Security Director Integrator solution properties for Profiles
HCL Connections maps LDAP, database, and other properties with IBM Security Directory Integrator configuration parameters.
Notes
These properties are in the profiles_tdi.properties file.
The SDI parameter column in the tables contains the name of the parameter in the LDAP connector. For more information, see Security Directory Integrator V7.2.0 documentation.
Note: All file paths that are specified are relative to the Security Directory Integrator solution directory.
Property mappings
The following properties are associated in an LDAP directory that is used as the source for the data. If you want to use a source other than LDAP, see Manually populating the Profiles database.
Property | SDI parameter | Definition |
---|---|---|
source_ldap_url | LDAP URL host name and LDAP URL Port | Required. |
The LDAP web address that is used to access the source LDAP system. The port is required and is typically 389 for non-SSL connections.
Express this value in the form of ldap://host:port
. For example: ldap://myservername.com:389.
If you are using the population wizard, this property is configured with the LDAP server name and LDAP server port on the LDAP server connection page.
Note: The LDAP query constructed from the source URL, search base, and search filter are stored in a source url property, which can be used to segment the Profiles database user set during synchronization. Using different values for this property, which may be equivalent (for example referencing the LDAP server by IP address or DNS name) is not advised.
The default value is ldap://localhost:389.
| |source_ldap_use_ssl|LDAP URL Use SSL connection|Required if you are using SSL to authenticate.
Set to either true or false.
Set to true if you are using SSL (for example if you are using port 636 in the LDAP URL).
The default value is false.
If you are using the population wizard, this property is configured with the Use SSL communication check box on the LDAP server connection page.
| |source_ldap_user_login|Login user name|Login user name that is used for authentication. You can leave this blank if no authentication is required.
If you are using the population wizard, this property is configured in the Bind distinguished name (DN) field on the LDAP authentication properties page.
| |source_ldap_user_password|Login password|Login password that is used for authentication. Leave this blank if no authentication is required. The value will be encrypted in the file the next time it is loaded.
If you are using the population wizard, this property is configured in the Bind password field on the LDAP authentication properties page.
| |source_ldap_search_base or source_ldap_user_search_base|Search Base|The search base (the location from where the search begins) of the iterating directory. The search begins at this point in the LDAP directory structure and searches all records underneath. This must be a distinguished name.
Note: Most directories require a search base, and as such it must be a valid distinguished name. Some directory services allow you to specify a blank string, which defaults to whatever the server is configured to do.
A default value is not specified.
If you are using the population wizard, this property is configured in the LDAP user search base field on the LDAP page.
| |source_ldap_search_filter or source_ldap_user_search_filter|Search Filter|Search filter that is used when iterating the directory.
This filter determines which objects are included or excluded in the search. If you are using the search base and the specified search filter properties do not allow you to adequately construct your search set, use the source_ldap_required_dn_regex property.
Note: Search filters are used by those directories to select entries from which data is retrieved from a search operation. Search filters as they can affect performance of the directory that is being searched, so choose carefully. The directory server schema that is being queried can affect performance.
A default value is not specified.
If you are using the population wizard, this field is called LDAP user search filter and is located in theLDAP authentication properties page.
| |source_ldap_sort_page_size|Page size|If specified, the LDAP Connector tries to use paged mode search. Paged mode causes the directory server to return a specific number of entries (called pages) instead of all entries in one chunk. Not all directory servers support this option. The default value is 0, which indicates that paged mode is disabled.
The default value is 0.
This parameter is not configurable when you are using the population wizard.
| |source_ldap_authentication_method|Authentication Method|Anonymous : This method provides minimal security.
Simple : This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided.
CRAM-MD5 : Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay.
SASL : Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication with the Extra Provider Parameters option.
This parameter is not configurable through the population wizard.
| |source_ldap_collect_dns_file| |Name of the file that is used to collect distinguished names (DNs) by the collect_dns.bat/sh process from the source. This is then used during population by the populate_from_dn_file.bat/sh processes to look up entries to add to the database repository.
This file can also be constructed by hand to populate an explicit set of users.
The default value is collect.dns
.
This parameter is not configurable through the population wizard.
| |source_ldap_escape_dns| |Indicates that special characters were not escaped properly and identifies them so the processor can find those characters and escape them. The following characters are the special characters:
- , (comma)
- = (equals)
-
- (plus)
- < (less than)
- > (greater than)
- # (number sign)
- ; (semicolon)
- \ (backslash)
- " (Quotation mark)
The backslash is used to escape special characters. A plus sign is represented by \+
and a backslash is represented by \\
.
if your distinguished names contains these special characters and you receive errors when the collect_dns/populate_from_dn_file process runs, set this property to true so that the characters are escaped.
The default value is false.
This parameter is not configurable through the population wizard.
| |source_ldap_required_dn_regex| |Allows a regular expression to be used to limit the distinguished names (DNs) which are processed by providing a regular expression, which must be matched. If the regular expression is not matched, that particular record is skipped. Although the search filter property gives some flexibility, you can use a more powerful regular expression when needed.
A default value is not specified.
This parameter is not configurable through the population wizard.
| |source_ldap_sort_attribute|Sort Attribute|Specifies server side sorting. This parameter instructs the LDAP server to sort entries that match the search base on the specified field name. Server side sorting is an LDAP extension. The iterating directory must be able to support this sorting extension.
A default value is not specified.
This parameter is not configurable through the population wizard.
| |source_ldap_iterate_with_filter| |This property should be used if the size of the data to be retrieved from LDAP exceeds the search limit from the LDAP. For example, if your search parameters return 250K records but your LDAP allows only 100K to be returned at a time, use this parameter.
If the data is too large, an LDAP size limit exceeded error message is generated. To configure this mechanism, see the Populating a large user set topic.
When set to true, this attribute specifies that the default iteration assembly line use the collect_ldap_dns_generator.js file to iterate over a set of LDAP search bases and filters. The cconfig setting replaces the sync_all_dns_forLarge and collect_dns_iterate scripts that are used in earlier releases.
This parameter is not configurable through the population wizard.
The default value is false.
| |source_ldap_binary_attributes|Binary Attributes|By default, this property is set internally to GUID, objectGUID, objectSid, sourceObjectGUID. Any additional values that are specified in the property are appended to the list.
This parameter is not configurable through the population wizard.
The default value is GUID.
| |source_ldap_time_limit_seconds|Time Limit|Specifies the maximum number of seconds that can be used when searching for entries; 0 = no limit.
This parameter is not configurable through the population wizard.
The default value is 0.
| |source_ldap_map_functions_file| |Specifies the location of any referenced function mappings.
When you are using the population wizard, the functions that are shown in the mapping dialog are read from and written to this file.
The default value is profiles_functions.js
.
| |source_ldap_logfile| |In addition to the standard logs/ibmdi.log file, output from the populate_from_dn_file.bat or populate_from_dn_file.sh task is written to this file.
This parameter is not configurable through the population wizard.
The default value is logs/PopulateDBFromSource.log
.
| |source_ldap_compute_function_for_givenName| |Connections allows JavaScript functions for setting values of common LDAP fields such as cn, sn, givenName to run before Connections performs its mapping. For example, sn and givenName can be parsed from cn (common name).
This parameter is not configurable through the population wizard.
A default value is not specified.
| |source_ldap_compute_function_for_sn| |Connections allows JavaScript functions for setting values of common LDAP fields such as cn, sn, givenName to run before Connections performs its mapping. For example, sn and givenName can be parsed from cn (common name).
This parameter is not configurable through the population wizard.
A default value is not specified.
| |source_ldap_collect_updates_file| |This property is no longer used.
| |source_ldap_manager_lookup_field| |This property is no longer used.
| |source_ldap_secretary_lookup_field| |This property is no longer used.
|
Many properties in the IBM Security Directory Integrator LDAP connector are not mapped to Profiles' Security Directory Integrator properties. To configure properties other than the ones listed here, you can use a different source repository and create your own specialized configuration. Use the LDAP iterator and the connectors that are provided with the IBM Security Directory Integrator solution directory as a starting point. For more information, see Using a custom source repository connector.
The following properties are associated with the Profiles database repository.
Note: Set the following properties in profiles_tdi.properties, even if you are developing your own assembly lines with the connectors provided in the Profiles IBM Security Directory Integrator solution directory. These properties are not configured in the Connector panels, but rather in the profiles_tdi.properties file. For more information, see Developing custom Security Directory Integrator assembly lines.
Property | SDI parameter | Definition |
---|---|---|
dbrepos_jdbc_driver | JDBC Driver | Required. |
The JDBC driver implementation class name that is used to access the Profiles database repository.
For DB2, the default is com.ibm.db2.jcc.DB2Driver
. For example:
dbrepos_jdbc_driver=com.ibm.db2.jcc.DB2Driver
For Oracle, the default is oracle.jdbc.driver.OracleDriver
. For example:
dbrepos_jdbc_driver=oracle.jdbc.driver.OracleDriver
If you are using a Microsoft SQL Server database, change the value to reference a SQL Server driver, for example:
dbrepos_jdbc_driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
This corresponds to the JDBC driver path in the population wizard. If not using the wizard, this library must be present in the CLASSPATH of Security Directory Integrator. Otherwise, Security Directory Integrator cannot load the library when initializing the Connector and cannot communicate with the Relational Database (RDBMS).
To install a JDBC driver library so that Security Directory Integrator can use it, copy it into the TDI_install_dir/jars directory, or a subdirectory such as TDI_install_dir/jars/local.
| |dbrepos_jdbc_url|JDBC URL|Required.
JDBC web address that is used to access the Profiles database repository.
You must modify the host name portion and port number to reference your server information.
Note: You can find this information by accessing the WebSphere® Application Server Administration Console (http://yourhost:9060), and then selecting Resources > JDBC > Data sources > profiles.
The default syntax is for DB2, unless using the wizard, but the default uses a local host. If the DB2 is not on the same system as the SDI solution directory, update the URL with the host name.
If you are using an Oracle database:
-
If your Oracle database is configured to use SERVICE_NAME, use the following syntax:
jdbc:oracle:thin:@//hostname:port/database
or
```
jdbc:oracle:thin:@hostname:port/database ```
-
If your Oracle database is configured to use SID, use the following syntax:
jdbc:oracle:thin:@hostname:port:database
If you are using a SQL Server database, use the following syntax:
dbrepos_jdbc_url=jdbc:sqlserver://hostname:1433;databaseName=PEOPLEDB
| |dbrepos_username|User name|Required.
User name under which the database tables, which are part of the Profiles database repository, are accessed.
| |dbrepos_password|Password|Required.
Password that is associated with the user name under which the database tables, which are part of the Profiles database repository, are accessed.
| |dbrepos_mark_manger_if_referenced| |This property is no longer used.
|
The following properties are associated with the task that monitors the Profiles employee draft table.
Property | SDI parameter | Definition |
---|---|---|
monitor_changes_ldap_server_username | ||
monitor_changes_dsml_server_authentication | Type of authentication that is used by the DSML server update requests. |
HTTP basic authentication : A method that is designed to allow a web browser, or other client program, to provide credentials when making a request. The credentials are in the form of a user name and password.
Anonymous : This method provides minimal security.
| |monitor_changes_dsml_server_url| |Required if you are transmitting user changes back to the source repository. Web address of the DSML server to which the DSML update requests are sent.
| |monitor_changes_dsml_server_username| |Required if you are transmitting user changes back to the source repository. User name that is used for authentication to the DSML server.
| |monitor_changes_dsml_server_password| |Required if you are transmitting user changes back to the source repository. Password that is used for authentication to DSML server that the DSML update requests are sent to.
| |monitor_changes_map_functions_file| |Path to the file that contains mapping functions for mapping from a changed database field to a source. for example LDAP field. This file is only needed if changes made to the source based on database repository field changes are not mapped one-to-one. You can use the same file that you use to map from source to database repository fields, assuming the functions are named appropriately.
| |monitor_changes_sleep_interval| |Polling interval, in seconds, between checks for more changes when no changes exist.
|
The following properties are associated with the Security Directory Integrator processing that reads a Security Directory Integrator change log and subsequently updates the database repository with those changes.
Property | SDI parameter | Definition |
---|---|---|
ad_changelog_ldap_url | LDAP web address that is used to access the LDAP system that was updated. For example: |
ldap://host:port
| |ad_changelog_ldap_user_login| |Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.
| |ad_changelog_ldap_user_password| |Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.
| |ad_changelog_ldap_search_base| | | |ad_changelog_ldap_use_ssl| |Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.
| |ad_changelog_timeout| | | |ad_changelog_sleep_interval| |Polling interval, in seconds, between checks for more changes when no changes exist.
| |ad_changelog_use_notifications| |Indicates whether to use change log notifications rather than polling. If true, the tds_changelog_sleep_interval is not applicable since polling is not used. The options are true and false.
| |ad_changelog_ldap_page_size| | | |ad_changelog_start_at| |Change number in the Active Directory change log to start at. Typically this is an integer, while the special value EOD means start at the end of the change log.
| |ad_changelog_ldap_required_dn_regex.| | | |tds_changelog_ldap_authentication_method|Authentication Method|Authentication method that is used to connect to LDAP to read records. Options include the following:
Anonymous : This method provides minimal security.
Simple : This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided.
CRAM-MD5 : Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay.
SASL : Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication using the Extra Provider Parameters option.
|
|tds_changelog_ldap_changelog_base|ChangelogBase|Change log base to use when iterating through the changes. This is typically cn=changelog
.
| |tds_changelog_ldap_time_limit_seconds|Time Limit|Searching for entries must take no more than this number of seconds; 0 = no limit.
| |tds_changelog_ldap_url|LDAP URL|LDAP web address that is used to access the LDAP system that was updated. For example:
ldap://host:port
| |tds_changelog_ldap_use_ssl|Use SSL|Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.
| |tds_changelog_ldap_user_login|Login user name|Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.
| |tds_changelog_ldap_user_password|Login password|Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.
| |tds_changelog_sleep_interval| |Polling interval, in seconds, between checks for more changes when no changes exist.
| |tds_changelog_start_at_changenumber| |Change number in the Security Directory Integrator change log to start at. Typically the number is an integer, while the special EOD value means start at the end of the change log.
| |tds_changelog_use_notifications| |Indicates whether to use change log notifications rather than polling. If true, the tds_changelog_sleep_interval is not applicable since polling is not used. The options are true and false.
|
The following properties are available in the profiles_tdi.properties file and are associated with Security Directory Integrator debug activities.
Note: The debug properties enable Security Directory Integrator debugging for an entire assembly. In addition, enabling debug_update_profile, which enables debugging for the commands that use the Profiles Connector, also enables Java debugging for the following packages.
- log4j.logger.com.ibm.lconn.profiles.api.tdi=ALL
- log4j.logger.com.ibm.lconn.profiles.internal.service=ALL
- log4j.logger.java.sql=ALL
Note: The following properties are not configurable when you use the population wizard.
Property | Security Directory Integrator parameter | Definition |
---|---|---|
sync_all_dns | For information about sync_all_dns, see Understanding how the sync_all_dns process works. | |
debug_managers | Flag that instructs Security Directory Integrator to log more debug information for the following commands. |
The options are true and false.
To enable, set as debug_managers=true
.
This property maps as follows:
debug_managers
mark_managers
The default setting is false.
| |debug_photos| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property maps as follows:
debug_photos
load_photos_from_files
dump_photos_to_files
The default setting is false.
| |debug_pronounce| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_pronounce
load_pronounce_from_files,
dump_pronounce_to_files
The default setting is false.
| |debug_fill_codes| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_fill_codes
fill_country
fill_department
fill_emp_type
fill_organization
fill_worklok
The default setting is false.
| |debug_draft| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_draft
process_draft_updates
reset_draft_iiterator_state
set_draft_iterator_count
The default setting is false.
| |debug_update_profile| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_update_profile
populate_from_dn_file
delete_or_inactivate_employees
populate_from_xml_file
process_ad_changes
process_tds_changes
The default setting is false.
| |debug_collect| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_collect
collect_dns
The default setting is false.
| |debug_special| |Flag that instructs Security Directory Integrator to log more debug information for the following commands.
The options are true and false.
This property applies to the following commands:
debug_special
unused at present
The default setting is false.
| |trace_profile_tdi_javascript| |Enables generation of an internal JavaScript trace file.
Options are OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL (values are not case-sensitive).
The default setting is OFF.
|
Parent topic:Manually populating the Profiles database
Related information