Member fixer tool

 

+

Search Tips   |   Advanced Search

 

Overview

Member fixer is used to...

The member fixer's function is to check all of the items in a specified library for references to users and groups that no longer exist in the current user repository. In report mode, it will report all the references to members. In fix mode, these references can be fixed, either by replacing them with references to members that exist, or by removing the references. The "fix" parameter determines whether the member fixer runs in report or fix mode.

References to members in library items contain the distinguished name (DN) of the member as well as a unique ID for the member. This unique ID is an internal id that is unique over time, and is different to the DN. This means if a member is deleted and another member is created with the same DN, the two members will have different unique IDs. The mismatched_id parameter can be used to update or remove these unique IDs.

When a member that has been given permissions on a library is deleted, the member permissions are entirely removed from the library, so that any inherited permissions for items in the library will also be removed. Therefore, the member fixer can not be used to update these permissions to a different member. However, when an LDAP transfer is carried out, the member permissions on the library are maintained. So, the member fixer can be run after an LDAP transfer to update or remove these permissions

 

Custom Mapping

To update a reference to a member that does not exist with a member that does exist, member mappings can be defined in a custom mapping file. Where the member fixer does not find a mapping in this file for a member, it will search the user repository for members with the same ID as the member that no longer exists. If such a member is found, it will update the reference with this user or group, or remove the reference, as specified by the alt_dn parameter. If no such member is found, this member is classified as 'invalid' and will be updated or removed as specified by the invalid_dn parameter.

If custom mapping is required perform the following steps to map the user and group domain names before running the member fixer module:

  1. Edit...

    WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    ...and set...

    cn=contentAuthors,dc=lotus,o=ibm->cn=contentEditors,dc=rational,o=ibm

    Use of the MemberFixerModule.properties file applies to Portal v6.0, although it is poorly documented.

    This format is used to completely replace one DN with another.

    cn=[ID],dc=websphere,o=ibm->cn=[ID],dc=tivoli,o=ibm

    This format is used to replace part of a DN. This example will change all of the DN except the common name.

    Further examples are listed in the MemberFixerModule.properties file.

  2. You then run the member fixer using the alt_dn option

 

Run the Member Fixer:

  1. Log in to the portal as an administrator.

  2. You run the member fixer tool by entering a URL in a browser:

    The library specified in the URL is the library to be scanned by the member fixer. If the query parameter "library" is omitted, the default library that has been configured in the WCM ConfigService.properties file will be used.

  3. To view a report of users or groups referenced in WCM items that need fixing, open the following URL in the browser:

    http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname

    Before progressing to the next step and running the member fixer in fix mode, ensure that the report mode indicates that the updates will happen as you require. If the report indicates that the update will not happen as required, change the member fixer parameters and run the report mode again. Repeat this process until you are satisfied that the fixes will be applied correctly. This is important because the fixes made by the member fixer when run in fix mode may not be easy to undo if incorrect fixes are applied.

  4. If there have been changes to users and groups, update the items that reference them by entering the following URL in the browser:

    http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true

  5. If the member fixer tool indicates that certain mismatched member conditions exist, enter the specified URL to correct the conditions.

    • Nonexistent users or groups have alternate DNs available.

      To update the items that reference the nonexistent users or groups:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&alt_dn=update

      To remove the members that reference the users or groups:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&alt_dn=remove

      If users or groups have invalid DNs the report will list these as "invalid". This means the DN doesn't exist and there is no alternate DN available.

      To remove users and groups that have invalid DNs:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&invalid_dn=remove

      To update users and groups that have invalid DNs with the portal administrator user's DNs:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&invalid_dn=update

    • Users or groups have been found with mismatched unique IDs.

      To fix the mismatched unique IDs:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&mismatched_id=update

      To remove users and groups with mismatched unique IDs:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&mismatched_id=remove

      These URL options can be combined when the conditions occur at the same time. For example, if alternate DNs are available for nonexistent
      users and groups and there are mismatched unique IDs, you would use the following URL:

      http://host:port/wps/wcm/connect?MOD=MemberFixer&library=libraryname&fix=true&alt_dn=update&mismatched_id=update

    You can preserve the last modified date of items updated by the member fixer module by adding &preserve_dates=true to the URL used to run the member fixer.

    You can restrict which objects types are processed by adding...

    &restrictOn=itemtype

    ...to the URL used to run the member fixer. For example:

    &restrictOn=Content,Style,Template,Taxonomy,Category,Site,SiteArea,Workflow,WorkflowStage,WorkflowAction,Cmpnt

    If not specified, all object types will be fixed.

    To prevent your server timing out before member fixer has finished, you can specify &sessionTimeOut= to the URL used to run the member fixer. This is defined as the number of seconds before a session will timeout. For example...

    &sessionTimeOut=36000

    The default session timeout is 14440 seconds.

    To force locked items to be unlocked while running the tool, add...

    &forceUnlock=true

    ...to the query. This setting defaults to true.

  6. After the member fixer has run, review the SystemOut.log to verify that the member fixer ran correctly. The member fixer may not be able to save items that fail validation, such as items that contain invalid fields. You must edit these items to make them valid and then run the member fixer again.

 

Run the Member Fixer in a multi-realm environment:

You can specify the realm to run the member fixer on by adding &realm=realmName to the URL. In a single realm environment, this parameter can be omitted.

In a multi-realm environment where the realm is specified, the member fixer will check references to members that are under the base DNs defined for the specified realm to see if the members exist. To do this, follow the same steps described above for a single realm environment, but specify the "realm" parameter in the URL. For example:

If &realm=realmName is omitted, the default realm that has been configured in the VMM configuration will be used. The default realm can be configured using the configuration task wp-default-realm.

Additionally, the member fixer can be used to check whether there are any members and groups referenced in items that are not under any of the base DNs defined for any of the realms in the environment and fix these references.

To do this, follow the same steps described above for a single realm environment and add &norealm_dn=true to the URL. For example:

References to members can only be updated with references to members in the specified realm. Typically, in a multi-realm environment, the member fixer should be run for each realm in turn to make sure that all of the references are fixed.

 

Disable browser output:

If you are using the member fixer tool on a large number of items you can disable browser output to improve performance by adding the setting utility.module.browser.output=false to the WCM ConfigService.properties file in...

WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices

If not specified, results will be output to the browser.

 

Parent topic

Users and groups

 

Parent topic

Developing an access control strategy