Open micictdi

IBM Collaboration Solutions

01 December 2015

Open Mic: Integrate IBM Connections Profiles with Tivoli Directory Integrator

2 © 2015 IBM Corporation

Open Mic Team

• Kok Yen Feng – IBM ESS Support Manager• Facilitator for Open Mics

• Hansraj Mali - IBM ESS Technical Expert

• Jayavel Rajendran - IBM ESS Technical Expert

• Ranjit Rai - IBM ESS Technical Expert

• Teck Soon - IBM ESS Support Engineer• Presenter

• Boon Teck - IBM ESS Support Engineer• Presenter

• Xiao Zhong - IBM ESS Support Engineer• Presenter

© 2015 IBM Corporation3

IBM Presentation Template Full Version

Agenda

TDI - overviewAssemblyLines and ConnectorsTDI config editorSimple exampleFiles involved populating Profiles with TDIPopulating the Profiles databaseUse sync_all_dns taskExternal CollaborationTroubleshooting Tivoli Directory IntegrationOpen Q&A


Agenda

1. Part 1

TDI - overviewAssemblyLines and ConnectorsTDI config editorSimple example

2. Part 2

Files involved populating Profiles with TDIPopulating the Profiles databaseUse sync_all_dns taskExternal Collaboration

3. Part 3

Troubleshooting Tivoli Directory IntegrationOpen Q&A


IBM Tivoli Directory Integrator - overview

IBM Tivoli Directory Integrator is a tool for real time synchronization of repositories of data, with a special focus on identity data, including directories, databases, and operating system repositories.

It can aggregate data from a source to another target. It can transform the data


In Connections, TDI is used to aggregate data from a source (e.g. LDAP) to the Profiles DB.

Domino LDAPIBM SDSMS ADNovel eDirectoryOracle DSSun JSDS

DB2MS SQLOracle DB

LDAP Database



Connections 5.0 requires TDI 7.1.1, certified with fixpack 3. - http://www-01.ibm.com/support/docview.wss?uid=swg27010509To find the current fixpack level - <tdiHome>/bin/applyUpdates -queryreg

Info on part no:Windowshttp://www-01.ibm.com/support/docview.wss?uid=swg24025581Linuxhttp://www-01.ibm.com/support/docview.wss?uid=swg24032022


Requirements




AssemblyLines & Connectors

The main tool within Tivoli Directory Integrator is the AssemblyLine.

An AssemblyLine - processes data such as entries, records, items, and objects from an LDAP

directory, - transforms it, - and outputs it to the Profiles database. .

Frequently used assembly lines PopulateDBFromDNFile, sync_dns_from_file, collect_dns


AssemblyLines and Connectors - cont

Standalone assembly lines can be written using supplied TDI programming components called Connectors

Connectors are needed to build an AssemblyLine. – Connectors are designed to ease the working with various data stores, systems,

services, or transports. – Each type of connector uses a specific protocol or API to handle the details of data

source access. – IBM Connections provide customer with various default Connectors

Attribute mapping– Attribute Maps are the instructions on which attributes are brought into the

AssemblyLine during input, or included in output operations. – An AssemblyLine is designed and optimized for working with one item at a time,

such as one data record, one directory entry or one registry key.


Project - Collection of AssemblyLines and Resources Connectors -Pre built templates to connect to different systems - Many installed with TDI AssemblyLine are made up of - Feeds and Data Flows Workspace

\IBM\tdi\v7.1.1\ibmditk.bat – the batch file to launch the TDI Config editor

TDI Config EditorTerminology


From a windows OS perspectiveUsing TDI Config editor, to view the supplied assembly lines

TDI Config Editor


TDI Config EditorLaunch the installed TDI Config Editor (\ibm\TDI\V7.1.1)e.g, ->ibmditk –s c:\IBM\Connectrions\TDISOL\TDI


TDI Config EditorCreate a new project


TDI Config EditorUse the IBM Tivoli Directory Integrator project template


TDI Config EditorName the project


Specify the location of the profiles_tdi.xml and import - profiles_tdi.xml - config file consisting AssemblyLines, Connectors, Parsers, Script and etc

TDI Config Editor


TDI Config EditorAfter the successful import, the profiles would be populated.


TDI Config EditorExecuting a assembly line – collect_dns is the same as running batch file collect_dns.bat


TDI Config EditorResults – collect.dns


TDI Config EditorConnectors


The Photo ConnectorUsed to retrieve, create, update, and delete photo entries in the Photo table in the Profiles database

The Profile ConnectorUsed to retrieve, create, update, and reset profile entries in the employee, profile extension, and other employee tables in the Profiles dbIt's also used to change the user state and change whether a user profile is listed as a manager.

The mode setting of the ProfileConnector determines what role the connector carries out in the assembly line, here are the main modes;Iterator - Iteratively scans database entries, reads their attribute valuesLookup - Fetches records from Employee table in Profiles db based on search criteria.Update - Updates the profile records in the Employee table in the Profiles db. Delete - Deletes records in the Employee table in the Profiles db.AddOnly - Adds new records to the Employee table in the Profiles db.

TDI Config Editor


TDI Config EditorPhotoConnector


TDI Config EditorProfile Connector


Simple example You need to populate Connections profiles with pictures after populating the profile dbYou have a list of jpgs with the user uid name i.e. mlittle.jpg

To run the load_photos_from_files.bat, you need a collect_photos.in with the following data. If you have many records to populate this is rather tedious..


Simple example Remember the collect.dnsDuplicate this file (copy and paste) and named it as collect_dns_with_photos_outputAs this AssemblyLine will call another sub Assemblyline - collect_dns_flow.We will duplicate this file and named it collect_dns_flow_with_photo


Simple example In the newly created assembly, collect_dns_with_photo_outputClick on the Data Flow > Call_collectFlow and in the Connection Tab change the calling to our new created assembly line collect_dns_flow_with_photoi.e. collect_dns_with_photo_output → collect_dns_flow_with_photo


Simple example In the collect_dns_flow_with_photo,Add a Component → Connectors ->FileConnector with AddOnly mode


Simple example Click next and provide the filename to write to → collect_photos.inClick next and select Simple ParserClick Finish


Simple example In newly create FileConnector,

create photo attribute and assign it to “file:/c:/temp/photos/”+work.uid +”.jpg”


Simple example In newly create FileConnector,create another attribute uid and assigned to it work.uid


Simple example Save both the AssemblyLines file and we can click on the Run in consoleOn successful run, it will note that the FileConnector (which we added) also executed 6 times


Simple example Before populating the photos


Simple example With the generated photos.in, we can launch load_photos_from_file.bat


Simple example


Agenda

1. Part 1


2. Part 2


3. Part 3



Files involved populating Profiles with TDI● profiles_tdi.properties

Contain the property values relevant to the customer's configuration See the following Connections Wiki for a full explanation of all parameters.

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/r_pers_tdi_props.dita?lang=en

● collect_dns.bat● Use in the first step of the process to populate the Profiles database

● collect.dns● Create a file called collect.dns that contains the distinguished names from the LDAP

directory

● map_dbrepos_from_source.properties● Tell TDI how and what to map from enterprise directory to profile database● The mapping can consist of:

● LDAP Attribute: Specifies the LDAP attribute to assign to the database field● JavaScriptTM function: Specifies a JavaScript function whose return value

assigned to the database field. The function name profiles_functions.js





map_dbrepos_from_source.properties file

Files involved populating Profiles with TDI




sample EMPLOYEE table




● profiles_function.js● contains all the functions used in the map_dbrepos_from_source.properties file● Functions can be added if necessary

● profiles_tdi.xml● Configuration file containing connectors and assemblyline info

● populate_from_dn_file.bat● Populate the Profiles database from the source LDAP directory. ● This batch file reads the collect.dns data file created with the collect_dns batch

file● The batch file also updates existing employee records in the Profiles database


Using the Population Wizard to populate the Profiles db

1. Copy the Wizard CD to the hard drive where you installed TDI (C:\install\Wizards) and run the populationWizard.bat file

1.2. Click Next on the Profiles population wizard for Connections Welcome window 1.3. Set the Tivoli Directory Integrator install directory (C:\IBM\TDI\V7.0) 1.4. Select the Profiles db type used by Connections (IBM DB2 example) 1.5. Enter the details on how to connect to the database 1.6. Enter the details on how to connect to your LDAP directory 1.7. Specify bind user name & password to query all users & attributes from LDAP 1.8. Set the base entry for your LDAP directory & search filter to find all users 1.9. Check the mapping between the Profiles database and LDAP fields 1.10. Optional database tasks 1.11. Review the summary details info, & click Configure to populate the Profiles db 1.12. Once the population is complete, check for errors and click Finish.


Using the Population Wizard to populate the Profiles db 1. Copy the Wizard CD to the hard drive where you installed TDI

(C:\install\Wizards) and run the populationWizard.bat file



1.2. Click Next on the Profiles population wizard for Connections Welcome window



1.3. Set the Tivoli Directory Integrator install directory (C:\IBM\TDI\V7.0); click Next


Using the Population Wizard to populate the Profiles db 1.4. Select the Profiles database type used by Lotus Connections (IBM DB2® in

this example environment) and click Next


Using the Population Wizard to populate the Profiles db 1.5. Enter the details on how to connect to the database; click Next


Using the Population Wizard to populate the Profiles db 1.6. Enter the details on how to connect to your LDAP directory; click Next


Using the Population Wizard to populate the Profiles db.. 1.7. Specify the bind user name and password to query all users and

attributes from your LDAP directory; click Ne


Using the Population Wizard to populate the Profiles db. 1.8. Set the base entry for your LDAP directory and search filter to find all users;

click Next


Using the Population Wizard to populate the Profiles db. 1.9. Check the mapping between the Profiles database and LDAP fields. A full list

of LDAP attributes, available variables, and functions will be in the drop-down list for you to use for your mappings


Using the Population Wizard to populate the Profiles db 1.10. Optional database tasks.

– Five supplemental tables can be used during Profiles population:


Using the Population Wizard to populate the Profiles db.

● 1.10. Five supplemental table info● Countries.

● Value pair table that contains a country code / description pair.● Departments.

● Value pair table that contains a department code / description pair.● Organizations.

● Value pair table that contains an organization code / description pair.● Employee types.

● Value pair table that contains an employee type code / description pair.● Work locations.

● This is a multi value table containing a work location code / complete address mapping.


Using the Population Wizard to populate the Profiles db. 1.11. Review the summary details information, and click Configure to populate

the Profiles database


Using the Population Wizard to populate the Profiles db. 1.12. Once the population is complete, check for errors and click Finish


Running command files to manually populate Profiles1. Update the profiles_tdi.properties file in the TDISOL\TDI directory.

– The fields outlined in red must be adapted for your environment. Passwords will be encrypted after the first time this is run.

– profiles_tdi.properties


Running command files to manually populate Profiles

2. Update map_dbrepos_from_source.properties. – This file is used to map the LDAP attributes to the employee table in the

Profiles database.



3. Now populate the Profiles database. – By this time you must have the artifacts specified above copied to the

TDISOL\TDI directory. – Run these three commands to completely populate the database

• collect_dns.bat. Creates the collect.dns file with all the users in the LDAP.

• populate_from_dn_file.bat. Populates the main Profiles tables (EMPLOYEE, SURNAME,GIVEN_NAME).

• mark_managers. Marks all managers with a ‘Y’ so you will receive the People Managed link if the user is a manager.



4. Supplemental tables (optional):– fill_country. populates the COUNTRY table from the isocc.csv file– fill_department. populates the DEPARTMENT table from deptinfo.csv file– fill_emp_type. populates the EMP_TYPE table from the emptype.csv file– fill_organization. populates the ORGANIZATION table from the orginfo.csv

file– fill_workloc. Populates the WORKLOC table from the workloc.csv file


Use sync_all_dns task Use the sync_all_dns command to keep your profiles data synchronized with

changes to the LDAP directory. new, updated, deleted or inactivate employees Note: The property sync_delete_or_inactivate resides in the

profiles_tdi.properties file.

Troubleshooting Tip.– Temporary files are created during synchronization and stored in the directory

denoted by the sync_updates_working_directory=sync_updates property. – By default, the temporary files are deleted at the end of synchronization. – If you want to keep the files or need to troubleshoot problems, set

sync_updates_clean_temp_files=false to ensure that the temporary files are not deleted.


Use sync_all_dns task

Lists of the users for each of the operations are stored in the following files in the solution directory. You can examine these files when the synchronization process has completed.

These files are not considered temporary and are not removed at the end of the synchronization process.

employee.adds – These records were added to the database employee.delete – These records were deleted or inactivated in the database employee.error – There was an error processing these records employee.skip – These records were not changed in the database employee.updates – These records were updated in the database


External Collaboration

– External User Collaboration provides a means for customers to bring external users into their Connections environment.

– External users will see only content shared with them and only the people associated with that content

– People can immediately identify external users

– External users have a targeted experience of the content and people in the organization who invited them

– Administrators can see who is an external user, can control who can invite them in, and can manage those accounts

– External users may be created via TDI or the Admin API


External Collaboration A user is created with a designated mode and initial role

– internal → employee– external → visitor

By default, internal users cannot create content that is visible to external users.

To allow collaboration between internal users and external users, you must assign the EMPLOYEE_EXTENDED role to the internal users.

Only users with the EMPLOYEE_EXTENDED role can create content that can be shared with external users. However, the content can be shared by any internal user

– internal user: employee or employee.extended Roles for employee.extended must be set independently via wsadmin

commands



There are three ways to register a user. All methods set the value of mode to external to denote an external user.

Map a standard LDAP attribute for external users http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/t_admin_profiles_ldap_map.html?lang=en

Map a standard LDAP attribute using JavaScript http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/t_admin_profiles_function_map.html?lang=en

Use an LDAP branch to store external users http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/t_admin_profiles_ldap_branch.dita?lang=en




Agenda

1. Part 1


2. Part 2


3. Part 3



Troubleshooting Tivoli Directory Integration

● Location of Logibmdi.log is under Wizards\TDIPopulation\<platform>\TDI\logs

● Turn on Debug:Debug is turn on in two files: Wizards\TDIPopulation\<platform>\TDI\profiles_tdi.propertiesWizards\TDIPopulation\<platform>\TDI\etc\log4j.properties

In profiles_tdi.properties, setsource_ldap_debug=truetds_changelog_debug=truesync_updates_clean_temp_files= false



In the \TDI\win\etc\log4j.properties, setlog4j.rootCategory=DEBUG, Default

Please refer to http://www-01.ibm.com/support/docview.wss?uid=swg21610506 Please refer the Infocenter for more debug settings:http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/troubleshoot/ts_t_check_tdi.ditahttps://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/r_pers_tdi_props.dita

http://www-01.ibm.com/support/docview.wss?uid=swg21610506



http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/troubleshoot/ts_t_check_tdi.dita



https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/r_pers_tdi_props.dita





● Some common problems:- LDAP Connection settings – profiles_tdi.propertiesYou may see error”CTGDIS077I Failed with error: [LDAP: error code 49 - Failed, invalid credentials for ldapbind123]” in ibmdi.log, mean username or password for LDAP authentication is wrong. You need to check the LDAP settings in profilestdi.propertieshttp://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_prof_populate_manual.dita?lang=en

- LDAP attribute for users:You may see error like below in ibmdi.logCLFRN0209E: Validation failed for field surname. Value is .CLFRN1183E: Validation failed for entry CN=User1 Test,O=APCP

http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_prof_populate_manual.dita?lang=en





there mean some problem for surname of this user. You need to check what LDAP field mapping to surname in - map_dbrepos_from_source.properties http://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_prof_tdi_mapfields.dita?lang=enthen check the user's attribute in LDAP directory. For the error above, the LDAP attribure mapped to surname can be blank.

IBM Connections have some requirements for fields, you may please check validate_dbrepos_fields.properties, the validation formula for fields are set. (Please don't change it)



- Some LDAP attriburtes must be unique:You may see “CLFRN1182E: An error occurred while creating the profile:<username>” in ibmdi.log. The problem may caused by duplicated attributes. uid,email,guid must be unique, or it will cause problem.

To troubleshoot the similar issue, you may collect the user's LDAP attribute, and lookup PEOPLEDB – EMPLOYEE table, check if any duplicated exist.Some information available here ->https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_config_ldap.dita?lang=en



- sync_updates_hash_field issuesync_updates_hash_field is used by TDI to identify user, it is set to uid by default, then uid should not be changed. If you change one user's uid, will cause problem to sync the user, e.g. the existing user may be changed to inactive.More information available here https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/t_admin_profiles_sync_ldap.dita?lang=en

https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/admin/t_admin_profiles_sync_ldap.dita?lang=en





● More troubleshooting tipsEven with TDI debug, we may not able to find the root reason for sync problem. It would be helpful to collect the user's LDAP attaribute and the records in EMPLOYEE table, compare attributes of users who is with/without the problem.To collect user's LDAP attribute, we can use any LDAP search tool to search the user against the LDAP Directory. One ldap search tool from Domino/Notes is ldapsearch, it also can be used to search other LDAP servers.

http://www-01.ibm.com/support/docview.wss?uid=swg27002627https://www-01.ibm.com/support/knowledgecenter/SSKTMJ_8.5.3/com.ibm.help.domino.admin85.doc/H_EXAMPLES_EXPORTING_THE_CONTENTS_OF_AN_LDAP_DIRECTORY_2804_STEPS.html



Questions?Press *1 on your telephone to ask a question.

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page http://www.facebook.com/IBMLotusSupport

IBM Collaboration Solutions Supporthttp://twitter.com/IBM_ICSSupport

Date post:	16-Apr-2017
Category:	Software
Upload:	ranjit-rai
View:	337 times
Download:	0 times

Open micictdi

Software