4.2 specifically 4.2.4, or a
0:03:21	active directory application mode or just plain Microsoft active directory
0:03:25	Non-Application Mode which is what we’re using. This doesn’t specify which active directory
0:03:31	forest, so when we go back to LDAP, not system but directory,
0:03:36	and we were adding directories, these could be completely separate forest,
0:03:44	for instance when we did our search base, we had done let’s say,
0:03:49	executive was the organizational unit, the next organization unit down in the hierarchy
0:03:54	was island natural exports, in fact let me just grab that LDAP schema again,
0:04:00	real briefly, and let me drag this over here and one of the things
0:04:08	to notice from any of the videos that we’ve been doing and in the modules is
0:04:15	that we did at one point here change this IP address, it was .10
0:04:21	for the third octet, 177.1.10.110 and we changed it to .100.110 so that it’s common
0:04:30	to all the racks, so that it’s not just on one rack and we don’t
0:04:35	have to have a separate DC server for every single rack and therefore slow all
0:04:38	the racks VM ware ESX servers or EAX servers down, but anyhow we have the com,
0:04:46	then ine, dc, then the ou for island natural exports and then we’ve got executive sales,
0:04:55	research and development, IT operations and security, so these six separate ous underneath
0:05:02	there's actually even some ous underneath of these, however there aren’t any users in those.
0:05:06	The users all belong in these six ous that you see here, so just as a refresher,
0:05:17	but we could have one of these LDAP directories or synchronization agreements with the
0:05:25	dc=ine dc=com, and then whatever ous underneath of it and we don’t even have
0:05:31	to go as far down as the executive level and bring this back up,
0:05:35	so we could just simply, I believe we said this before sync to the island natural exports
0:05:41	level or even we could just sync to com and ine, so dc=ine, dc=com, we can
0:05:55	just go to that level and it would poll not only island natural exports ou,
0:05:59	but any users that actually even just lived here or any other ous,
0:06:04	if there were other horizontal ous that aren’t pictured here, we could of course do that,
0:06:11	we could have multiple LDAP directory or synchronization agreements with other LDAP
0:06:16	providers in general, provided that they were all of the same type,
0:06:22	so the one important thing is that we cannot sync with other LDAP forests or trees ,
0:06:30	or whatever if they are of different types, so they all have to be Microsoft
0:06:34	active directory, or Sun ONE, or Open LDAP, etc. OK, so anyhow, I believe we’ve
0:06:44	deleted all the directories, 0 records found, the users if we go back to end user,
0:06:50	we see that they're all marked as inactive, which means that after 24 hours
0:06:55	they will be deleted by the system if we don’t do anything else.
0:06:59	This is if we continue to have LDAP active and you say we don’t have LDAP active.
0:07:04	What we do, going back to system LDAP, LDAP system, it still says use or
0:07:10	enable synchronization, it’s just that we don’t have any synchronization agreements
0:07:14	or directories configured, so all these users are inactive and although we can click on them,
0:07:23	we could go into them, notice there's no add or delete or anything like that,
0:07:30	so we can go into them, there is a delete pending, we can save information here,
0:07:37	but the user is currently inactive and we can’t delete it.
0:07:42	If we go to LDAP, LDAP system and untick this, then click Save.
0:07:49	Now we go back to end user and now we have 16 records and we have
0:07:54	Select All, Clear All, and Delete, and Add. So now we can select all except for verify,
0:08:01	and accept for UCCX Admin, no let’s go ahead and delete UCCX Admin
0:08:06	as well, just leave verify and we’re going to delete 15 records, notice they
0:08:11	no longer have the LDAP status column, so they no longer have anything related to
0:08:18	inactive or active, once I untick the Use System or Enable Synchronization from
0:08:26	LDAP under LDAP system, then they're no longer slated to be deleted by the system
0:08:32	after 24 hours, they will stay active, typically on a production environment,
0:08:37	you're not going back and forth like this, but it’s good to know how to
0:08:41	do it anyhow, so I still have to verify user and I'm going to change the last name
0:08:46	to verify but lower case and I’ll change the first name to verify as well
0:08:56	and notice that it still has all of its phone associations, device associations,
0:09:06	so I’ll go ahead and click Save and go back to find users
0:09:09	and now I have the first name and last name or verify,
0:09:12	the first name is all lower case, last name is all lower case,
0:09:19	user ID verify all lower case. OK, so now let’s go back to LDAP
0:09:26	and now we’re actually going to get in to the custom filter, so one of the
0:09:30	things is that, especially when you're playing around in a lab environment,
0:09:35	obviously a production environment, you would plan everything ahead of time
0:09:38	and then you would go ahead and execute it hopefully properly the first time,
0:09:45	but whether in a production or lab environment, if you find that you need to add
0:09:49	a custom filter or tackle a custom filter away in LDAP directory or a synchronization
0:09:56	agreement as you might call it, it’s important to note that it’s probably a good idea
0:10:03	to go ahead and delete the LDAP directory or individual record for the synchronization
0:10:10	agreement between adding or removing the custom filter otherwise, what you´ll find is that
0:10:16	you can add the custom filter and I don´t, just mean go ahead
0:10:20	and add a custom filter in to the system but when you are at the LDAP directory,
0:10:24	just actually not going to let me do anything because I have to Enable Synchronization
0:10:29	from the LDAP System Page before making changes here so let´s do that real briefly,
0:10:34	let´s say Synchronize, save, we´ll just see what that did to our End user verify,
0:10:41	he´s currently inactive which means that unless we do something within 24 hours
0:10:47	it´ll be deleted, but we´ll take care of that but once we´re on LDAP Directory,
0:10:51	we have the ability even if we are not adding new but we had already
0:11:00	configured a synchronization agreement or LDAP directory instance, we have the ability to add
0:11:05	in the custom filter. I should have showed you this before but once an
0:11:10	directory instance has already been configured and saved, the one thing
0:11:17	that becomes grayed out, we can change a lot of the information but the one thing
0:11:22	that becomes grayed out is the Search Base. It doesn´t really become grayed out,
0:11:25	it simply becomes, it transfers from a html text box input field to simply information
0:11:34	that we see on the page, it´s hard coded or it´s pretty much set on stone until
0:11:38	you delete it and re add it. LDAP Custom Filter is not one of those
0:11:41	things that you cannot change, once you´ve already created an LDAP directory,
0:11:46	you can add or delete it. However, many times we´re working in 851 here,
0:11:52	many times you will find that when you update it and press save,
0:11:57	you'll want to perform, there´s a button that appears saying Perform Full Sync,
0:12:02	you´ll click that and it will never synchronize and even if it does sometimes
0:12:08	it doesn´t make the changes to the End User, so the easiest thing to do
0:12:11	is to delete this LDAP directory and add it again with all the same information,
0:12:17	being careful to you know make sure every criteria, re synced time, telephone number,
0:12:24	whatever fields you´ve synchronized up and maybe changed or appropriate, but add
0:12:32	the Custom Filter and then. And obviously in a real deployment,
0:12:37	you would simply make sure that you added it properly, the first time you planned properly.
0:12:42	So let´s go ahead and add our Custom Filter, Find, we don´t have any.
0:12:54	Now, the LDAP Custom Filters follow the RFC, specifically RFC 4515,
0:13:03	let me just bring a window over, text pad that we´re going to do
0:13:09	some RFC 4515 defines LDAP, the standard Custom Filters and you can certainly read
0:13:24	over that RFC, there´s also a lot of good examples out there. The main thing to know
0:13:30	is how to actually configure just in terms of the Gooey interface
0:13:36	and a couple of high level things that we´ll take a look at.
0:13:39	We won´t look at every single thing, we will look at everything in terms of the
0:13:43	operators and really how you define the filter and how you format it
0:13:48	and apply it and we´ll do the test here. However, what we won´t do
0:13:52	is necessarily go in to every single LDAP field and the main reason for
0:13:56	that is that LDAP fields. The field names change depending on what platform you´re using,
0:14:03	so for instance let me just go back here real quick. If we´re using
0:14:06	LDAP system Microsoft active directory and we go to LDAP directory and we add new,
0:14:14	which we´re not going to do just yet. We see and we talk about this before
0:14:20	the user fields to be synchronized from the LDAP, so let´s just draw this way
0:14:29	and get my pen out here and I´m not sure, it´s over on the other screen, hang on.
0:14:36	OK, here we go, so the LDAP fields synchronize to the CUCM Manager User fields
0:14:49	and we´ve got two sections, we´ve got LDAP User Fields here,
0:14:53	they´re just in two sets of two columns, so the green is, the green circle
0:15:00	is the CUCM user fields obviously by the header name and the red is the
0:15:04	LDAP user fields. So these user fields synchronize over to the CUCM user fields
0:15:12	and some of them are set, you can´t change them, actually this one was the unique key
0:15:18	that we set back at the LDAP system. We were able to choose specifically
0:15:23	which unique attribute we wanted to use to map to the CUCM User ID field,
0:15:35	pass that we have different ones we can change and these are the way they´re
0:15:39	named so middle name, all one word or all one concatenated word with a lower case m
0:15:46	for middle but an upper case N for name, which is a common programming thing to do.
0:15:51	Lower case for the first word in a you know multi word conglomerator,
0:16:00	concatenated word and upper case to separate the words visually, so telephone number or
0:16:07	IP phone, manager department, so these are the things that we´re going to use
0:16:12	in the RFC 4515 custom filter that we´re going to create here however,
0:16:18	there´s more that are outside of this and we´re not going to necessarily go over
0:16:22	everything because again, one there´s a lot more outside of this and two it depends
0:16:28	on the LDAP system you use, if we chose to use open LDAP,
0:16:32	for instance you know Sam, account name for Microsoft something that´s been around,
0:16:42	something that´s been around in Microsoft domains for quite some time even before active directory
0:16:49	was the security account manager so now we´ve got initials for middle name.
0:16:55	One of the things that almost always stays the same between LDAP types is last name,
0:17:02	is always sn for surname, first name is almost always given name but here we have given
0:17:09	and the name and name is not a capital, so again that´s the reason why
0:17:13	we can’t really necessarily go over every single one because there´s different types
0:17:19	and there´s many that aren´t pictured here and the ideas to get the understanding
0:17:25	of how to create these Custom Filters in general and the format and
0:17:29	the rules that you need to follow. So first let´s just give it a name,
0:17:33	let´s call this one, let´s see let´s call this one, Variphy and the filter
0:17:49	that we´re going to give it is going to be one that specifies that the
0:17:54	surname must be equal Variphy, so surname equals Variphy, it´s not necessary
0:18:03	and in fact we don´t put quotes, single or double quotes around the user
0:18:10	or around the value. OK? We do have the field name equals
0:18:17	and right up against the value, but there are some rules to LDAP Custom Filters,
0:18:23	first of all your over all filter, whatever the expression is has to be
0:18:29	inside a pair of parenthesis, open and close parenthesis, so that´s the first thing
0:18:35	we have to do. OK? The next thing and I´ll just leave this up here for
0:18:45	the overall rules, the next thing is that we can use Boolean logic to determine
0:18:53	to determine what is or is not or is greater than or is less than or
0:18:59	things like that in terms of our values, so I could say and we placed the
0:19:05	Boolean logic inside of the parenthesis. I could say is not and it´s not bang equals,
0:19:15	in this case it´s just bang so is not the serial name is not Variphy,
0:19:21	that´s one of the things I could do or I can just leave it blank
0:19:25	or just omit the bang, the exclamation and surname does equal variphy.
0:19:32	The next thing that I can do is I can concatenate rules together so I can,
0:19:39	let´s have my opening and close parenthesis, actually I have those up here
0:19:42	I´ll leave those. Let´s say I want to say surname equals variphy
0:19:49	or but we don´t do it that way, so I´m going to have another set of
0:19:56	open-close parenthesis and I got logged out behind here and I say or surname equals
0:20:03	let´s say reyes, but I have to put both of those in their own parenthesis
0:20:11	to separate them and then I have to put the overall rule instead of parenthesis.
0:20:18	Now, the only problem is right now, there´s no Boolean logic to specify this
0:20:23	and it would seem to make sense that I would put the Boolean logic here
0:20:27	and logical or for Boolean in programmatic languages, typically a pipe. OK?
0:20:34	So, Boolean logic can be things like, things like not, pipe equals or,
0:20:58	ampersand equals and, so or, and not, are the typical Boolean operators
0:21:05	that we use. So I could say, surname equals variphy or surname equals reyes,
0:21:15	I could not say and because there´s no way that the surname is going to be variphy
0:21:20	which I spelled wrong. Variphy and the surname is going to be reyes,
0:21:25	it´s going to be one or the other, so that would be a logically insane argument
0:21:28	but regardless of what my argument is and I´m going to use the pipe for
0:21:33	or at we don´t put it in between the possibilities because what if
0:21:39	we had another set of parenthesis here and another set of parenthesis
0:21:46	and we said or surname equals, let´s say shepherd or surname equals let´s say Linus,
0:22:00	in order to do that I would have to put a or, or, or and while that seems
0:22:08	like it would be just fine, there´s an easier way to do it and in fact
0:22:12	the proper way to do it is actually to put it at the beginning.
0:22:14	So first of all, let´s just note and we just break this apart.
0:22:20	We´ve got four separate surnames and there in four separate sets of
0:22:31	open close parenthesis. OK? To add to that, we have to have an open
0:22:40	and close parenthesis for the entire argument, think of it like xml or html,
0:22:46	we have to have an open and close tag or element for the whole document
0:22:51	or the whole value, but if we go back here to LDAP Custom Filter, add new
0:23:02	and we´re going to say variphy, the filter has to go on a single line,
0:23:08	so this is where we´re going to concatenate all of these on to a line
0:23:16	and actually before I do that, let me go back to the way it was.
0:23:23	What we´re going to do is say Boolean or for any of these, so surname equals variphy
0:23:29	or surname equals reyes or shepherd or linus , or linus. So here is once
0:23:39	I collapsed it on the same line where it begins to look
0:23:42	and make a little bit more sense, so that the logical or is at the front.
0:23:48	And there´s a lot of good examples on Microsoft´s website for their developer website
0:23:53	for specifically for active directory as well as many other Linux or Unix websites that deal
0:24:02	with X.500 and LDAP. OK? So that´s one possibility, so something else is that we can
0:24:13	even nest things even further, so we could say what if we wanted to say,
0:24:20	given name equals Hugo and the surname equals variphy or reyes or shepherd or linus,
0:24:39	now it´s probably not the bext example because in this case Hugo
0:24:45	is only actually going to matched up with the surname of reyes but the argument
0:24:49	would still work because we´re saying given name equals Hugo and one of these four
0:24:55	to be correct and one of them is, but what we´ll do is let´s say instead,
0:24:59	let´s say department. Department equals executive or executives and these things
0:25:09	have to be true. OK? So in order to do this, again we need to have
0:25:17	the ampersand at the beginning and we need to have this,
0:25:21	in its own set of open close parenthesis but actually we want to concatenate it
0:25:28	with all of these, right? So here we bring this up to this line and close this,
0:25:36	close it with the close parenthesis here, I wish that I had a text editor,
0:25:42	I do have a text editor that shows different colors for different elements,
0:25:46	open and close elements like for xml and things like that, for different programming languages
0:25:52	or script languages like xml or tcl. I don´t have one that specifically highlights
0:25:57	on RFC 4515 for LDAP Custom Filters but what you would see is
0:26:02	that this is the open and this is the close element to the entire piece
0:26:06	and again I think a good way to do this is to put them out on separate lines,
0:26:22	we get this out here. And that´s actually just, this is our overall rules,
0:26:39	let´s just bring this to another document all together, so here is my open and close
0:26:54	and I´m saying that department equals executives, so department equals executives
0:27:04	and surname equals variphy or reyes or shepherd or linus.
0:27:11	I think it´s easiest to do it in notepad like this and then to go ahead
0:27:16	and collapse everything, so that you make sure that you have the proper number
0:27:21	of open and closes because here´s the thing about the, let me expand out
0:27:29	my text edit so that I don´t have a word wrap. OK? So there´s my
0:27:47	and here´s the problem, let´s say I forget to include this last close parenthesis,
0:27:55	if I copy this in to the filter here, paste it and press save,
0:28:01	it says the add was successful. Now it will bark at me at me if
0:28:06	I don´t have certain things like let's say I took away this and this,
0:28:15	so I only have my serial names with the logical or, actually I don´t even
0:28:21	have a close to this open parenthesis but I´ve got this bit and I´ve got this bit,
0:28:27	let´s see if it will take this. OK, paste that in there, press save,
0:28:40	yes it even takes that. OK. I will show you something that it will bark
0:28:47	at you, if I just have department equals executives, I don´t have the parenthesis
0:28:53	around it. It tells me that I have to enclose the filter within and
0:28:57	it says brackets, to me a bracket is either a curly, a square bracket
0:29:04	or a set of curly cube brackets but a parenthesis is not really a bracket,
0:29:10	but that´s what it tells you. Please enclose it within brackets. OK?
0:29:14	The problem is like I just showed you, this is not a valid argument.
0:29:18	First of all, there´s no close to this open and even if I added one,
0:29:24	there´s nothing that encloses both this and this together and even if I added that,
0:29:31	open at the beginning and close at the end there´s nothing that states what to do
0:29:37	between these two entities. And I think I´ve actually been referring to this
0:29:45	as a Boolean or the entire time, this as I mentioned is not a Boolean or,
0:29:49	in fact it´s a Boolean not so, my mistake for slipping, slip of the tongue,
0:29:58	is a Boolean or. So let´s just go ahead and do an example, a test here.
0:30:04	Let´s do, let´s say either and I keep, keep hitting the bang for
0:30:15	either but it is not, so there we go, either department equals executives
0:30:24	or surname equals variphy close that out and let´s bring this all back to one line
0:30:39	and copy this and put this in our field here, just clean it out make sure
0:30:50	nothing´s in there except what I copy pasted. OK? Let´s do a save.
0:30:58	And let me just mention right off the bat that it´s best to test out
0:31:05	your queries using some sort of LDAP query mechanism,
0:31:10	one is built right in to Microsoft active directory actually built not
0:31:14	just to the domain controllers but actually to every single computer that participates
0:31:21	on the network and what we can do is test this out
0:31:24	and the reason we want to test them using some other, some other query mechanism
0:31:32	is we don´t want to be experimenting and testing with CUCM Custom Filters
0:31:39	can certainly not only break your synchronization agreements or LDAP Directory
0:31:45	instances but in some cases when you´re testing with these Custom Filters you´ll find that
0:31:54	they update the LDAP Directory instance just fine but they don´t synchronize the users
0:31:59	and sometimes actually you click on LDAP directory, you click Perform Full Sync
0:32:03	and it gets stuck there, that is you exit out of the screen and come back
0:32:07	and it´s still says cancel the synchronization meaning it hasn´t occurred properly yet
0:32:14	and sometimes re going to Cisco unified service ability and the control center
0:32:21	for feature services on the publisher alone, you can sometimes restart the
0:32:27	sync service and that will be enough, other times you actually have to reboot
0:32:34	the publisher in order to sort of free up this sort of stuck query
0:32:41	and stuck custom you know bad information or garbage information
0:32:45	that´s got in to the buffer there and we´re running on CUCM 8.5.1 right now
0:32:53	and I still seen that behavior quite a bit in that release again with the Custom Filters.
0:33:00	So let´s actually go and take a brief moment to go over not necessarily
0:33:05	part of your exam, but let´s just go over to an LDAP client
0:33:14	and this is actually the dc controller itself but I´m going to use everything
0:33:20	just out of explorer, just as you would if you were on an XP
0:33:25	or Vista or Windows 7 machine, and I´m going to go to network and
0:33:31	and then explorer here, I´m going to go up to search active directory and
0:33:36	I´m going to choose the specific domain I want to search in
0:33:39	but for find, I´m going to, by the way I´m not just going to click on advance,
0:33:45	I am going to click on advance but not only advanced, with this
0:33:51	what I can do is add this conditions for user or group and
0:33:56	by the way here are lot of the specifics about the LDAP, information is carried
0:34:03	along with the LDAP for a user or for a group, keep in mind that
0:34:07	these are not the LDAP official names, so for instance it´s not distinguish name. OK?
0:34:15	It would look different or user, I´m not going to find, let´s see, anyway if
0:34:23	I find, it might say last name, it might say surname, it might just say name.
0:34:29	OK? There it is last name, but we know that the LDAP refers
0:34:32	to that as sn for surname. Anyhow, I am going to be on advance
0:34:36	but I am going up here to find and I´m going to click on Custom search
0:34:39	and then advanced and here I can enter an LDAP query, so I´m just
0:34:47	going to copy my LDAP query and paste it right in here and see if
0:34:53	this results in anything and it sure does, I had the Boolean or, so if the
0:34:58	department equaled executive or the surname equaled variphy and just to see what it would
0:35:07	look like without variphy, for some reason this mouse is not wanting to cooperate properly.
0:35:30	OK. Well, anyway I´m gonna have to just type it in department equals
0:35:41	and it's really case sensitive shouldn´t matter, I accidentally had caps lock on,
0:35:48	department equals, OK. I´m already PUd in to this machine through a Mac
0:35:54	and I think this is the problem, I´m getting equals but it´s showing plus.
0:36:00	No, this isn´t going to work, I will simply copy and paste from something
0:36:07	that does work for me, there we go. So executives, all four of these guys
0:36:15	Hugo Reyes, Jack Shepherd, Ben Linus, Charles Widmore, there all in the
0:36:19	department of executives but when I add the Boolean or for Variphy or executives
0:36:28	that´s when I get the addition of the variphy users, so this query should work,
0:36:34	so I'll press save and now we´ll go, make sure or turn LDAP back on,
0:36:41	if it´s not, create a directory or a synchronization instance. It tells us that
0:36:50	users not found will be deleted, we already have a user over here it´s variphy
0:36:54	as long as the user ID matches then it will stay, it won´t be deleted
0:37:00	and none of the characteristics will be deleted. So let´s, this time browser completion is nice,
0:37:13	let´s simply say the ou is the entire island natural exports for ine and dc is com,
0:37:20	dc is ine and dc is com and let´s call on the custom filter we just created,
0:37:28	change fields like phone number, fill in the proper IP address .100.110 press save,
0:37:37	now if the custom filter has a problem for instance before I had accidentally
0:37:46	had a bang in there, that might cause a problem instead of the Boolean or
0:37:52	because you can´t say not department executives and not, well you probably could,
0:37:58	that might cause a problem I believe it would have, it typically use a
0:38:03	not if you´re combining it with something else, sometimes you´ll just say not
0:38:08	this but anyhow, if there is some sort of a problem with your custom filter
0:38:13	that is if your, in your Windows find custom LDAP query serach and it doesn’t
0:38:22	work properly there, your query doesn´t work properly there then this could actually cause
0:38:27	cause the LDAP directory to say it wasn´t a successful add that it could read
0:38:33	the directory but or that it couldn´t read the directory even though the username
0:38:36	and password were correct, I don´t remember the exact verbiage, but it will show a bad
0:38:41	status here in red as well as if it does happen to take it
0:38:47	and the add was successful but the query is still you know wrong
0:38:52	in some way, it didn´t evaluate to true over here, then when I do perform
0:38:57	full sync which is what I´m going to do now, we see Cancel Sync Process
0:39:04	and that´s because I´m still on the page, if I go out
0:39:09	and then I come back in to this instance it should say Perform Full Sync
0:39:17	just like it does. It should not say Cancel Sync, if it says Cancel Sync
0:39:23	that means that it´s still taking, now I suppose if it´s a very large LDAP
0:39:30	and its returning thousands of users, then yes, it very well may say Cancel Sync
0:39:35	and it might take a good you know 5 or 10 minutes,
0:39:38	probably not that long but it you know, a good amount of time depending on
0:39:43	the number of users to actually finish the synchronization, but we´ve got less than
0:39:47	in our LDAP here and we had a very easy custom query, so it doesn´t say
0:39:54	Perform Full Sync, that leaves me hopeful that we can go over to our end users
0:40:00	and see them all there and indeed, we see our variphy. The last name has
0:40:09	been changed to all upper case, the first name is gone that´s because
0:40:13	that field is overwritten and we only see the five users,
0:40:19	Benjamin Linus, Charles Widmore, Hugo Reyes, Jack Shepherd and Variphy that we saw here
0:40:27	in our custom LDAP query search client, so LDAP customization, custom query is working properly.
0:40:38	Now, if we want to go change this custom filter, I know that it tells you
0:40:45	if you make a change that you need to do a full sync again
0:40:49	and that´s true but just telling you from experience sometimes it can have issues,
0:40:55	so what I prefer to do is actually go and again this is more lab environment
0:41:02	and again you would do a lot of labing and test before you would actually
0:41:08	role this out to a life client, not just this function but actually whatever custom query
0:41:15	you´re wanting to do for the client, you would probably have some sort of test
0:41:20	to do that but I would delete this. So, there´s no LDAP directories,
0:41:29	if we go back to the users, we see that they´re all still here, they´re just inactive.
0:41:35	So this isn´t too much of a problem, it´s just that they´re inactive,
0:41:39	we have 24 hours before they´ll be purged from the system
0:41:42	so then I´ll go change my custom query or maybe I´ll just, just for cleanliness sake
0:41:51	and database sanity, maybe my sanity, maybe I´ve just been burned too many times.
0:41:57	I´ll delete the filter and add a new one and before I add the new one,
0:42:02	let´s do the test in the, let´s create it in our notepad
0:42:08	and then let´s do the test in the actual Microsoft client just to verify.
0:42:15	So, let´s go, let´s say open and close and we´ll do these on
0:42:24	multi lines again and then we´ll concatenate them all back together
0:42:28	by doing back space deletion. So, let´s say we definitely want the surname of variphy,
0:42:36	that´s something we want to remain and we also want any users whose department
0:42:46	equals executives or whose manager is Hugo Reyes and since we´re querying users in a directory,
0:43:07	not that LDAP queries have to just be on users, in fact we can
0:43:11	say object class is one of the LDAP attributes, object class equals person,
0:43:16	but in the case of CUCM, it´s already, it´s only asking for a person type object class,
0:43:24	it´s not asking for computers or printers or other things like that,
0:43:29	that might reside in the LDAP. It´s only synchronizing users across,
0:43:32	so we don´t really have to say object class equals person but because we´re querying
0:43:38	CUCM on our behalf, it´s querying person type objects if we want to talk about
0:43:43	someone’s manager, what we have to say is we have to specify the way
0:43:50	that the manager is attached to the user is it shows the manager´s fully qualified name.
0:43:56	So the manager´s name would be something like, cn for canonical name equals Hugo Reyes
0:44:05	comma ou equals and he happens to be in the sub category of executive,
0:44:15	so ou equals executive comma ou equals island natural exports comma, dc equals ine,
0:44:29	comma, dc equals com, so he´s in that, that´s his fully proper name or
0:44:38	fully qualified LDAP name and so we want to say manager equals him,
0:44:44	so yes this is correct, the syntax, manager equals cn equals Hugo Reyes,
0:44:50	ou executive, ou, island natural exports, dc, ine, dc, com and I just expanded
0:44:58	my text edit window, they´re a little bit so it´s on one line,
0:45:02	so I´ll put the closing parenthesis. So I want to bring this up,
0:45:06	so that those two are all on one line, department and executives,
0:45:11	and I want to say Boolean & so both of these must be true.
0:45:17	The department equals executive which we already know will yield us 4 users
0:45:26	but what also must be true is that the manager must be Hugo Reyes etcetera
0:45:33	and so we need to enclose this Boolean & with a parenthesis open
0:45:38	and close and then we´ll bring this back up to the line
0:45:43	and we want to say between these two that is this one and
0:45:50	entity we want a Boolean or and I keep doing that, I keep hitting not
0:45:55	there we go a pipe, Boolean or. So let´s bring this back up to the line
0:46:00	and let´s bring the closing parenthesis back up the line and there´s actually
0:46:05	a space here, it´s not a carriage return, it´s just a line wrapped.
0:46:10	So let´s go ahead and test this, we´ll copy this and we will get rid
0:46:12	of our old LDAP query here, we´ll paste in our new query,
0:46:23	say find now so we should have variphy because it´s variphy or any of these others
0:46:30	and we know all of this are a part of executives department but are,
0:46:36	are they all managed by Hugo. Well, Hugo himself is probably not managed
0:46:42	by himself, he probably has another manager, so I´m guessing that a list Hugo
0:46:46	will disappear, click find now and it looks like we only have Jack and Benjamin,
0:46:53	not Charles and not Hugo. So it is indeed a subset of this but
0:46:59	but the query does work, so let´s take this query, go back to our CUCM
0:47:04	and maybe we´ll call this one, we´ll call this one execs, execs that report to
0:47:17	Hurley and Variphy. I don´t if it will like my ampersand there
0:47:25	and we´ll paste that in, we´ll press save, we don´t get any error, that´s good.
0:47:31	That doesn´t necessarily mean anything, there´s certainly could be an error still there
0:47:35	but we´d haven´t got one yet, go back to LDAP, re create our just do find here,
0:47:42	no records, do add new and give it a name our login CCIE Cisco, our base,
0:47:58	we´re going to do the entire island natural exports, none of the subcontainers,
0:48:02	which means it´s allowed in all of the subcontainers, choose our executives that report to
0:48:07	Hurley and Variphy, kind of looks like they report to Hurley and Variphy but
0:48:12	but we know what I mean for right now put in the IP address of the LDAP,
0:48:18	click save. OK. No problem yet with syntax, perform full sync, says Cancel Sync process.
0:48:27	Let´s go back out to find, come back in, Perform Full Sync, that´s good.
0:48:33	So this should mean that there we go, now you say wait a minute
0:48:39	we still have all five users, that´s true but three of them, one, two and three
0:48:45	are marked for active and the other two aren´t yet deleted give it the 24 hour period
0:48:51	and they will be purged, they´re currently inactive so if we click on CWidmore
0:48:56	we see that he has a delete pending whereas BLinus is completely active,
0:49:03	so our Custom Query worked just fine our Custom Filter.

Now Viewing

CCNA Voice
Title:	CCNA Voice
Duration:	74h 11m
The CCNA Voice class is an ultimate all-in-one solution for engineers pursuing the Cisco Certified Network Associate Voice (CCNA Voice) certification. This Video-on-Demand course includes over 70 hours of instructor-led content that will fully prepare you for the latest Cisco 640-461 ICOMM v8 certification exam. Please note that per Cisco CCNA Voice certification requirements, you need to have already met the pre-requisite of having a valid regular CCNA (Routing & Switching) status.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$199.00	Add to Cart

CUCM LDAP Custom Filters

Create Bookmark