1050 – TDI Solutions Best Practices
with IBM Connections Deployments
Christoph Stoettner – panagenda
Christoph Stoettner
• Senior Consultant – panagenda
 IBM Notes / Domino since 1999
 IBM Connections since version 2.5 / 2009
• Many years of experience in:
 Migrations
 Administration and installation
 Performance analysis
• Joined panagenda in 2015 focusing on:
 IBM Connections deployment and optimization
 IBM Connections monitoring
• Husband of one & father of two, Bavarian
@stoeps
christoph-stoettner
Paths and General Information
• Default Values in []
 true|[false]
• valid values are true and false
• false is the Default
• <CONNECTIONS_ROOT>
 C:|D:\IBM\Connections
 /opt/IBM/Connections
• <WAS_HOME>
 C:|D:\IBM\WebSphere\AppServer
 /opt/IBM/WebSphere/AppServer
Paths and General Information
• <TDI_HOME>
 C:|D:\IBM\TDI
 /opt/IBM/TDI
• <TDISol> (I do not use TDI\V7.1.1\tdisol)
 C:|D:\IBM\TDI\tdisol
 /opt/IBM/TDI/tdisol
• <TDI_install_dir>
 C:|D:\IBM\TDI\V7.1.1
 /opt/IBM/TDI/V7.1.1
Functionality of TDISol
• Read LDAP (searchBase, searchFilter)
• Create User Profiles (internal and external)
• Update User Profiles
• Delete | Inactivate User Profiles
profiles_tdi.xml
LDAP v3
o Domino
o IBM SDS
o MS AD
o Novell eDirectory
o Oracle DS
o Sun JSDS
o DB2
o MS SQL
o Oracle DB
Install and Update TDI
• Use exactly the version and fixpack mentioned in System
Requirements
• IBM Connections 5.0:
Install and Update TDI (2)
• IBM Connections 5.5
 First version shown:
SDI 7.2
 Download now points
to TDI 7.1
 All links updated
(checked 29. Jan 2016)
Install TDI Fixpack
• Shut down TDI.
• Download and extract 7.1.1-TIV-TDI-FP0003.zip
• Read 7.1.1-TIV-TDI-FP0003.README.html (within ZIP)
• Copy UpdateInstaller.jar to <TDI_install_dir>\maintenance
If the Update Installer patch is not applied, the CE
will fail to launch after “applyupdate -rollback”
Install TDI Fixpack (2)
• On Windows:
 <TDI_install_dir>\bin\applyUpdates.bat -update TDI-7.1.1-FP0003.zip
• On Unix:
 <TDI_install_dir>/bin/applyUpdates.sh -update TDI-7.1.1-FP0003.zip
• Verify Installation
 Run the following command to verify the latest fix applied
 Windows: <TDI_install_dir>\bin\applyUpdates.bat -queryreg
 Unix/Linux: <TDI_install_dir>/bin/applyUpdates.sh -queryreg
Install and Update TDISol
• With IBM Connections 5
 No special/separate update packages for TDISol
 Extract initial version and update from
• <CONNECTIONS_ROOT>\tdisol\tdisol.zip|.tar
 Do not use TDIPopulation from Connections Wizard
• Different Formatting
• No updates
• Prior versions
 Download and Install new package from IBM Fix Central
Tips and Best Practices
• Do not copy properties from old <tdisol> or Wizard-Folder
• Apply your changes step by step
 Use Linux diff to find all changed values
 Notepad++ and Compare Plugin
• Save your properties to a version control system like git or svn
 Update after changes
Overview
map_dbrepos_from_source.properties
Map LDAP Attributes to Database Columns
(peopleDB – empinst.employee)
Source: Open Mic - Integrate IBM Connections Profiles with Tivoli Directory Integrator
profiles_tdi.properties
Settings used by Assemblyline
profiles_tdi.xml
• LDAP and DB server details
• LDAP Search filter, Search Base
TDI Engine
Profiles
Connector
PEOPLEDB
From profiles_tdi.xml
Files in TDISolution
Properties
• map_dbrepos_from_source.properties
 Definition of LDAP Attribute to Database Column mapping
• map_dbrepos_to_source.properties
 Only needed if you want to write back Profile data to LDAP
• solution.properties
 Global TDI properties (Derby DB, Keyfiles)
• profiles_tdi.properties
 Properties for TDISol Assemblyline
• validate_dbrepos_fields.properties
 Validation parameters (max and min length of values)
Mapping attributes
Map_dbrepos_from_source.properties
• Mapping of LDAP attribute to peopleDB fields
• value=null
 peopleDB field is not set
• value=attributename (e.g. email=mail)
• Be careful to not override editable fields of profiles
 description=null
 experience=null
• value={functionname}
 Value is calculated through JavaScript
Map_dbrepos_from_source.properties
• Important
 UID, GUID
• Do not map values other than UID or GUID to these DB columns
• Possible errors
 GUID ≠ {function_map_from_objectGUID} or
{function_map_from_dominoUNID}
• Group members in Communities not resolved
 UID ≠ ShortName or sAMAccountName
• In prior versions problems during deletion
Map_dbrepos_to_source.properties
• A possible way to write back changes users make in
Connections Profiles to your LDAP
• Only fields not mapped in map_dbrepos_from_source can be
written to LDAP
• Domino:
 You can’t specify which database is updated, so all writes will
end up in names.nsf
 Be careful if you use Directory Assistance
A word on
sync_updates_hash_field
sync_updates_hash_field
• Setting in profiles_tdi.properties
• Possible values
 UID(default)
 email
 GUID
• Matching accounts from LDAP and profilesDB are calculated with this
value!
• Possible Problems
 User renaming
 Reuse of mail address or shortname (uid)
sync_updates_hash_field=uid
• User is renamed
 IBM Domino: UID/Shortname is multivalue
 Microsoft Active Directory: 1. User deactivated, 2. new profile
• User retires
 Profile gets inactivated or deleted
• User is hired again (and gets his uid back)
 User is reactivated
• Another user with the same UID is hired
 Will get all data from old user account
sync_updates_hash_field=email
• User is renamed
 User gets inactivated
 New profile will be created
• User retires
 Inactivated or deleted user within Profiles
• User is hired again
 User is reactivated
• Another user with the same mail address is hired
 Will get all data from old user account
 picture, tags, community membership
sync_updates_hash_field=guid
• User is renamed
 All data synchronize with LDAP
• User retires
 Inactivated or deleted user within Profiles
 Within Domino the person document is deleted
• User is hired again
 Newly registered user has new guid
 New profile
 Duplicate login data -> no new profile
• You can use populate_from_dn_file.bat / collect_dns.bat to solve this
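The three matching behaviours above, modelled as an added example (not code from the deck or from TDISol). The functions syncAll and inheritedProfiles, the sample records and the rule that a duplicate uid or mail address blocks profile creation are assumptions of this simplified model.

```javascript
// Added illustration, not TDISol code: a simplified model of how a sync keyed
// on sync_updates_hash_field pairs directory entries with existing profiles.

// Constructed sample: the profile a former employee left behind (inactive).
function makeProfileDb() {
  return [{
    uid: 'jsmith', email: 'j.smith@example.com', guid: 'G-1001',
    displayName: 'John Smith', state: 'inactive',
    tags: ['finance'], communities: ['Board Reports']
  }];
}

// Constructed sample: a different person is registered later and receives the
// recycled uid and mail address; the directory assigns a new guid.
const LDAP_AFTER_REUSE = [{
  uid: 'jsmith', email: 'j.smith@example.com', guid: 'G-2002',
  displayName: 'Jane Smith'
}];

// Attributes owned by the directory; tags and communities belong to the profile.
const DIRECTORY_FIELDS = ['uid', 'email', 'guid', 'displayName'];

function keyOf(record, hashField) {
  return String(record[hashField]).toLowerCase();
}

// Pair every directory entry with a profile through hashField only.
function syncAll(ldapEntries, profiles, hashField) {
  const report = { created: [], updated: [], skipped: [], inactivated: [] };
  const index = new Map(profiles.map(p => [keyOf(p, hashField), p]));
  const seen = new Set();

  for (const entry of ldapEntries) {
    const key = keyOf(entry, hashField);
    seen.add(key);
    const match = index.get(key);
    if (match) {
      // Matched: directory attributes are overwritten, profile data stays.
      const previousGuid = match.guid;
      for (const f of DIRECTORY_FIELDS) match[f] = entry[f];
      match.state = 'active';
      report.updated.push({ profile: match, previousGuid });
      continue;
    }
    // No match: create, unless the login data already exists (assumed rule).
    const loginTaken = profiles.some(
      p => p.uid === entry.uid || p.email === entry.email);
    if (loginTaken) {
      report.skipped.push(entry);
      continue;
    }
    const created = Object.assign({}, entry,
      { state: 'active', tags: [], communities: [] });
    profiles.push(created);
    index.set(key, created);
    report.created.push(created);
  }

  // Active profiles whose key no longer exists in the directory.
  for (const p of profiles) {
    if (p.state === 'active' && !seen.has(keyOf(p, hashField))) {
      p.state = 'inactive';
      report.inactivated.push(p);
    }
  }
  return report;
}

// Review check: updates where the matched profile belonged to another guid,
// meaning a new directory object took over an existing profile.
function inheritedProfiles(report) {
  return report.updated.filter(u => u.previousGuid !== u.profile.guid);
}

function run(hashField) {
  const profiles = makeProfileDb();
  const report = syncAll(LDAP_AFTER_REUSE, profiles, hashField);
  return { profiles, report, inherited: inheritedProfiles(report) };
}

for (const field of ['uid', 'email', 'guid']) {
  const r = run(field);
  console.log(field, {
    updated: r.report.updated.length,
    skipped: r.report.skipped.length,
    inherited: r.inherited.map(u => u.profile.displayName + ' <- ' + u.previousGuid)
  });
}
```

With uid or email as the hash field the new person is attached to the old profile and keeps its tags and communities; with guid the entry is skipped because the login data is already taken.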
Country, Worklocation …
Country, Worklocation, Department not shown?
• You wonder why the Country is not shown in Profiles?
• Some database columns are not directly displayed
• Value in EMPINST.EMPLOYEE: PROF_ISO_COUNTRY_CODE
 Lookup in Table empinst.country
 EMPINST.COUNTRY filled with isocc.csv and fill_country.bat|sh
 Default: small char isocodes
isocc.csv (examples)
at;Austria
au;Australia
cz;Czech Republic
de;Germany
us;United States
EMPINST.COUNTRY EMPINST.EMPLOYEE
User not imported
• When your users add a country value with more than 3
characters
 Profile will not be created
 Map_dbrepos_from_source.properties
• countryCode=c
 validate_dbrepos_fields.properties
• countryCode=3
Country not displayed
• Domino LDAP reads Country (LDAP attribute c) from the Person
document -> free text field, so you will find everything there
 Capitals
 Wrong abbreviation (like USA)
 Complete country names
• Solution
 Write a JavaScript function and rewrite the value in PEOPLEDB
• Lowercase, ISO codes ...
 Change values in Person documents
 Add ISOCODES in Capitals to isocc.csv and use fill_country.bat|sh
 Customize profileDetails.ftl (and display ISOCODE)
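One way to write the rewrite function mentioned above, as an added example that is not part of the deck or of TDISol. The names normalizeCountry, auditCountries and the alias list are hypothetical, the CSV excerpt and sample values are constructed, and wiring the function into map_dbrepos_from_source.properties through the {functionname} syntax is left to the deployment.

```javascript
// Added illustration, not part of TDISol: normalise free-text country values
// to the lower-case ISO codes that isocc.csv loads into EMPINST.COUNTRY.

// Constructed excerpt in the code;name format of isocc.csv shown above.
const ISOCC_CSV = [
  'at;Austria', 'au;Australia', 'cz;Czech Republic', 'de;Germany',
  'us;United States'
].join('\n');

// Assumed alias list for wrong abbreviations found in the directory.
const ALIASES = new Map([['usa', 'us']]);

// countryCode=3 in validate_dbrepos_fields.properties
const MAX_COUNTRY_CODE_LENGTH = 3;

// Parse the CSV into a set of valid codes and a name -> code lookup.
function loadCountryTable(csv) {
  const codes = new Set();
  const byName = new Map();
  for (const line of csv.split(/\r?\n/)) {
    const sep = line.indexOf(';');
    if (sep < 1) continue; // blank or malformed line
    const code = line.slice(0, sep).trim().toLowerCase();
    const name = line.slice(sep + 1).trim().toLowerCase();
    if (code.length > MAX_COUNTRY_CODE_LENGTH) continue;
    codes.add(code);
    if (name) byName.set(name, code);
  }
  return { codes, byName };
}

// Return a known lower-case ISO code, or null when the value cannot be
// resolved, so an over-long free-text string never reaches the length check.
function normalizeCountry(raw, table) {
  if (raw === null || raw === undefined) return null;
  const value = String(raw).trim().toLowerCase();
  if (value === '') return null;
  if (table.codes.has(value)) return value;                    // "DE"
  if (table.byName.has(value)) return table.byName.get(value); // "Germany"
  const alias = ALIASES.get(value);                            // "USA"
  if (alias !== undefined && table.codes.has(alias)) return alias;
  return null;
}

// List the directory values that still need fixing in the Person documents
// or an extra alias, with the number of entries carrying each value.
function auditCountries(rawValues, table) {
  const unresolved = new Map();
  for (const raw of rawValues) {
    if (raw === null || raw === undefined || String(raw).trim() === '') continue;
    if (normalizeCountry(raw, table) === null) {
      const key = String(raw).trim();
      unresolved.set(key, (unresolved.get(key) || 0) + 1);
    }
  }
  return unresolved;
}

const COUNTRY_TABLE = loadCountryTable(ISOCC_CSV);
// Constructed sample of values as they might appear in LDAP attribute c.
const SAMPLE_VALUES = ['DE', 'Germany', 'USA', ' United States ',
  'Deutschland', 'Deutschland', ''];
console.log(SAMPLE_VALUES.map(v => normalizeCountry(v, COUNTRY_TABLE)));
console.log(auditCountries(SAMPLE_VALUES, COUNTRY_TABLE));
```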
Worklocation
• map_dbrepos_from_source.properties
 workLocationCode=l
• Copy from TDISOL/samples workloc_samples.csv to
 TDISOL/workloc.csv
• Map value from l in workloc.csv to the StreetAddress
• Format:
• Example:
• Run fill_workloc.bat|sh
Department, Organisation, EmployeeType
• Use
 Deptinfo_sample.csv & fill_department.bat|sh
• Not shown in default profileDetails.ftl (Connections 5.0)
 Emptype_sample.csv & fill_emp_type.bat|sh
 Orginfo_sample.csv & fill_organization.bat|sh
• You can use TDI to create these csv-files
 Parser: CSV
 Source: SAP, LDAP, Databases …
Example
Important properties
tdienv.bat|sh
• Configuration File for Environment variables
 export TDIPATH=/opt/IBM/TDI/V7.1.1
 set TDIPATH=D:\IBM\TDI\V7.1.1
• All Scripts in TDISOL need this to find TDI Binaries
• Check if all shell scripts (*.sh) are executable (755)
 Zipped packages often lose Linux file attributes
profiles_tdi.properties
• Main configuration
 LDAP Connection parameter
• Host
• Bind User and Password
• LDAP Search and LDAP Base
 Database parameter
• JDBC Connection String
• Database user and password
profiles_tdi.properties (2)
• Testing your configuration
 sync_updates_show_summary_only=true|[false]
• Important properties
 sync_updates_hash_field=[uid]|guid|email
 sync_store_source_url=[true]|false
 sync_source_url_enforce=true|[false]
 sync_source_url_override=true|[false]
 perform_deletion_or_inactivate_for_sync=[true]|false
 sync_delete_or_inactivate=[inactivate]|delete
validate_dbrepos_fields.properties
• Validation parameters (min and max length)
• Sometimes smaller than maximum database column definition
• Technotes exist stating that specific ones can be changed
• Do not change database columns
 Update and Migration scripts may fail
Sync_all_dns
• Hash DB entries: EMPINST.EMPLOYEE -> *.dbids
• Hash Source entries: LDAP -> *.ldiff
• Compare Values: checks 0-9.dbids with 0-9.ldiff
• Delete: delete or inactivate
• Add / Update: update, create (add)
Revoke inactive users
• Inactivating users only sets the state to inactive
• Some country laws
 demand removing pictures after some months
• After a period of time the author name is enough
Remove Profiles inactivated since n days
• Copy samples/revoke_*.* to <TDISOL>
• Edit revoke_users.properties
 keep_for_days=21
• revoke_users.bat|sh validate
 Check environment
• revoke_users.bat|sh summary
 revoke.ldif
 revoke_skip.ldif
• revoke_users.bat|sh revoke
External Users
Enable External Users
• Copy <TDISOL>, e.g. tdisol_external
• Set in both <TDISOL> to true:
 sync_store_source_url
 sync_source_url_enforce
• Prevents deactivating of Users of other <TDISOL>
 sync_source_url_override
• Tdisol_external
 External Users in different LDAP tree
 Or with special LDAP attribute
External Users in different LDAP (tree)
• Add LDAP (tree) to Federated Repository
 Users need to authenticate on WebSphere
• Change
 source_ldap_url
 source_ldap_search_base
 source_ldap_search_filter
• Add same values to
 source_ldap_url_visitor_confirm
 source_ldap_search_base_visitor_confirm
 source_ldap_search_filter_visitor_confirm
External Users in different LDAP (tree) (2)
• map_dbrepos_from_source.properties
 mode={func_mode_visitor_branch}
 Function will mark Users of this branch as External
External Users with LDAP attribute
• Define an LDAP attribute which contains ”external”
• Copy values of
 source_ldap_url
 source_ldap_search_base
 source_ldap_search_filter
• To
 source_ldap_url_visitor_confirm
 source_ldap_search_base_visitor_confirm
 source_ldap_search_filter_visitor_confirm
External Users with LDAP attribute (2)
• map_dbrepos_from_source.properties
 mode=LDAP attribute
• All values except ”external” are interpreted as Internal!
• Easier to deploy, because no additional LDAP Tree or Server is
needed
Connections 5.5
Performance Improvements
• Several new files / scripts
• Check https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_profiles_improving_sync_performance.html for details
• Performance Improvements
 Timestamp tracking
• sync_updates_use_ldap_timestamp
 Multi processing
• sync_updates_size_model
Customization
Be careful – create a documentation
• You can use TDI Editor to change or add functions
• Updates?
 Create a detailed documentation
 TEST TEST TEST
• Alternatives
 Use separate Assembly lines to add your stuff
 Sync the needed values to your LDAP
• With TDI
Troubleshooting
Log Files
• <TDISOL>/logs
 Ibmdi.log
• Main log file
 PopulateFromDNFile.log
• Log of populate_from_dn_file
 SyncUpdates.log
• Log of sync_all_dns
employee.*
• Good starting point for troubleshooting
 employee.adds
 employee.delete
 employee.error
 employee.skip
 employee.update
• sync_updates_show_summary_only = true
 Dry run of sync_all_dns -> no changes written to DB
Debugging
• profiles_tdi.properties
 debug_managers|photos|pronounce|fill_codes=true|[false]
 debug_draft|update_profile|collect|special=true|[false]
• Global Debug
 etc/log4j.properties (Default: INFO)
• log4j.rootCategory=DEBUG, Default
• Analyse TDISOL/logs/ibmdi.log
Adding Root Certificates to TDISol
• If you want to use LDAPS
• Edit solution.properties
 Uncomment
• javax.net.ssl.trustStore=key.jks
• {protect}-javax.net.ssl.trustStorePassword=keystore-password
• javax.net.ssl.trustStoreType=jks
• Create Keyfile & Add CA Certificate
 $JAVA_HOME/jre/bin/keytool
 keytool -import -alias <some string> -keystore key.jks -file your-key.pem
Populate Users with separate commands
• Use collect_dns.bat|sh to check if
 LDAP Connection is working
 Search Filter & Search Base find all users
• Populate a single user
 Delete all other from collect.dns
 Run populate_from_dn_file.bat|sh
• This shows that DB Connection is working
• No delete or inactivate, just create & update
• Iterate on $DN -> solves issues with different GUID
Collect_dns & Populate_from_dn_file
• collect_dns.bat: collects users from the source (Search Filter, Search Base)
• creates collect.dns: contains the list of user DNs
• populate_from_dn_file.bat: iterates on DN and writes changes to the database (Update Profile, Create Profile)
Links
• IBM Fix Central – http://www-933.ibm.com/support/fixcentral
• Open Mic: Integrate IBM Connections Profiles with Tivoli Directory Integrator - http://www-01.ibm.com/support/docview.wss?uid=swg27047226&aid=1
Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational
purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to
verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM
shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this
presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms
and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved.
Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect
of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Acknowledgements and Disclaimers cont.
© Copyright IBM Corporation 2015. All rights reserved.
• U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
• IBM, the IBM logo, ibm.com, WebSphere and DB2 are trademarks or registered trademarks of International Business Machines Corporation in the United
States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (®
or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may
also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark
information” at www.ibm.com/legal/copytrade.shtml
• Microsoft, Windows are registered trademarks of Microsoft
• Linux is a registered trademark of Linus Torvalds.
• Oracle, Sun and Java are registered trademarks of Oracle.
• Other company, product, or service names may be trademarks or service marks of others.
Thank you

1050: TDI Solutions Best Practises with IBM Connections Deployments - IBM Connect 2016

  • 1. 1050 – TDI Solutions Best Practices with IBM Connections Deployments Christoph Stoettner – panagenda
  • 2. Christoph Stoettner • Senior Consultant – panagenda  IBM Notes / Domino since 1999  IBM Connections since version 2.5 / 2009 • Many years of experience in:  Migrations  Administration und installation  Performance analysis • Joined panagenda in 2015 focusing in:  IBM Connections deployment und optimization  IBM Connections monitoring • Husband of one & father of two, Bavarian a @stoeps j christoph-stoettner
  • 3. Paths and General informations • Default Values in []  true|[false] • valid values are true and false • false is the Default • <CONNECTIONS_ROOT>  C:|D:IBMConnections  /opt/IBM/Connections • <WAS_HOME>  C:|D:IBMWebSphereAppServer  /opt/IBM/WebSphere/AppServer
  • 4. Paths and General informations • <TDI_HOME>  C:|D:IBMTDI  /opt/IBM/TDI • <TDISol> (I do not use TDIV7.1.1tdisol)  C:|D:IBMTDItdisol  /opt/IBM/TDI/tdisol • <TDI_install_dir>  C:|D:IBMTDIV7.1.1  /opt/IDM/TDI/V7.1.1
  • 5. Functionality of TDISol • Read LDAP (searchBase, searchFilter) • Create User Profiles (internal and external) • Update User Profiles • Delete | Inactivate User Profiles profiles_tdi.xml LDAP v3 o Domino o IBM SDS o MS AD o Novell eDirectory o Oracle DS o Sun JSDS o DB2 o MS SQL o Oracle DB
  • 6. Install and Update TDI • Use exactly the version and fixpack mentioned in System Requirements • IBM Connections 5.0:
  • 7. Install and Update TDI (2) • IBM Connections 5.5  First version shown: SDI 7.2  Download now points to TDI 7.1  All links updated (checked 29. Jan 2016)
  • 8. Install TDI Fixpack • Shut down TDI. • Download and extract 7.1.1-TIV-TDI-FP0003.zip • Read 7.1.1-TIV-TDI-FP0003.README.html (within ZIP) • Copy UpdateInstaller.jar to <TDI_install_dir>maintenance If the Update Installer patch is not applied the CE will fail to launch after “applyupdate –rollback”
  • 9. Install TDI Fixpack (2) • On Windows:  <TDI_install_dir>binapplyUpdates.bat -update TDI–7.1.1-FP0003.zip • On Unix :  <TDI_install_dir>/bin/applyUpdates.sh -update TDI–7.1.1-FP0003.zip • Verify Installation  Run the following command to verify the latest fix applied  Windows: <TDI_install_dir>binapplyUpdates.bat -queryreg  Unix/Linux: <TDI_install_dir>/bin/applyUpdates.sh -queryreg
  • 10. Install and Update TDISol • With IBM Connections 5  No special/separate update packages for TDISol  Extract initial version and update from • <CONNECTIONS_ROOT>tdisoltdisol.zip|.tar  Do not use TDIPopulation from Connections Wizard • Different Formatting • No updates • Prior versions  Download and Install new package from IBM Fix Central
  • 11. Tips and Best Practices
    • Do not copy properties from old <tdisol> or Wizard folder
    • Apply your changes step by step
      - Use Linux diff to find all changed values
      - Notepad++ and Compare Plugin
    • Save your properties to a version control system like git or svn
      - Update after changes
  • 12. Overview map_dbrepos_from_source.properties Map LDAP Attributes to Database Columns (peopleDB – empinst.employee) Source: Open Mic - Integrate IBM Connections Profiles with Tivoli Directory Integrator profiles_tdi.properties Settings used by Assemblyline profiles_tdi.xml • LDAP and DB server details • LDAP Search filter, Search Base TDI Engine Profiles Connector PEOPLEDB From profiles_tdi.xml
  • 14. Properties
    • map_dbrepos_from_source.properties
      - Definition of LDAP attribute to database column mapping
    • map_dbrepos_to_source.properties
      - Only needed if you want to write back Profile data to LDAP
    • solution.properties
      - Global TDI properties (Derby DB, Keyfiles)
    • profiles_tdi.properties
      - Properties for TDISol Assemblyline
    • validate_dbrepos_fields.properties
      - Validation parameters (max and min length of values)
  • 16. map_dbrepos_from_source.properties
    • Mapping of LDAP attribute to peopleDB fields
    • value=null
      - peopleDB field is not set
    • value=attributename (e.g. email=mail)
    • Be careful not to override editable fields of profiles
      - description=null
      - experience=null
    • value={functionname}
      - Value is calculated through JavaScript
  • 17. map_dbrepos_from_source.properties
    • Important
      - UID, GUID
        • Do not map other values as UID or GUID to these DB columns
    • Possible errors
      - GUID ≠ {function_map_from_objectGUID} or {function_map_from_dominoUNID}
        • Group members in Communities not resolved
      - UID ≠ ShortName or sAMAccountName
        • In prior versions, problems during deletion
  • 18. map_dbrepos_to_source.properties
    • A possible way to write back changes users make in Connections Profiles to your LDAP
    • Only fields not mapped in map_dbrepos_from_source can be written to LDAP
    • Domino:
      - You can't specify which database is updated, so all writes will end up in names.nsf
      - Be careful if you use Directory Assistance
  • 20. sync_updates_hash_field
    • Setting in profiles_tdi.properties
    • Possible values
      - UID (default)
      - email
      - GUID
    • Matching accounts from LDAP and profilesDB are calculated with this value!
    • Possible problems
      - User renaming
      - Reuse of mail address or shortname (uid)
  • 21. sync_updates_hash_field=uid
    • User is renamed
      - IBM Domino: UID/Shortname is multivalue
      - Microsoft Active Directory: 1. User deactivated, 2. new profile
    • User retires
      - Profile gets inactivated or deleted
    • User is hired again (and gets his uid back)
      - User is reactivated
    • Other user with same UID is hired
      - Will get all data from old user account
  • 22. sync_updates_hash_field=email
    • User is renamed
      - User gets inactivated
      - New profile will be created
    • User retires
      - Inactivated or deleted user within Profiles
    • User is hired again
      - User is reactivated
    • Other user with same mail address is hired
      - Will get all data from old user account
      - Picture, tags, community membership
  • 23. sync_updates_hash_field=guid
    • User is renamed
      - All data synchronize with LDAP
    • User retires
      - Inactivated or deleted user within Profiles
      - Within Domino the person document is deleted
    • User is hired again
      - Newly registered user has new guid
      - New profile
      - Duplicate login data -> no new profile
    • You can use populate_from_dn_file.bat / collect_dns.bat to solve this
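The identifier-reuse outcomes from slides 21 to 23, as an added JavaScript model (not TDISol code and not part of the presentation). The `sync` function, the record layout and the sample data are constructed for illustration, and the matching is a simplification of what sync_all_dns does.

```javascript
// Added illustration: simplified model of sync matching, not TDISol code.
// Constructed sample data; field names (uid, email, guid) follow the slides.
function sync(profiles, ldapEntries, hashField) {
  const db = profiles.map(p => ({ ...p }));          // never touch the input
  const actions = [];
  const byKey = new Map(
    ldapEntries.map(e => [String(e[hashField]).toLowerCase(), e]));
  const matched = new Set();

  for (const p of db) {
    const key = String(p[hashField]).toLowerCase();
    const e = byKey.get(key);
    if (e) {
      matched.add(key);
      const verb = p.state === 'inactive' ? 'reactivate' : 'update';
      // The existing row (photo, tags, memberships) is kept and re-labelled.
      Object.assign(p, { uid: e.uid, email: e.email, guid: e.guid, state: 'active' });
      actions.push(`${verb} ${e.uid} (keeps: ${p.data.join(', ')})`);
    } else if (p.state === 'active') {
      p.state = 'inactive';
      actions.push(`inactivate ${p.uid}`);
    }
  }
  for (const [key, e] of byKey) {
    if (matched.has(key)) continue;
    const clash = db.find(p => p.uid === e.uid || p.email === e.email);
    if (clash) {
      actions.push(`error ${e.uid}: duplicate login data, no new profile`);
    } else {
      db.push({ ...e, state: 'active', data: [] });
      actions.push(`create ${e.uid}`);
    }
  }
  return actions;
}

// Constructed scenario: jdoe left (profile inactive); a different person is
// later hired and receives the same uid and mail address but a new GUID.
const profilesDb = [
  { uid: 'jdoe', email: 'jdoe@example.com', guid: 'guid-old', state: 'inactive',
    data: ['photo', 'tags', 'community memberships'] },
];
const ldapNow = [{ uid: 'jdoe', email: 'jdoe@example.com', guid: 'guid-new' }];

function compareHashFields() {
  return Object.fromEntries(
    ['uid', 'email', 'guid'].map(f => [f, sync(profilesDb, ldapNow, f)]));
}
console.log(compareHashFields());
```

With uid or email as the hash field the new hire silently takes over the old profile's content; with guid the takeover is avoided but the create step collides with the leftover login data, which is the case the slide resolves with collect_dns and populate_from_dn_file.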
  • 25. Country, Worklocation, Department not shown?
    • You wonder why the Country is not shown in Profiles?
    • Some database columns are not directly displayed
    • Value in EMPINST.EMPLOYEE: PROF_ISO_COUNTRY_CODE
      - Lookup in table empinst.country
      - EMPINST.COUNTRY filled with isocc.csv and fill_country.bat|sh
      - Default: lower-case ISO codes
    • isocc.csv (examples)
      - at;Austria
      - au;Australia
      - cz;Czech Republic
      - de;Germany
      - us;United States
    • Diagram labels: EMPINST.COUNTRY, EMPINST.EMPLOYEE
  • 26. User not imported
    • When your users add a country value with more than 3 characters
      - Profile will not be created
      - map_dbrepos_from_source.properties
        • countryCode=c
      - validate_dbrepos_fields.properties
        • countryCode=3
  • 27. Country not displayed
    • Domino LDAP reads Country (LDAP attribute c) from Person document -> free text field, so you will find everything there
      - Capitals
      - Wrong abbreviation (like USA)
      - Complete country names
    • Solution
      - Write a JavaScript function and rewrite the value in PEOPLEDB
        • Lowercase, ISO codes ...
      - Change values in Person documents
      - Add ISO codes in capitals to isocc.csv and use fill_country.bat|sh
      - Customize profileDetails.ftl (and display ISO code)
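One way to write the normalization that slide 27 suggests, as an added example rather than code from the presentation or from TDISol. The function names, the alias list and the embedded isocc.csv excerpt are assumptions; wiring the function into a {functionname} mapping in map_dbrepos_from_source.properties is not shown.

```javascript
// Added illustration, not TDISol code. Sample data below is constructed.
// Excerpt in the isocc.csv format from slide 25 (lower-case code;name).
const ISOCC_CSV = `at;Austria
au;Australia
cz;Czech Republic
de;Germany
us;United States`;

// Hypothetical alias list for values found in free-text Person documents.
const ALIASES = new Map([['usa', 'us'], ['deutschland', 'de']]);

// Mirrors countryCode=3 in validate_dbrepos_fields.properties.
const MAX_COUNTRY_CODE_LENGTH = 3;

function loadCountryTable(csv) {
  const byCode = new Map();
  const byName = new Map();
  for (const line of csv.split(/\r?\n/)) {
    const [code, name] = line.split(';').map(s => s.trim());
    if (!code || !name) continue;            // skip blank or malformed rows
    byCode.set(code.toLowerCase(), name);
    byName.set(name.toLowerCase(), code.toLowerCase());
  }
  return { byCode, byName };
}

// Returns a lower-case code that exists in the table, or null when the value
// cannot be resolved (so an over-long value never reaches validation).
function normalizeCountry(raw, table) {
  if (raw === null || raw === undefined) return null;
  const v = String(raw).trim().toLowerCase();
  if (v === '') return null;
  const code = table.byCode.has(v) ? v
    : (table.byName.get(v) ?? ALIASES.get(v) ?? null);
  if (code === null || code.length > MAX_COUNTRY_CODE_LENGTH) return null;
  return table.byCode.has(code) ? code : null;
}

const countryTable = loadCountryTable(ISOCC_CSV);
for (const sample of ['DE', 'USA', 'Czech Republic', ' at ', 'Atlantis', '']) {
  console.log(JSON.stringify(sample), '->', normalizeCountry(sample, countryTable));
}
```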
  • 28. Worklocation
    • map_dbrepos_from_source.properties
      - workLocationCode=l
    • Copy from TDISOL/samples workloc_samples.csv to
      - TDISOL/workloc.csv
    • Map value from l in workloc.csv to the StreetAddress
    • Format:
    • Example:
    • Run fill_workloc.bat|sh
  • 29. Department, Organisation, EmployeeType
    • Use
      - Deptinfo_sample.csv & fill_department.bat|sh
        • Not shown in default profileDetails.ftl (Connections 5.0)
      - Emptype_sample.csv & fill_emp_type.bat|sh
      - Orginfo_sample.csv & fill_organization.bat|sh
    • You can use TDI to create these csv files
      - Parser: CSV
      - Source: SAP, LDAP, Databases …
  • 32. tdienv.bat|sh
    • Configuration file for environment variables
      - export TDIPATH=/opt/IBM/TDI/V7.1.1
      - set TDIPATH=D:\IBM\TDI\V7.1.1
    • All scripts in TDISOL need this to find the TDI binaries
    • Check if all shell scripts (*.sh) are executable (755)
      - Zipped packages often lose Linux file attributes
  • 33. profiles_tdi.properties
    • Main configuration
      - LDAP connection parameters
        • Host
        • Bind user and password
        • LDAP Search and LDAP Base
      - Database parameters
        • JDBC connection string
        • Database user and password
  • 34. profiles_tdi.properties (2)
    • Testing your configuration
      - sync_updates_show_summary_only=true|[false]
    • Important properties
      - sync_updates_hash_field=[uid]|guid|email
      - sync_store_source_url=[true]|false
      - sync_source_url_enforce=true|[false]
      - sync_source_url_override=true|[false]
      - perform_deletion_or_inactivate_for_sync=[true]|false
      - sync_delete_or_inactivate=[inactivate]|delete
  • 35. validate_dbrepos_fields.properties
    • Validation parameters (min and max length)
    • Sometimes smaller than the maximum database column definition
    • There are Technotes stating that specific ones can be changed
    • Do not change database columns
      - Update and migration scripts may fail
  • 36. sync_all_dns
    • Hash DB entries
      - EMPINST.EMPLOYEE *.dbids
    • Hash Source entries
      - LDAP *.ldiff
    • Compare Values
      - Checks 0-9.dbids with 0-9.ldiff
    • Delete
      - Delete or inactivate
    • Add / Update
      - Update
      - Create (Add)
  • 37. Revoke inactive users
    • Inactivating users only adds the state inactive
    • Some country laws
      - demand removing pictures after some months
    • After a period of time the author name is enough
  • 38. Remove Profiles inactivated since n days
    • Copy samples/revoke_*.* to <TDISOL>
    • Edit revoke_users.properties
      - keep_for_days=21
    • revoke_users.bat|sh validate
      - Check environment
    • revoke_users.bat|sh summary
      - revoke.ldif
      - revoke_skip.ldif
    • revoke_users.bat|sh revoke
  • 40. Enable External Users
    • Copy <TDISOL>, e.g. tdisol_external
    • Set in both <TDISOL> to true:
      - sync_store_source_url
      - sync_source_url_enforce
        • Prevents deactivating of users of other <TDISOL>
      - sync_source_url_override
    • tdisol_external
      - External users in different LDAP tree
      - Or with special LDAP attribute
  • 41. External Users in different LDAP (tree)
    • Add LDAP (tree) to Federated Repository
      - Users need to authenticate on WebSphere
    • Change
      - source_ldap_url
      - source_ldap_search_base
      - source_ldap_search_filter
    • Add same values to
      - source_ldap_url_visitor_confirm
      - source_ldap_search_base_visitor_confirm
      - source_ldap_search_filter_visitor_confirm
  • 42. External Users in different LDAP (tree) (2)
    • map_dbrepos_from_source.properties
      - mode={func_mode_visitor_branch}
      - Function will mark users of this branch as External
  • 43. External Users with LDAP attribute
    • Define an LDAP attribute which contains "external"
    • Copy values of
      - source_ldap_url
      - source_ldap_search_base
      - source_ldap_search_filter
    • To
      - source_ldap_url_visitor_confirm
      - source_ldap_search_base_visitor_confirm
      - source_ldap_search_filter_visitor_confirm
  • 44. External Users with LDAP attribute (2)
    • map_dbrepos_from_source.properties
      - mode=LDAP attribute
        • All values except "external" are interpreted as Internal!
    • Easier to deploy, because no additional LDAP tree or server is needed
  • 46. Performance Improvements
    • Several new files / scripts
    • Check https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_profiles_improving_sync_performance.html for details
    • Performance Improvements
      - Timestamp tracking
        • sync_updates_use_ldap_timestamp
      - Multi processing
        • sync_updates_size_model
  • 48. Be careful – create a documentation
    • You can use TDI Editor to change or add functions
    • Updates?
      - Create a detailed documentation
      - TEST TEST TEST
    • Alternatives
      - Use separate Assembly lines to add your stuff
      - Sync the needed values to your LDAP
        • With TDI
  • 50. Log Files
    • <TDISOL>/logs
      - ibmdi.log
        • Main log file
      - PopulateFromDNFile.log
        • Log of populate_from_dn_file
      - SyncUpdates.log
        • Log of sync_all_dns
  • 51. employee.*
    • Good starting point for troubleshooting
      - employee.adds
      - employee.delete
      - employee.error
      - employee.skip
      - employee.update
    • sync_updates_show_summary_only = true
      - Dry run of sync_all_dns -> no changes written to DB
  • 52. Debugging
    • profiles_tdi.properties
      - debug_managers|photos|pronounce|fill_codes=true|[false]
      - debug_draft|update_profile|collect|special=true|[false]
    • Global Debug
      - etc/log4j.properties (Default: INFO)
        • log4j.rootCategory=DEBUG, Default
    • Analyse TDISOL/logs/ibmdi.log
  • 53. Adding Root Certificates to TDISol
    • If you want to use LDAPS
    • Edit solution.properties
      - Uncomment
        • javax.net.ssl.trustStore=key.jks
        • {protect}-javax.net.ssl.trustStorePassword=keystore-password
        • javax.net.ssl.trustStoreType=jks
    • Create Keyfile & Add CA Certificate
      - $JAVA_HOME/jre/bin/keytool
      - keytool -import -alias <some string> -keystore key.jks -file your-key.pem
  • 54. Populate Users with separate commands
    • Use collect_dns.bat|sh to check if
      - LDAP connection is working
      - Search Filter & Search Base find all users
    • Populate a single user
      - Delete all others from collect.dns
      - Run populate_from_dn_file.bat|sh
        • This shows that the DB connection is working
        • No delete or inactivate, just create & update
        • Iterate on $DN -> solves issues with different GUID
  • 55. collect_dns & populate_from_dn_file
    • collect_dns.bat
      - Collect users from source
        • Search Filter
        • Search Base
      - Creates collect.dns
        • Contains list of user DNs
    • populate_from_dn_file.bat
      - Iterate on DN, write changes to database
        • Update Profile
        • Create Profile
  • 56. Links
    • IBM Fix Central – http://www-933.ibm.com/support/fixcentral
    • Open Mic: Integrate IBM Connections Profiles with Tivoli Directory Integrator - http://www-01.ibm.com/support/docview.wss?uid=swg27047226&aid=1
  • 58. Acknowledgements and Disclaimers cont. © Copyright IBM Corporation 2015. All rights reserved. • U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. • IBM, the IBM logo, ibm.com, WebSphere and DB2 are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml • Microsoft, Windows are registered trademarks of Microsoft • Linux is a registered trademark of Linus Torvalds. • Oracle, Sun and Java are registered trademarks of Oracle. • Other company, product, or service names may be trademarks or service marks of others.