47 Ronins … actually 2 MVPs … again

Ronin …

… was a samurai with no lord or master during the feudal period (1185–1868) of Japan. A samurai became masterless from the death or fall of his master, or after the loss of his master’s favor or privilege.

Actually there ar 47 Ronin right now entering cinema … to be honest I have not seen this movie yet so I don’t know if it is any good.

Ronin was a lonely samurai without a master, at least in movies often depict as good man fighting for a cause and doing good … often not understood by its society.


Most Valuable Professional, MVP is exceptional award which Microsoft awards some individuals who commit their time to master their skills (like samurai) and  share it in one way or another with community. One more similarity to ronins (if any) is that MVPs are doing a lot of good job for community in which they work and often are well recognized for that.

At Predica we don’t have any ronins – few good people has left us but we think about them still as members of our team (a bit extended) and we are not thinking about ourselves as masters (except our areas of expertise).

At Predica we are proud to have as members of our team two individuals and experts, who besides of supporting our customers and our team as part of their daily duties are committing their time and expertise to support and share with communities. And for that, in January 2014 Microsoft has awarded two of our experts with  Most Valuable Professional, MVP award.


Dariusz Porowski … who is our cloud infrastructure architect and house expert for all kind of and management solution, was proudly awarded for 4’th year in a row with MVP award in Hyper-V area.

Tomek Onyszko, who constantly evangelizes customers and Predica team and about importance of identity in our modern ward was awarded for 3’rd time with MVP awarded in Enterprise Security area (which is his 6’th award – in the past, before joining Microsfot ranks, he used to be  MVP for Directory Services).

Congrats to both of them and keep doing good work!!!

Great start into 2014 for our Predica team, and even if we can’t get MVP award as a team in general we will still keep working hard and contribute to community where it is possible. Here on the blog, on Technet Forums and other places … look out for us and stay tuned here on the blog.

Cisco Unified Communications Manager Management Agent

One of our core competency in identity and access management space is implementation of solutions based on Forefront Identity Manager platform. In the course of implementing several of such projects we have developed products and IP assets. Parts of these assets we are offering either as community asset (check our GitHub profile) or products available from Predica.

(cc) Narisa

Judging by number of inquiries we are getting through our web page one of most popular element from our offering is Cisco Unified Communication Manager management agent. Our development lead – Maciej, took some time to provide a bit of insight on this MA. Enjoy …

As you have, or have not, already noticed Predica provides an interface to integrate Cisco Unified Communications Manager with FIM. This interface is of course dedicated Management Agent that can “talk” to CUCM AXL web services providing FIM with native connectivity interface to CUCM. Number of questions we get on the topic might be related to the fact that at this moment Predica is the only company offering such solution (see Google search result ). To help to understand our offering to those who looks for it we’ve decided to share our product in a greater depth on this blog.

CUCM instance data

This post is intended to be a small demo of our MA’s capabilities. Let’s start by introducing the data that will be used. First, let’s have a look at the users defined in our CUCM instance:

As you can see, we only have 3 users in the system (of course CUCM will usually have many more of them, probably several dozens thousand users, but this will suffice for our purposes).

Users in CUCM can be “connected” to phone numbers, which in most cases is what we are interesting to get from, in many ways. We support all of them (more on this later), but this scenario assumes that “phone lines” are associated with users by “Device profiles”. Here is a device profile associated with users “GCH060”:

It has two lines (“phone numbers”): 11 and 12.

Our MA is able to handle three types of CUCM objects for now: Users (called “End users” in CUCM), Phones (called “Devices” in CUCM) and Hunt Lists. Let’s see how it works in practice.

Creating Predica CUCM MA

First we need to create a new MA using FIM Synchronization Service Manager.

After starting “Create Management Agent” wizard I selected “Extensible Connectivity 2.0” as MA type. I also gave it a descriptive name so that later I know what I am using.

Note: This MA supports both ways to operate in FIM – ECMA 1.0 and ECMA 2.0. This demo uses 2.0 version, because 1.0 will become obsolete in the future.

Next I selected our dll that contains the MA: “Predica.FimExtensions.CCM.dll”. Naturally, I needed to copy it first to FIM extensions directory: “C:Program FilesMicrosoft Forefront Identity Manager2010Synchronization ServiceExtensions”. After selecting the dll I needed to press “Refresh interfaces” – it allows the tool to scan our assembly and verify that it in fact contains a correct MA definition:

Next screens contain configuration entries for our MA. I left all of them blank.

We provide two ways of configuring the agent. One way is to fill all the fields in Sync Manager. Another way is through a configuration file. I choose to follow this approach because it’s easier to change an XML file than to click through UI of Sync Manager. More on configuration file – later in this post.

In “Select Object Types” screen I choose to handle only User object type. It is easier to operate on a single type when presenting a simple demonstration.

I choose to use all user’s attributes.

Configuring a user Anchor is necessary – I use “ID” attribute which contains a GUID generated by CUCM.

We do not want CUCM to create new users in Metaverse, we only want to join users that are already present. So we configure a single Join rule and no Projection rules. UserId attribute needs to be equal to accountName in Metaverse in order to map CUCM users to users already handled by FIM.

For the purposes of this demo we will only define two Export attribute flows. First and Last Names, when modified through FIM portal, will be sent to CUCM, just to show that exporting data from FIM to CUCM is also supported:

And it’s done – our CUCM MA is almost ready to communicate with Cisco Call Manager.

MA configuration

As I mentioned before, we support two ways of configuring our MA. You can either fill in the fields in Sync Manager or create a simple XML file. You can also split the configuration using both approaches – values from Sync Manager always take precedence over the ones defined in config file.

To use configuration file, you first need to modify the sync engine config: “C:Program FilesMicrosoft Forefront Identity Manager2010Synchronization Servicedllhost.exe.config”.

Open it and add this entry in “configSections” section:

[sourcecode language=”xml”]
<section name="ccmSettings" type="System.Configuration.AppSettingsSection, System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartonexternalchanges="false" requirepermission="false"></section>

Then, add this entry just below “configSections” section:

[sourcecode language=”xml”]
<ccmSettings configSource="ccm_settings.config" />

These modifications tell the environment that it should look for CUCM-specific configuration entries in a file called “ccm_settings.config”. Go ahead and create it, next to the dllhost.exe.config. Here is the simplest configuration file content that is used in this demo:

[sourcecode language=”xml”]
<?xml version="1.0" encoding="utf-8" ?>
<add key="CCM.url" value=""/>
<add key="CCM.username" value="admin"/>
<add key="CCM.password" value="password"/>
<add key="CCM.soapActionHeader" value="CUCM:DB ver=7.0"/>

<add key="CCM.queries.users" value="u.pkid, u.userid, u.firstname, u.lastname, d.pkid phoneid, n.dnorpattern phonenumber from enduser as u left outer join enduserdevicemap as eudm on eudm.fkenduser=u.pkid left outer join device as d on d.pkid = eudm.fkdevice left outer join devicenumplanmap as dmap on dmap.fkdevice=d.pkid left outer join numplan as n on dmap.fknumplan = n.pkid where u.status == 1 and (eudm.defaultprofile is null or eudm.defaultprofile == ‘t’)" />

As out can see, it contains information “how to connect to CUCM” and a query that is used to fetch users from CUCM, along with their phone numbers. Remember how I stated that we support all ways of associating users with phones in CUCM? Well, here it is. It is all just a matter of a correct query sent to CUCM web services. Nothing is hard-coded, you have full control over the communication process and data sent to and from CUCM.

Testing our configuration

Now after initial setup let’s test our MA in simple import operation. Let’s configure Full import staging operation and pull users from our sample CUCM instance. As you can see below we have pulled three user’s objects from CUCM:

Among others we can see our test user GCH060 with some additional details:

In user details we can see multivalue attribute PhoneNumber, which provides information about line extensions assigned to user in Call Manager.

In similar manner we can pull and expose other information from CUCM as our agent is building connector space attributes based on the output from queries used to pull the data so it is not fixed in anyway in code base.

Also agent can retrieve references between objects and present it as reference attribute. This enabled scenarios where agent can present information about devices assigned to a user with device details and reference attribute which points to the user, or hunt list (line groups) information with list of users, who are members of these groups (actually who’s lines are assigned to these groups).

Through this agent we can also provision new users to CUCM and synchronize passwords and PINs to this target system. But this will be presented in second part of our CUCM description as this post has already become a bit longer than expected. Hopefully with benefit to all who may be interested in that kind of solution.

For further details on our CUCM MA and also on our experience of migration v1 Extensible MA to ECAMv2 … stay tuned to our blog.

Predica = MVP^2

Few times a year (every three months actually), based on some feedback from community and its own evaluation process Microsoft is awarding selected individuals with special award – Most Valuable Professional, MVP.

MVP is special kind of award which Microsoft grants for people who has contributed their time and knowledge in order to help others in technical community.  This contribution might have different forms like contribution code for community, answering topics on forums, speaking engagements or authoring a blog.

At Predica we are lucky that we have a great team of great people, and this January Microsoft has decided to award two of them with MVP award for 2013. And winners are …

… Our dedicated dev lead and in-house open source manager Maciek Aniserowicz was awarded for 6’th year in a row with MVP award in Visual C# area.

Tomek Onyszko, who still evangelizes Predica team and customers on identity was awarded for 2’nd time with MVP awarded in Enterprise Security area (before he joined Microsoft he used to be MVP for Directory Services).

Congrats to both of them and keep doing good work!!!

As Predica team we will not get MVP award but anyway we will keep providing our value for community here on the blog and through our contribution of code and technical expertise on-line. Hopefully you will have a chance also to meet us on speaking on some conferences. Looking forward for interesting 2013 and beyond.