Synchronize user data between Profiles and the LDAP directory 

To update profiles data, you typically update the LDAP directory first and then synchronize the changes to the Profiles database. However, there are some cases where you might want to allow your users to make their own changes to their profiles, and these changes need to be written from the Profiles database back to the LDAP directory.


Before starting

Be sure to install and configure the IBM HTTP Server before attempting to synchronize data between the Profiles database and the LDAP server. See Configure IBM HTTP Server for more information.


About this task

You can ensure that data in the LDAP directory is kept current by synchronizing any changes made to the Profiles directory back to the LDAP server. For example, users in your organization might need to update their cell phone details in Profiles. They cannot change the LDAP directory directly and, as administrator, you can allow them to make the changes directly in Profiles. These changes need to be reflected back to the LDAP directory using the drafting process.

The draft table stores the edited values of the attributes that you designate with the draftableAttribute element in the profiles-config.xml file. For example:

<profileDataModel>
   <!-- =================================================================================== -->
   <!-- This section is used to define attributes that are updated via the drafting process -->
   <!-- In most deployments you should never edit the config for this section.   -->
   <!-- Example: <draftableAttribute>displayName</draftableAttribute>  -->
   <!-- Example: <draftableExtensionAttribute extensionIdRef="tieline"/>  -->
   <!-- =================================================================================== -->
   <draftableAttribute>telephoneNumber</draftableAttribute>
</profileDataModel>

These editable fields are sent back to the LDAP directory instead of being updated into the database immediately.

Configure a Directory Services Markup Language (DSML) server service to receive the update requests. The Profiles application does not provide this service because each implementation of an LDAP server is unique.

To synchronize changes between the draft table and the LDAP server, run a script that initializes a daemon process that monitors the Profiles database for updates and, when one is made, formats the update as a DSML request and transmits it to a configured DSML server.


Procedure

To synchronize changes from the Profiles database back to your LDAP directory:

  1. Define values for the DSML server-related properties in the profiles_tdi.properties file.

    The DSML server-related properties are the properties with names that begin with monitor_changes_ and dsml_server_. Typically, update the following properties:

    • monitor_changes_dsml_server_url
    • monitor_changes_dsml_server_username
    • monitor_changes_dsml_server_password
    • dsml_server_ldap_user_login
    • dsml_server_ldap_url
    • dsml_server_ldap_user_password
    • dsml_server_ldap_search_base
    • dsml_server_ldap_search_filter

  2. After providing values for the necessary properties, start the synchronization server process:

    • IBM AIX or Linux:

      chmod +x process_draft_updates.sh
      ./process_draft_updates.sh

    • Microsoft Windows:

      process_draft_updates.bat

  3. The process_draft_update task tracks the database change record number in a persistent field. In two situations, your task cannot run successfully:

    1. You recreate the Profiles database after you have already run the IBM Tivoli Directory Integrator Solution at least once.

    2. You clear the content of the CHG_EMP_DRAFT and EMP_DRAFT tables manually.

      In such situations, you should reset the persistent field and run the task again. You can reset the persistent field by performing one of the following steps:

      • Delete the database change record number value:

        • AIX or Linux:

          chmod +x reset_draft_iterator_state.sh
          ./reset_draft_iterator_state.sh

        • Microsoft Windows:

          reset_draft_iterator_state.bat

      • Set a particular value by running the following script and passing it the count value to set:

        • AIX or Linux:

          chmod +x set_draft_iterator_count.sh
          ./set_draft_iterator_count.sh

        • Microsoft Windows:

          set_draft_iterator_count.bat

      Setting draft values to display immediately
      When the com.ibm.lconn.profiles.config.see.draft.values.immediate property is set to true, draft table values are written back to both the main employee and draft employee tables, and the information in the Profiles database and the LDAP directory can become unsynchronized. To fix the problem, run the sync_all_dns task.
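Step 1 puts two service passwords and two endpoint URLs into profiles_tdi.properties. The following check is an added example, not part of the product or the original page: it flags a properties file that is readable beyond its owner or that points at non-TLS endpoints. The function names, hostnames and sample values are hypothetical, and the https, ldaps and mode 600 expectations are assumptions about a hardened deployment.

```shell
#!/bin/sh
# Added example, not IBM's code. Property names are from the page; the https,
# ldaps and owner-only expectations are assumptions about a hardened setup.

# Print the value of property $2 in file $1 (last assignment wins). TDI can
# mark a protected property with a "{protect}-" name prefix, so accept it.
prop_value() {
    sed -n "s/^[[:space:]]*\({protect}-\)\{0,1\}$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Flag property $2 in file $1 unless its value starts with scheme $3.
require_scheme() {
    case $(prop_value "$1" "$2") in
        "$3"://*) return 0 ;;
        *) echo "TRANSPORT: $2 should use $3:// so credentials are not sent in clear"; return 1 ;;
    esac
}

# Audit file $1: print one finding per line, return the number of findings.
audit_tdi_properties() {
    findings=0
    # The file holds two service passwords: group/other need no access.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $1 is accessible to group/other (expected mode 600)"
        findings=$((findings + 1))
    fi
    require_scheme "$1" monitor_changes_dsml_server_url https || findings=$((findings + 1))
    require_scheme "$1" dsml_server_ldap_url ldaps || findings=$((findings + 1))
    return "$findings"
}

# Constructed sample input (hostnames and values are placeholders).
write_sample() {
    cat > "$1" <<EOF
monitor_changes_dsml_server_url=$2://dsml.example.com/dsml
monitor_changes_dsml_server_username=dsmluser
{protect}-monitor_changes_dsml_server_password=CHANGEME
dsml_server_ldap_url=$3://ldap.example.com
dsml_server_ldap_user_login=cn=profiles-writeback,o=example
EOF
    chmod "$4" "$1"
}

tmp=$(mktemp -d)
write_sample "$tmp/weak.properties" http ldap 644
write_sample "$tmp/ok.properties" https ldaps 600
audit_tdi_properties "$tmp/weak.properties" || echo "weak.properties: $? finding(s)"
audit_tdi_properties "$tmp/ok.properties" && echo "ok.properties: clean"
rm -rf "$tmp"
```

Run audit_tdi_properties against the real profiles_tdi.properties before starting process_draft_updates; a non-zero exit status is the number of findings.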

