Synchronizing IBM Tivoli Security Directory Server and Microsoft Active Directory LDAP changes

To keep your profiles synchronized with your LDAP directory, use the generic sync_all_dns command. However, if your LDAP directory is Tivoli Security Directory Server or Microsoft® Active Directory, you can use the process_tds_changes or process_ad_changes commands instead. To do so, you must configure your LDAP server to save all updates to a change log, which places a considerable burden on the LDAP server, and you must run the change log server.

Before you begin

The TSI scripts are stored in the tsisol_dir/TSI/samples directory. You must copy any scripts that you intend to use to the main TSI solution directory, tsisol_dir/TSI.

About this task

The process_tds_changes and process_ad_changes commands start a daemon process that regularly queries the change log server for updates. For Connections, this approach is more efficient than sync_all_dns because only updates are processed. However, it is more work for the LDAP server, so use of these commands must be carefully evaluated for LDAP performance impact. Also, if an error occurs, updates can be lost without any indication. Finally, the command maintains a persistent index into the change log. If the change log and the index get out of sync, you must use the reset_changelog_state command, which reinitializes the change log and the index.

Neither the process_tds_changes nor the process_ad_changes command supports synchronizing multiple LDAP directories or multi-branch LDAP directories with a single command. If you populated your profiles database with data from multiple locations, running either of these commands applies changes only from the current LDAP directory. Also, if source data is obtained from an additional source such as a database table, the commands cannot be used.

If you get all data from one or more LDAP directories that are TDS or AD, you can create multiple copies of the TSI solution directory and run several process_xxx_changes daemons at the same time. In this way, a separate change log index is maintained for each directory. What you cannot do is run sync_all_dns when you use this approach, because the key column that sync_all_dns uses to keep track of multiple LDAP directories, PROF_SOURCE_URL, is not maintained by the change log commands.

Procedure

To synchronize Tivoli Security Directory Server and Microsoft Active Directory LDAP directory changes with Profiles, complete the following steps.
  1. Update the change log properties in the profiles_tsi.properties file so that the changes to the LDAP directory can be reflected back to the Profiles database. The change log properties are the set of properties that begin with <LDAP_type>_changelog_*.
  2. Copy either the process_tds_changes(.sh|.bat) or the process_ad_changes(.sh|.bat) script from the samples directory to the solution directory, tsisol_dir/TSI.
  3. Process changes by using one of the following options:
    • For Tivoli Security Directory Server, use the following script to process changes made to the LDAP directory and propagate those changes to the corresponding records in your database:
      • IBM® AIX® or Linux®:

        chmod +x process_tds_changes.sh

        ./process_tds_changes.sh

      • Microsoft Windows®:

        process_tds_changes.bat

    • For Microsoft Active Directory, use the following script to process changes made after the initial population:
      • AIX or Linux:

        chmod +x process_ad_changes.sh

        ./process_ad_changes.sh

      • Microsoft Windows:

        process_ad_changes.bat

  4. The process_tds_changes task tracks the change log number in a persistent field. If your LDAP directory is reset, you can select from the following options:
    • Delete the changelog number value by using the following script:
      • AIX or Linux:

        chmod +x reset_changelog_state.sh

        ./reset_changelog_state.sh

      • Microsoft Windows:

        reset_changelog_state.bat

    • Set a particular value by using the following script and passing it the count value to set:
      • AIX or Linux:

        chmod +x set_changelog_count.sh

        ./set_changelog_count.sh <count>

      • Microsoft Windows:

        set_changelog_count.bat <count>
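Because a misconfigured change log or a script that was never copied out of samples fails silently rather than loudly, a pre-flight check before starting the daemon is worth having. The following POSIX shell script is an added example, not part of the IBM documentation or the TSI samples; it assumes the solution directory and the LDAP type prefix ("tds" or "ad") are passed in, and that the change log properties follow the <LDAP_type>_changelog_* naming from step 1 (the specific key names in the sample file are invented).

```shell
#!/bin/sh
# Added pre-flight check for the process_tds_changes / process_ad_changes
# daemons (example code, not from the IBM docs). Assumed layout:
# $1 = solution directory (tsisol_dir/TSI), $2 = LDAP type prefix (tds|ad).

# Verify that every <prefix>_changelog_* property in the properties file
# has a non-empty value; problems are reported on stderr, return 1 on failure.
check_changelog_props() {
  props="$1"; prefix="$2"; rc=0
  keys=$(sed -n "s/^\(${prefix}_changelog_[A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p" "$props")
  if [ -z "$keys" ]; then
    echo "no ${prefix}_changelog_* properties found in $props" >&2
    return 1
  fi
  for k in $keys; do
    v=$(sed -n "s/^${k}[[:space:]]*=[[:space:]]*//p" "$props" | head -n 1)
    if [ -z "$v" ]; then
      echo "$k is present but empty in $props" >&2
      rc=1
    fi
  done
  return $rc
}

# Verify that the daemon script was copied from samples/ into the solution
# directory (step 2 of the procedure) rather than left only in samples/.
check_script_present() {
  soldir="$1"; script="$2"
  if [ ! -f "$soldir/$script" ]; then
    echo "$script missing from $soldir; copy it from $soldir/samples" >&2
    return 1
  fi
}

# Run both checks, then start the daemon for the given LDAP type.
preflight_and_run() {
  soldir="$1"; prefix="$2"
  check_changelog_props "$soldir/profiles_tsi.properties" "$prefix" || return 1
  check_script_present "$soldir" "process_${prefix}_changes.sh" || return 1
  chmod +x "$soldir/process_${prefix}_changes.sh"
  ( cd "$soldir" && "./process_${prefix}_changes.sh" )
}

# Constructed sample properties file for a dry run (invented key names).
write_sample_props() {
  cat > "$1" <<'EOF'
tds_changelog_example_host=ldap.example.com
tds_changelog_example_port = 389
ad_changelog_example_host=
EOF
}
```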