Synchronizing user data between Profiles and the LDAP directory

To update profiles data, you typically update the LDAP directory first and then synchronize the changes to the Profiles database. However, there are some cases where you might want to allow your users to make their own changes to their profiles, and these changes need to be written from the Profiles database back to the LDAP directory.

Before you begin

Be sure to install and configure the IBM® HTTP Server before attempting to synchronize data between the Profiles database and the LDAP server. See Configuring IBM HTTP Server for more information.

About this task

You can ensure that data in the LDAP directory is kept current by synchronizing any changes made to the Profiles directory back to the LDAP server. For example, users in your organization might need to update their cell phone details in Profiles. They cannot change the LDAP directory directly and, as administrator, you can allow them to make the changes directly in Profiles. These changes need to be reflected back to the LDAP directory using the drafting process.

The draft table stores the edited values of the attributes that you specify using the draftableAttribute element in the profiles-config.xml file. For example:

<profileDataModel>
   <!-- =================================================================================== -->
   <!-- This section is used to define attributes that are updated via the drafting process -->
   <!-- In most deployments you should never edit the config for this section.   -->
   <!-- Example: <draftableAttribute>displayName</draftableAttribute>  -->
   <!-- Example: <draftableExtensionAttribute extensionIdRef="tieline"/>  -->
   <!-- =================================================================================== -->
   <draftableAttribute>telephoneNumber</draftableAttribute>
</profileDataModel>

The Profiles database is updated immediately with the specified values.

Important: You must configure a Directory Services Markup Language (DSML) server service to receive the update requests. The Profiles application does not provide this service because each implementation of an LDAP server is unique.

To synchronize changes between the draft table and the LDAP server, you must run a script that initializes a daemon process that monitors the Profiles database for updates and, when one is made, formats the update as a DSML request and transmits it to a configured DSML server.

Procedure

To synchronize changes from the Profiles database back to your LDAP directory, complete the following steps.

  1. Define values for the DSML server-related properties in the profiles_tdi.properties file. The DSML server-related properties are the properties with names that begin with monitor_changes_ and dsml_server_. Typically, you must update the following properties:
    • monitor_changes_dsml_server_url
    • monitor_changes_dsml_server_username
    • monitor_changes_dsml_server_password
  2. After providing values for the necessary properties, start the synchronization server process by running the following scripts:
    • IBM AIX® or Linux:
      chmod +x process_draft_updates.sh
      ./process_draft_updates.sh
    • Microsoft Windows:
      process_draft_updates.bat
    • IBM i:
      chmod +x process_draft_updates.sh
      process_draft_updates.sh
    Note: The process_draft_updates script tracks the database change record number in a persistent field. Your task cannot run successfully in the following situations:
    • You recreate the Profiles database after you have already run the IBM Tivoli® Directory Integrator Solution at least once.
    • You clear the content of the CHG_EMP_DRAFT and EMP_DRAFT tables manually.
    In such situations, reset the persistent field and run the script again. You can reset the persistent field by performing one of the following steps:
    • Delete the database change record number value using the following script:
      • AIX or Linux:
        chmod +x reset_draft_iterator_state.sh
        ./reset_draft_iterator_state.sh
      • Microsoft Windows:
        reset_draft_iterator_state.bat
      • IBM i:
        chmod +x reset_draft_iterator_state.sh
        reset_draft_iterator_state.sh
    • Set a particular value using the following script and pass it the count value to set:
      • AIX or Linux:
        chmod +x set_draft_iterator_count.sh
        ./set_draft_iterator_count.sh
      • Microsoft Windows:
        set_draft_iterator_count.bat
      • IBM i:
        chmod +x set_draft_iterator_count.sh
        set_draft_iterator_count.sh
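
A pre-flight check that can be run before starting process_draft_updates.sh in step 2, given here as an added example that is not part of the product documentation: it verifies that the three properties from step 1 are set, that the DSML server URL uses https, and that the properties file is accessible only to its owner. The https and file-permission checks, the function names, and the sample values are assumptions of this example, not product requirements.

```shell
#!/bin/sh
# Added example: pre-flight check of the DSML properties from step 1.
# Property names come from the page; the checks are this example's assumptions.

# Print the value of property $2 in file $1 (empty if absent or unset).
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print one finding per line for file $1; return 1 if anything was found.
check_dsml_props() {
    file=$1
    findings=0
    for suffix in url username password; do
        name="monitor_changes_dsml_server_$suffix"
        if [ -z "$(get_prop "$file" "$name")" ]; then
            echo "MISSING $name"
            findings=1
        fi
    done
    # Assumption: the username and password are sent to this URL, so plain
    # http would expose them on the network.
    case "$(get_prop "$file" monitor_changes_dsml_server_url)" in
        https://* | "") ;;
        *) echo "CLEARTEXT monitor_changes_dsml_server_url is not https"
           findings=1 ;;
    esac
    # The file holds a service password: flag any group/other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS group/other access on $file ($perms)"
        findings=1
    fi
    return "$findings"
}

# Constructed sample values (not from a real deployment) written to path $1.
write_sample() {
    cat > "$1" <<'EOF'
monitor_changes_dsml_server_url=http://dsml.example.com/dsml
monitor_changes_dsml_server_username=dsml_sync
monitor_changes_dsml_server_password=
EOF
    chmod 644 "$1"
}

# Usage: sh check_dsml_props.sh /path/to/profiles_tdi.properties
if [ $# -gt 0 ]; then check_dsml_props "$1"; fi
```

On the constructed sample the check reports the empty password, the http URL, and the 644 file mode; a file with all three properties set, an https URL, and mode 600 produces no findings.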