Cisco CUCM Tricks for Active Directory & LDAP

What is Active Directory

Database Structure of Active Directory
Common Database Schemas of LDAP Server

Active Directory (AD): a database that stores all kinds of objects, together with the policies that govern how those objects interact.
Object: the smallest unit that AD manipulates in the database. Each object carries a set of mandatory and optional attributes (properties) and can stand for a user, computer, printer, shared folder or any other resource used in an organization. Typical objects in AD include Forest / Domain / OU / User / Group / Contact / Computer / Shared Folder / Printer / Site / Subnet.

Object types:

Both container objects and leaf objects are named inside their own Organizational Unit (OU) or container by a Relative Distinguished Name (RDN). For most objects the RDN is the Common Name (CN=...), but an OU's RDN is OU=... and a domain component's is DC=..., so "CN" and "RDN" are not interchangeable. Throughout the domain, each object is uniquely identified by its Distinguished Name (DN): its own RDN followed by the RDNs of every container above it up to the domain root.

Search base (example): cn=users, dc=uclab, dc=com, the DN of the default Users container in the uclab.com domain; a search rooted here sees only objects under that container.

  • Container Object: an object that can hold other container objects or leaf objects. The default containers in a new domain are Users, Computers, Builtin and ForeignSecurityPrincipals; Domain Controllers is an organizational unit rather than a plain container, which is what allows Group Policy to be linked to it.
  • Leaf Object: an object that cannot contain other objects (a user, a printer, a shared folder).
  • Security Principal Object: a user, group or computer object. Each carries a security identifier (objectSid) and is the kind of object that authentication, authorization and access control decisions refer to.
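To make the RDN/DN distinction concrete, here is an added example (not code from the original page or from Cisco) that splits a DN into its RDNs per RFC 4514, returns an object's RDN and parent container, and builds DNs with proper escaping. The uclab.com domain is the page's example; the OU=Sales container and the user names are constructed. The escaping matters whenever a DN is assembled from user input, for instance a bind DN built from a login name: without it, a name containing a comma adds an RDN and changes which container the DN points into.

```python
"""Distinguished names (RFC 4514): the RDN that names an object inside its
container versus the DN that locates it in the domain.

Added example, not code from the original page or from Cisco: a small DN
splitter/builder. uclab.com is the page's example domain; OU=Sales and the
user names are constructed sample values.
"""

# Characters that must be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'


def unescape_value(raw: str) -> str:
    """Decode RDN value escapes: '\\,' -> ',' and '\\C3\\A9' -> UTF-8 bytes."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                buf.append(int(pair, 16))            # hex-escaped UTF-8 byte
                i += 3
                continue
            buf.extend(raw[i + 1].encode('utf-8'))   # '\x' -> literal x
            i += 2
            continue
        buf.extend(raw[i].encode('utf-8'))
        i += 1
    return buf.decode('utf-8')


def escape_value(value: str) -> str:
    """Escape a value so it can sit inside an RDN without changing the DN's shape."""
    out = ''.join('\\' + c if c in _SPECIAL else c for c in value)
    if out[:1] in (' ', '#'):          # a leading space or '#' is significant
        out = '\\' + out
    if out.endswith(' '):              # so is a trailing space
        out = out[:-1] + '\\ '
    return out


def split_dn(dn: str) -> list:
    """Return [(type, value), ...] from the RDN (leftmost) to the root (rightmost)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):    # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append(''.join(cur))
    rdns = []
    for part in parts:
        typ, sep, val = part.lstrip().partition('=')
        if not sep or not typ.strip():
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((typ.strip(), unescape_value(val)))
    return rdns


def build_dn(*rdns) -> str:
    """Assemble a DN from (type, value) pairs, escaping each value."""
    return ','.join(f'{t}={escape_value(v)}' for t, v in rdns)


def rdn(dn: str) -> tuple:
    """The object's own name inside its container (CN=..., OU=..., DC=...)."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The container the object lives in."""
    return build_dn(*split_dn(dn)[1:])


if __name__ == '__main__':
    users = 'cn=users, dc=uclab, dc=com'                 # the page's example
    print(rdn(users), '->', parent_dn(users))
    jane = build_dn(('CN', 'Doe, Jane'), ('OU', 'Sales'), ('DC', 'uclab'), ('DC', 'com'))
    print(jane, split_dn(jane))
    # A bind DN built from a login name: naive concatenation lets the
    # constructed value 'x,OU=Admins' add an RDN; build_dn keeps it as one value.
    login = 'x,OU=Admins'
    print(len(split_dn(f'CN={login},CN=Users,DC=uclab,DC=com')))
    print(len(split_dn(build_dn(('CN', login), ('CN', 'Users'), ('DC', 'uclab'), ('DC', 'com')))))
```

split_dn keeps escape pairs together while splitting on commas and only decodes them afterwards, which is why a value containing a comma survives the round trip through build_dn as a single RDN.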

ObjectClass Vs. ObjectCategory

ObjectClass vs. ObjectCategory, from Florian's Blog

  • ObjectClass: the grouping of mandatory and optional attributes that defines a kind of object. As part of the AD schema it is hierarchical: a child class inherits the attributes of its parent. On an object, objectClass is a multi-valued attribute listing the whole inheritance chain (a user carries top, person, organizationalPerson and user), and it determines which attributes are mandatory and optional for that object.
  • ObjectCategory: a single-valued attribute holding the DN of the schema class the object is categorised under (CN=Person,CN=Schema,CN=Configuration,... for a user). It is indexed, so filtering on it is cheap, and it separates objects that share classes: a contact and a user are both objectCategory person, but only the user has objectClass user, while a computer has objectClass user but objectCategory computer. The usual filter for real user accounts is therefore (&(objectCategory=person)(objectClass=user)).

Most-Frequently Used Attributes for AD Users

Active Directory User Attribute Reference Table

The attribute names are AD's LDAP display names, which is what the CUCM LDAP synchronization attribute mapping expects; the User ID is taken from sAMAccountName by default.
  • Login ID: sAMAccountName
  • First Name: givenName
  • Middle Name: middleName
  • Last Name: sn
  • Manager: manager
  • Department: department
  • E-Mail Address: mail
  • Telephone Number: telephoneNumber
  • IP Phone Number: ipPhone
  • Mobile Number: mobile
  • Home Phone: homePhone

LDAP Query & Search Filter

LDAP Search over Port 3268 Vs. Port 389

Port 3268 (Global Catalog): searches the entire forest, all domains, from one server, but returns only the partial attribute set: the attributes whose schema definition is flagged for replication to the global catalog (the isMemberOfPartialAttributeSet flag, editable in the Active Directory Schema snap-in). That is why a GC search is the quick way to find an object anywhere in the forest without chasing referrals, and also why some attributes come back empty over 3268: an attribute outside the partial attribute set is not missing from the object, it is just not held by the GC. Check the partial attribute set before pointing an LDAP sync at 3268. Both 389 and 3268 are cleartext unless StartTLS or LDAPS is used; the TLS ports are 636 and 3269.

Port 389: searches the domain partition of the single domain controller you connect to (one domain of the forest), and returns every attribute of the matching objects. A subtree search that crosses into another domain of the forest comes back as a referral rather than as results.

LDAP Over port 3268 Vs. 389
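Added example (not code from the original page or from Cisco) covering both the objectClass/objectCategory distinction above and the search-filter side of this section: a small RFC 4515 filter parser and matcher run against three constructed entries, plus the RFC 4515 escaping a login name needs before it is placed in a lookup filter on sAMAccountName, the attribute CUCM maps the Login ID to. The directory entries, schema DNs and login values are constructed; objectCategory is compared as a schema DN here, while a real domain controller also accepts the short form (objectCategory=person).

```python
"""LDAP search filters (RFC 4515): what objectClass versus objectCategory select,
and why a login name dropped into a filter must be escaped. Added example, not
code from the original page or from Cisco: the parser and matcher are a small
offline model of a domain controller's filter evaluation, and the directory
entries and schema DNs are constructed for the demo."""
import re


def escape_filter_value(value: str) -> str:
    """Escape text used inside an assertion value (RFC 4515 section 3)."""
    return ''.join(f'\\{ord(c):02x}' if c in '*()\\\x00' else c for c in value)


def parse_filter(text: str):
    """Return ('and'|'or', [subfilters]) or ('eq', attr, assertion); ValueError if malformed."""
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError('unterminated filter') from None
    if end != len(text):
        raise ValueError(f'unexpected data after the filter at offset {end}')
    return node


def _parse(s: str, i: int):
    if s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in '&|':
        kids, i = [], i + 2
        while s[i] == '(':
            kid, i = _parse(s, i)
            kids.append(kid)
        node = ('and' if op == '&' else 'or', kids)
    else:
        end = s.index(')', i)            # an escaped ')' is '\29', so this is safe
        attr, sep, assertion = s[i + 1:end].partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed assertion at offset {i}')
        node, i = ('eq', attr.strip().lower(), assertion), end
    if s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _assertion_regex(assertion: str):
    """'*' is a wildcard; '\\2a' and other hex escapes decode to literals."""
    unhex = lambda chunk: re.sub(r'\\([0-9a-fA-F]{2})',
                                 lambda m: chr(int(m.group(1), 16)), chunk)
    return re.compile('^' + '.*'.join(re.escape(unhex(c)) for c in assertion.split('*'))
                      + '$', re.IGNORECASE)


def _values(entry: dict, attr: str) -> list:
    """Values of an attribute, looked up case-insensitively by name."""
    for key, val in entry.items():
        if key.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry: dict) -> bool:
    kind, *rest = node
    if kind in ('and', 'or'):
        return (all if kind == 'and' else any)(matches(k, entry) for k in rest[0])
    values = _values(entry, rest[0])
    if rest[1] == '*':                   # presence filter
        return bool(values)
    return any(_assertion_regex(rest[1]).match(v) for v in values)


def search(entries, filter_text: str):
    """DNs matching filter_text, in directory order; None if the filter is malformed."""
    try:
        node = parse_filter(filter_text)
    except ValueError:
        return None
    return [e['dn'] for e in entries if matches(node, e)]


SCHEMA = 'CN=Schema,CN=Configuration,DC=uclab,DC=com'
DIRECTORY = [   # constructed sample entries
    {'dn': 'CN=Jane Doe,CN=Users,DC=uclab,DC=com', 'sAMAccountName': 'jdoe',
     'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
     'objectCategory': 'CN=Person,' + SCHEMA},
    {'dn': 'CN=Vendor Contact,CN=Users,DC=uclab,DC=com',      # a contact has no login
     'objectClass': ['top', 'person', 'organizationalPerson', 'contact'],
     'objectCategory': 'CN=Person,' + SCHEMA},
    {'dn': 'CN=PHONE-PC01,CN=Computers,DC=uclab,DC=com', 'sAMAccountName': 'PHONE-PC01$',
     'objectClass': ['top', 'person', 'organizationalPerson', 'user', 'computer'],
     'objectCategory': 'CN=Computer,' + SCHEMA},
]
# objectCategory is compared here as the schema DN; AD also accepts the short
# form (objectCategory=person), which this model does not expand.
USER_ACCOUNTS = f'(&(objectCategory=CN=Person,{SCHEMA})(objectClass=user))'


def user_filter_unsafe(login: str) -> str:
    return f'(sAMAccountName={login})'                        # injectable


def user_filter(login: str) -> str:
    return f'(sAMAccountName={escape_filter_value(login)})'   # login stays data


if __name__ == '__main__':
    for f in (USER_ACCOUNTS, '(objectClass=user)', user_filter_unsafe('*'), user_filter('*')):
        print(f, '->', search(DIRECTORY, f))
```

search returns None for a filter the parser rejects, which is what happens when an unescaped login such as jdoe)(objectClass=* injects a second filter; the escaped version stays one assertion that simply matches nothing, and an unescaped * turns the lookup into a presence test that returns every account with a sAMAccountName. Only the escaped form should ever be sent to a real directory over 389 or 3268.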

Create the Schema Manager MMC console on Windows Server 2003: the Active Directory Schema snap-in is not listed until its DLL is registered with regsvr32 schmmgmt.dll; after that, add it to a new console through mmc (File, Add/Remove Snap-in). Membership in the Schema Admins group is required to change attributes, including their partial-attribute-set flag.


References for LDAP & Active Directory learning:
  • The LDAP Explorer
  • Active Directory 360 – All about Active Directory
  • SelfADSI: The LDAP & ADSI Scripting Tutorial
  • Florian's Blog: Insights about Active Directory