IBM Connections (SDI aka TDI) – Synchronize users based on group membership
The standard assembly line “sync_all_dns” synchronizes user data from an LDAP source into the IBM Connections Profiles database. The selection criterion for which users get synchronized (on-boarded) to IBM Connections is an LDAP filter, a standardized search expression in LDAP syntax.
But in some customer projects the requirements are more complex than a plain LDAP filter can express. Many customers want to synchronize users based on LDAP group membership. You might say “No problem, that's easy” 😉 Yes, it is easy for Active Directory, because each user entry carries a “memberOf” attribute listing every group it belongs to, so you can filter on it directly.
But many of our customer environments use Domino or SDS (aka TDS), where no such “memberOf” attribute is available. SDS provides the “ibm-allGroups” attribute, which also returns the groups a user belongs to, but it is a computed list of groups that you cannot build a simple LDAP filter on. My colleague Konstantin did a great job in extending the standard assembly line so that only users from a specific group get synchronized.
For this case IBM provides a mechanism to use your own iterator or lookup connector (it replaces only those components that sync_all_dns uses; all the rest remains the standard sync_all_dns assembly line). Here you can find a description of how this can be set up.
In our specific case we only need to customize the iterator connector. This assembly line iterates over all LDAP users that should be synchronized to IBM Connections. When you use the standard “sync_all_dns” AL, the assembly line _internal_ldap_iterate does this job, so we use it as the base for our custom iterator:
Simply copy _internal_ldap_iterate and rename it to _custom_ldap_group_iterate:
Then remove the ldap_iterate connector and replace it with the “LDAP Group Members Connector”. You can also rename this to “ldap_groups_iterate”. Then change the connection properties. We use our own properties for the group “Search Base” and the group “Search Filter” and add those properties to the file “profiles_tdi.properties”:
The “ldap_group_iterator” connector delivers all group members together with all their attributes, and nested groups are resolved automatically. Some internal (operational) attributes such as “ibm-entryUuid” (we're using SDS here) cannot be resolved this way. But we need this attribute so that “sync_all_dns” can synchronize the user, because the GUID is used as the hash value that links the database record with the LDAP entry. For this an additional LDAP lookup is needed (this lookup uses the standard properties that come from the profiles_tdi.properties file):
As “Link criteria” we use the “dn” of the user.
The next step is to save and publish the assembly line (save it as groupsIterateAdapter.xml) in the packages folder of our tdisol directory.
Then you have to make changes to the “profiles_tdi.properties” file:
Here you specify that sync_all_dns should use our custom “_custom_ldap_group_iterate” assembly line as the repository iterator.
We add three new properties to the file “profiles_tdi.properties”:
#The base where you want to search for groups
source_ldap_groups_search_base=cn=groups,o=ldap
#Filter for the groups
source_ldap_groups_search_filter=(cn=test group)
After this you need to run the script “fixup_tdi_adapters.sh” to bind these properties to all assembly lines in the packages folder.
You can now start “sync_all_dns” and it will only synchronize users that are members of the given group (including nested groups). Cool stuff 😉
By the way, inactivation and deletion also work with this AL. In my opinion this is a far better approach than having the customer maintain flags in LDAP for users that should be on-boarded to IBM Connections 😉
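To make the selection logic of the custom iterator concrete, the following Python script is an added example that models the whole procedure above: search the group base with the configured filter, flatten the (nested) group membership, then look each member up by DN to obtain the ibm-entryUuid that the group connector alone does not deliver. It is not TDI code and not part of the original post; the in-memory DIRECTORY, all DNs, group names and UUIDs are constructed for the demonstration, and the filter parser only supports a single (attr=value) equality term with an optional * wildcard. It goes slightly beyond the text by handling a nested group that points back at its parent (a membership cycle) and by reporting members whose GUID could not be resolved instead of silently dropping them.

```python
import fnmatch
import re

# Constructed in-memory directory standing in for an SDS-style LDAP server.
# Every DN, name and UUID here is made up for the demonstration.
DIRECTORY = {
    "cn=test group,cn=groups,o=ldap": {
        "objectClass": ["groupOfNames"], "cn": ["test group"],
        "member": ["uid=alice,cn=users,o=ldap",
                   "cn=nested group,cn=groups,o=ldap"],
    },
    "cn=nested group,cn=groups,o=ldap": {
        "objectClass": ["groupOfNames"], "cn": ["nested group"],
        "member": ["uid=bob,cn=users,o=ldap",
                   "uid=dave,cn=users,o=ldap",
                   "cn=test group,cn=groups,o=ldap"],   # cycle back to the parent group
    },
    "cn=other group,cn=groups,o=ldap": {
        "objectClass": ["groupOfNames"], "cn": ["other group"],
        "member": ["uid=carol,cn=users,o=ldap"],
    },
    "uid=alice,cn=users,o=ldap": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                                  "ibm-entryUuid": ["00000000-0000-4000-8000-000000000001"]},
    "uid=bob,cn=users,o=ldap":   {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
                                  "ibm-entryUuid": ["00000000-0000-4000-8000-000000000002"]},
    "uid=carol,cn=users,o=ldap": {"objectClass": ["inetOrgPerson"], "uid": ["carol"],
                                  "ibm-entryUuid": ["00000000-0000-4000-8000-000000000003"]},
    # Member of the nested group, but the operational attribute is missing:
    "uid=dave,cn=users,o=ldap":  {"objectClass": ["inetOrgPerson"], "uid": ["dave"]},
}

# Minimal filter grammar: one equality term such as (cn=test group) or (cn=*group)
_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^)]*)\)$")


def search_groups(base, ldap_filter):
    """Return the DNs of group entries below `base` that match `ldap_filter`
    (the equivalent of source_ldap_groups_search_base / _search_filter)."""
    m = _FILTER.match(ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, pattern = m.group("attr"), m.group("value").lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        if not dn.lower().endswith("," + base.lower()):
            continue                                  # outside the search base
        if any(fnmatch.fnmatchcase(v.lower(), pattern) for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def expand_members(group_dn, seen=None):
    """Flatten the membership of `group_dn`, following nested groups and
    ignoring cycles (a nested group that points back at an ancestor)."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for member_dn in DIRECTORY.get(group_dn, {}).get("member", []):
        entry = DIRECTORY.get(member_dn)
        if entry is None:
            continue                                  # dangling member reference
        if "groupOfNames" in entry.get("objectClass", []):
            users |= expand_members(member_dn, seen)
        else:
            users.add(member_dn)
    return users


def lookup_by_dn(dn):
    """The additional LDAP lookup with the user's dn as link criteria: fetch the
    member's own entry so that ibm-entryUuid becomes available."""
    return DIRECTORY.get(dn)


def iterate_group_users(base, ldap_filter):
    """Emulate the custom iterator: return (selected, skipped), where selected
    holds users with their GUID and skipped lists member DNs that had to be
    left out because no ibm-entryUuid could be resolved for them."""
    selected, skipped = [], []
    member_dns = set()
    for group_dn in search_groups(base, ldap_filter):
        member_dns |= expand_members(group_dn)
    for dn in sorted(member_dns):
        entry = lookup_by_dn(dn)
        uuid = (entry or {}).get("ibm-entryUuid", [None])[0]
        if uuid is None:
            skipped.append(dn)
            continue
        selected.append({"dn": dn, "uid": entry["uid"][0], "ibm-entryUuid": uuid})
    return selected, skipped


if __name__ == "__main__":
    users, missing = iterate_group_users("cn=groups,o=ldap", "(cn=test group)")
    for u in users:
        print(f"sync {u['uid']:<6} {u['ibm-entryUuid']}")
    for dn in missing:
        print(f"skip {dn}: no ibm-entryUuid resolved")
```

Run as-is it selects alice (direct member) and bob (member via the nested group), skips dave because the lookup returned no GUID, and never touches carol, whose group does not match the filter. Reporting the skipped DNs matters in practice: a member without a resolvable ibm-entryUuid cannot be matched between the Profiles database and LDAP, so it should show up in the run's log rather than disappear quietly.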