IBM Connections (SDI aka TDI) – Synchronize users based on group membership


The standard assembly line „sync_all_dns“ synchronizes user data from an LDAP source into the IBM Connections Profiles database. The selection criterion that decides which users get synchronized (on-boarded) to IBM Connections is an LDAP filter, a standardized search expression written in the special LDAP syntax.

But some customer projects have more complex requirements than a plain LDAP filter. Many customers want to synchronize users based on LDAP group membership. You might say… „No problem, that´s easy“ 😉 Yes, it is for Active Directory, because each user entry carries a „memberOf“ attribute for every group it belongs to, so you can simply filter on that attribute.

But many of our customer environments use Domino or SDS (aka TDS), where no such “memberOf” attribute is available. SDS provides the “ibm-allGroups” attribute, which also returns the groups a user belongs to, but it is a multi-valued list that you cannot build a simple LDAP filter on. My colleague Konstantin did a great job in extending the standard assembly line so that only users from a specific group get synchronized.

For this case IBM provides a mechanism to plug in your own iterator or lookup connector (it replaces the components that sync_all_dns uses; all the rest remains the standard sync_all_dns assembly line). Here you can find a description of how this can be set up.

In our specific case we only need to customize the iterator connector. This assembly line iterates over all LDAP users that should be synchronized to IBM Connections. When you use the standard “sync_all_dns” AL, the assembly line _internal_ldap_iterate does this job, so we use it as the base for our custom iterator:

[Screenshot: SDI1]

Simply copy the _internal_ldap_iterate and rename it to _custom_ldap_group_iterate:

[Screenshot: SDI2]

Then remove the ldap_iterate connector and replace it with the “LDAP Group Members Connector”. You can also rename it to „ldap_groups_iterate“. Then change the connection properties. We use our own properties for the group „Search Base“ and the group „Search Filter“ and add those properties to the file “profiles_tdi.properties”:

[Screenshot: SDI3]

The „ldap_group_iterator“ connector delivers all group members together with all their attributes. Nested groups are resolved automatically. Some internal attributes such as „ibm-entryUuid“ (we're using SDS here) cannot be retrieved this way. But we need this attribute so that „sync_all_dns“ can synchronize the user (the GUID is the key used to match records between the database and LDAP). Therefore an additional LDAP lookup is needed (this lookup uses the standard properties that come from the profiles_tdi.properties file):

[Screenshot: SDI4]

As „Link Criteria“ we use the „dn“ of the user.
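As an added example that is not part of the original post or of the TDI sync_all_dns code, the following JavaScript models the two stages the custom iterator performs: expanding the configured group (nested groups included, with a guard against groups that contain each other) into member DNs, and the dn-keyed lookup that fetches ibm-entryUuid. All directory entries, DNs and attribute values are constructed; the suffix cn=groups,o=ldap follows the post.

```javascript
// Added example, not code from the original post or from TDI/sync_all_dns.
// It models the two stages of the custom iterator: expand a group (nested
// groups included) into member DNs, then look up each member by dn to obtain
// the ibm-entryUuid that sync_all_dns keys on. All directory data is constructed.

// Constructed groups: member DNs may point at users or at other groups.
const groups = {
  "cn=test group,cn=groups,o=ldap": ["uid=alice,cn=users,o=ldap", "cn=team b,cn=groups,o=ldap"],
  "cn=team b,cn=groups,o=ldap": ["uid=bob,cn=users,o=ldap", "uid=dave,cn=users,o=ldap",
                                  "cn=test group,cn=groups,o=ldap"], // cycle back to the parent
};

// Constructed user entries keyed by dn. carol is in no group and must not be
// synced; dave has no ibm-entryUuid, which sync_all_dns cannot work without.
const users = {
  "uid=alice,cn=users,o=ldap": { uid: "alice", mail: "alice@example.org", "ibm-entryUuid": "11111111-aaaa" },
  "uid=bob,cn=users,o=ldap":   { uid: "bob",   mail: "bob@example.org",   "ibm-entryUuid": "22222222-bbbb" },
  "uid=carol,cn=users,o=ldap": { uid: "carol", mail: "carol@example.org", "ibm-entryUuid": "33333333-cccc" },
  "uid=dave,cn=users,o=ldap":  { uid: "dave",  mail: "dave@example.org" },
};

// Stage 1: expand groupDn to user DNs, following nested groups. `seen` guards
// against groups that contain each other, which would otherwise loop forever.
function resolveMembers(groupDn, seen = new Set()) {
  if (seen.has(groupDn)) return [];
  seen.add(groupDn);
  const out = [];
  for (const memberDn of groups[groupDn] || []) {
    if (memberDn in groups) out.push(...resolveMembers(memberDn, seen));
    else out.push(memberDn);
  }
  return [...new Set(out)]; // a user reachable via two groups is listed once
}

// Stage 2: the extra LDAP lookup with dn as link criteria. The group-members
// connector does not deliver ibm-entryUuid, so it is fetched per user here.
// Entries without a GUID are reported instead of being passed on, because the
// GUID is the stable key between Profiles DB and LDAP (a dn changes on moves/renames).
function lookupByDn(memberDns) {
  const ok = [], missing = [];
  for (const dn of memberDns) {
    const entry = users[dn];
    if (entry && entry["ibm-entryUuid"]) ok.push({ dn, ...entry });
    else missing.push(dn);
  }
  return { ok, missing };
}

// What the custom iterator hands to sync_all_dns for one configured group.
const iterateGroup = (groupDn) => lookupByDn(resolveMembers(groupDn));
```

Run against a real directory, the `missing` list is the thing to watch in ibmdi.log: a user in the group but without a GUID will otherwise be silently skipped by sync_all_dns.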

The assembly line has a Prolog configured, as well as some „connector hooks“ written in JavaScript. The configuration settings from the original „sync_all_dns“ assembly line are taken into account, although most of those settings are not needed in our case. We only have to make minimal changes so that our assembly line works.

The next step is to save and publish the assembly line (save it as groupsIterateAdapter.xml) in the packages folder of our tdisol directory.

Then you have to change the “profiles_tdi.properties” file:

source_repository_iterator_assemblyline=groupsIterateAdapter:/AssemblyLines/_custom_ldap_group_iterate

Here you specify that sync_all_dns should use our custom “_custom_ldap_group_iterate” assembly line as the repository iterator.

We add three new properties to the file “profiles_tdi.properties”:

#The base where you want to search for groups
source_ldap_groups_search_base=cn=groups,o=ldap

#Filter for the groups
source_ldap_groups_search_filter=(cn=test group)

After this you need to run the script „fixup_tdi_adapters.sh“ to bind these properties to all assembly lines in the packages folder.

You can now start „sync_all_dns“ and you will only synchronize users that are part of the given (or nested) groups. Cool stuff 😉

Btw. inactivation / deletion also works with this AL. In my opinion this is a far better way than making the customer maintain flags in LDAP for users that should be on-boarded to IBM Connections 😉

5 thoughts on “IBM Connections (SDI aka TDI) – Synchronize users based on group membership”

  1. Hi, thank you for this post. I am trying to populate Connections from a Domino LDAP and I retrieve only 0 records. I suspect it is because of the search_base and search_filter values returning 0 records. Though, I have checked whether the search value combination works in ldapsearch, and it does. I just want to ask if there is anything else I should be looking at or missing. Thank you.

    1. Hi Shery,

      did you configure the file map_dbrepos_from_source.properties to match the values needed for a domino LDAP?
      What happens if you run “collect_dns.sh”… Do you get any results returned?
      Furthermore have a look in the ibmdi.log (in the log dir under tdisol). Maybe some bind errors?

      1. Hi Julia, thank you for your quick response. Apologies, I took some time getting back as we tried so many other solutions. It is still not working. We upgraded TDI to version 7.1.1.x. Collect_DNS.bat (we are using Windows) results in 0 records as well.

  2. Ah – if only we could use the dominoAccessGroups attribute in search filters. What I used to do was have a separate assembly line that periodically pushed the multi-valued operational attribute dominoAccessGroups into another attribute, something like dominoMemberOf. Then you can use that in your filters, both in Connections and in other apps which don’t have TDI in their corner. (The groups didn’t really change that frequently…)
