Synchronizing IBM Tivoli Directory Server and Microsoft Active Directory LDAP changes
To keep your profiles synchronized with your LDAP directory, use the generic sync_all_dns command. However, if your LDAP directory is IBM® Tivoli® Directory Server or Microsoft® Active Directory, you can use the process_tds_changes or process_ad_changes command instead. To use these commands, you must configure your LDAP server to save all updates to a change log, which places a considerable burden on the LDAP server, and you must run the change log server.
Before you begin
The TDI scripts are stored in the tdisol_dir/TDI/samples directory. You must copy any scripts that you intend to use to the main TDI solution directory, tdisol_dir/TDI.
About this task
The process_tds_changes and process_ad_changes commands start a daemon process that regularly queries the change log server for updates. For Connections, this approach is more efficient than sync_all_dns because only updates are processed. However, this approach puts more load on the LDAP server, so evaluate the LDAP performance impact carefully before you use these commands. Also, if an error occurs, updates can be lost without any indication. Finally, the command maintains a persistent index into the change log. If the change log and the index get out of sync, you must use the reset_changelog_state command, which reinitializes the change log and the index.
Neither the process_tds_changes command nor the process_ad_changes command supports synchronizing multiple LDAP directories or multi-branch LDAP directories with a single command. If you populated your profiles database with data from multiple locations, running either of these commands applies changes only from the current LDAP directory. Also, if source data is obtained from an additional source such as a database table, the commands cannot be used.
If all of your data comes from one or more LDAP directories that are Tivoli Directory Server, Active Directory, or both, you can create multiple copies of the TDI solution directory and run several process_xxx_changes daemons at the same time. Each daemon then maintains its own index value. However, you cannot run sync_all_dns when you use this approach, because the key column that sync_all_dns uses to keep track of multiple LDAP directories, PROF_SOURCE_URL, is not maintained by the change log commands.
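The following Python sketch is an added example, not code from the product. It models the failure modes described above (updates lost without indication, and an index that is out of sync with the change log) for several daemons that each keep their own index. It assumes that change numbers are monotonically increasing integers and that the operator already has each daemon's index and the change log's oldest and newest change numbers; all field names, paths and values are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncState:
    """One daemon's state. All field names are hypothetical, for this model only."""
    solution_dir: str   # copy of the TDI solution directory (constructed path)
    index: int          # last change number the daemon recorded as processed
    first_change: int   # oldest change number still held in the change log
    last_change: int    # newest change number in the change log


def classify(state: SyncState) -> tuple[str, int]:
    """Return (status, count): count is the backlog or the number of affected changes."""
    if state.first_change > state.last_change + 1:
        raise ValueError("change log window is inconsistent")
    if state.index > state.last_change:
        # Index points past the newest entry: the log was reinitialized or
        # the index is corrupt, so incremental sync cannot be trusted.
        return ("index_ahead", state.index - state.last_change)
    if state.index + 1 < state.first_change:
        # Entries were removed from the log before the daemon read them.
        return ("changes_lost", state.first_change - state.index - 1)
    if state.index == state.last_change:
        return ("in_sync", 0)
    return ("behind", state.last_change - state.index)


def audit(states: list[SyncState]) -> dict[str, tuple[str, int]]:
    """Classify every daemon; each solution directory keeps its own index."""
    return {s.solution_dir: classify(s) for s in states}


def out_of_sync(report: dict[str, tuple[str, int]]) -> list[str]:
    """Directories in the state for which the page prescribes reset_changelog_state."""
    bad = ("index_ahead", "changes_lost")
    return sorted(d for d, (status, _) in report.items() if status in bad)


# Constructed sample values, not taken from a real deployment.
SAMPLE = [
    SyncState("tdisol_a/TDI", index=1500, first_change=1200, last_change=1500),
    SyncState("tdisol_b/TDI", index=1450, first_change=1200, last_change=1500),
    SyncState("tdisol_c/TDI", index=900, first_change=1200, last_change=1640),
    SyncState("tdisol_d/TDI", index=2000, first_change=1, last_change=35),
]

if __name__ == "__main__":
    for directory, (status, count) in audit(SAMPLE).items():
        print(f"{directory}: {status} ({count})")
```

A "behind" result is normal between polling intervals; "changes_lost" and "index_ahead" are the cases that produce no error in the profiles data and so need to be checked for explicitly.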