Time for another INE Voice Trivia Contest. This week we will wait until Friday morning to choose a winner, giving you all a few days to come up with correct responses.

Here is the problem that needs solving for this week’s Voice Trivia Contest:

Integration with a corporate LDAP has been properly set up and many users have been imported into the CUCM server, but now it has been requested that an LDAP Custom Filter be built in order to limit the imported users down to only a few.

The base LDAP schema is that there is an OU called “island natural exports” in the domain of “”.

The only desired users to remain imported are:

  • A user with the last name of “Linus”
  • All users who are in the department of “executives” that also have a manager whose canonical name is “Hugo Reyes”

So your task for this week’s trivia contest is quite simply to post the proper RFC 4515 compliant LDAP custom filter query string in the comments section below.

As always, the winner of this contest will have their choice of any one of these items:

  • $100USD Amazon Gift Card
  • $100USD in GradedLabs Tokens (which is 6.5 Voice rack sessions!)
  • $100USD worth of online store credit

The rules for this contest are as follows:

  • You must answer all questions correctly – this means that the solution provided must fully meet the requirement (i.e. If something else breaks, such as normal dialing, or digit appearance is not as requested, as a result of your answer – it will not be counted as a correct answer)
  • You must submit your answers in the comments section of this post along with a valid email address to reach you for your prize (submissions emailed to INE will not be accepted)
  • If there are multiple correct respondents, then we will place all of the correct respondents' names into an online randomizer – the modern day ‘hat’ if you will
  • We will not allow any of the response comments to be posted here on this blog post (publicly) until the contest is over, so as not to give an unfair advantage to anyone

I’ll be watching the submissions over the next few days, and I will return on Friday to gather up the winners, choose a random name, and post all of the comments along with some of my own replies and comments, and of course, the correct solution.

Good Luck!

We Have a Winner

OK, so first off I should note that I probably should have been just a bit more specific than to say that I only wanted “the proper RFC 4515 compliant LDAP custom filter query string”, and if I were to do it over I would change that to say something more like “a single LDAP custom filter query string that works to return actual results against a Microsoft Active Directory LDAP in the CUCM Custom Filter web page, and will also work if using the Microsoft ‘Find Custom Search – Advanced tab’ in any AD-attached PC where it says ‘Enter LDAP Query’”.

That being said – all of the solutions seem to be RFC 4515 compliant, and so I included them all in my online randomizer when picking the winner.

So first off, we had some very detailed answers – I am impressed! They, of course, can be seen in the comments below. While I definitely agree that one could benefit by filtering out only the import of ObjectClass=user and possibly even UserAccountControl, CUCM will only import the ObjectClass of users anyhow, so we can omit that step when dealing with this in relation to the CUCM filter string. And Dave, while I was not more specific in saying that you couldn’t create more LDAP Directory entries in CUCM and have multiple Filters (which is why I included you in the drawing), I want to point out that you can do the query in a single line.

So here is my simplified (and working) official answer:

(|(sn=linus)(&(department=executives)(manager=cn=Hugo Reyes,ou=executives,ou=island natural exports,dc=ine,dc=com)))

See this screenshot below of the query returning results in the DC’s “Find Custom Search –> Advanced –> LDAP Query” window:
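The official filter above, run through a small evaluator as an added example (not code from the original post): it parses the prefix notation of RFC 4515 for AND, OR, NOT and equality only, and applies it to constructed sample entries. Case-insensitive string comparison, including for the manager DN, is a simplifying assumption; the function names and the sample users are hypothetical.

```python
# Added example: evaluates a subset of RFC 4515 (AND, OR, NOT, equality).
# ENTRIES is constructed sample data; names are hypothetical, not from the post.
OFFICIAL = ("(|(sn=linus)(&(department=executives)(manager=cn=Hugo Reyes,"
            "ou=executives,ou=island natural exports,dc=ine,dc=com)))")
HUGO = "CN=Hugo Reyes,OU=executives,OU=island natural exports,DC=ine,DC=com"
ENTRIES = [
    {"cn": "Pat Linus", "sn": "Linus", "department": "operations", "manager": ""},
    {"cn": "Exec One", "sn": "One", "department": "Executives", "manager": HUGO},
    {"cn": "Exec Two", "sn": "Two", "department": "executives",
     "manager": "CN=Pat Linus,OU=operations,OU=island natural exports,DC=ine,DC=com"},
    {"cn": "Sales One", "sn": "Uno", "department": "sales", "manager": HUGO},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids = f[i], []
        i += 1
        while f[i:i + 1] == "(":          # each operand is itself a full filter
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or f[i:i + 1] != ")":
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                 # raises ValueError if unbalanced
    attr, sep, value = f[i:end].partition("=")   # split on the FIRST '=' only
    if not attr or not sep:
        raise ValueError(f"bad item at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Case-insensitive evaluation (an assumption that also covers the DN)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return entry.get(node[1], "").lower() == node[2]

def select(filter_text, entries):
    """Return the cn of every entry the filter would import."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in entries if matches(tree, e)]

if __name__ == "__main__":
    print(select(OFFICIAL, ENTRIES))
```

Exec Two and Sales One are excluded because the inner AND needs both the department and the full manager DN to match, while the outer OR lets the Linus entry through on surname alone.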

So after I entered all three names in my online randomizer, it told me that Kevin Dierckx is our winner! Kevin will be receiving his choice from the above prizes.

Congratulations Kevin!

I would like to point out that we never had a winner for a previous contest that I held: CCNP Voice Trivia Contest :: CCD Dynamic Routing of DNs, so I will be publishing it again in the not-too-distant future. So have a look at it now, and see what you can work out to get a leg up on the competition. Heck, it could win you $100!

BTW, as a bit of a spoiler for that, I cover exactly that scenario (along with many others) in the ~5 hours of videos that I recorded on that topic of SAF and Call Control Discovery, which can be found in these 6 videos:
Call Control Discovery (CCD) via Service Advertisement Framework (SAF) Overview
Call Control Discovery via SAF – CUCM Inter-Cluster Call Routing
Call Control Discovery via SAF – CUCM Call Routing with PSTN Failover
Call Control Discovery via SAF – CUCM Call Routing during SRST Fallback
Call Control Discovery via SAF – CUCM to CME Call Routing
Call Control Discovery via SAF – Inter-Cluster RSVP via SIP Preconditions

About Mark Snow, CCIE #14073:

Mark Snow has been actively working with data and traditional telephony as a Network Consulting Engineer since 1995, and has been working with Cisco Call Manager and voice-over technology since 1998. Mark has been actively teaching and developing content for the CCIE Voice track since 2005, and the Security track since 2007. Mark's story with both data and voice technology started out quite young, as he began learning around the age of five from his father who was a patented inventor and a research scientist at AT&T Bell Laboratories. Mark started out on Unix System V and basic analog telephony, and went on from there to large data networking projects with technologies such as Banyan Vines, IPX and of course IP, and large phone systems such as Nortel 61c, Tadiran Coral, Avaya Definity and of course Cisco Unified Communications Manager in both enterprise and 911 PSAP environments across the US and internationally. Mark is also an accomplished pilot and punched his ticket in 2001. When Mark isn't learning, labbing, consulting or teaching, he can be found either piloting or possibly jumping out of a perfectly good airplane, hanging off a rock somewhere or else skiing out west. He also might just be enjoying a quiet day at the beach with his wife and two wonderful young kids, Ryleigh and Judah.


7 Responses to “CCNP Voice Trivia Contest :: LDAP Custom Filters”

  1. Kevin Dierckx says:

    If the LDAP search base is set to ou=island natural exports,dc=ine,dc=com then the following filter will return all the desired users (and yes, only the users, no other objects that might happen to fit the other criteria)

    (&(&(objectCategory=person)(objectClass=user))(|(sn=Linus)(&(ou:dn:=executives)(manager:cn:=HUgo Reyes))))


  2. Dave Phillips says:

    Hi Mark, quick question. I need to know where Hugo resides in the directory structure to provide his canonical name. Is he under the executives OU or the island natural exports OU.

    • Excellent question – and you may be on to something no one else has gotten yet. I’ll post both your question and the reply for all to see and benefit from before the answers are revealed.

      Hugo is in the ‘executives’ OU, which is directly underneath the ‘island natural exports’ OU which is in the domain.

      Good Luck!

  3. emearg says:

    Hmm trickier than it seems.

    Here is my go:

    (| (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(sn=Linus)) (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(distinguishedName=*OU=executives*)(manager=*CN=Hugo Reyes*)))

  4. Dave Phillips says:

    Here goes….

    You cannot do what you are asking in a single LDAP filter (query). You cannot search for users in a specific OU without changing the base DN to point to this OU (otherwise it will search through the base DN and all sub-trees). You are also unable to use wildcards when querying on an object's DN (ex. CN=*,OU=executives,OU=island natural exports,DC=ine,DC=com will not return anything)

    Since a user object has no information about which OU it resides in (besides its DN) and an OU object has no information about which objects are below it…..

    This would need to be done in 2 parts

    1. Create a LDAP custom filter with (sn=Linus) as the filter
    2. Create a LDAP directory entry with the user search base ou=island natural exports,dc=ine,dc=com, apply the custom filter in step 1 to this entry
    3. Create a LDAP custom filter with (manager=CN=Hugo Reyes,ou=executives,ou=island natural exports,dc=ine,dc=com) as the filter
    4. Create another LDAP directory with the user search base ou=executives,ou=island natural exports,dc=ine,dc=com and apply the filter created in step 3 to this entry

    Perform a full sync on both LDAP directory entries and you will have only users that meet the task's criteria in CUCM

  5. Dave Phillips says:

    Hi Mark, I must note that you said you wanted users in the sub-OU of executives, not the department of executives….department would have made things much simpler :-)

