Improving directory synchronization
Added by IBM on February 11, 2013 | Version 1 (Original)
Use this procedure to help keep track of users as they transition from part-time to full-time or from one country to another and enable your IBM® Tivoli® Directory Integrator solution to handle actions that could otherwise lead to orphaned user data.
Before you begin
To strengthen your Tivoli Directory Integrator (TDI) scripts, your organization must maintain data in the LDAP directory that allows you to connect the old employee record with the new employee record.
About this task
Certain HR-related actions can result in orphaned user data by causing the value in the uid field in the LDAP directory to change. Tivoli Directory Integrator uses the uid field to synchronize data, so any action that changes the value of the field causes the user to appear as a completely new user to the Tivoli Directory Integrator scripts. Examples of HR actions that can have this effect include moving users from part-time to full-time or from one country to another country.
To strengthen your Tivoli Directory Integrator solution, define and use a custom assembly line that specifies the delete logic to use to identify when a user needs to be deleted from the Profiles database.
- Configure your development environment for creating a delete logic script by following the steps in the topic, Setting up your development environment.
- Define an assembly line that contains your delete logic in the file.
Your assembly line must return one of the following values:
- remove. Specifies that the current entry should be added to the delete list.
- updated. Specifies that the current entry should be updated, not deleted.
These values are case-sensitive.
Return the value as follows:
- Retrieve the checkResult attribute field from the work object into your assembly line. The attribute name is case-sensitive.
- Set your checking result to the value of the checkResult attribute.
checkingResult = work.getAttribute("checkResult");
For more information about how to create an assembly line, go to the following web page: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDI.doc_7.0/CreatingyourfirstassemblyLine.htm
- Use the publish feature to export the assembly line as a Tivoli Directory Integrator adapter.
- Right-click the assembly line in the Navigator and select Publish.
- Enter the name of the adapter in the Package ID field.
- Specify the following directory in the File Path field, and then click Finish.
- Add a reference to the profiles property store to your adapter files by running the fixup_tdi_adapters.sh or fixup_tdi_adapters.bat command.
Note: This reference is required to use the Profiles Tivoli Directory Integrator adapter. Even if you do not believe that your adapter file requires access to the profiles property store, there is no penalty for adding the reference so it is strongly advised that you run this command regardless.
- Open the profiles_tdi.properties file from the following location:
- Set the following properties in the file:
Specifies whether your checking assembly line is used. When set to true, your deletion-checking assembly line is used. When set to false, the checking operation is not performed. The default value is false.
Specifies the name of your checking assembly line:
By default, the assembly line's name is set to sync_all_dns_check_if_remove.
For example, if you publish the assembly line with the file name deleteCheckRoutines and the assembly line is example_check_if_user_really_deleted, use the following statement to set this property:
Controls what happens to a user record when the delete action is performed. This property can be set to one of the following values:
- delete. Specifies that the user record is deleted.
- inactivate. Specifies that the user record is inactivated.
The inactive status is propagated to the member and login tables for all the applications. An event is generated for each of the following: Activities, Blogs, Bookmarks, Communities, Files, Forums, Profiles, Wikis, and News (which includes both Home page and Search). These events inactivate the user in every application by removing the user from the login tables and setting the user's status to 1 in all member tables.
These values are case-sensitive so type them with care. The default value is inactivate.
- Save your changes to the profiles_tdi.properties file.
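One way to write the delete logic described under "Return the value as follows", as an added example that is not IBM's code. It assumes a stable link attribute named employeeNumber is present on the work entry, that the set of link IDs currently in LDAP has already been loaded, and that the result is written back with setValue on the checkResult attribute; the Entry and Attribute classes are stand-ins so the script runs outside TDI.

```javascript
// Added example: runs under Node.js. Entry and Attribute below are minimal
// stand-ins for the TDI objects; inside TDI, `work` is supplied by the server.
const REMOVE = "remove";    // case-sensitive: entry goes on the delete list
const UPDATED = "updated";  // case-sensitive: entry is updated, not deleted
const LINK_ATTR = "employeeNumber"; // assumption: stable ID kept across uid changes

class Attribute {
  constructor(value) { this.value = value; }
  getValue() { return this.value; }
  setValue(value) { this.value = value; }
}
class Entry {
  constructor(attrs) {
    this.attrs = new Map(Object.entries(attrs).map(([k, v]) => [k, new Attribute(v)]));
  }
  getAttribute(name) { return this.attrs.get(name) || null; }
  getString(name) {
    const a = this.getAttribute(name);
    return a && a.getValue() != null ? String(a.getValue()) : null;
  }
}

// Normalize the link value so " e1001 " and "E1001" compare equal
// (assumption: link IDs are not case-significant).
function normalizeLinkId(raw) {
  return raw == null ? "" : String(raw).trim().toUpperCase();
}

// Decide what happens to a Profiles record whose uid is gone from LDAP.
// currentLinkIds: Set of normalized link IDs present in LDAP right now.
function decideCheckResult(linkId, currentLinkIds) {
  const id = normalizeLinkId(linkId);
  if (id === "") return REMOVE;            // no link data: cannot prove a match
  return currentLinkIds.has(id) ? UPDATED : REMOVE;
}

// The check itself: read the entry, decide, write the result to checkResult.
function runDeleteCheck(work, currentLinkIds) {
  const checkingResult = work.getAttribute("checkResult");
  if (checkingResult === null) throw new Error("checkResult attribute missing");
  checkingResult.setValue(decideCheckResult(work.getString(LINK_ATTR), currentLinkIds));
  return checkingResult.getValue();
}

// Constructed sample data: E1001 moved country (new uid), E2002 left.
const ldapNow = new Set(["E1001", "E3003"].map(normalizeLinkId));
const moved = new Entry({ uid: "jdoe-fr", employeeNumber: " e1001 ", checkResult: "" });
const left = new Entry({ uid: "asmith", employeeNumber: "E2002", checkResult: "" });
console.log(runDeleteCheck(moved, ldapNow), runDeleteCheck(left, ldapNow));
```

A record with no link value returns remove, so with the default inactivate setting an unlinkable account loses its login rather than lingering as orphaned data.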