191 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
Automatic WebSphere plugin modification II – PowerShell for Windows
Thu, Dec 1st 2016 2
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 9
IBM Connections 5.5 CR2 released
Thu, Nov 10th 2016 3
IBM Connections – How to switch to a custom global unique ID for users
Mon, Nov 7th 2016 4
IBM Connections – add additional login attribute
Wed, Oct 12th 2016 9
IBM Connections – Set read-only access to CCM libraries
Thu, Oct 6th 2016 4
Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)
Tue, Sep 13th 2016 5
Top 10
DB2 Instance autostart does not work on SLES 12 / RHEL 7
Tue, Jul 12th 2016 10
Configuration of secret key storage in WebSphere Application Server
Thu, Mar 12th 2015 9
IBM Connections – add additional login attribute
Wed, Oct 12th 2016 9
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 9
HowTo: Change the admin password in IBM Connections
Mon, May 18th 2015 7
HTTP Outbound authentication via SAML
Tue, Oct 6th 2015 6
Files widget does not load using non US UI language
Wed, Dec 17th 2014 5
WebSphere Portal – Change WCM AD Group permissions using memberFixer
Fri, Apr 8th 2016 5
WebSphere custom TAI – Doing SSO the right way
Tue, Sep 6th 2016 5
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
Tue, Sep 13th 2016 5


IBM Connections (SDI aka TDI) – Synchronize users based on group membership
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Julius Schwarzweller    

IBM Connections (SDI aka TDI) – Synchronize users based on group membership

The standard assemblyline „sync_all_dns“ synchronizes user data from a LDAP source into IBM Connections profiles database. As selection criteria, which users get synchronized / on boarded to IBM Connections an LDAP-filter is used (a standardized search expression with special LDAP-syntax).

But in some customer projects there are more complex requirements than just using a LDAP-filter. Many customers want to synchronize users based on a LDAP group membership. You might say… „No problem, that´s easy“ ;-) Yes it is for Active directory, because each user entry has the „memberOf“ attribute for each group it belongs to so that you can easily use this to filter which group the user belongs to.

But many of our customer environments use DOMINO or SDS (aka. TDS) where you cannot make use of such a “memberOf” attribute. SDS provides the “ibm-allGroups” attribute that also returns the groups the user belongs to but this is a list of groups that you cannot create a simple LDAP filter for. My colleague Konstantin did a great job in extending the standard assembly line so that only users from a specific group get synchronized.

For this case IBM provides a mechanism to use an own iterator or lookup connector (it replaces the components that sync_all_dns uses – all the rest is standard sync_all_dns assembly line). Here you can find a description, how this can be setup

In our specific case, we only need to customize the iterator connector. This assembly line iterates over all LDAP users that should be synchronized to IBM Connections. When you use the standard “sync_all_dns” AL, the assemblyline _internal_ldap_iterate does this job… So that we’ll use this one as base for our custom iterator:

SDI1

Simply copy the _internal_ldap_iterate and rename it to _custom_ldap_group_iterate:

SDI2

You can also rename the LDAP iterator to „ldap_groups_iterate“. Then change the connection properties. We’ll use own properties for Group „Search Base“ and  Group „Search Filter“and add those properties to the file “profiles_tdi.properties”:

SDI3

The „ldap_group_iterator“ connector delivers all group members together with all attributes. Nested groups are automatically resolved. Some internal attributes such as „ibm-entryUuid“ (we`re using SDS here) cannot be resolved using this method. But we need to have this attribute so that „sync_all_dns“ can synchronize this user (GUID is used here as hash value between database and LDAP). For this an additional LDAP-lookup is needed (this lookup uses the standard properties that come from the profiles-tdi.properties file):

SDI4

As „Link-criteria“ we use the „dn“ of the user.

The assembly line has a Prolog configured, as well as some „connector hooks“ with Javascript. The configuration settings from the original „sync_all_dns“ assembly line are taken into account – whereas most of those settings are not needed in our case. We only have to make minimal changes so that our assembly line works.

Next step is to save and publish the assembly line (save it as groupsIterateAdapter.xml) in the packages folder of our tdisol directory.

Then you have to make changes to the “profiles_tdi.properties” file:

source_repository_iterator_assemblyline=groupsIterateAdapter:/AssemblyLines/_custom_ldap_group_iterate

here you specify, that sync_all_dns should use our custom “_custom_ldap_group_iterate” assembly line as repository iterator.

We add three new properties to the file “profiles_tdi.properties”:

#The base where you want to search for groups
source_ldap_groups_search_base=cn=groups,o=ldap

#Filter for the groups
source_ldap_groups_search_filter=(cn=test group)

After this you need to run the script „fixup_tdi_adapters.sh“ to bind these properties to all assembly lines in the packages folder.

You can now start „sync_all_dns“ and you will only synchronize users that are part of the given (or nested) groups. Cool stuff ;-)

Btw. inactivation / deletion also works using this AL. In my opinion this is a far better way than letting the customer create flags in LDAP for users that should be on-boarded to IBM Connections ;-)



---------------------
http://techblog.gis-ag.info/2015/02/03/ibm-connections-sdi-aka-tdi-synchronize-users-based-on-group-membership/
Feb 03, 2015
3 hits



Recent Blog Posts
2
Automatic WebSphere plugin modification II – PowerShell for Windows
Thu, Dec 1st 2016 6:54p   GIS Techblog
Automatic WebSphere plugin modification II – PowerShell for Windows Hi, some months ago I published a shell script to automatically modify the Primary / BackupServer definition in a WebSphere plugin-cfg.xml file. As we have several Windows customers we decided to transfer this script to PowerShell so that it is also useable for a Windows Cluster installation. My colleague Jan Bruns did a great job implementing this script. It basically works the same way as the Linux script: modifywasplug
9
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 2:15p   GIS Techblog
IBM Connections Docs – file preview not possible for some CCM pdf files Hi all, last week we had trouble in a customer environment using the file preview functionality for some pdf files (only those that were uploaded using CCM). Instead of a preview the message was displayed: At the same time we saw the following warning in the log: The mime-type was set to “image/pcl” instead of “application/pdf”… this mime-type is not supported by IBM Docs File viewer. We had to dig deep into th
3
IBM Connections 5.5 CR2 released
Thu, Nov 10th 2016 8:13a   GIS Techblog
IBM Connections 5.5 CR2 released Hi all, IBM released CR2 for IBM Connections 5.5: The Fix list Download the CR Database updates are mandatory (Activities, Files, Homepage, Mobile, Wikis) Filenet updates are mandatory Updates for Community Surveys (Fixes the TLS 1.2 issues) A prerequisite for CR2 is at least WAS 8.5.5 FP9 (let`s see when FP10 will be officially supported) A general step-by-step guide installing CR2 is provided by IBM. A new CR2 version of the Cognos wizard can be downloaded (y
4
IBM Connections – How to switch to a custom global unique ID for users
Mon, Nov 7th 2016 8:59a   GIS Techblog
IBM Connections – How to switch to a custom global unique ID for users Hi, many of our todays support cases is related to non-working profiles in IBM Connections. If users change their name, switch from one to another location or simply get a new account their profile in IBM Connections might get inactivated because the hash key between LDAP and database has changed. There are three possible hash keys: UID: Often a bad choice, as this might change eMail: Also a bad choice GUID: Unique I
9
IBM Connections – add additional login attribute
Wed, Oct 12th 2016 4:17a   GIS Techblog
IBM Connections – add additional login attribute Hi, last week I got the question if it is possible to use another login attribute for IBM Connections than uid, cn or email. Yes, this is possible and can be done very easy. It just needs some small adjustments (I assume that you already extended your LDAP schema and that the custom attribute is available in LDAP!!): 1. Open a wsadmin session ./wsadmin -lang jacl 2. Make a custom login attribute from LDAP known to the PersonAccount entity:
4
IBM Connections – Set read-only access to CCM libraries
Thu, Oct 6th 2016 5:28a   GIS Techblog
IBM Connections – Set read-only access to CCM libraries Hi, we are in the middle of several migrations to IBM Connections 5.5 and most of our customers come up with the question: What do I need CCM for if I can use nested folders in Files now? Many customers decide to manually migration CCM libraries to Files… This time a customer asked us if it is possible to set access to libraries to read-only so that no new files or folders are added to CCM. This is possible using the following
5
Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)
Tue, Sep 13th 2016 4:30a   GIS Techblog
Classification Score of 6.1 is moderat! Affects IBM WebSphere Application Server (IBM Portal and Connections)! If you need assistance please contact us (support@gis-ag.com) for further procedure. Link to IBM site Content: Summary Vulnerability Details Affected Products and Versions Remediation/Fixes Summary There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server. Vulnerability Details CVEID: CVE-2016-0359 DESCRIPTION: IBM WebSphere Application
5
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
Tue, Sep 13th 2016 4:26a   GIS Techblog
Classification Score of 10 is urgent! Affects all IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server (indirectly all GIS Portal and Connection users are affected)! If you need assistance please contact us (support@gis-ag.com) for further procedure. Link to IBM site: http://www-01.ibm.com/support/docview.wss?uid=swg21982223 Content: Summary Vulnerability Details Affected Products and Versions Remediation/Fixes Summary There are multiple vulnerabi
3
Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)
Tue, Sep 13th 2016 4:22a   GIS Techblog
Classification Score of 5.3 is moderate. Affects WebSphere Application Server and WebSphere Application Server Hypervisor Edition! If you need assistance please contact us (support@gis-ag.com) for further procedure. Link to IBM site: http://www-01.ibm.com/support/docview.wss?uid=swg21987864&myns=swgws&mynp=OCSSCKBL&mynp=OCSSEQTP&mync=E&cm_sp=swgws-_-OCSSCKBL-OCSSEQTP-_-E Content: Summary Vulnerability Details Affected Products and Versions Remediation/Fixes Summary
3
Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)
Tue, Sep 13th 2016 4:21a   GIS Techblog
Classification Score of 8.1 is high. Affects versions ( 9.0, 8.5.5, 8.5, 8.0, 7.0) and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products! If you need assistance please contact us (support@gis-ag.com) for further procedure. Link to IBM site: http://www-01.ibm.com/support/docview.wss?uid=swg21988019&myns=swgws&mynp=OCSSEQTP&mynp=OCSSEQTJ&mync=E&cm_sp=swgws-_-OCSSEQTP-OCSSEQTJ-_-E Content: Su




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition