Updating Profiles when changing LDAP directory

When you need to change to a new LDAP directory, you must synchronize the user data stored in profiles with the information in your new LDAP directory. You can run a command that synchronizes the information in the Profiles database with the user information stored in your new LDAP deployment.

Before you begin

You must ensure that the values of either the uid or the email address in the existing data source match those in the new deployment LDAP directory. If neither of these properties have matching values, you cannot use the scripts provided with IBM® Connections to synchronize the IDs.
Note: Changing a user's identifier in Connections Content Manager (CCM) results in the user record being viewed by the system as a totally new user, and access will be lost, which can be a particular concern when administrative access is lost.

Procedure

To use the scripts provided with IBM Connections to synchronize the IDs and update Profiles, complete the following steps:

  1. Open the profiles_tdi.properties file from the IBM Tivoli® Directory Integrator directory on the system that hosts the Profiles application in a text editor, and edit the following properties to match the values of the corresponding properties in the LDAP system:
    • source_ldap_url
    • source_ldap_user_login
    • source_ldap_user_password
    • source_ldap_search_base
    • source_ldap_search_filter
    • source_ldap_use_ssl
    For more information about these properties and how they are used, see Tivoli Directory Integrator properties.
  2. Ensure that the guid property in the map_dbrepos_from_source.properties file is set to the appropriate value for your environment:
    • IBM Tivoli Directory Server:
      guid=ibm-entryUuid
    • IBM Lotus® Domino® Directory:
      guid={function_map_from_dominoUNID}
    • Microsoft Active Directory:
      guid={function_map_from_objectGUID}
    • Sun Java System Directory Server:
      guid=nsuniqueid
    • Novell (NetIQ) eDirectory:
      guid={function_map_from_GUID}
  3. Identify a database attribute to synchronize with – either uid, guid or email – with the same value per member in the old LDAP deployment as in the new, and then set the sync_updates_hash_field property in the profiles_tdi.properties file to this attribute. The names of the LDAP attributes are immaterial. For example:
    sync_updates_hash_field=uid
  4. Synchronize the data so that the values from the new LDAP deployment are updated in the Profiles database by running the following script:
    • IBM AIX® or Linux:
      chmod +x sync_all_dns.sh
./sync_all_dns.sh
    • Microsoft Windows:
      sync_all_dns.bat
    • IBM i:
      sync_all_dns.sh
    For more information about the properties that you can set when synchronizing LDAP data with Profiles, see Synchronizing LDAP directory changes with Profiles.