IBM Connections (SDI aka TDI) – Synchronize users based on group membership
The standard assembly line “sync_all_dns” synchronizes user data from an LDAP source into the IBM Connections profiles database. An LDAP filter (a standardized search expression with special LDAP syntax) is used as the selection criterion for which users get synchronized / onboarded to IBM Connections.
But in some customer projects there are more complex requirements than just using an LDAP filter. Many customers want to synchronize users based on LDAP group membership. You might say… “No problem, that's easy.” Yes, it is for Active Directory, because each user entry has the “memberOf” attribute for each group it belongs to, so you can easily use this to filter on the group the user belongs to.
But many of our customer environments use DOMINO or SDS (aka TDS), where you cannot make use of such a “memberOf” attribute. SDS provides the “ibm-allGroups” attribute, which also returns the groups the user belongs to, but this is a list of groups that you cannot create a simple LDAP filter for. My colleague Konstantin did a great job in extending the standard assembly line so that only users from a specific group get synchronized.
For this case IBM provides a mechanism to use your own iterator or lookup connector (it replaces the components that sync_all_dns uses; all the rest is the standard sync_all_dns assembly line). Here you can find a description of how this can be set up.
In our specific case, we only need to customize the iterator connector. This assembly line iterates over all LDAP users that should be synchronized to IBM Connections. When you use the standard “sync_all_dns” AL, the assembly line _internal_ldap_iterate does this job, so we'll use that one as the base for our custom iterator:
Simply copy the _internal_ldap_iterate and rename it to _custom_ldap_group_iterate:
You can also rename the LDAP iterator to “ldap_groups_iterate”. Then change the connection properties. We'll use our own properties for the group “Search Base” and group “Search Filter” and add those properties to the file “profiles_tdi.properties”:
The “ldap_group_iterator” connector delivers all group members together with all their attributes. Nested groups are resolved automatically. Some internal attributes such as “ibm-entryUuid” (we're using SDS here) cannot be resolved using this method. But we need this attribute so that “sync_all_dns” can synchronize the user (the GUID is used here as the hash value between database and LDAP). For this an additional LDAP lookup is needed (this lookup uses the standard properties that come from the profiles_tdi.properties file):
As “link criteria” we use the “dn” of the user.
Next step is to save and publish the assembly line (save it as groupsIterateAdapter.xml) in the packages folder of our tdisol directory.
Then you have to make changes to the “profiles_tdi.properties” file:
Here you specify that sync_all_dns should use our custom “_custom_ldap_group_iterate” assembly line as the repository iterator.
We add three new properties to the file “profiles_tdi.properties”:
#The base where you want to search for groups
#Filter for the groups
After this you need to run the script “fixup_tdi_adapters.sh” to bind these properties to all assembly lines in the packages folder.
You can now start “sync_all_dns” and you will only synchronize users that are part of the given (or nested) groups. Cool stuff.
Btw., inactivation / deletion also works using this AL. In my opinion this is a far better way than letting the customer create flags in LDAP for users that should be onboarded to IBM Connections.
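The selection logic of the custom iterator described above, as an added example (not the assembly line from this post and not IBM's code): nested groups are expanded to user DNs, then each DN is looked up for its “ibm-entryUuid”. The in-memory directory, the “member” attribute layout and all function names are assumptions made for illustration.

```javascript
// Constructed sample directory (DN -> entry); not real data. Keys are normalized DNs.
const directory = new Map([
  ["cn=connections-users,ou=groups,o=example",
    { member: ["cn=sales,ou=groups,o=example", "UID=Alice, ou=people, o=example"] }],
  ["cn=sales,ou=groups,o=example",            // nested group that points back at its parent
    { member: ["uid=bob,ou=people,o=example", "cn=connections-users,ou=groups,o=example",
               "uid=dave,ou=people,o=example"] }],   // dave: dangling member, no entry
  ["uid=alice,ou=people,o=example", { "ibm-entryUuid": "guid-alice" }],
  ["uid=bob,ou=people,o=example",   { "ibm-entryUuid": "guid-bob" }],
  ["uid=carol,ou=people,o=example", { "ibm-entryUuid": "guid-carol" }], // in no synced group
]);

// DNs compare case-insensitively; also drop spaces around the RDN separators.
// (Simplified: escaped commas inside attribute values are not handled.)
const normDn = (dn) => dn.trim().toLowerCase().replace(/\s*,\s*/g, ",");

// Collect user DNs below groupDn, following nested groups; `seen` stops cycles.
function expandGroup(dir, groupDn, seen = new Set()) {
  const users = new Set();
  const key = normDn(groupDn);
  if (seen.has(key)) return users;
  seen.add(key);
  for (const member of (dir.get(key) || {}).member || []) {
    const dn = normDn(member);
    const entry = dir.get(dn);
    if (entry && entry.member) expandGroup(dir, dn, seen).forEach((u) => users.add(u));
    else users.add(dn);
  }
  return users;
}

// Second step: look each member up by dn (the link criteria) to fetch the GUID.
function iterateGroupMembers(dir, groupDn) {
  const out = { sync: [], skipped: [] };
  for (const dn of [...expandGroup(dir, groupDn)].sort()) {
    const guid = (dir.get(dn) || {})["ibm-entryUuid"];
    if (guid) out.sync.push({ dn, guid });
    else out.skipped.push(dn);            // no GUID: cannot be matched to a profile
  }
  return out;
}

// Simplified model of the follow-up: profiles whose GUID left the group set.
function toInactivate(profileGuids, sync) {
  const current = new Set(sync.map((u) => u.guid));
  return profileGuids.filter((g) => !current.has(g));
}
```

Because group membership is the only gate, anyone who can edit the synced group or one of its nested groups controls who is onboarded, so those groups deserve the same change control as the profiles themselves.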
Feb 03, 2015