Question on LDAP integration & user deletion

Similar Messages

• Questions on LDAP w.r.t XML Publisher 5.6.2

  Hi all,
  I have 2 questions on LDAP integration w.r.t XML P 5.6.2
  1) Is OID the only supported LDAP repository? I tried to set up a Iplanet directory server against XMLP, but could not. Did I miss something, or it is not supported?
  Other than OID, any other LDAP supported?
  2) Suppose, my use-case is: I want to show some values from the database, and also in the same report, print out the user attributes from the LDAP (like email id of the user, for example) who fired the report, then is this possible?
  Thanks,
  Ambarish,

  Ok. Question 1 - I have answered myself. I could not set up SunONE Directory server against XMLP :-(
  But I could set up against openldap. :-)
  I plan to contribute to the blog in 2/3 days time on how this can be done.
  But I still need some help on the question 2. How can I create a report which has all the data from both the backend database, and well as from the LDAP repository. For example, report like:
  Report Fired By:
  EMAIL id:
  Mobile:
  (data1, data2...)
  where data1, data2 comes from the database, and email id, mobile from the LDAP.

• Questions on LDAP Realm on different versions of Web Logic

  Kaia,
  I need you to ask JOS / BEA Systems some questions on LDAP
  Integration. I have CC'd Randy and Todd in case they have any
  feedback on this area. I have read the documentation and have
  a
  couple of simple questions. The questions differ depending on
  the version (because the documentation is different):
  4.5 SP7
  Users and groups are cached in the WebLogic Server as Enterprise
  Java Beans. This reduces the frequency of LDAP lookups
  Exactly what is cached? Is authentication carried out against
  the Directory each time, or against the cached credentials? Is
  this configurable such that an authentication attempt is sent to
  the LDAP server each time? Just a suggestion - LDAP lookups are
  very "light" and caching them in this fashion is not a good
  idea. Let the LDAP Directory do the caching.
  The "system" user must be defined in the weblogic.properties
  file and in your LDAP server. The LDAP "system" user must be a
  member of the LDAP group that has administrative privileges in
  the LDAP server
  Does this really mean that the user ID in the LDAP server
  called "system" needs to have full control over the entire
  directory??
  In the WebLogic property file realm, the "everyone" group
  automatically includes all users. You must create an "everyone"
  group and add every WebLogic Server user to its membership list,
  including the "guest" and "system" users.
  Does this really mean that I need to create a group in the LDAP
  directory called "Everyone" and keep it updated with every user
  object in the Directory that we want to authorize using weblogic
  ACL's?
  5.1 Pre SP7
  The property:
  weblogic.security.ldaprealm.userAuthentication
  The description for this in the docs is:
  This property determines the method for authenticating users. If
  you set the property to local (appropriate for Netscape and
  Microsoft servers), LDAPRealm retrieves user data, including
  password, from the LDAP server and checks the password in
  WebLogic Server. If you set the value to external (appropriate
  for Novell NDS), LDAPRealm authenticates a user by attempting to
  bind to the LDAP server with the username and password supplied
  by the WebLogic client. If you use external authentication, you
  must also use SSL
  The way I read this is that if you have local set, the Weblogic
  Server retrieves the entire user credentials from the LDAP
  Directory, and compares the password with what the user passes
  in. If you have external set, weblogic does a bind on your
  behalf - however, you need to have SSL configured for this
  option to be implemented.
  However, in the example for an NDS server, the following is
  listed:
  weblogic.security.ldaprealm.userAuthentication=bind
  What is the bind option referring to?
  5.1 SP 7
  This version makes no reference whatsoever to the
  userAuthentication property above. Has it disappeared? What is
  the authentication method used now?
  6.0
  The documentation below:
  Table 12-10 LDAP Security Realm Fields on the Users Tab
  Field
  Description
  User Authentication
  Determines the method for authenticating Users. Set this field
  to one of the following values:
  Local specifies that the LDAP Security realm retrieves user
  data, including the password from the LDAP Directory server, and
  checks the password in WebLogic Server. The Local setting is
  appropriate for Netscape Directory Server and Microsoft Site
  Server.
  External specifies that the LDAP Security realm authenticates a
  User by attempting to bind to the LDAP Directory server with the
  username and password supplied by the WebLogic Server client. If
  you choose the External setting, you must also use the SSL
  protocol. The External setting is appropriate for Novell NDS.
  Bind
  Note that there is a reference to Bind, but no description for
  what it is supposed to do. So, what is it supposed to do. Also
  a follow up question - This field is not referenced in
  documentation for 5.1 SP7, so I was curious as to whether this
  will also be dropped in future service packs under 6.0, and if
  so, what the authentication process will then be.
  regards,
  Craig Gilmour

  CC 2014 should be the latest version.  You can uninstall any others if you choose to.

• Integrating LDAP/AD users to access servers console's

  Hello,
  I have to investigate the out of bound capabilities of the following server, actually to integrate the LDAP/AD users to access the console of the servers.
  SUN FIRE T2000
  SUN FIRE V240
  SUN FIRE V440
  SUN FIRE V120
  SUN FIRE V490
  SUN FIRE V480
  SUN FIRE V210
  SUN FIRE 280R
  I cant able to find the proper documentation in Oracle site to figure out OOB capabilities.
  I greatly appreciate your help.
  Thanks,
  Kartheek.

  Hi.
  IMHO. This servers don't have this capability.
  Some documentation about OOB of this servers:
  SUN FIRE T2000
  http://download.oracle.com/docs/cd/E19076-01/t2k.srvr/index.html
  http://download.oracle.com/docs/cd/E19076-01/t2k.srvr/819-7991-10/819-7991-10.pdf
  SUN FIRE V120
  http://download.oracle.com/docs/cd/E19088-01/v120.srvr/index.html
  Same system managment. 1:
  SUN FIRE V490
  http://download.oracle.com/docs/cd/E19095-01/sfv490.srvr/index.html
  http://download.oracle.com/docs/cd/E19095-01/sfv490.srvr/817-3951-12/817-3951-12.pdf
  SUN FIRE V480
  http://download.oracle.com/docs/cd/E19095-01/sfv480.srvr/index.html
  http://download.oracle.com/docs/cd/E19095-01/sfv480.srvr/816-0904-10/816-0904-10.pdf
  Same system managment. 2
  SUN FIRE V210
  http://download.oracle.com/docs/cd/E19088-01/v210.srvr/index.html
  http://download.oracle.com/docs/cd/E19088-01/v210.srvr/819-2445-11/819-2445-11.pdf
  SUN FIRE V440
  http://download.oracle.com/docs/cd/E19088-01/v440.srvr/index.html
  http://download.oracle.com/docs/cd/E19088-01/v440.srvr/819-2445-11/819-2445-11.pdf
  SUN FIRE V240
  http://download.oracle.com/docs/cd/E19088-01/v240.srvr/index.html
  http://download.oracle.com/docs/cd/E19088-01/v240.srvr/819-2445-11/819-2445-11.pdf
  SUN FIRE 280R
  http://download.oracle.com/docs/cd/E19088-01/280r.srvr/index.html
  http://download.oracle.com/docs/cd/E19088-01/280r.srvr/806-4806-10/806-4806-10.pdf
  Regards
  Edited by: Nik on 18.02.2011 15:12

• UCCX 7.0.1SR5 to 8.0 upgrade while also adding LDAP integration for CUCM - what happens to agents and Historical Reporting data?

  Current State:
  •    I have a customer running CUCM 6.1 and UCCX 7.01SR5.  Currently their CUCM is *NOT* LDAP integrated and using local accounts only.  UCCX is AXL integrated to CUCM as usual and is pulling users from CUCM and using CUCM for login validation for CAD.
  •    The local user accounts in CUCM currently match the naming format in active directory (John Smith in CUCM is jsmith and John Smith is jsmith in AD)
  Goal:
  •    Upgrade software versions and migrate to new hardware for UCCX
  •    LDAP integrate the CUCM users
  Desired Future State and Proposed Upgrade Method
  Using the UCCX Pre Upgrade Tool (PUT), backup the current UCCX 7.01 server. 
  Then during a weekend maintenance window……
  •    Upgrade the CUCM cluster from 6.1 to 8.0 in 2 step process
  •    Integrate the CUCM cluster to corporate active directory (LDAP) - sync the same users that were present before, associate with physical phones, select the same ACD/UCCX line under the users settings as before
  •    Then build UCCX 8.0 server on new hardware and stop at the initial setup stage
  •    Restore the data from the UCCX PUT tool
  •    Continue setup per documentation
  At this point does UCCX see these agents as the same as they were before?
  Is the historical reporting data the same with regards to agent John Smith (local CUCM user) from last week and agent John Smith (LDAP imported CUCM user) from this week ?
  I have the feeling that UCCX will see the agents as different almost as if there is a unique identifier that's used in addition to the simple user name.
  We can simplify this question along these lines
  Starting at the beginning with CUCM 6.1 (local users) and UCCX 7.01.  Let's say the customer decided to LDAP integrate the CUCM users and not upgrade any software. 
  If I follow the same steps with re-associating the users to devices and selecting the ACD/UCCX extension, what happens? 
  I would guess that UCCX would see all the users it knew about get deleted (making them inactive agents) and the see a whole group of new agents get created.
  What would historical reporting show in this case?  A set of old agents and a set of new agents treated differently?
  Has anyone run into this before?
  Is my goal possible while keeping the agent configuration and HR data as it was before?

  I was doing some more research looking at the DB schema for UCCX 8.
  Looking at the Resource table in UCCX, it looks like there is primary key that represents each user.
  My question, is this key replicated from CUCM or created locally when the user is imported into UCCX?
  How does UCCX determine if user account jsmith in CUCM, when it’s a local account, is different than user account jsmith in CUCM that is LDAP imported?
  Would it be possible (with TAC's help most likely) to edit this field back to the previous values so that AQM and historical reporting would think the user accounts are the same?
  Database table name: Resource
  The Unified CCX system creates a new record in the Resource table when the Unified CCX system retrieves agent information from the Unified CM.
  A Resource record contains information about the resource (agent). One such record exists for each active and inactive resource. When a resource is deleted, the old record is flagged as inactive; when a resource is updated, a new record is created and the old one is flagged as inactive.

• LDAP Integration with CUCM 9.0

  We would like to use LDAP to sync all of our users from Active Directory.  All of our current CM Users are local, the problem is that they have the same user names as our Active Directory users.  From what I understand this is going to be a problem because:
  "If accounts from LDAP match an existing Unified CM account that is not marked as an LDAP synchronized account, then these accounts are ignored."
  Does that mean we will have to delete all our existing CM users in order to sync the LDAP users correctly?  Is there a best practice for this?  Once we syncronize the LDAP users how to I ensure that the user gets associated with the proper phone?  Or do I have to visit each user individually? 

  I just did a quick test for this, my lab CUCM 9 is already LDAP integrated, but I created a local user, then I created that same local user in my LDAP OU, and performed a full sync.
  The user is no longer showing as a local active user, but as an active LDAP synchronized user.
  Which was my thought, there's only one conversion, from LDAP to local.
  The behavior is just as with any previous release, local users who match an LDAP user after you enable it, are just updated, and kept with all their configurations.
  I checked the option to turn it back again into a local user, did a full sync, and it's again an active LDAP user.
  HTH
  java
  if this helps, please rate
  www.cisco.com/go/pdihelpdesk

• ISE and LDAP Integration

  Hello,
  I have a question about the LDAP integration with the ISE:
  Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
  What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
  Even I tried to change the base DN and the search DN but without luck.
  The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
  Is there any missing information/tips required in such integration?

  Hello,
  I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
  This section contains the following:
  •Directory  Service
  •Multiple  LDAP Instances
  •Failover
  •LDAP  Connection Management
  •User  Authentication
  •Authentication  Using LDAP
  •Binding  Errors
  •User  Lookup
  •MAC  Address Lookup
  •Group  Membership Information Retrieval
  •Attributes  Retrieval
  •Certificate  Retrieval
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

• Some questions about the integration between BIEE and EBS

  Hi, dear,
  I'm a new bie of BIEE. In these days, have a look about BIEE architecture and the BIEE components. In the next project, there are some work about BIEE development based on EBS application. I have some questions about the integration :
  1) generally, is the BIEE database and application server decentralized with EBS database and application? Both BIEE 10g and 11g version can be integrated with EBS R12?
  2) In BIEE administrator tool, the first step is to create physical tables. if the source appliation is EBS, is it still needed to create the physical tables?
  3) if the physical tables creation is needed, how to complete the data transfer from the EBS source tables to BIEE physical tables? which ETL tool is prefer for most developers? warehouse builder or Oracle Data Integration?
  4) During data transfer phase, if there are many many large volume data needs to transfer, how to keep the completeness? for example, it needs to transfer 1 million rows from source database to BIEE physical tables, when 50%is completed, the users try to open the BIEE report, can they see the new 50% data on the reports? is there some transaction control in ETL phase?
  could anyone give some guide for me? I'm very appreciated if you can also give any other information.
  Thanks in advance.

  1) generally, is the BIEE database and application server decentralized with EBS database and application? Both BIEE 10g and 11g version can be integrated with EBS R12?You, shud consider OBI Application here which uses OBIEE as a reporting tool with different pre-built modules. Both 10g & 11g comes with different versions of BI apps which supports sources like Siebel CRM, EBS, Peoplesoft, JD Edwards etc..
  2) In BIEE administrator tool, the first step is to create physical tables. if the source appliation is EBS, is it still needed to create the physical tables?Its independent of any soure. This is OBIEE modeling to create RPD with all the layers. If you build it from scratch then you will require to create all the layers else if BI Apps is used then you will get pre-built RPD along with other pre-built components.
  3) if the physical tables creation is needed, how to complete the data transfer from the EBS source tables to BIEE physical tables? which ETL tool is prefer for most developers? warehouse builder or Oracle Data Integration?BI apps comes with pre-built ETL mapping to use with the tools majorly with Informatica. Only BI Apps 7.9.5.2 comes with ODI but oracle has plans to have only ODI for any further releases.
  4) During data transfer phase, if there are many many large volume data needs to transfer, how to keep the completeness? for example, it needs to transfer 1 million rows from source database to BIEE physical tables, when 50%is completed, the users try to open the BIEE report, can they see the new 50% data on the reports? is there some transaction control in ETL phase?User will still see old data because its good to turn on Cache and purge it after every load.
  Refer..http://www.oracle.com/us/solutions/ent-performance-bi/bi-applications-066544.html
  and many more docs on google
  Hope this helps

• Enterprise Portal - MDM - LDAP integration

  We are succesfully able to integrate Portal to MDM with a trusted connection and with portal users existing in LDAP and mdm users existing in MDM console.
  We also successfully integrated MDM with LDAP so that we dont have to store users in console, but manage them in LDAP. But once we did the LDAP integration, portal to MDM connection was lost saying mdm user details could not be retrieved.
  Has anybody faced this issue? what key steps to taken care during MDM-LDAP integration.

  Hi goerge,
  When ever we integrate MDM with LDAP, we need to make a setting in MDS.ini file.
  Please check the "User Identifier" setting in MDS.ini file.
  Typically this should be The name of the LDAP id field which will match the value the user provides as the Username at logon.
  Make the entry in MDS.ini like User Identifier = cn or SamAccountName.
  If that is done, please verify other parameters corresponding to LDAP in MDS.ini as per the table 91 in Page no 291 in MDM Console referece guide.
  Or refer to the SAP note 1635338 for reference which is pointing to same issue.
  This should solve your problem.
  Regards,
  Sravan

• MDM LDAP Integration

  Hi,
  We have integrated MDM with LDAP, by creating LDAP Roles & mapping them with MDM Roles. We are having log entries for Admin user for all repositories after every 10 milli-seconds. Any idea why these entries, how to stop this?
  2010-03-03T22:56:22.978,1096    ,23,"Log-on failure: LDAP Error, userName = Admin  User not found",MDSPublicServer@AuthorizeSessionForRepository,CatMgrDatabase.cpp,1866,,,1155,Admin,REPO 1<dbserver\DEV [SQL_Server]>,,,
  2010-03-03T22:56:22.994,1096    ,14,"GetUserInfo: Unspecified Exit Point",Horizontal@LDAP,<file not specified>,,GetUserInfo,,1155,Admin,REPO1 <dbserver\DEV [SQL_Server]>,End,,
  Thanks,
  Ketan

  Ketan,
  Please refer this document for MDM LDAP Integration Process Step by Step,
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true
  Also refer SAP Notes, Note 1279785 - LDAP users connect to MDM with Fallback setting
                                      Note 1096642 - Check-in/out does not work with LDAP user authentication
  Hope it helps...
  Thanks and Regards,
  Mandeep Saini

• CM 7.1 LDAP integration not updating

  I have an LDAP integration that worked at 1 time to import all the users but now when I make a change to a user in AD, it never gets to CM.  The sync process seems to just sit there and the only option is to "Cancel Sync".  I can update the LDAP fields without error so the user/pass and search space all appear t obe correct.  I have looked for issues online but cant find anything to matches this issue, they are usually a search base issue.

  I'm facing the same problem.
  I have set up a lab for  LDAP integration and after setting up for the first time worked but one  user that exists on CUCM and do not exists on AD was flaged as active i  decided to remake ldap settings after that nothing works anymore, it  sayd that users are active even if they do not exist on AD.
  If i add a new ldap directory does not sync and users are not added.
  Any idea?
  already restarted server...no joy

• Default ldap Admin user

  Hi,
  We are using ldap for creating oracle retail store inventory management users and creating store as well.
  I need to know that where can i find ldap admin user and what is the default ldap admin user after installing ldap ?
  Thanks
  Edited by: user11969485 on Jun 28, 2011 3:23 AM

  Hello,
  You can look at the list of forums at:
  http://forums.oracle.com/forums/main.jspa?categoryID=84
  (the link is at the top left of this forum as well)
  and locate the one that looks like the best fit for your question.
  Thank you,
  Sandra

• CUBAC Enable external LDAP integration

  Hi,
  I've client where Attendant is seeing the User's Home Phone number. Customer's requirement is to show the Mobile and IP Phone extension.
  To me it seems they aren't synchronizing with CUCM but directly with Microsoft AD. Enable external LDAP integration is checked and greyed out.
  Is my doubt correct, the client is pulling the Phone information from AD directly?
  How can I uncheck the External LDAP Integration checkbox, do I need to rerun the setup or LDAPServer.exe to do it? Would there be any loss of configuration?
  If Customer wants to continue pulling the info from MS AD directly, can I add some kind of filters in CUBAC not to pick up Home phone field but Mobile Phone and IP Phone extension if those fields are populated?
  CUBAC version is 3.1.8
  Thanks,
  inner_silence

  Hi Madhav,
  See inline COMMENTS (below)
  Bala
  "madhav" <[email protected]> wrote:
  >
  Hi,
  Context:
  I'm using SunOne Directory server as the External LDAP server for my
  application.
  Q1 ) My understanding is that the default providers provided by Weblogic
  communicate
  ONLY with the embedded LDAP server. Is this understanding correct? That
  means
  if I'm integrating with the external LDAP server, I need to have custom
  implementation
  for ALL the providers ( i.e Authentication Provider, Authorization provider,
  IDentity
  Assertion Provider, RoleMapper , Credential Mapper etc). COMMENTS :
  Your understading is correct. (for Authentication, Autherization, RoleMapper,
  CredentialMapper). But you dont need to create custom implementation for all providers.
  You can plug and play OR stack providers in the default realm (myrealm). Or you
  can create your own realm and still can add the weblogic OOTB providers, wherever
  you dont want to implement custom providers. OOTB BEA provides an Authentication
  provider which can integrate with 3rd party Directory Servers (see http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
  for more info). But if you wish to perform other services like Authorization,
  CredentialMapping, RoleMapping with external LDAP providers, then YES you have
  to write custom providers.
  >
  Q2) Or is there a way I can configure the weblogic to communicate with
  an External
  LDAP server so that I can use the default providers i.e when I invoke
  request.isUserInRole(....),
  the look up should be on the external LDAP NOT the internal LDAP.COMMENTS :
  No the default providers are written to look up the Embeded LDAP. But writing
  a provider is well documented (see http://e-docs.bea.com/wls/docs81/dvspisec/index.html
  more info)
  >
  Regards,
  Madhav

• LDAP integration - "LDAP Import adapter warning: No LDAP entry was defined"

  Hi,
  I am trying to integrate ETPM with LDAP (Microsoft AD). I have successfully connected Weblogic and can see the AD users there; I followed the instructions in the "Oracle Utilities Application Framework Administartion User's Guide" on how to integrate with LDAP:
  1) I defined the JNDI server
  2) I created a mapping file as described
  3) registered the file within XAIParameterInfo.xml and MPLParamaterInfo
  WHen i try to import users via the LDAP Import menu the reponse is empty, in the logs I see the following message: "LDAP Import adapter warning: No LDAP entry was defined". Does anybody have had similar issues and maybe a solution to this issue?
  My versions:
  Customer Release V4.1.0 000 000
  Oracle Enterprise Taxation Management V2.3.1.1.0 001 001
  Oracle Utilities Application Framework V4.1.0.1.0 001 000
  My assumption is there is something wrong with the config, as all other connection (including the one from Weblogic) are successful.
  I appreciate any feedback on this.
  Best regards,
  Sebastian

  Would have liked to post an update in my other post, but that one is locked. I found so many problems with the LDAP integration but eventually managed. If anyone runs into similar issues, here is what you need to check:
  1) AD admin user password - is limited to 8 characters (nowhere mentioned in the docs!!!)
  2) Be careful using cases; do NOT rely on the documentation, it is wrong! here is a sample ldapdef.xml (I highlighted the changes you need to make in comparison to the documentation):
  <LDAPEntries>
  <LDAPEntry name="User" baseDN="CN=Users,DC=yourdomain,DC=com" cdxEntity="User" searchFilter="(&amp;(objectClass=user)(name=%searchParm%))">
  <LDAPCDXAttrMappings>
  <LDAPCDXAttrMapping ldapAttr="name" cdxName="*user*" />
  <LDAPCDXAttrMapping cdxName="LanguageCode" default="ENG" />
  <LDAPCDXAttrMapping cdxName="FirstName" default="fn1" />
  <LDAPCDXAttrMapping cdxName="LastName" default="fn2" />
  <LDAPCDXAttrMapping cdxName="DisplayProfileCode" default="NORTHAM" />
  <LDAPCDXAttrMapping cdxName="ToDoEntries" default="1" />
  <LDAPCDXAttrMapping cdxName="TD_ENTRY_AGE_DAYS2" default="12" />
  </LDAPCDXAttrMappings>
  <LDAPEntryLinks>
  <LDAPEntryLink linkedToLDAPEntity="Group" linkingLDAPAttr="memberOf" />
  </LDAPEntryLinks>
  </LDAPEntry>
  <LDAPEntry name="Group" baseDN="OU=Groups,OU=yourgroup,DC=yourdomain,DC=com" cdxEntity="*Group*" searchFilter="(&amp;(objectClass=group)(name=%searchParm%))">
  <LDAPCDXAttrMappings>
  <LDAPCDXAttrMapping ldapAttr="name" cdxName="*group*" />
  <LDAPCDXAttrMapping ldapAttr="description" cdxName="Description" default="Unknown" />
  </LDAPCDXAttrMappings>
  <LDAPEntryLinks>
  <LDAPEntryLink linkedToLDAPEntity="User" linkingSearchFilter="(&amp;(objectClass=user)(memberOf=%distinguishedName%))" linkingSearchScope="onelevel" />
  </LDAPEntryLinks>
  </LDAPEntry>
  </LDAPEntries>
  Oracle OUAF, update your documentation, please.
  Regards,
  Seb

• How to remove an Inactive LDAP Synchronized User

  Hello.
  I searched the documentation and I have not found a way to remove imported users by LDAP that are no longer part of the data base. The users still in the list after some months as "Inactive LDAP Synchronized User" and the manual remove don´t work.
  The error messenge of CM 10.5 is:
  "Error occurred. One or more record did not get deleted. TypeDbErrors.ENDUSER_MODIFICATION_FAILED_SYNC_ENABLED"
  Could someone help?

  Hello,
  Try to convert this user to local and delete.
  User information synchronized from the LDAP directory can be converted to local user information so that the user information then can be edited locally on Unified CM. 
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html
  Regards
  Leonardo Santana