Configuring a CISCO SPA phone to use Active Directory as a phonebook

Submitted on February 11, 2010 – 4:49 pm

Cisco SPA phones can look up phone numbers and contacts in Active Directory/LDAP. To enable this, a template needs to be created and the Cisco phones re-provisioned with it, so that they can access Active Directory and read AD user information from there.

Step 1: Locating the Cisco template in the 3CX Management Console

Access the 3CX Management Console and click on the node Settings / Provisioning Templates. Click on the drop-down Template Type and select Phones. Select Cisco SPA from the Template Name dropdown and click the Edit button.

Step 2:  Copy and Paste the required LDAP parameters in the Cisco template

Find the section tag called <flat-profile> in the Cisco template and paste the following:

<!--########################################################-->
<!--### LDAP CISCO ###-->
<!--########################################################-->
<Domain group="System/Optional_Network_Configuration">Domain.TLD</Domain>
<Primary_DNS group="System/Optional_Network_Configuration">DNS Server for internal Domain</Primary_DNS>
<LDAP_Dir_Enable group="Phone/LDAP_Corporate_Directory_Search">Yes</LDAP_Dir_Enable>
<LDAP_Corp_Dir_Name group="Phone/LDAP_Corporate_Directory_Search">Corp-Directory</LDAP_Corp_Dir_Name>
<LDAP_Server group="Phone/LDAP_Corporate_Directory_Search"> FQN of Domain Controller with Global Catalog </LDAP_Server>
<LDAP_Auth_Method group="Phone/LDAP_Corporate_Directory_Search">DIGEST-MD5</LDAP_Auth_Method>
<LDAP_Client_DN group="Phone/LDAP_Corporate_Directory_Search">DC=Domain,DC=TOPLevel</LDAP_Client_DN>
<LDAP_Username group="Phone/LDAP_Corporate_Directory_Search">User</LDAP_Username>
<LDAP_Password group="Phone/LDAP_Corporate_Directory_Search">Password</LDAP_Password>
<LDAP_Search_Base group="Phone/LDAP_Corporate_Directory_Search"> Ldap Base to search for Users and Contacts </LDAP_Search_Base>
<LDAP_Last_Name_Filter group="Phone/LDAP_Corporate_Directory_Search">sn:(sn=*$VALUE*)</LDAP_Last_Name_Filter>
<LDAP_First_Name_Filter group="Phone/LDAP_Corporate_Directory_Search">cn:(cn=*$VALUE*)</LDAP_First_Name_Filter>
<LDAP_Search_Item_3 group="Phone/LDAP_Corporate_Directory_Search"/>
<LDAP_Item_3_Filter group="Phone/LDAP_Corporate_Directory_Search"/>
<LDAP_Search_Item_4 group="Phone/LDAP_Corporate_Directory_Search"/>
<LDAP_item_4_Filter group="Phone/LDAP_Corporate_Directory_Search"/>
<LDAP_Display_Attrs group="Phone/LDAP_Corporate_Directory_Search">a=cn;a=sn;a=telephoneNumber,n=Phone,t=p;</LDAP_Display_Attrs>
<LDAP_Number_Mapping group="Phone/LDAP_Corporate_Directory_Search"/>

Step 3: Modifying the template according to your domain settings

Replace the variables according to the values in your environment. Not all variables need to be changed. The ones that require modification are mentioned and explained below. The others can remain default.

a) Domain Group – Replace the variable Domain.TLD (Domain.TopLevelDomain) with your domain. To find it, open a command prompt window and type the following: ipconfig /all

Figure 1: In this example, the domain is “Stefan.local”

b) Primary DNS Group – Replace the variable “DNS Server for internal domain” with the primary DNS server. To find it, type ipconfig /all and scroll to the DNS Servers entry.

c) LDAP_Server group – The LDAP server group is the FQDN of the Active Directory Server. Example: dc08.stefan.local where dc08 is the host name and stefan.local is the domain name. Replace “FQDN of Domain Controller with Global Catalog” with dc08.stefan.local

d) LDAP_Client_DN Group – Replace the variables “DC=Domain, DC=TOPLevel” with the domain and the top level domain. For example, if the domain is Stefan.local, you need to put DC=Stefan, DC=local

e) LDAP Username Group – Replace “User” with an Active Directory user. This user must have the appropriate permissions to read Active Directory values. Note: You should not use a Domain Administrator username, because the user name and password are written into the provisioning template. Create a dedicated user, for example CiscoLdap, and use it as the user name.

f) LDAP Password Group – Replace “Password” with the password of the CiscoLdap user account.

g) LDAP Search Base Group – This is the Base in AD where searches will be made.
Pre-requisite: For LDAP Search Base group you need a Microsoft tool called ADSI. In Windows Server 2008, ADSI is located in the Administrative Tools section. In Windows Server 2003, “Support Tools” need to be downloaded from Microsoft and installed.
Note: There are many versions of this tool and you need to download the tool that fits your Operating system. Support tools for Server 2003, 32 bit Service Pack 2 can be downloaded from here for example. (Server 2003 R2 might require a different version of Support Tools).

Figure 2: This shows the value of the “distinguishedName” to be  OU=Domain-User,DC=stefan,DC=local.

  • Open ADSI and select the Organization Unit of your choice.
  • Open Properties and click on Domain User Properties
  • Double click on “distinguishedName” and take note of this value. (See Figure 2)
  • Replace the variable “Ldap Base to search for users and contacts” with the value of the attribute “distinguishedName” you previously took note of.

At this stage, the template should look like Figure 3 below where the variables described above are replaced with the information of your environment.

Figure 3: Snapshot of what the LDAP section will look like in the template.
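
A pre-provisioning check for the values edited in Step 3, as an added example (not part of the original guide or of 3CX's own tooling): it parses the LDAP block, flags placeholders that were left unreplaced, checks that LDAP_Client_DN, LDAP_Search_Base and LDAP_Server agree with the Domain value, and rejects an administrator bind account. The function names, the list of administrator names and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Placeholder texts from the Step 2 template that must not survive Step 3
# (the server placeholder appears as both "FQN ..." and "FQDN ..." in the guide).
PLACEHOLDERS = {
    "Domain.TLD", "DNS Server for internal Domain", "User", "Password",
    "FQN of Domain Controller with Global Catalog",
    "FQDN of Domain Controller with Global Catalog", "DC=Domain,DC=TOPLevel",
    "Ldap Base to search for Users and Contacts",
}
# Assumption: bind-account names treated as administrative; extend for your AD.
ADMIN_NAMES = {"administrator", "admin"}

def domain_to_dn(domain):
    """Stefan.local -> DC=Stefan,DC=local (step d of the guide)."""
    return ",".join("DC=" + label for label in domain.split("."))

def norm_dn(dn):
    # Simplified DN normalisation: ignores escaped commas inside values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint_ldap_block(fragment):
    """Return a list of problems found in the LDAP part of a template."""
    root = ET.fromstring("<flat-profile>" + fragment + "</flat-profile>")
    val = {el.tag: (el.text or "").strip() for el in root}
    problems = [tag + ": placeholder not replaced"
                for tag, text in val.items() if text in PLACEHOLDERS]
    domain = val.get("Domain", "").lower()
    base = norm_dn(domain_to_dn(domain))
    if norm_dn(val.get("LDAP_Client_DN", "")) != base:
        problems.append("LDAP_Client_DN: does not match Domain")
    search = norm_dn(val.get("LDAP_Search_Base", ""))
    if search != base and not search.endswith("," + base):
        problems.append("LDAP_Search_Base: not inside the domain")
    if not val.get("LDAP_Server", "").lower().endswith("." + domain):
        problems.append("LDAP_Server: not an FQDN in Domain")
    if val.get("LDAP_Username", "").lower() in ADMIN_NAMES:
        problems.append("LDAP_Username: use a dedicated read-only account")
    return problems

# Constructed sample using the guide's example domain; the password is a dummy.
SAMPLE = """
<Domain group="System/Optional_Network_Configuration">stefan.local</Domain>
<LDAP_Server group="Phone/LDAP_Corporate_Directory_Search">dc08.stefan.local</LDAP_Server>
<LDAP_Client_DN group="Phone/LDAP_Corporate_Directory_Search">DC=stefan,DC=local</LDAP_Client_DN>
<LDAP_Username group="Phone/LDAP_Corporate_Directory_Search">CiscoLdap</LDAP_Username>
<LDAP_Password group="Phone/LDAP_Corporate_Directory_Search">example-only</LDAP_Password>
<LDAP_Search_Base group="Phone/LDAP_Corporate_Directory_Search">OU=Domain-User,DC=stefan,DC=local</LDAP_Search_Base>
"""

if __name__ == "__main__":
    print(lint_ldap_block(SAMPLE) or "LDAP block looks consistent")
```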

Step 4: Create the New Cisco Phone template for LDAP.

Under the “model” tag delete all the models you see and add the following: <model>Cisco SPA LDAP</model>

Figure 4a: Model Section in Cisco Template – This is how the model section should look for this template.

Click on Apply to save these changes. You will be prompted to save the file. Important: Do not overwrite the current template file. Type in a new template name and file name to ensure that you keep the original 3CX templates as they were shipped with the standard 3CX Phone System installation.

Figure 4b: In this case the template was renamed to Cisco SIP Phone LDAP and the file was renamed to ciscoLDAP.ph

Step 5: Setting up the extension in the 3CX Management console for provisioning

Figure 5: The new template will be displayed in the Edit Extensions provisioning tab section in the 3CX Management Console

Log out of the 3CX Management Console and log in again. Click on Edit Extensions and click the Phone Provisioning tab. Enter the MAC address and click on the Model dropdown list. You will see the new Cisco SPA LDAP option available. Select this and click OK. This action will automatically generate a new provisioning file.

Step 6: Forcing the Cisco Phone to re-provision

Open a browser and paste one of the following links, depending on which web server 3CX Phone System is set up with.
IIS Web Server – http://PHONEIP/admin/resync?http://3cxPBXIP/management/provisioning/$MA.xml
Ultidev Cassini – http://PHONEIP/admin/resync?http://3cxPBXIP:5481/provisioning/$MA.xml
(Replace PHONEIP with the IP address of the Cisco phone and 3cxPBXIP with the IP address of the 3CX Phone System.)

This will force the Cisco phone to re-provision immediately, and upon boot up the phone will have all the Active Directory parameters it needs to search the Global Address Book.

A Cisco LDAP template is available for download from here

Extra LDAP Information:
If you have other phone number information configured in Active Directory for your users, for example IP Phone or Mobile Number, you can change the LDAP_Display_Attrs group variable to make this number available for the phone to use.

Example 1: This will force the phone to dial the IP PHONE number from AD
a=cn;a=sn;a=ipPhone,n=Phone,t=p;

Example 2: This will force the phone to dial the MOBILE number from AD
a=cn;a=sn;a=mobile,n=Phone,t=p;

Note 1: This guide has been tested with firmware version 7.3.7. Be aware that different firmware revisions may have different web interface formats, functionality or might not even have this feature.
Note 2: This document does not apply to the Cisco SPA 525G.
