5.4.4 Creating the Person to DN mapping
Added by Steven Kalmar on September 20, 2013 | Version 1 (Original)
This section covers the creation of the person DN mapping file. In this example we are creating a mapping between the person DN in the native Domino directory and the DN in the Active Directory LDAP. To generate such a mapping, a unique attribute must be chosen that exists in both directories. In this example we use the email address, as it is unique in both directories. This AssemblyLine uses LDAP to access the person entries in the native Domino directory. There are other methods of accessing the person entries besides LDAP, such as DIIOP or the Notes API via the Notes client. Each method has its pros and cons. Since we are only interested in finding the DN by searching on the email address, loading the LDAP task on the Domino server is the simplest method. The LDAP server only needs to be loaded on a Domino server that contains a replica of the Domino directory that is shared with Quickr Domino. The LDAP bind ID only requires read access.
Create the Person DN mapping files
- Return to the TDI Configuration Editor. Right click on AssemblyLines and choose New AssemblyLine.
- Enter CreateUserDNMapping for the new AssemblyLine name and click Finish.
- Click Add Component.
- Enter ldap in the search box and select LDAP Connector from the Components list. Change the name to ConnectionsLDAP and set the mode to Iterator. Click Next.
- Since this TDISOL installation is already configured to connect to the LDAP servers, those same references from the properties file can be used here. Properties are used by clicking on the labels, as shown below. By using the properties we can more easily change these parameters in a single properties file rather than having to modify the connectors manually.
- Select the Use Property option. Select the source_ldap_url property from the list. Click OK.
- Repeat the process for the following labels:
  - Login username
  - Login password
  - Search base
  - Search filter
- The values from the properties file are populated to the connector configuration. The values are now managed in the properties file rather than the connector configuration. Click Finish.
- Select the Input Map tab and click Connect.
- Click Next several times to iterate through the list of LDAP entries. The LDAP schema is automatically populated by the attributes retrieved from each entry. Click Close to close the session.
- Drag the $dn and mail attributes from the Schema list to the Work Attribute column.
- Click Add component.
- Create another LDAP Connector called DominoLDAP and click Next. Click on the LDAP URL label.
- Select Use Property. New properties are created since the TDISOL environment is not configured to access the Quickr Domino LDAP server. Click Add property.
- Select profiles.tdiproperties for the Store Name. Enter quickr_domino_ldap_url for the property name and ldap://quickr01.itso.ibm.com:389 for the value.
- Verify the information previously entered and click OK.
- Repeat the process for the following labels:
  - LDAP user login
  - User login password
- Clear the Search Base and set the Search Filter to mail=*. This returns only person entries that contain an email address.
- Click Connect to verify that we can access the directory. Click Next several times to populate the Schema attribute list. Click Close to close the connection.
- Drag the $dn attribute to the Work Attribute column of the Input Map. Rename the $dn entry in the Work Attribute column to QuickrDN.
- Click the Link Criteria tab. Click Add. Select mail on the left side (Quickr Domino) and $mail (Connections LDAP) on the right. If there is a different set of attributes that are used to link the Domino and Active Directory users, use those attributes here. Be sure to add the new attribute to the Input Map of the iterator.
- Because we added a new property that contains a password, we can encrypt the password to remove the clear text password from the property file. Open the profiles property file (reload if prompted). Locate the new password property and change the value in the Protected column to true. Click Send the properties to Server and save the changes.
- The password hash can be viewed by clicking on the value.
- Select the DominoLDAP connector. Select the Hooks tab and check the On No Match checkbox under DataFlow - Lookup. Enter the following in the text box. Execution flows to this hook when no match is found in the Quickr Domino LDAP. The mail address of the entry that cannot be located is printed in the log and execution continues with the next LDAP entry in the iterator.
- An exception is generated and the processing stops if you do not trap for the possibility of returning multiple entries for a particular mail address. These lines in the On Multiple Entries hook print the error to the log file and continue execution with the next entry in the iterator. In a perfect world this hook should never execute, as the email address in the Domino Directory should be unique. However, it is prudent to trap for it.
- Click Add Component. Enter file in the search box and select the File System Connector from the Components list. Name it WriteDNMapping, select AddOnly as the mode, and click Next.
- Set the file name to person_mapping.csv. The file name is relative to the TDI solutions directory, which is /root/QuickrMig/TDI. Click Next.
- Select CSV Parser.
- The Field Separator should be ';' by default. Expand the Advanced section.
- Enter QuickrDN followed by $dn in the Field Names box. The order must be as shown. Uncheck Enable Quoting and Write header. Add UTF-8 to the Character Encoding field. Click Finish.
- Double click the "[Empty map.." text in the Output Map.
- Select $dn and QuickrDN and click OK.
- The output map should be as follows.
- Click Add Component. Enter "if" in the search box and select the IF component. Set the name to IfNoMail and click Next.
- Click Add. Select mail from the Attribute list, check Not, and set the operator to "has value(s)". Click Finish. This sets the conditional to true if the mail attribute is missing, empty, or null.
- Click Yes to add a new branch. This new branch executes if the previous IF component's conditional returns true.
- Check the Scripts radio button and select the Empty Script component. Set the name to SkipEntry and click Finish.
- Enter system.skipEntry(); in the text box. This causes the execution to continue to the next entry in the ConnectionsLDAP iterator.
- Drag the newly created IF component directly in front of the DominoLDAP connector.
- Select the WriteDNMapping component and select the Hooks tab. Check the Before Execute hook and enter the following line. Since Quickr is using native Domino authentication, we need to convert the LDAP DN format to the Notes name format. This is done by replacing the "," with "/". If Domino LDAP is used for Quickr authentication, then this line can be removed.
- Save the AssemblyLine and click Run in console. The output is shown below. In this example there are only nine accounts with valid email addresses in Active Directory.
- Examine the contents of the person_mapping.csv file in the /root/QuickrMig/TDI directory. The contents should be similar to the following.
CN=Matt Ayer/O=itso;CN=Matt Ayer,OU=ITSO,DC=ad,DC=ITSO,DC=net
CN=Amy Blanks/O=itso;CN=Amy Blanks,OU=ITSO,DC=ad,DC=ITSO,DC=net
CN=Peter Brown/O=itso;CN=Peter Brown,OU=ITSO,DC=ad,DC=ITSO,DC=net
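The following is an added offline model of the CreateUserDNMapping AssemblyLine built above; it is example code, not TDI script or anything from the original page. It walks constructed Active Directory and Domino entries (the names and addresses are made up), applies the IfNoMail skip, the mail Link Criteria, the On No Match and On Multiple Entries behaviour, the comma-to-slash conversion from the Before Execute hook, and writes the ';'-separated, unquoted, header-less person_mapping.csv rows. It matches mail case-insensitively, which is how the standard LDAP mail attribute compares; a duplicate address is rejected rather than mapped, because mapping content to the wrong identity is worse than leaving a row out.

```python
# Added example: offline model of the CreateUserDNMapping flow. Not TDI code.

# Constructed sample entries standing in for the ConnectionsLDAP iterator
# (Active Directory) and the DominoLDAP lookup; not real directory data.
AD_ENTRIES = [
    {"$dn": "CN=Matt Ayer,OU=ITSO,DC=ad,DC=ITSO,DC=net", "mail": "mayer@itso.ibm.com"},
    {"$dn": "CN=Amy Blanks,OU=ITSO,DC=ad,DC=ITSO,DC=net", "mail": "ablanks@itso.ibm.com"},
    {"$dn": "CN=Svc Account,OU=ITSO,DC=ad,DC=ITSO,DC=net"},                 # no mail: skipped
    {"$dn": "CN=Pat Lee,OU=ITSO,DC=ad,DC=ITSO,DC=net", "mail": "plee@itso.ibm.com"},   # no Domino match
    {"$dn": "CN=Sam Roe,OU=ITSO,DC=ad,DC=ITSO,DC=net", "mail": "SRoe@itso.ibm.com"},   # duplicate in Domino
]
DOMINO_ENTRIES = [
    {"$dn": "CN=Matt Ayer,O=itso", "mail": "mayer@itso.ibm.com"},
    {"$dn": "CN=Amy Blanks,O=itso", "mail": "ablanks@itso.ibm.com"},
    {"$dn": "CN=Sam Roe,O=itso", "mail": "sroe@itso.ibm.com"},
    {"$dn": "CN=Sam Roe,OU=Sales,O=itso", "mail": "sroe@itso.ibm.com"},
]


def ldap_dn_to_notes_name(dn):
    """Before Execute hook: native Domino authentication expects CN=x/O=y,
    so the LDAP form CN=x,O=y has its commas replaced with slashes."""
    return dn.replace(",", "/")


def create_user_dn_mapping(ad_entries, domino_entries):
    """Return (csv_rows, log_lines). csv_rows are the lines that would be
    written to person_mapping.csv in the field order QuickrDN;$dn."""
    rows, log = [], []
    for entry in ad_entries:
        mail = entry.get("mail")
        if not mail:                      # IfNoMail branch -> system.skipEntry()
            continue
        matches = [d for d in domino_entries if d["mail"].lower() == mail.lower()]
        if not matches:                   # On No Match hook: log and continue
            log.append("No Quickr Domino entry found for mail=%s" % mail)
            continue
        if len(matches) > 1:              # On Multiple Entries hook: log and continue
            log.append("Multiple Quickr Domino entries for mail=%s, skipped" % mail)
            continue
        quickr_dn = ldap_dn_to_notes_name(matches[0]["$dn"])
        # WriteDNMapping with the CSV parser: ';' separator, quoting and header off
        rows.append("%s;%s" % (quickr_dn, entry["$dn"]))
    return rows, log


if __name__ == "__main__":
    rows, log = create_user_dn_mapping(AD_ENTRIES, DOMINO_ENTRIES)
    print("\n".join(rows))
    print("\n".join(log))
```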