IBM Connections – How to switch to a custom global unique ID for users

Hi,

Many of our support cases today are related to non-working profiles in IBM Connections.

If users change their name, move from one location to another, or simply get a new account, their profile in IBM Connections might get inactivated because the hash key between LDAP and the database has changed.

There are three possible hash keys:

  • UID: Often a bad choice, as this might change
  • eMail: Also a bad choice
  • GUID: Unique ID – a good choice

So GUID is the attribute you should go for if you have non-unique eMail or UID values in LDAP.

GUID is a canonical String that is generated from:

  • AD: objectGUID / objectSID
  • Domino: dominoUNID

But in daily use the GUID value is not really as shiny as it seems… Because many Domino administrators copy documents (Ctrl-C + Ctrl-V), duplicate dominoUNIDs can occur, which might kill an IBM Connections profile. I heard from customers with Active Directories who delete an AD account and recreate it if a person changes names… The IBM Connections profile then gets inactivated.

But some customers implemented another unique key (such as an employee number) in their LDAP in order to avoid such problems. The question then is how to configure IBM Connections to make use of this new unique ID.

Everything is documented in detail and works very well (Please note that you should be very careful using this approach if you have CCM libraries in use – this change might break the access rights for all users!!!):

1) Depending on which attribute is to be used, you first need to define a WIM extension:

1.1 Attributes that are not part of PersonAccount schema – go to ../DMGR/config/cells/CELLNAME/wim/model and create a file “wimxmlextension.xml”

<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:wim="http://www.example.com/websphere/wim">
  <wim:schema>
    <wim:propertySchema
        nsURI="http://www.example.com/websphere/wim"
        dataType="STRING" multiValued="false"
        propertyName="customerUserID">
      <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
    </wim:propertySchema>
  </wim:schema>
</sdo:datagraph>

1.2 If your customer uses an LDAP attribute that is already part of the PersonAccount schema, you can go directly to 2)

2) Open the wimconfig.xml (here we add customerUserID as a supported attribute):

...
<config:attributeConfiguration>
	<config:attributes name="userPassword" propertyName="password"/>
	<config:attributes name="customUserID" propertyName="customUserID"/>
	<config:propertiesNotSupported name="homeAddress"/>
	<config:propertiesNotSupported name="businessAddress"/>
</config:attributeConfiguration> 

3) Open and edit the LotusConnections-config.xml file and add the following part:

<sloc:serviceReference profiles_directory_service_extension_enabled="true" serviceName="directory" custom_user_id_attribute="customUserID"/> 

4) Make a full resync of all nodes
5) TDI: edit the file “map_dbrepos_from_source.properties” and map the new customerUserID to GUID:

GUID=customerUserID

6) TDI: open the file “profiles_tdi.properties” and change the field “sync_updates_hash_field” from:

sync_updates_hash_field=guid

to

sync_updates_hash_field=uid (or mail)

7) Start sync_all_dns.sh and check whether the profiles have been correctly updated:

db2 "select PROF_GUID from EMPINST.EMPLOYEE" should show the new customerUserID values

8) Revert the change in profiles_tdi.properties so that sync_updates_hash_field is set back to the guid value:

sync_updates_hash_field=guid

That's it.
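
A pre-flight check for the procedure above, as an added example (not from the original post and not IBM tooling): it reads an LDIF export of the user branch and reports entries where the attribute to be mapped to GUID is missing, multi-valued or duplicated, the same failure the post describes for copied dominoUNIDs. The sample LDIF, the function names and the case-insensitive comparison are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export; the DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
customerUserID: E1001

dn: uid=asmith,ou=people,dc=example,dc=com
customerUserID: E1002

dn: uid=jdoe2,ou=people,dc=example,dc=com
customerUserID: e1001

dn: uid=svc-backup,ou=people,dc=example,dc=com

dn: uid=mmueller,ou=people,dc=example,dc=com
customerUserID:: RTEwMDM=
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attribute: [values]}) per LDIF entry."""
    unfolded = text.replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        if dn:
            yield dn, attrs

def audit_id_attribute(ldif_text, attr="customerUserID"):
    """Return (unusable_dns, duplicates) for the attribute that will become the GUID."""
    seen, unusable = defaultdict(list), []
    for dn, attrs in parse_ldif(ldif_text):
        values = attrs.get(attr.lower(), [])
        if len(values) != 1 or not values[0]:
            unusable.append(dn)  # missing, empty or multi-valued (schema is single-valued)
        else:
            # Assumption: compare case-insensitively so "E1001"/"e1001" is reported.
            seen[values[0].lower()].append(dn)
    return unusable, {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Both return values should be empty before the GUID mapping in step 5 is changed.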

[Screenshot: a profile with the canonical String from a dominoUNID]

[Screenshot: a profile with the customUserID as identifier]
