Sync LDAP with Profiles

Sync LDAP with Profiles

We use sync_all_dns.sh to sync profiles data with changes to the LDAP directory. For example, if new hires have been imported into LDAP, we synchronize to write those changes to the Profiles database.
If the LDAP directory has a data size limitation, consider setting...
source_ldap_iterate_with_filter=true

This property replaces the sync_all_dns_forLarge and collect_dns_iterate scripts used in earlier releases.
During synchronization...

Entries in the Profiles database are compared to the mapped values from the LDAP.
Updates are applied to existing Profiles DB records.
New records are added
No longer found records are removed

As with the initial data population, we use mapping values configured in map_dbrepos_from_source.properties.
We specify the location of temp files files, and whether to delete or retain them after synchronization using...
sync_updates_/tmp=/path/to/sync_updates
sync_updates_clean_temp_files=true

To troubleshoot, set...
sync_updates_clean_temp_files=false

In addition to the temporary files, the following files in the TDI solution directory record the changes made during synchronization. When set to true, the sync_updates_show_summary_only property shows only the records that need to be changed, but does not make the changes.

employee.adds
employee.delete
employee.error
employee.skip
employee.update

To verify success, check...

TDI/logssync_all_dns.log
TDI/logs/ibmdi.log

Run sync_all_dns.sh

Set properties in profiles_tdi.properties.

Option Description
perform_deletion_for_sync If perform_deletion_for_sync=false then perform neither the delete nor the inactivate action.
If perform_deletion_for_sync=true then look at the perform_deletion_or_inactivate_for_sync property.
Based on the value of the perform_deletion_or_inactivate_for_sync property (either delete or inactivate), perform the specified action.
source_ldap_iterate_with_filter Use if the size of the data to be retrieved from LDAP exceeds the search limit from the LDAP. For example, if the search parameters would return 250K records but the LDAP only allows 100K to be returned at a time, this parameter must be used.
If the data is too large, an LDAP size limit exceeded error message is generated. To configure this mechanism, see the Populating a large user set.
When set to true, this specifies the default iterations assembly line use the collect_ldap_dns_generator.js file to iterate over a set of LDAP search bases and filters. The cconfig setting replaces the sync_all_dns_forLarge and collect_dns_iterate scripts used in earlier releases.
Default is false.
This parameter is not configurable when using the population wizard.
sync_check_if_remove Close the widget palette. custom delete hook assembly line. By default, the assembly line's name is set to sync_all_dns_check_if_remove. For more information about this property, see Customize the logic used for the delete operation.
The sync_updates_double_check property must also be set to use this functionality.
perform_deletion_or_inactivate_for_sync Controls what happens to a user record when the delete action is performed. The value must be either delete or inactivate and is case sensitive. By default, the property is set to inactivate so that users are not deleted. The inactive state is propagated to all the other Connections applications.
This property cannot be used with the sync_all_dns, process_tds_changes, and process_ad_changes commands.
sync_updates_clean_temp_files When true, deletes temporary files after the synchronization process is completed.
sync_updates_double_check Use the custom deletion-checking assembly line defined in the sync_check_if_remove property to perform a double check. The logic of the default double-check assembly line is to match on the distinguishedName mapping (usually $dn). If that match fails, the user is assumed to no longer be in the LDAP directory, and is deleted.
sync_updates_hash_field Match a record in the Profiles database with the corresponding record in the source. Choose a value that will not change, so the match will remain intact between the source and the Profiles database.
If the value in this field in the source changes, the match will be broken and unintended actions may take place, for example the existing database information for this person could be deleted if the corresponding match in the source is no longer accessible.
Supported values: guid, uid, and email. Default is uid.
If the value of the hash field in the source has changed, we must set this property to a different value that has not changed. For example, if you have not changed the value of email, we can set it to email.
sync_updates_hash_partitions
Number of partitions to divide the temporary files into. The default of 10 is sufficient in most cases. If the file size gets too large, this value can be increased.
sync_updates_show_summary_only When set to true, this property shows only the records that need to be changed, but does not make the changes.
sync_updates_work_dir The directory where the working files are stored. The path can be relative to the TDI solution directory or an absolute path.

With the exception of perform_deletion_or_inactivate_for_sync, these properties can only be used with the sync_all_dns task; they can be used with the process_tds_changes and process_ad_changes commands.

To synchronize data from multiple LDAP branches in the same database, set the following properties in profiles_tdi.properties:

Option Description
sync_source_url_enforce=true Synchronizes only those records that have a matching URL. When set to true, it limits the scope of the set of data in the database, and skips the records that do not match the source URL. When set to false, it deletes the records that do not match the source URL. Default is false.
sync_source_url_override=true Update the source_url field if it doesn't match when the employee is being updated.
sync_store_source_url=true Store the source LDAP URL in the prof_source_url field in the database. The source LDAP URL is needed to determine the source of the data to correctly synchronize it.
When storing the sync_store_source_url property in the Profiles database, the data format of prof_source_url in the Profiles database is :
ldap://{hostname}:port/ldap_search_base?ldap_search_filter

These properties can only be used with the sync_all_dns task; they cannot be used with the process_tds_changes and process_ad_changes commands.

When the sync_all_dns task is performed, it generates a lock file in the TDI solution directory to prevent other customers from starting another sync_all_dns process in the same TDI solution. The name of the lock file is...
sync_all_dns.lck

When the sync_all_dns process has finished successfully, the lock file is automatically deleted. However, if the process did not complete, the lock file won't be deleted. In this case, we can delete it yourself, or run...
TDI_solution_directory/clearLock.sh

Process changes...

./sync_all_dns.sh

Example employee tables

This sample employee table illustrates results from a scenario in which you have pulled users A, B, and C from ldap_branch1 and users X, Y, and Z from ldap_branch2.

uid distinguishedName (DN)
A ldap_branch1
B ldap_branch1
C ldap_branch1
X ldap_branch2
Y ldap_branch2
Z ldap_branch2

To synchronize the ldap_branch2 users, set...

source_ldap_url=ldap_branch2
sync_store_source_url=true
sync_source_url_enforce=true
sync_source_url_override=false

By setting these properties, you get updates for the ldap_branch2 users X, Y, and Z, but not for users A, B, and C.
Updates are not provided for users A, B, and C because their PROF_SOURCE_URL does not match the TDI property source_ldap_url. Setting sync_source_url_enforce to true means the script skips users A, B, and C.
Setting sync_source_url_enforce to false, means users A, B, and C are deleted from the database.
To move the ldap_branch1 users to another branch of the LDAP directory, ldap_branch3, set...

source_ldap_url=ldap_branch3
sync_store_source_url=true
sync_source_url_enforce=true
sync_source_url_override=true

This configuration retrieves the users from ldap_branch3, and finds users A, B, and C but not users X, Y, and Z.
It matches users A, B, and C because the hash field is the same. The synchronization updates in the Profiles database are shown in the following table:

uid distinguishedName (DN)
A ldap_branch3
B ldap_branch3
C ldap_branch3
X ldap_branch2
Y ldap_branch2
Z ldap_branch2

Synchronize TDI and AD Directory LDAP changes
Synchronize changes users have made to their profiles
sync_all_dns

Parent topic:
Manage user data using TDI scripts

Related:
Specify the global ID attribute for users and groups
Manage users
sync_all_dns
Switch to unique administrator IDs for system level communication
Use an LDAP branch to store external users
Synchronize IBM Tivoli Directory Server and Microsoft Active Directory LDAP changes
Sync LDAP with Profiles
Customize the logic used for the delete operation
Inactivate users to manage users with administrative commands
Update Profiles when changing LDAP directory
Tivoli Directory Integrator solution properties for Profiles
Batch files for processing Profiles data
Use supplied scripts to delete inactive users based on inactivity length

Option	Description
perform_deletion_for_sync	If perform_deletion_for_sync=false then perform neither the delete nor the inactivate action. If perform_deletion_for_sync=true then look at the perform_deletion_or_inactivate_for_sync property. Based on the value of the perform_deletion_or_inactivate_for_sync property (either delete or inactivate), perform the specified action.
source_ldap_iterate_with_filter	Use if the size of the data to be retrieved from LDAP exceeds the search limit from the LDAP. For example, if the search parameters would return 250K records but the LDAP only allows 100K to be returned at a time, this parameter must be used. If the data is too large, an LDAP size limit exceeded error message is generated. To configure this mechanism, see the Populating a large user set. When set to true, this specifies the default iterations assembly line use the collect_ldap_dns_generator.js file to iterate over a set of LDAP search bases and filters. The cconfig setting replaces the sync_all_dns_forLarge and collect_dns_iterate scripts used in earlier releases. Default is false. This parameter is not configurable when using the population wizard.
sync_check_if_remove	Close the widget palette. custom delete hook assembly line. By default, the assembly line's name is set to sync_all_dns_check_if_remove. For more information about this property, see Customize the logic used for the delete operation. The sync_updates_double_check property must also be set to use this functionality.
perform_deletion_or_inactivate_for_sync	Controls what happens to a user record when the delete action is performed. The value must be either delete or inactivate and is case sensitive. By default, the property is set to inactivate so that users are not deleted. The inactive state is propagated to all the other Connections applications. This property cannot be used with the sync_all_dns, process_tds_changes, and process_ad_changes commands.
sync_updates_clean_temp_files	When true, deletes temporary files after the synchronization process is completed.
sync_updates_double_check	Use the custom deletion-checking assembly line defined in the sync_check_if_remove property to perform a double check. The logic of the default double-check assembly line is to match on the distinguishedName mapping (usually $dn). If that match fails, the user is assumed to no longer be in the LDAP directory, and is deleted.
sync_updates_hash_field	Match a record in the Profiles database with the corresponding record in the source. Choose a value that will not change, so the match will remain intact between the source and the Profiles database. If the value in this field in the source changes, the match will be broken and unintended actions may take place, for example the existing database information for this person could be deleted if the corresponding match in the source is no longer accessible. Supported values: guid, uid, and email. Default is uid. If the value of the hash field in the source has changed, we must set this property to a different value that has not changed. For example, if you have not changed the value of email, we can set it to email.
sync_updates_hash_partitions	Number of partitions to divide the temporary files into. The default of 10 is sufficient in most cases. If the file size gets too large, this value can be increased.
sync_updates_show_summary_only	When set to true, this property shows only the records that need to be changed, but does not make the changes.
sync_updates_work_dir	The directory where the working files are stored. The path can be relative to the TDI solution directory or an absolute path.

uid	distinguishedName (DN)
A	ldap_branch1
B	ldap_branch1
C	ldap_branch1
X	ldap_branch2
Y	ldap_branch2
Z	ldap_branch2

uid	distinguishedName (DN)
A	ldap_branch3
B	ldap_branch3
C	ldap_branch3
X	ldap_branch2
Y	ldap_branch2
Z	ldap_branch2