Please see our Using Azure AD DS with CES Guide for creating a Secure LDAP instance in Azure and querying from CES.
Effective October 1, 2020, the LDAP connector service is no longer available for CES customers. In order to use LDAP querying functionality on AsyncOS 13.0 and higher, Azure Active Directory Domain Services needs to be enabled.
The LDAP connector was a service available for CES customers that enables them to leverage Microsoft Graph REST APIs to access data in Azure Active Directory and Office 365 services and effectively manage their user identities and groups.
The interfaces used to interact with Microsoft were inefficient and causing issues for the LDAP connector.
Microsoft also introduced a standard LDAP service within the Azure AD, Azure AD Domain Service. This service caters to the requirements of CES users that were being provided by the LDAP connector.
Thus, LDAP connector service is being discontinued for all users to maintain uniformity, reduce inefficiencies, and improve overall manageability.
Azure AD is supported starting with AsyncOS 13.0 and newer.
Post upgrade to AsyncOS 13.0, User and Group sync will be performed for customers who are already using LDAP connector service, and this will be supported till the LDAP Connector service was discontinued on October 1, 2020.
Azure AD Domain Services provides scalable, managed domain services like LDAP, group policy, and integrated authentication.
Yes, Azure AD Domain Services will incur extra charges. It is charged per hour, based on the total number of objects in the AD Domain Services managed domain, including users and groups.
We will shortly be sending out communication regarding the timelines for LDAP migration.(This has been completed.)
- Currently, Azure AD Domain Services do not synchronize proxy addresses. Microsoft is currently working on providing this functionality, and this functionality will soon be available on Azure AD. Please consult with Microsoft Support regarding this functionality.
If you have any urgent questions about this or the possible impact, please contact Cisco TAC.
These are the possible alternative solutions and you can use the one that suits your environment the best:
- LDAPS: Using secure LDAP services over the internet on CES devices
- CES VPN: Creating a direct S2S VPN to the cisco CES infrastructure: https://docs.ces.cisco.com/docs/site-to-site-vpn
- Azure AD DS: Migrating from the Azure-to-LDAP Connector to Azure AD domain services: https://docs.ces.cisco.com/docs/using-azure-ad-ds-with-ces
- Anything else? Please contact Cisco TAC and provide any questions you may have.
Updated over 1 year ago