Synchronizing the Profiles database with your organization's user data

To keep your organization's user data up-to-date, regularly synchronize the Profiles database with your data sources. Typically, the data source is an LDAP directory. The LDAP directory might also have extension data in a database table.

About this task

The Profiles database is the repository within IBM® Connections for information about the users of Connections in your organization. The source of this information is your organization's LDAP directory or other type of data repository, which is the master copy. The synchronization process is controlled by properties in the file profiles_tdi.properties.

Use the sync_all_dns command to transfer changes in your organization's user data repository to the Profiles database. If you want to keep the Profiles database in a close synchronized state with your LDAP directory, run this task nightly or at another frequency that suits you.

During synchronization, the mapping values that are coded in map_dbrepos_from_source.properties are evaluated to determine which records need updating. Existing records are updated, and new records are added. Records that cannot be found are either removed or deactivated, based on configuration settings. If you configure extension attributes, that information is also compared and synchronized. Because the sync_all_dns command performs a complete comparison of the search scope with the Profiles database, be sure to allow sufficient time for it to run.

Note: In some cases you can use either the process_tds_changes command or the process_ad_changes command instead of the sync_all_dns command. For more information about using these alternate commands, see Synchronizing IBM Tivoli Directory Server and Microsoft Active Directory LDAP changes

The sync_all_dns command creates temporary files that are used during the synchronization process, so you need to have sufficient disk space. Use the sync_updates_working_directory property to specify the location of the temporary files. Use the sync_updates_clean_temp_files property to specify whether to delete or retain the temporary files after synchronization. Retaining the files is useful when you are troubleshooting a problem.

In addition to the temporary files, the following files in the TDI solution directory record the changes that were made during synchronization:

employee.adds
employee.delete
employee.error
employee.skip
employee.update

When the sync_updates_show_summary_only property is set to true, the files contain only the records that need to be changed, but no changes are made. For more information about how the sync_all_dns command works, see Understanding how the sync_all_dns process works.

Like the other TDI tasks, the sync_all_dns command writes log information to the log file ibmdi.log in the TDI\logs directory. You can check the log to see whether the command finishes successfully, and look for error information if necessary.

Procedure

To synchronize LDAP directory changes with Profiles:

Use the properties in the following table to control the synchronization process.

Note: The only property that can be used with the process_tds_changes the process_ad_changes commands is the perform_deletion_or_inactivate_for_sync property.

Option	Description
perform_deletion_or_inactivate_for_sync	Set this property to true when you want to delete or mark as inactive those users who are no longer in the LDAP directory. The sync_all_dns command checks the value of the property and acts using the following logic: If the value is true, look at the `sync_delete_or_inactivate` property to determine which action to take. If the value is false, perform neither the delete action nor the inactivate action.
sync_delete_or_inactivate	Controls what happens to a user record when the delete action is performed. The value must be either delete or inactivate and is case sensitive. By default, the property is set to inactivate. The inactive state is propagated to all the other Connections applications. This property cannot be used with the process_tds_changes and process_ad_changes commands. For information about automating the delete user process, see Using supplied scripts to delete inactive users based on inactivity length
source_ldap_iterate_with_filter	Set this property to the name of a JavaScript file that contains the filter code. Use when the size of the data to be retrieved from LDAP exceeds the search limit of the LDAP or exceeds the memory capacity of the TDI LDAP connector. For example, if your search parameters would return 250K records but your LDAP only allows 10K to be returned at a time, you can use this property. For more information about how to use this property, see Populating a large user set. This property is not configurable when using the population wizard.
sync_check_if_remove	Specifies the name of an assembly line that verifies the delete operation or the inactivate operation. By default, the name of the assembly line is set to sync_all_dns_check_if_remove. The sync_all_dns_check_if_remove assembly line looks up the distinguished name of the about-to-be-deleted user in the LDAP directory. If the user is found, sync_all_dns_check_if_remove returns a status that causes the main assembly to ignore the delete or inactivate action. This property is ignored unless the `sync_updates_double_check` property is set to true. For more information about this property, see Customizing the logic used for the delete operation.
sync_updates_clean_temp_files	When set to true, temporary files are deleted after the synchronization process is complete. When set to false, which is the default, the files are not deleted until the next time that sync_all_dns is run.
sync_updates_double_check	The default value is false. When set to true, the assembly line that is defined by the `sync_check_if_remove` property runs.
sync_updates_hash_field	This is a key property. This property specifies the field that is used to match a record in the Profiles database with the corresponding record in the source. The supported fields are uid, guid, and email. The default is uid. It is critical that you choose a field that will not change, so that the match will remain intact between the source and the Profiles database. If the value in the field in the source does change, the match will be broken and unintended actions can occur. For example, the existing database information for this person could be deleted if the corresponding match in the source is no longer accessible. If the value of the hash field in the source has changed, you must set this property to a different field that has not changed, for at least one run of sync_all_dns. For example, if the value for uid changes in the source, you must set the property to either guid or email. After one run of sync_all_dns, you can change the property back to uid. Note: If the value is guid and you change LDAP providers, you must change the value to uid or email temporarily because guid is LDAP specific.
sync_updates_hash_partitions	Number of partitions to divide the temporary files into. The default of 10 is sufficient in most cases. If problems develop, you can increase the value. The typical problem is running out of memory during the update phase.
sync_updates_show_summary_only	When set to true, this property shows only the records that need to be changed, but does not make the changes.
sync_updates_working_directory	The directory where the working files are stored. The path can be relative to the TDI solution directory or an absolute path. The default value is sync_updates, which is a relative path.

If you are storing data from multiple LDAP branches or multiple LDAP directories in the same Profiles database, you must synchronize each LDAP branch or LDAP directory separately. To accomplish this task, you can set the following properties in the profiles_tdi.properties file:

Note: These properties can only be used with the sync_all_dns command. They cannot be used with the process_tds_changes and process_ad_changes commands.

Option Description

Option	Description
sync_source_url_enforce	Synchronizes only those records where the stored source URL matches the current source URL. The current source URL is the concatenation of the `source_ldap_url`, `source_ldap_search_base`, and `source_ldap_search_filter` properties. When set to true, it limits the scope of the set of data in the database, and skips the records that do not match the current source URL. When set to false, the source URL is ignored if there is no update, and reset if there is an update. The default value is false.
sync_source_url_override	This property is effective only when `sync_source_url_enforce` is true. When `sync_source_url_enforce` is true and `sync_source_url_override` is false, records where the current source URL and the stored source URL do not match are skipped. When `sync_source_url_override` is true, the records that would have been skipped are checked for a match of the hash field in the current LDAP branch or LDAP directory. If there is a match and at least one field needs to be updated, the record is updated, and the source URL is set to the current value. This property should be clearly understood before setting it to true. See the last example later in this document to see it in action.
sync_store_source_url	Stores the source LDAP URL in the `prof_source_url` field in the database. Must be either true or false. The default value is true. The source LDAP URL is needed to determine the source of the data to correctly synchronize it when there is more than one LDAP branch or LDAP directory. Even if there is only one LDAP, it is best to leave this property set to true. When storing the `sync_store_source_url` property in the Profiles database, the data format of `prof_source_url` in the Profiles database is as follows: `ldap://{hostname}:port/ldap_search_base?ldap_search_filter`

sync_source_url_enforce

Synchronizes only those records where the stored source URL matches the current source URL. The current source URL is the concatenation of the source_ldap_url, source_ldap_search_base, and source_ldap_search_filter properties. When set to true, it limits the scope of the set of data in the database, and skips the records that do not match the current source URL. When set to false, the source URL is ignored if there is no update, and reset if there is an update. The default value is false.

sync_source_url_override

This property is effective only when sync_source_url_enforce is true. When sync_source_url_enforce is true and sync_source_url_override is false, records where the current source URL and the stored source URL do not match are skipped.

When sync_source_url_override is true, the records that would have been skipped are checked for a match of the hash field in the current LDAP branch or LDAP directory. If there is a match and at least one field needs to be updated, the record is updated, and the source URL is set to the current value.

This property should be clearly understood before setting it to true. See the last example later in this document to see it in action.

sync_store_source_url

Stores the source LDAP URL in the prof_source_url field in the database. Must be either true or false. The default value is true. The source LDAP URL is needed to determine the source of the data to correctly synchronize it when there is more than one LDAP branch or LDAP directory. Even if there is only one LDAP, it is best to leave this property set to true.

When storing the sync_store_source_url property in the Profiles database, the data format of prof_source_url in the Profiles database is as follows:

ldap://{hostname}:port/ldap_search_base?ldap_search_filter

Run the sync_all_dns command. The command name is either sync_all_dns.sh or sync_all_dns.bat, depending on your operating system.
Note: When the sync_all_dns command runs, a lock file is created in the TDI solution directory. The lock file prevents others from starting a sync_all_dns process in the same TDI solution directory. The name of the lock file is sync_all_dns.lck. The lock file is deleted after the sync_all_dns command has completed. If the command does not complete, the lock file is not deleted. You can delete it yourself, or you can run the clearLock.sh or the clearLock.bat script, located in the TDI solution directory.

Example employee tables

The sample EMPLOYEE table illustrates results from a scenario for the fictional Zeta Bank company, in which you have pulled users A, B, and C from the Littleton LDAP branch and users X, Y, and Z from the Westford LDAP branch.

Following the best practice, you have used two TDI solution directories with slightly different profiles_tdi.properties files. In the following discussion, one of the solution directories is called ABC, and the other is called XYZ.

Each of the profiles_tdi.properties files include the following entries:

source_ldap_url=ldap://ldap.zetabank.com:389
source_ldap_search_filter=((objectClass=inetOrgPerson)(uid=*))
sync_store_source_url=true
sync_source_url_enforce=true
sync_source_url_override=false

The ABC/profiles_tdi.properties file, for the Littleton branch, includes the following entry:

source_ldap_search_base=cn=users,location=littleton,dc=zetabank,dc=com

The XYZ/profiles_tdi.properties file, for the Westford branch, includes the following entry:

source_ldap_search_base=cn=users,location=westford,dc=zetabank,dc=com

After running collect_dns and populate_from_dn_file in each of the two TDI solution directories, the EMPLOYEE table contains the following data:

Table 1. Example employee table after running collect_dns and populate_from_dn_file in each TDI solution directory.
uid	PROF_SOURCE_URL
A	ldap://ldap.zetabank.com:389/cn=users,location=littleton,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
B	ldap://ldap.zetabank.com:389/cn=users,location=littleton,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
C	ldap://ldap.zetabank.com:389/cn=users,location=littleton,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
X	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
Y	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
Z	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))

Notice that the only difference between the values for PROF_SOURCE_URL is the location parameter.

If you run sync_all_dns in the ABC TDI solution directory, you get updates for people A, B, and C, but not for people X, Y, and Z because sync_source_url_enforce is set to true and the PROF_SOURCE_URL for those people does not match the concatenation of the source_ldap_url, source_ldap_search_base, and source_ldap_search_filter properties. Setting sync_source_url_enforce to false deletes the people X, Y, and Z from the database because they don’t exist in the Littleton branch.

If the people A, B, and C move from Littleton to Waltham, the ABC/profiles_tdi.properties would then have the following entry for source_ldap_search_base:

source_ldap_search_base=cn=users,location=waltham,dc=zetabank,dc=com

An update is required because the location value in the PROF_SOURCE_URL column is different than the location value in ABC/profiles_tdi.properties. To correctly update the value in PROF_SOURCE_URL, in ABC/profiles_tdi.properties set sync_source_url_override to true and then run sync_all_dns in the ABC TDI solution directory. After the command completes, the EMPLOYEE table contains the following data:

Table 2. Example employee table after running collect_dns in the ABC TDI solution directory.
uid	PROF_SOURCE_URL
A	ldap://ldap.zetabank.com:389/cn=users,location=waltham,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
B	ldap://ldap.zetabank.com:389/cn=users,location=waltham,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
C	ldap://ldap.zetabank.com:389/cn=users,location=waltham,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
X	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
Y	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))
Z	ldap://ldap.zetabank.com:389/cn=users,location=westford,dc=acme,dc=com?((objectClass=inetOrgPerson)(uid=*))