Security Director Integrator solution properties for Profiles

HCL Connections maps LDAP, database, and other properties with IBM Security Directory Integrator configuration parameters.

Notes

These properties are in the profiles_tdi.properties file.

The SDI parameter column in the tables contains the name of the parameter in the LDAP connector. For more information, see Security Directory Integrator V7.2.0 documentation.

Note: All file paths that are specified are relative to the Security Directory Integrator solution directory.

Property mappings

The following properties are associated in an LDAP directory that is used as the source for the data. If you want to use a source other than LDAP, see Manually populating the Profiles database.

Table 1. LDAP Properties
Property SDI parameter Definition
source_ldap_url LDAP URL host name and LDAP URL Port

Required.

The LDAP web address that is used to access the source LDAP system. The port is required and is typically 389 for non-SSL connections.

Express this value in the form of ldap://host:port. For example: ldap://myservername.com:389.

If you are using the population wizard, this property is configured with the LDAP server name and LDAP server port on the LDAP server connection page.

Note: The LDAP query constructed from the source URL, search base, and search filter are stored in a source url property, which can be used to segment the Profiles database user set during synchronization. Using different values for this property, which may be equivalent (for example referencing the LDAP server by IP address or DNS name) is not advised.

The default value is ldap://localhost:389.

source_ldap_use_ssl LDAP URL Use SSL connection

Required if you are using SSL to authenticate.

Set to either true or false.

Set to true if you are using SSL (for example if you are using port 636 in the LDAP URL).

The default value is false.

If you are using the population wizard, this property is configured with the Use SSL communication check box on the LDAP server connection page.

source_ldap_user_login Login user name

Login user name that is used for authentication. You can leave this blank if no authentication is required.

If you are using the population wizard, this property is configured in the Bind distinguished name (DN) field on the LDAP authentication properties page.

source_ldap_user_password Login password

Login password that is used for authentication. Leave this blank if no authentication is required. The value will be encrypted in the file the next time it is loaded.

If you are using the population wizard, this property is configured in the Bind password field on the LDAP authentication properties page.

source_ldap_search_base or source_ldap_user_search_base Search Base
The search base (the location from where the search begins) of the iterating directory. The search begins at this point in the LDAP directory structure and searches all records underneath. This must be a distinguished name.
Note: Most directories require a search base, and as such it must be a valid distinguished name. Some directory services allow you to specify a blank string, which defaults to whatever the server is configured to do.

A default value is not specified.

If you are using the population wizard, this property is configured in the LDAP user search base field on the LDAP page.

source_ldap_search_filter or source_ldap_user_search_filter Search Filter

Search filter that is used when iterating the directory.

This filter determines which objects are included or excluded in the search. If you are using the search base and the specified search filter properties do not allow you to adequately construct your search set, use the source_ldap_required_dn_regex property.

Note: Search filters are used by those directories to select entries from which data is retrieved from a search operation. Search filters as they can affect performance of the directory that is being searched, so choose carefully. The directory server schema that is being queried can affect performance.

A default value is not specified.

If you are using the population wizard, this field is called LDAP user search filter and is located in the LDAP authentication properties page.

source_ldap_sort_page_size Page size

If specified, the LDAP Connector tries to use paged mode search. Paged mode causes the directory server to return a specific number of entries (called pages) instead of all entries in one chunk. Not all directory servers support this option. The default value is 0, which indicates that paged mode is disabled.

The default value is 0.

This parameter is not configurable when you are using the population wizard.

source_ldap_authentication_method Authentication Method
Anonymous
This method provides minimal security.
Simple
This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided.
CRAM-MD5
Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay.
SASL
Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication with the Extra Provider Parameters option.

This parameter is not configurable through the population wizard.

source_ldap_collect_dns_file

Name of the file that is used to collect distinguished names (DNs) by the collect_dns.bat/sh process from the source. This is then used during population by the populate_from_dn_file.bat/sh processes to look up entries to add to the database repository.

This file can also be constructed by hand to populate an explicit set of users.

The default value is collect.dns.

This parameter is not configurable through the population wizard.

source_ldap_escape_dns

Indicates that special characters were not escaped properly and identifies them so the processor can find those characters and escape them. The following characters are the special characters:

  • , (comma)
  • = (equals)
  • + (plus)
  • < (less than)
  • > (greater than)
  • # (number sign)
  • ; (semicolon)
  • \ (backslash)
  • " (Quotation mark)

The backslash is used to escape special characters. A plus sign is represented by \+ and a backslash is represented by \\.

if your distinguished names contains these special characters and you receive errors when the collect_dns/populate_from_dn_file process runs, set this property to true so that the characters are escaped.

The default value is false.

This parameter is not configurable through the population wizard.

source_ldap_required_dn_regex

Allows a regular expression to be used to limit the distinguished names (DNs) which are processed by providing a regular expression, which must be matched. If the regular expression is not matched, that particular record is skipped. Although the search filter property gives some flexibility, you can use a more powerful regular expression when needed.

A default value is not specified.

This parameter is not configurable through the population wizard.

source_ldap_sort_attribute Sort Attribute

Specifies server side sorting. This parameter instructs the LDAP server to sort entries that match the search base on the specified field name. Server side sorting is an LDAP extension. The iterating directory must be able to support this sorting extension.

A default value is not specified.

This parameter is not configurable through the population wizard.

source_ldap_iterate_with_filter

This property should be used if the size of the data to be retrieved from LDAP exceeds the search limit from the LDAP. For example, if your search parameters return 250K records but your LDAP allows only 100K to be returned at a time, use this parameter.

If the data is too large, an LDAP size limit exceeded error message is generated. To configure this mechanism, see the Populating a large user set topic.

When set to true, this attribute specifies that the default iteration assembly line use the collect_ldap_dns_generator.js file to iterate over a set of LDAP search bases and filters. The cconfig setting replaces the sync_all_dns_forLarge and collect_dns_iterate scripts that are used in earlier releases.

This parameter is not configurable through the population wizard.

The default value is false.

source_ldap_binary_attributes Binary Attributes

By default, this property is set internally to GUID, objectGUID, objectSid, sourceObjectGUID. Any additional values that are specified in the property are appended to the list.

This parameter is not configurable through the population wizard.

The default value is GUID.

source_ldap_time_limit_seconds Time Limit

Specifies the maximum number of seconds that can be used when searching for entries; 0 = no limit.

This parameter is not configurable through the population wizard.

The default value is 0.

source_ldap_map_functions_file

Specifies the location of any referenced function mappings.

When you are using the population wizard, the functions that are shown in the mapping dialog are read from and written to this file.

The default value is profiles_functions.js.

source_ldap_logfile

In addition to the standard logs/ibmdi.log file, output from the populate_from_dn_file.bat or populate_from_dn_file.sh task is written to this file.

This parameter is not configurable through the population wizard.

The default value is logs/PopulateDBFromSource.log.

source_ldap_compute_function_for_givenName

Connections allows JavaScript functions for setting values of common LDAP fields such as cn, sn, givenName to run before Connections performs its mapping. For example, sn and givenName can be parsed from cn (common name).

This parameter is not configurable through the population wizard.

A default value is not specified.

source_ldap_compute_function_for_sn

Connections allows JavaScript functions for setting values of common LDAP fields such as cn, sn, givenName to run before Connections performs its mapping. For example, sn and givenName can be parsed from cn (common name).

This parameter is not configurable through the population wizard.

A default value is not specified.

source_ldap_collect_updates_file

This property is no longer used.

source_ldap_manager_lookup_field

This property is no longer used.

source_ldap_secretary_lookup_field

This property is no longer used.

Many properties in the IBM Security Directory Integrator LDAP connector are not mapped to Profiles' Security Directory Integrator properties. To configure properties other than the ones listed here, you can use a different source repository and create your own specialized configuration. Use the LDAP iterator and the connectors that are provided with the IBM Security Directory Integrator solution directory as a starting point. For more information, see Using a custom source repository connector.

The following properties are associated with the Profiles database repository.
Note: Set the following properties in profiles_tdi.properties, even if you are developing your own assembly lines with the connectors provided in the Profiles IBM Security Directory Integrator solution directory. These properties are not configured in the Connector panels, but rather in the profiles_tdi.properties file. For more information, see Developing custom Security Directory Integrator assembly lines.
Table 2. Profiles database properties
Property SDI parameter Definition
dbrepos_jdbc_driver JDBC Driver

Required.

The JDBC driver implementation class name that is used to access the Profiles database repository.

For DB2, the default is com.ibm.db2.jcc.DB2Driver. For example:
dbrepos_jdbc_driver=com.ibm.db2.jcc.DB2Driver
For Oracle, the default is oracle.jdbc.driver.OracleDriver. For example:
dbrepos_jdbc_driver=oracle.jdbc.driver.OracleDriver
If you are using a Microsoft SQL Server database, change the value to reference a SQL Server driver, for example:
dbrepos_jdbc_driver=com.microsoft.sqlserver.jdbc.SQLServerDriver

This corresponds to the JDBC driver path in the population wizard. If not using the wizard, this library must be present in the CLASSPATH of Security Directory Integrator. Otherwise, Security Directory Integrator cannot load the library when initializing the Connector and cannot communicate with the Relational Database (RDBMS).

To install a JDBC driver library so that Security Directory Integrator can use it, copy it into the TDI_install_dir/jars directory, or a subdirectory such as TDI_install_dir/jars/local.

dbrepos_jdbc_url JDBC URL

Required.

JDBC web address that is used to access the Profiles database repository.

You must modify the host name portion and port number to reference your server information.
Note: You can find this information by accessing the WebSphere® Application Server Administration Console (http://yourhost:9060), and then selecting Resources > JDBC > Data sources > profiles.

The default syntax is for DB2, unless using the wizard, but the default uses a local host. If the DB2 is not on the same system as the SDI solution directory, update the URL with the host name.

If you are using an Oracle database:
  • If your Oracle database is configured to use SERVICE_NAME, use the following syntax:
    jdbc:oracle:thin:@//hostname:port/database
    or
    jdbc:oracle:thin:@hostname:port/database
  • If your Oracle database is configured to use SID, use the following syntax:
    jdbc:oracle:thin:@hostname:port:database
If you are using a SQL Server database, use the following syntax:
dbrepos_jdbc_url=jdbc:sqlserver://hostname:1433;databaseName=PEOPLEDB
dbrepos_username User name

Required.

User name under which the database tables, which are part of the Profiles database repository, are accessed.

dbrepos_password Password

Required.

Password that is associated with the user name under which the database tables, which are part of the Profiles database repository, are accessed.

dbrepos_mark_manger_if_referenced

This property is no longer used.

The following properties are associated with the task that monitors the Profiles employee draft table.
Table 3. Change Monitoring Properties
Property SDI parameter Definition
monitor_changes_ldap_server_username
monitor_changes_dsml_server_authentication

Type of authentication that is used by the DSML server update requests.

HTTP basic authentication
A method that is designed to allow a web browser, or other client program, to provide credentials when making a request. The credentials are in the form of a user name and password.
Anonymous
This method provides minimal security.
monitor_changes_dsml_server_url Required if you are transmitting user changes back to the source repository.

Web address of the DSML server to which the DSML update requests are sent.

monitor_changes_dsml_server_username Required if you are transmitting user changes back to the source repository.

User name that is used for authentication to the DSML server.

monitor_changes_dsml_server_password Required if you are transmitting user changes back to the source repository.

Password that is used for authentication to DSML server that the DSML update requests are sent to.

monitor_changes_map_functions_file

Path to the file that contains mapping functions for mapping from a changed database field to a source. for example LDAP field. This file is only needed if changes made to the source based on database repository field changes are not mapped one-to-one. You can use the same file that you use to map from source to database repository fields, assuming the functions are named appropriately.

monitor_changes_sleep_interval

Polling interval, in seconds, between checks for more changes when no changes exist.

The following properties are associated with the Security Directory Integrator processing that reads a Security Directory Integrator change log and subsequently updates the database repository with those changes.
Table 4. Security Directory Server Change Log Properties
Property SDI parameter Definition
ad_changelog_ldap_url
LDAP web address that is used to access the LDAP system that was updated. For example:
ldap://host:port
ad_changelog_ldap_user_login

Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.

ad_changelog_ldap_user_password

Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.

ad_changelog_ldap_search_base
ad_changelog_ldap_use_ssl

Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.

ad_changelog_timeout
ad_changelog_sleep_interval

Polling interval, in seconds, between checks for more changes when no changes exist.

ad_changelog_use_notifications

Indicates whether to use change log notifications rather than polling. If true, the tds_changelog_sleep_interval is not applicable since polling is not used. The options are true and false.

ad_changelog_ldap_page_size
ad_changelog_start_at

Change number in the Active Directory change log to start at. Typically this is an integer, while the special value EOD means start at the end of the change log.

ad_changelog_ldap_required_dn_regex.
tds_changelog_ldap_authentication_method Authentication Method

Authentication method that is used to connect to LDAP to read records. Options include the following:

Anonymous
This method provides minimal security.
Simple
This method uses a login user name and password to authenticate. It is treated as anonymous if no user name and password are provided.
CRAM-MD5
Challenge/Response Authentication Mechanism using Message Digest 5. This method provides reasonable security against various attacks, including replay.
SASL
Simple Authentication and Security Layer. This method adds authentication support to connection-based protocols. Specify parameters for this type of authentication using the Extra Provider Parameters option.
tds_changelog_ldap_changelog_base ChangelogBase

Change log base to use when iterating through the changes. This is typically cn=changelog.

tds_changelog_ldap_time_limit_seconds Time Limit

Searching for entries must take no more than this number of seconds; 0 = no limit.

tds_changelog_ldap_url LDAP URL
LDAP web address that is used to access the LDAP system that was updated. For example:
ldap://host:port
tds_changelog_ldap_use_ssl Use SSL

Defines whether to use SSL in authenticating with an LDAP system that was updated. The options are true and false.

tds_changelog_ldap_user_login Login user name

Login user name to use to authenticate with an LDAP system that was updated. You can leave this blank if no authentication is needed.

tds_changelog_ldap_user_password Login password

Login user name to use to authenticate with an LDAP that was updated. You can leave this blank if no authentication is needed. The value will be encrypted in the file the next time it is loaded.

tds_changelog_sleep_interval

Polling interval, in seconds, between checks for more changes when no changes exist.

tds_changelog_start_at_changenumber

Change number in the Security Directory Integrator change log to start at. Typically the number is an integer, while the special EOD value means start at the end of the change log.

tds_changelog_use_notifications

Indicates whether to use change log notifications rather than polling. If true, the tds_changelog_sleep_interval is not applicable since polling is not used. The options are true and false.

The following properties are available in the profiles_tdi.properties file and are associated with Security Directory Integrator debug activities.
Note: The debug properties enable Security Directory Integrator debugging for an entire assembly. In addition, enabling debug_update_profile, which enables debugging for the commands that use the Profiles Connector, also enables Java debugging for the following packages.
  • log4j.logger.com.ibm.lconn.profiles.api.tdi=ALL
  • log4j.logger.com.ibm.lconn.profiles.internal.service=ALL
  • log4j.logger.java.sql=ALL
Note: The following properties are not configurable when you use the population wizard.
Table 5. Security Directory Integrator Debug and Trace Properties
Property Security Directory Integrator parameter Definition
sync_all_dns For information about sync_all_dns, see Understanding how the sync_all_dns process works.
debug_managers

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

To enable, set as debug_managers=true.

This property maps as follows:
debug_managers
    mark_managers

The default setting is false.

debug_photos

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property maps as follows:
debug_photos
    load_photos_from_files
    dump_photos_to_files

The default setting is false.

debug_pronounce

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_pronounce
    load_pronounce_from_files, 
    dump_pronounce_to_files

The default setting is false.

debug_fill_codes

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_fill_codes
    fill_country
    fill_department
    fill_emp_type
    fill_organization
    fill_worklok

The default setting is false.

debug_draft

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_draft
    process_draft_updates
    reset_draft_iiterator_state
    set_draft_iterator_count

The default setting is false.

debug_update_profile

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_update_profile
    populate_from_dn_file
    delete_or_inactivate_employees
    populate_from_xml_file
    process_ad_changes
    process_tds_changes

The default setting is false.

debug_collect

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_collect
    collect_dns

The default setting is false.

debug_special

Flag that instructs Security Directory Integrator to log more debug information for the following commands.

The options are true and false.

This property applies to the following commands:
debug_special
    unused at present

The default setting is false.

trace_profile_tdi_javascript

Enables generation of an internal JavaScript trace file.

Options are OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL (values are not case-sensitive).

The default setting is OFF.