Thursday, 7 January 2010

Using Tivoli Directory Integrator to populate Lotus Connections Profiles from a Domino group

As per a previous blog post, I've recently worked out how to use TDI to populate the Lotus Connections Profiles database from a Domino group.

The "problem" is that Domino does not support the memberOf attribute that other LDAP servers support, meaning that there is no simple way to identify members of a Domino group via an LDAP search filter.

As is probably well known by now, Lotus Connections includes TDI as a mechanism for integrating data from various systems, including LDAP directories, into the Profiles database.

The Connections product includes a set of scripts ( known as the Profiles Population Wizard ) that use TDI for this, and other related purposes. The wizard actually invokes one or two TDI processes, known as Assembly Lines. In my particular scenario, there are two Assembly Lines involved: -

collect_ldap_dns

This Assembly Line iterates through the LDAP specified in profile_tdi.properties, and then writes dn into the collect.dns file.

Populate_from_dns_file

This Assembly Line runs after collecting dns in the collect.dns file. It iterates over the collect.dns file, fetches data from the LDAP, and syncs the database with details of the employees. This Assembly Line is invoked while running the populate_from_dn_file.sh script.

The LC Wiki outlines this in far more detail here.

My solution replaces the collect_ldap_dns Assembly Line, and consists of three elements: -

Domino_Group_Members_into_Profiles.properties

##{PropertiesConnector} savedBy=root, saveDate=Fri Jan 01 11:57:23 GMT 2010
source_ldap_url=ldap://dmht60p.uk.ibm.com:389
source_ldap_search_filter=CN=LC25
source_ldap_user=CN=domadmin,O=ibm
source_ldap_password=passw0rd

Domino_Group_Members_into_Profiles.sh

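#!/bin/sh
# Remove any collect.dns left over from a previous run (-f: no error if it does not exist)
rm -f collect.dns
# Run the Domino_Group_Members_into_Profiles Assembly Line from the XML config, using this directory as the solution directory
/opt/IBM/TDI/V6.1.1/ibmdisrv -s . -c Domino_Group_Members_into_Profiles.xml -r Domino_Group_Members_into_Profiles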


Domino_Group_Members_into_Profiles.xml

This is "Blue Glue" that joins the two together - the shell script invokes the TDI server ( ibmdisrv ) which reads the properties file AND the XML file, which contains the details of the Assembly Line ( called Domino_Group_Members_into_Profiles - yeah, I know my naming convention isn't the best ... ).

This Assembly Line uses an LDAP Connector to iterate over the members of the group specified by source_ldap_search_filter=CN=LC25, and parses each user name ( Distinguished Name ) to remove everything apart from the preceding CN= and the closing O= . This list of user names is then written, line by line, to a text file, collect.dns.

That's it, simple as that.
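The parsing step described above, as an added JavaScript example; it is not the Assembly Line from Domino_Group_Members_into_Profiles.xml, which is not shown on this page. It assumes the group's members arrive as a list of DN strings, reads "everything apart from the preceding CN= and the closing O=" as keeping the span from the first CN= component to the last O= component, and uses constructed names; splitDn, normaliseMember and collectDns are hypothetical function names.

```javascript
// Added example: hypothetical helpers and constructed sample data.

// Split a DN into RDNs on unescaped commas; a backslash escapes the next character.
function splitDn(dn) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) cur += ch + dn[++i];
    else if (ch === ",") { parts.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter((p) => p.length > 0);
}

// Assumed reading of the parsing step: keep the RDNs from the first CN= to the
// last O=. Returns null when either component is missing.
function normaliseMember(dn) {
  const rdns = splitDn(dn);
  const isType = (rdn, t) => rdn.toUpperCase().startsWith(t + "=");
  const first = rdns.findIndex((r) => isType(r, "CN"));
  let last = -1;
  rdns.forEach((r, i) => { if (isType(r, "O")) last = i; });
  if (first === -1 || last < first) return null;
  return rdns.slice(first, last + 1).join(",");
}

// Build the lines for collect.dns: one DN per line, skipping values that do not
// parse and duplicates that differ only in case or in spacing after commas.
function collectDns(memberValues) {
  const seen = new Set();
  const lines = [];
  for (const value of memberValues) {
    const dn = normaliseMember(value);
    if (dn === null || seen.has(dn.toLowerCase())) continue;
    seen.add(dn.toLowerCase());
    lines.push(dn);
  }
  return lines;
}

// Constructed sample member values for a group such as CN=LC25.
const sampleMembers = [
  "CN=Test User,O=ibm",
  "cn=test user, o=ibm",            // duplicate of the first entry
  "CN=User\\, Second,OU=UK,O=ibm",  // escaped comma inside the CN value
  "CN=LocalOnly",                   // no O= component, skipped
];
console.log(collectDns(sampleMembers).join("\n"));
```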

Now if I was REALLY smart, I'd work out how to (a) amend the out-of-the-box Assembly Line ( collect_ldap_dns ) or (b) invoke the Populate_from_dns_file Assembly Line from my own version.

However, that'll do for the time being ...

With thanks and kudos to many, including: -

Eddie Hartman
Keith Brooks
Mitch Cohen
Sjaak Ursinus


and three awesome products: Lotus Domino, Tivoli Directory Integrator and Lotus Connections.

